http://lwn.net/Articles/113640/ This is a special feed containing comments posted to the individual LWN article titled "A java vulnerability". hourly 2 http://lwn.net/Articles/117074/rss 2004-12-24T05:46:21+00:00 barrygould Same problem for me on XP and Win2k, even a week or two afterwards.<br> <p> Also, the installer doesn't remove the offending version.<br> <p> http://lwn.net/Articles/114529/rss 2004-12-07T12:23:09+00:00 eru <i>The end result is that most users will need to get the updated JRE from Sun directly.</i> <p> Assuming they even can... In the past days I have tried to update the JRE package on a Windows 2000 box (yes,a bit offtopic for this forum, but illustrates an OS-independent risk, so bear with me). The default download click on Sun's site rushes me to a page where it congratulates me on having installed Java. Apparently it detects the JRE is installed and ignores my request to "update it, please", an installer bug. There is also a "manual installation" which always seems to hand like the server were too busy (everyone trying to update Java at the same time? Or then I have just been unlucky). <p> The risk I see here is that by keeping tight control on JDK distribution, Sun has made itself a bottleneck. They can handle normal traffic, but when a lot of users want to get an update within a short timeframe, things break down. Of course Microsoft has basically the same problem, and has had it for a long time, but apparently they have learned to handle it better. <p> Sun would do itself a big favour if it allowed all browser and OS distributors (even open source ones and including mirrors) to distribute the JRE and provide update services for it. The other alternative for Sun is to buy a lot more servers and bandwidth, which is more expensive... http://lwn.net/Articles/114367/rss 2004-12-06T13:52:04+00:00 Cato The vulnerability is fixed in 1.5 - check Sun's site for the details.<br> http://lwn.net/Articles/114264/rss 2004-12-04T14:05:45+00:00 chip I can't find any info on whether JRE (JDK?) 1.5 is also vulnerable.<br> http://lwn.net/Articles/114083/rss 2004-12-03T09:01:26+00:00 fredrik Ah, sweet!<br> <p> I found the release notice and a reference to an official deb-archive[0] on blackdown. The notice also mentioned that their latest version, 1.4.2.01-1, fixes the vulnerability in CVE CAN-2004-1029. <br> <p> Apparantly blackdown's version 1.4.2.01 is based on sun's 1.4.2_07pre code, and I must say, that version discrepancy is a bit unclear for a casual observer.<br> <p> Anyway, off I go to add a new source for apt. Wee.<br> <p> [0] <a href="http://blackdown.org/java-linux/java2-status/jdk1.4-status.html#debs">http://blackdown.org/java-linux/java2-status/jdk1.4-statu...</a><br> http://lwn.net/Articles/114041/rss 2004-12-03T00:33:26+00:00 denials The article doesn't mention whether the IBM SDK for Java on Linux is affected by the same security vulnerability; I tried looking at <a href="http://www.ibm.com/developerworks/java/jdk/linux140/">http://www.ibm.com/developerworks/java/jdk/linux140/</a> but their "Click here" download link appeared to be broken.<br> http://lwn.net/Articles/113992/rss 2004-12-02T20:22:03+00:00 hmh deb <a href="http://ftp.gwdg.de/pub/languages/java/linux/debian">http://ftp.gwdg.de/pub/languages/java/linux/debian</a> sid non-free<br> <p> OR<br> <p> deb <a href="http://ftp.gwdg.de/pub/languages/java/linux/debian">http://ftp.gwdg.de/pub/languages/java/linux/debian</a> sarge non-free<br> http://lwn.net/Articles/113969/rss 2004-12-02T19:25:55+00:00 fredrik I'm probably missing something, because when I browse blackdown's ftp mirrors I cannot find any debian packages more recent than 2003. Not even the change log from the most recent tar-package seems to reference any security fix. Are the blackdown developers really maintaining their ftp? And if not, are the debian packages maintained elsewhere?<br> <p> Sofar, I have always pulled the official sun release, and built a java-dummy package. That has been the most predictable method for me to install java. <br> <p> A pity that sun maintains a such obnoxious non-oss-approved license on their official SDK/JRE. They only shoot themselves in the foot by making it harder for both end users and developers to install and update. <br> <p> Oh well, guess I'm preaching to the choir here anyway...<br> http://lwn.net/Articles/113852/rss 2004-12-02T13:47:43+00:00 hmh Well, blackdown.org does support automatic security updating for the Debian packages (as long as you take care to update and upgrade from their repository). Likely something for rpm can be arranged as well.<br> <p> Still non-free as heck, but hey, we did know what the deal with Java was all along, didn't we?<br>