Puppy Linux Discussion Forum
JRE / JDK Security Thread
Q5sys


Joined: 11 Dec 2008
Posts: 1047

Posted: Sat 19 Jan 2013, 13:56    Post subject: JRE / JDK Security Thread


    Current Release: Java 7u17
    Exploits publicly available: No
    Temporary work around: N/A
    Download Link: http://java.com/en/download/manual.jsp
    32 Bit Puppy Version: You will need to check with your specific Puppy Version
    64 Bit Puppy Version: Will be released shortly

    Legacy Release: Java 6u43
    Exploits publicly available: No
    Temporary work around: N/A
    Download link: http://java.com/en/download/manual_v6.jsp
    32 Bit Puppy Version: You will need to check with your specific Puppy Version
    64 Bit Puppy Version: Will be released shortly


Notice from Oracle:
Quote:
Java SE 6 End of Public Updates
After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download.

EDIT: Despite Oracle's statement that 6u39 was going to be the last v6 release, they have released two more. 6u41 and 6u43

Instead of just continually putting this in threads for specific puppies, I'm making a single thread I can update with the latest Java information. Packages will be listed here if I have them available (or if others make them available)

_________________



My PC is for sale

Last edited by Q5sys on Wed 06 Mar 2013, 20:57; edited 8 times in total
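
A way to compare an installed Java against the two releases listed in the first post above, as an added example that is not part of the original post. The function names are illustrative, and the baselines (7u17 and 6u43) are only those the post states as of its last edit.

```shell
#!/bin/sh
# Added example: compare a Java version string with the releases listed in
# the first post of this thread (Java 7u17 and Java 6u43).
# Function names are illustrative and not from the thread.
BASELINE_7=17   # "Current Release: Java 7u17"
BASELINE_6=43   # "Legacy Release: Java 6u43"

# java_status VERSION
# VERSION is the quoted string printed by `java -version`, e.g. 1.7.0_11.
# Prints "current", "outdated", or "unknown" (no baseline in the thread).
java_status() {
    ver=$1
    case $ver in
        1.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver#1.}; major=${major%%.*}      # 1.7.0_11 -> 7
    case $ver in
        *_*) update=${ver##*_} ;;            # 1.7.0_11 -> 11
        *)   update=0 ;;                     # 1.7.0 has no update number
    esac
    update=${update%%-*}                     # drop build suffix such as -b05
    case $update in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # Strip leading zeros so 09 is compared as 9.
    while case $update in 0?*) true ;; *) false ;; esac; do
        update=${update#0}
    done
    case $major in
        7) base=$BASELINE_7 ;;
        6) base=$BASELINE_6 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$update" -lt "$base" ]; then echo outdated; else echo current; fi
}

# installed_java_version: extract the quoted version from `java -version`,
# which writes its banner to stderr.
installed_java_version() {
    java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

if command -v java >/dev/null 2>&1; then
    v=$(installed_java_version)
    echo "java $v: $(java_status "$v")"
else
    echo "java not found on PATH"
fi
```
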
jpeps

Joined: 31 May 2008
Posts: 3220

Posted: Sat 19 Jan 2013, 15:51    Post subject: Re: JRE / JDK Security Thread

Q5sys wrote:
Current Release: Java 7u11
Exploits publicly available: Yes
Temporary work around: None Currently

Instead of just continually putting this in threads for specific puppies, I'm making a single thread I can update with the latest Java information. Packages will be listed here if I have them available (or if others make them available)


..this is like saying your cell phone is at risk. As noted in other threads, this is strictly related to browser plugins where they are permitted to begin with. Do you have a linux browser with an at risk java plugin?? Do you really believe that there are no other web browser vulnerabilities?

What do you get out of fear mongering?
Q5sys


Joined: 11 Dec 2008
Posts: 1047

Posted: Sat 19 Jan 2013, 16:38    Post subject: Re: JRE / JDK Security Thread

jpeps wrote:
Q5sys wrote:
Current Release: Java 7u11
Exploits publicly available: Yes
Temporary work around: None Currently

Instead of just continually putting this in threads for specific puppies, I'm making a single thread I can update with the latest Java information. Packages will be listed here if I have them available (or if others make them available)


..this is like saying your cell phone is at risk. As noted in other threads, this is strictly related to browser plugins where they are permitted to begin with. Do you have a linux browser with an at risk java plugin?? Do you really believe that there are no other web browser vulnerabilities?

What do you get out of fear mongering?


This isn't fear mongering. If you notice, it's a yes/no field for public exploits. I'm not giving all the details, just a simple fyi.

This is nothing more than a consolidated thread for all java related talk and update status. That way it's not scattered around in different threads. If a person is curious as to the status of the latest java release, they can take a peek here and go about their way.
btw... Your claim that it is "strictly related to browser plugins", is incorrect. This isn't just related to browser security. In fact one of the 7u7 (I think, it might have been 7u9) bugs had nothing to do with the browser. You could not even have a browser installed and could be exploited. So while certain java exploits are browser dependent, not all are. Java is its own vector on a system.

I created this thread to have a single spot for people to check on java on the forum. And grab the latest packages when I have them available. That's it. If you don't want to know about if you have a decent version of Java... then don't click the thread.

Some people care about security, some don't. This thread is for those that care; if you don't care, then don't bother opening the thread.

_________________



My PC is for sale
jpeps

Joined: 31 May 2008
Posts: 3220

Posted: Sat 19 Jan 2013, 17:08

The present security threat is related to enabled browser plugins, mostly with Internet Explorer. Regarding downloading malicious viruses that affects anything else, just how serious do you think that really is on your puppy linux computer?

There will never be a completely secure programming language that can't be exploited, so don't surf the web. Also, avoid beautiful women.

Last edited by jpeps on Sat 19 Jan 2013, 17:12; edited 1 time in total
gcmartin

Joined: 14 Oct 2005
Posts: 4117
Location: Earth

Posted: Sat 19 Jan 2013, 17:10

Thanks for starting this thread. Let's hope that it doesn't push into the realm of emotionalism and remains in the area of technological understanding.

JAVA is a subsystem that can run in all present Operating Systems; namely Windows, Apple, Unix and Linux. This subsystem is and was designed to provide programmers of the world the ability to write a JAVA program (a JAR) and it will run wherever JAVA resides.

This has provided enormous benefit in and out of the business climate. In fact, it is found on many/most xPhones. And one can expect that an application from the xPhone can run on your PCs as well.

In any event, some apps designed for desktop have little to no internet exposure. Other apps are internet only. And some of the internet apps actually interact with data, that it is designed for, on your desktops.

The Homeland Security Announcement is an interesting one to say the least. It does NOT say that/where the exploits have occurred or from whence it comes, just that it has been found. I don't remember a government anti-terrorist organization taking a public stance before now. So, this raises some personal questions on what the exploit most affects.

But time marches on.

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engine or use DogPile
jpeps

Joined: 31 May 2008
Posts: 3220

Posted: Sat 19 Jan 2013, 17:16

gcmartin wrote:


The Homeland Security Announcement is an interesting one to say the least. It does NOT say that where the exploits have occurred or from whence it comes, just that it has been found. I don't remember a government anti-terrorist organization taking a public stance before now. So, this raises some personal questions on what the exploit most affects.

.

Rather, it raises questions regarding the purpose. In the past, exploiting public fear served the purpose of more big government restrictions and access...i.e, loss of personal freedom. Big government is very interested in controlling the internet.
Semme

Joined: 07 Aug 2011
Posts: 3582
Location: World_Hub

Posted: Sat 19 Jan 2013, 17:28

As I doubt many even run a Java plugin (visit JS enabled), this is merely info. No need to panic..
Quote:
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

"Java 7 fails to restrict access to privileged code"
jpeps

Joined: 31 May 2008
Posts: 3220

Posted: Sat 19 Jan 2013, 17:35

Semme wrote:
As I doubt many even run a Java plugin (visit JS enabled), this is merely info. No need to panic..


In fact it's not even available for a linux Firefox browser.
Q5sys


Joined: 11 Dec 2008
Posts: 1047

Posted: Sat 19 Jan 2013, 19:19

jpeps wrote:
The present security threat is related to enabled browser plugins, mostly with Internet Explorer. Regarding downloading malicious viruses that affects anything else, just how serious do you think that really is on your puppy linux computer?

There will never be a completely secure programming language that can't be exploited, so don't surf the web. Also, avoid beautiful women.


jpeps wrote:
Semme wrote:
As I doubt many even run a Java plugin (visit JS enabled), this is merely info. No need to panic..

In fact it's not even available for a linux Firefox browser.



Where are you getting your 'facts'? Are you just taking your opinions and calling them 'facts'? Because everything I've read online so far says nothing about it being for 'Internet Explorer' only. If you have access to information that the rest of the security community does not, PLEASE pass it along. I'd love to read it, as I'm sure, would many others.

This issue isn't just IE based, it can affect Mozilla Browsers as well. If you bothered to even read the page Semme listed, you'd see that the release that RedHat put out is vulnerable. [sarcasm] And we all know that Red Hat builds Internet Explorer releases. [/sarcasm]
The first example I saw was explained using sun.org.mozilla.javascript.internal.DefiningClassLoader
It still exists even after Oracle patched for CVE-2013-0422. I'm not going to waste time explaining an implementation of how this would work, because A) I don't think anyone cares, and B) if someone does care they can find examples online.

So since this can work in mozilla based browsers... isn't it relevant to us? After all, most of the browsers that puppy linux users use are mozilla based. (Firefox, Opera, SeaMonkey, etc) Some of those people might want to know.

But even if they didn't... I still don't see how your argument against this thread is valid. Just because the 'latest' threat may be Browser based does not invalidate having a single source for Java issues. You have stated that there are browser threads out there. Well why have browser threads? Because when people are wondering about their browser they go there. If your logic were applied to that thread, issues with browsers shouldn't have their own thread and only be in the separate threads for each puppy version. This is obviously nonsense, as having a single browser thread makes information easier to find.
The same goes for Java... just because this most recent exploit is browser based does not mean that Java shouldn't have its own thread. As I mentioned before, previous java exploits were not browser based. So they can't be discussed in the 'browser thread' because they have nothing to do with the browser. So should we have a separate thread for java threats that are not browser based? One thread for Java is simple and consolidated. It'll have java related information about all the exploits. People in the browser thread can link to this if they want, when something gets posted here. Or not, what people do in that thread is up to them.

jpeps wrote:
gcmartin wrote:


The Homeland Security Announcement is an interesting one to say the least. It does NOT say that where the exploits have occurred or from whence it comes, just that it has been found. I don't remember a government anti-terrorist organization taking a public stance before now. So, this raises some personal questions on what the exploit most affects.

Rather, it raises questions regarding the purpose. In the past, exploiting public fear served the purpose of more big government restrictions and access...i.e, loss of personal freedom. Big government is very interested in controlling the internet.

Well if we are going to put on our tinfoil hats... shouldn't you also consider the possibility of governments using existing known flaws to infiltrate computers and networks? Stuxnet and Flame are examples of State Sponsored exploitation. (doesn't matter what country you think is responsible) With the speed of the takedown of the 'Red October' network that's made news recently... some think it too was state sponsored.
I don't know if it was or wasn't, and I don't know enough to make a comment on that. But cyber criminals are not the only ones who are utilizing exploits for gain. Google got nailed when they were accessing wifi networks. Do you think google wasn't putting all that data into their database? And since Google has no problem supplying the gov with information, if you are anti-gov, you wouldn't want anyone to have your data.


To re-iterate. This thread (or at least the first post) was intended to be a single spot where people can quickly check the most recent java release which they may have running on their system. It was not intended to be a thread about the evils of Java or how Java will kill your first born (obvious sarcasm), or how Java is the greatest thing since sliced bread. Although people can use this thread to discuss any aspect of Java Security... the intention of this thread is not to be a Java-fan thread nor a Java-bashing thread. This thread (or at least the first post) was intended to be a Java-security-information thread.

_________________



My PC is for sale
jpeps

Joined: 31 May 2008
Posts: 3220

Posted: Sat 19 Jan 2013, 19:30

Q5sys wrote:
jpeps wrote:

In fact it's not even available for a linux Firefox browser.



Where are you getting your 'facts'? Are you just taking your opinions and calling them 'facts' so that you seem knowledgeable?

Why not attempt to install the plugin at the quoted link and find out for yourself? Older plugins don't install either. None of this is recent news, anyway. Mozilla has been blocking access since August of last year. All this has already been hashed out in other threads. How many times do we need to go through the same thing?
Q5sys


Joined: 11 Dec 2008
Posts: 1047

Posted: Sat 19 Jan 2013, 19:36

jpeps wrote:
Q5sys wrote:
jpeps wrote:

In fact it's not even available for a linux Firefox browser.



Where are you getting your 'facts'? Are you just taking your opinions and calling them 'facts' so that you seem knowledgeable?

Why not attempt to install the plugin at the quoted link and find out for yourself? Older plugins don't install either. None of this is recent news, anyway. Mozilla has been blocking access since August of last year. All this has already been hashed out in other threads. How many times do we need to go through the same thing?


So your proof is that a single plugin won't install in mozilla? That's it? One single case that it doesn't work and you assume it's a fact that every other possibility won't work either? Facts aren't proved by single examples. They must be rigorously tested and verified.

Mozilla blocking whatever since last August hasn't done much for the exploits that were linux vulnerable in the entire Java 7u series. Mozilla may have put something in place last August, but it didn't help all the exploits that Oracle had to deal with in November and December last year that FireFox didn't stop.

_________________



My PC is for sale
gcmartin

Joined: 14 Oct 2005
Posts: 4117
Location: Earth

Posted: Sat 19 Jan 2013, 19:44

Question
I think I remember seeing or hearing a Linux discussion that references "safe JAVA releases". If this is true, should this thread make reference to those, as well?

Here to help

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engine or use DogPile
jpeps

Joined: 31 May 2008
Posts: 3220

Posted: Sat 19 Jan 2013, 19:48

Q5sys wrote:

So your proof is that a single plugin won't install in mozilla? That's it? One single case that it doesn't work and you assume it's a fact that every other possibility won't work either? Facts aren't proved by single examples. They must be rigorously tested and verified.


You have a linux browser with a vulnerable java plugin? I have one on my windows computer with a big "disable" button next to it. But yes...if it's not available, I'm assuming it isn't available.
Q5sys


Joined: 11 Dec 2008
Posts: 1047

Posted: Sat 19 Jan 2013, 19:52

gcmartin wrote:
Question
I think I remember seeing or hearing a Linux discussion that references "safe JAVA releases". If this is true, should this thread make reference to those, as well?

Here to help


If you can find the information, I'll gladly add it to the first post. I know there are some who advocate still running java v6, but that's not necessarily the best choice for people, because since it's an older version, it's limited in some functionality that people (and some programs) expect; and on top of that... it's unknown if some new exploits work against it.

_________________



My PC is for sale
jpeps

Joined: 31 May 2008
Posts: 3220

Posted: Sat 19 Jan 2013, 19:54

Q5sys wrote:
... and on top of that... it's unknown if some new exploits work against it.


No it isn't. There are no computer languages that can't be exploited. Bash can be exploited.

Quote:

I know there are some who advocate still running java v6, but that's not necessarily the best choice for people...


Java is running on a few billion devices. Now that you've informed us, I'm sure everyone will proceed to delete it. Thanks for sharing.

Last edited by jpeps on Sat 19 Jan 2013, 20:00; edited 2 times in total