
Re: [tdf-discuss] LibreOffice and Java Security: OpenJDK Vulnerability


I can confirm that that is what's already happening in Firefox; it seems like
Safari and Mac OS X will pop up an error asking if you want to update, block,
or update later in terms of the Java version.


On Fri, Jan 18, 2013 at 8:15 PM, Dennis E. Hamilton <dennis.hamilton@acm.org> wrote:

<http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089440.html>


It appears that the particular reflection feature in Java 7 is the
security-exploit gift that just keeps on giving.  The answer is still to
disable Java plug-ins in browsers and have Java installed only if you
depend on it for something (certain LibreOffice extensions, Base, other
Java-based applications, etc.).

-----Original Message-----
From: Dennis E. Hamilton [mailto:dennis.hamilton@acm.org]
Sent: Wednesday, January 16, 2013 09:10
To: 'Simon Phipps'
Cc: 'lj'; 'Libreoffice Discussion List'
Subject: RE: [tdf-discuss] LibreOffice and Java Security: OpenJDK
Vulnerability

Simon has just provided a superb account of the Java security problem in
an InfoWorld blog post today:
<http://www.infoworld.com/t/java-programming/why-fixing-the-java-flaw-will-take-so-long-210946>.

I find this more-technical analysis to be plausible as well, and Simon's
report provides context that makes it a bit more understandable:
<http://lists.grok.org.uk/pipermail/full-disclosure/2013-January/089375.html>.

[ ... ]

For users of openoffice-lineage software, I am not sure what the concern
should be.  Disabling Java browser plugins seems prudent.  It may be
inevitable that web sites will cease depending on users employing such
plugins with the famed Java Applet disappearing into history.

[ ... ]

-----Original Message-----
From: Simon Phipps [mailto:simon@webmink.com]
Sent: Tuesday, January 15, 2013 19:29
To: Dennis Hamilton
Cc: lj; Libreoffice Discussion List
Subject: Re: [tdf-discuss] LibreOffice and Java Security: OpenJDK
Vulnerability

I'm investigating, but the issue is a sandbox security manager bypass using
unauthorised reflection and that's exploited using Rhino Javascript. So the
context has to be a browser for there to be an issue even if OpenJDK is
affected. See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0422 for
lots of data...

S.


[ ... ]


--
Unsubscribe instructions: E-mail to discuss+help@documentfoundation.org
Problems?
http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.documentfoundation.org/www/discuss/
All messages sent to this list will be publicly archived and cannot be
deleted




-- 
Jonathan Aquilina
