May 27, 2009


Major Java (Un)Security in Ubuntu/Mac OS

Ubuntu maintainers impress me once more with their 'I don't care' attitude to the security of their system. The first was the Debian-specific change to the openssl package that left ALL SSL and TLS communications and SSH key generation actually unencrypted.
Now they keep both versions of Sun's Java, 5 and 6, in the stable repository (packages sun-java5 and sun-java6) at one minor release BEFORE the fix for a major vulnerability (CVE-2008-5353: calendar deserialization). Sun fixed this back in December 2008 already (soon after the bug was found), and of course released stable packages of both the JDK and the JRE.
Hey, Ubuntu repository maintainers, why don't you update the Sun Java packages in the repo? Why do you leave unprotected all those who trust you?
To those Ubuntu users who care about security when surfing in a browser, I advise you to update Java manually from Sun's site (Downloads section): http://java.sun.com AND don't forget to REMOVE Ubuntu's packages first, using for example Synaptic. Just search for java, remove everything related to Java, then reinstall the JRE/JDK from Sun's site.
PS Vulnerable Java releases are: Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier. To see your version, just type java -version in a terminal.
PPS Mac OS users are ALL vulnerable to this, because Apple maintains the Java branch for Mac OS themselves and has not yet released an update OR patch (!!!). Unfortunately, it seems that security is not a priority for Apple.
PS Apple has fixed it. Please update your Macs ASAP.
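Checking the output of java -version by eye is error-prone when you have several machines to look at, so here is an added shell script (mine, not from the original post) that classifies a version string against exactly the three vulnerable ranges listed in the PS above. It assumes the usual Sun version format such as 1.6.0_10 (family_update); anything outside the three listed families (for example 1.7.0) is reported as "not in the listed ranges" rather than guessed at. The sample line is constructed; on a real machine you would feed it `java -version 2>&1 | head -n 1`.

```shell
#!/bin/sh
# Added example: classify a Java version against the CVE-2008-5353 ranges
# quoted in the post: 1.6.0_<=10, 1.5.0_<=16, 1.4.2_<=18 are vulnerable.

# Pull the quoted version out of the first line of `java -version`,
# e.g. 'java version "1.6.0_10"' -> 1.6.0_10
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p'
}

# Exit 0 (true) when the version is inside a listed vulnerable range,
# exit 1 when it is newer or belongs to a family the post does not cover.
java_version_vulnerable() {
    ver="$1"
    base="${ver%%_*}"        # family, e.g. 1.6.0
    upd="${ver#*_}"          # update number, e.g. 10
    if [ "$upd" = "$ver" ]; then
        upd=0                # no "_N" suffix: treat as update 0 (assumption)
    fi
    case "$base" in
        1.6.0) [ "$upd" -le 10 ] ;;
        1.5.0) [ "$upd" -le 16 ] ;;
        1.4.2) [ "$upd" -le 18 ] ;;
        *)     return 1 ;;
    esac
}

# Takes one `java -version` output line, prints a verdict, and returns
# 0 if the installed Java is vulnerable, 1 otherwise.
check_installed() {
    v=$(extract_java_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a Java version from: $1"
        return 1
    fi
    if java_version_vulnerable "$v"; then
        echo "Java $v: VULNERABLE (CVE-2008-5353), update from Sun's site"
        return 0
    fi
    echo "Java $v: not in the listed vulnerable ranges"
    return 1
}

# Constructed sample of what an unpatched Ubuntu sun-java6 package prints.
# Real use: check_installed "$(java -version 2>&1 | head -n 1)"
SAMPLE_LINE='java version "1.6.0_10"'
check_installed "$SAMPLE_LINE"
```

The script deliberately reports only what the post's list supports: a version from an unlisted family is "not in the listed ranges", which is not the same as "patched", so treat that output as a prompt to check Sun's advisory rather than a clean bill of health.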
