Mark-of-the-Beast security bug --- community collaboration?

Mark Wielaard mark at klomp.org
Tue Feb 8 09:59:01 UTC 2011


On Mon, 2011-02-07 at 16:29 -0600, Tom Marble wrote:
> Normally security issues would not be raised to the level
> of the 'discuss' list, but in the interest of getting
> as many 'eyes on the bug' such that the entire community
> can find and patch OpenJDK 6 quickly I respectfully
> would like to call everyone's attention to:
> 
> http://www.theregister.co.uk/2011/02/07/java_denial_of_service_bug/
> 
> It would be great if we could find this and patch
> OpenJDK 6 deployments ASAP.

There has been extensive discussion on the core-libs mailing list, with a
patch and some historic digging to find where the issue came from.

Short story, it was already found through the Free Software Jacks
testsuite in 2001 (!). http://sourceware.org/mauve/jacks.html
http://sourceware.org/cgi-bin/cvsweb.cgi/~checkout~/jacks/docs/tests.html?cvsroot=mauve#3.10.2-runtime 
reported by the Jikes compiler hacker Eric Blake.
http://bugs.sun.com/view_bug.do?bug_id=4421494 The bug report even has a
suggested fix. Dmitry Nadezhin posted a patch in 2009, but unfortunately
that didn't make it in.
http://mail.openjdk.java.net/pipermail/core-libs-dev/2009-November/003153.html
https://bugs.openjdk.java.net/show_bug.cgi?id=100119
It was rediscovered through the PHP issue a week ago.
http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
Andrew Haley almost immediately posted a new patch for it last week.
http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html
Hopefully it will go into IcedTea6 ASAP according to Andrew Hughes.
http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005836.html
With possibly more security fixes following next week.
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Cheers,

Mark



