Security Patches
Andrew John Hughes
gnu_andrew at member.fsf.org
Mon Dec 7 05:29:46 PST 2009
2009/12/7 Deepak Mathews <deepak2427 at gmail.com>:
> Hi,
>
> Thank you Tim for your prompt reply.
>
> Actually, there are more security issues...
>
This latest batch went into OpenJDK in b77:
> These are the bug ids.
> 269868, 269869, 269870, 270474, 270475, 270476
>
> http://blogs.sun.com/security/entry/advance_notification_of_security_updates6
>
> http://blogs.sun.com/security/entry/sun_alert_269868_the_java
> http://blogs.sun.com/security/entry/sun_alert_269869_command_execution
> http://blogs.sun.com/security/entry/sun_alert_269870_security_vulnerability
>
These are all specific to the Sun JDK (deployment and plugin/web start
related issues) and affect code not in OpenJDK.
> http://blogs.sun.com/security/entry/sun_alert_270474_buffer_and
Using the bug IDs on that link, you can trivially check whether they
are in OpenJDK or not using hg log -k <bug id>:
6872357: http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/34cc7663e7b8
6872358: http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/b19f5dc13e8c
6862968: http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/1eff4e2de700
6874643: http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/689874730539
The rest I assume are bugs in Sun proprietary code.
> http://blogs.sun.com/security/entry/sun_alert_270475_a_security
6863503: http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/4fbe48c706a4
> http://blogs.sun.com/security/entry/sun_alert_270476_two_security
6864911: http://hg.openjdk.java.net/jdk7/jdk7/jdk/rev/5429444e93b1
>
> Thanks.
> Deepak
>
> On Mon, Dec 7, 2009 at 11:09 AM, Tim Bell <Tim.Bell at sun.com> wrote:
>
>> Deepak Mathews wrote:
>>
>> > Does OpenJDK share a lot of codebase with SunJDK?
>>
>> Yes, it does.
>>
>> > There was a security issue for SunJDK...
>>
>> ... ?? specific details please ??
>>
>> > A command execution vulnerability in the Java Runtime Environment Deployment
>> > Toolkit may be leveraged to execute arbitrary code. This may occur as the
>> > result of a user of the Java Runtime Environment viewing a specially crafted
>> > web page that exploits this vulnerability.
>> >
>> > This issue can occur in the following Java SE and Java SE for Business
>> > releases for Windows:
>> >
>> > JDK and JRE 6 Update 16 and earlier
>> > Note: JDK and JRE 5.0, and SDK and JRE 1.4.2 and 1.3.1 are not affected by
>> > this issue.
>> >
>> > The security issues for SunJDK... Will this affect OpenJDK 7 also?
>>
>> Where did you get the text pasted above? Were there bug-ID(s) referenced,
>> and if so, what were they?
>>
>> JDK7 is currently in sync with security fixes, but we won't be
>> able to track this down for sure without more information.
>>
>> Thx-
>>
>> Tim
>>
>>
>
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
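
The check described in the message above (looking up each bug ID in the Mercurial history), as an added example that is not part of the original e-mail or of OpenJDK's own tooling. The function names `check_fixes` and `sample_log` are hypothetical, the summary text in the sample log is constructed, and the rule that a fix's summary begins with "<bug id>:" is an assumption; the node and bug IDs are the ones quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original message.
# Reads a Mercurial log on stdin, one changeset per line:
#   <short node> <first line of description>
# which a clone produces with:
#   hg log --template '{node|short} {desc|firstline}\n'

# Constructed sample log. Node IDs and bug IDs are the ones quoted in the
# message; the summary text is made up for this example.
sample_log() {
    cat <<'EOF'
34cc7663e7b8 6872357: constructed summary
4fbe48c706a4 6863503: constructed summary
5429444e93b1 6864911: constructed summary
000000000000 6000000: constructed decoy that mentions 269869 in passing
EOF
}

# check_fixes ID... : print "<id> present <node>" or "<id> MISSING" per ID.
# Returns 0 only if every ID was found.
check_fixes() {
    log=$(cat)   # buffer stdin so it can be scanned once per ID
    rc=0
    for id in "$@"; do
        # Assumption: a fix's summary starts with "<bug id>:". Matching that
        # field exactly avoids the substring hits a keyword search (-k) gives,
        # such as the decoy line above.
        node=$(printf '%s\n' "$log" |
            awk -v id="$id" '$2 == (id ":") { print $1; exit }')
        if [ -n "$node" ]; then
            printf '%s present %s\n' "$id" "$node"
        else
            printf '%s MISSING\n' "$id"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed log; "|| true" because one ID is expected missing.
sample_log | check_fixes 6872357 6863503 6864911 269869 || true
```

The non-zero return status lets a build or packaging script fail when an expected fix is absent from the tree being shipped.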