I've sent the following email to j...@freebsd.org & sect...@freebsd.org one month ago, but I got no answer.
The same problem still exists with linux-sun-jdk-1.6.0.20.

Date: Mon, 29 Mar 2010 00:48:36 +0200
To: j...@freebsd.org, sect...@freebsd.org
Subject: portaudit prevents installation of linux-sun-jdk16

Hi j...@freebsd.org & sect...@freebsd.org,

I think this is both a java and a portaudit issue.

I've just learnt I have to use at least Java 6 Update 10 for Firefox 3.6:
http://www.java.com/en/download/faq/firefox_newplugin.xml

So I had a look at the versions of /usr/ports/java/*jdk16* on my FreeBSD machine. linux-sun-jdk-1.6.0.18 seems to be the only port in the tree that meets the requirements. But if I try to make it, portaudit prevents the build:

===> linux-sun-jdk-1.6.0.18 has known vulnerabilities:
=> jdk -- jar directory traversal vulnerability.
Reference: <http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

But if I have a look at the reference URL, 1.6 does not seem to be affected. I did a portaudit -F in order to make sure my database is up to date.

So is this a false positive that should get fixed?

There was a PR on this in 2007:
http://www.freebsd.org/cgi/query-pr.cgi?pr=115558&cat=

The reason for this PR to get closed was it was reproducible with linux-sun-jdk-1.6.0.02.
http://freebsd.monkey.org/freebsd-java/200708/msg00101.html

My open questions:

1. Is linux-sun-jdk-1.6.0.18 still vulnerable? Sorry, I don't have a bad.jar, but I'm willing to test.

2. Shouldn't http://portaudit.freebsd.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html get updated in order to make clear at least linux-sun-jdk-1.6.0.02 was vulnerable?

3. Why does portaudit think it's vulnerable even if the auditfile does not seem to contain a matching entry for linux-sun-jdk-1.6.0.18?
$ grep 18e5428f-ae7c-11d9-837d-000e0c2e438a auditfile
jdk<=1.2.2p11_3|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.3.*<=1.3.1p9_4|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.4.*<=1.4.2p7|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
jdk>=1.5.*<=1.5.0p1_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-ibm-jdk<=1.4.2_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk<=1.4.2.08_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-sun-jdk>=1.5.*<=1.5.2.02,2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-blackdown-jdk<=1.4.2_2|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk<=1.3.1.0_1|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
diablo-jdk-freebsd6<=i386.1.5.0.07.00|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability
linux-jdk>=0|http://portaudit.FreeBSD.org/18e5428f-ae7c-11d9-837d-000e0c2e438a.html|jdk -- jar directory traversal vulnerability

Thanks for listening,
Knarf
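A small model of the range matching behind question 3, added here as an example; it is not part of Knarf's post and not portaudit's own code. It assumes portaudit compares versions with pkg_version -t semantics (",epoch" outranks version and revision, "_revision" is least significant) and treats a trailing ".*" in a bound as that bound with the wildcard stripped; run over the quoted auditfile entries it shows which entry catches linux-sun-jdk-1.6.0.18, and that the same package carrying epoch 2 would not be caught.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq, ">": operator.gt, ">=": operator.ge}
# name|range field of the auditfile lines quoted above (URL/description fields dropped)
AUDITFILE_ENTRIES = [
    "jdk<=1.2.2p11_3",
    "jdk>=1.3.*<=1.3.1p9_4",
    "jdk>=1.4.*<=1.4.2p7",
    "jdk>=1.5.*<=1.5.0p1_1",
    "linux-ibm-jdk<=1.4.2_1",
    "linux-sun-jdk<=1.4.2.08_1",
    "linux-sun-jdk>=1.5.*<=1.5.2.02,2",
    "linux-blackdown-jdk<=1.4.2_2",
    "diablo-jdk<=1.3.1.0_1",
    "diablo-jdk-freebsd6<=i386.1.5.0.07.00",
    "linux-jdk>=0",
]

def parse_version(v):
    """Model of pkg_version -t ordering (assumption): ",epoch" first, then version, then "_revision"."""
    epoch = revision = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for part in v.split("."):
        # "2p11" -> ((0,2),(1,"p"),(0,11)); the 0/1 tag keeps ints and strings comparable
        tokens = re.findall(r"\d+|[A-Za-z]+", part)
        comps.append(tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens))
    return (epoch, comps, revision)

def entry_matches(entry, pkg):
    name, ranges = re.match(r"([^<>=]+)(.*)", entry).groups()
    pkgname, pkgver = pkg.rsplit("-", 1)
    if name != pkgname:
        return False
    key = parse_version(pkgver)
    for op, bound in re.findall(r"([<>]=?|=)([^<>=]+)", ranges):
        if bound.endswith(".*"):
            bound = bound[:-2]  # simplification: ">=1.5.*" is treated as ">=1.5"
        if not OPS[op](key, parse_version(bound)):
            return False
    return True

def matching_entries(pkg, entries=AUDITFILE_ENTRIES):
    """Entries that flag pkg. linux-sun-jdk-1.6.0.18 is caught only by the 1.5 entry:
    its upper bound carries epoch 2, which outranks the higher 1.6 version number."""
    return [e for e in entries if entry_matches(e, pkg)]
```

Under these assumptions matching_entries("linux-sun-jdk-1.6.0.18") returns the 1.5 entry while matching_entries("linux-sun-jdk-1.6.0.18,2") returns nothing, which is the kind of check worth running before trusting either a portaudit hit or a portaudit silence.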