seduction
 Language:
Welcome, Guest. Please login or register.
Did you miss your activation email?
2019/12/09, 03:25:59


Help

Author [EN] [PL] [ES] [PT] [IT] [DE] [FR] [NL] [TR] [SR] [AR] [RU] Topic: java security hole  (Read 7843 times)

0 Members and 1 Guest are viewing this topic.

Offline michaa7

  • User
  • Posts: 2.126
java security hole
« on: 2012/08/27, 13:14:24 »
In short:
There was found a java security hole with existing exploits. It is strongly recommended to *deactivate* the java plugin (ice-tea).  

German IT magazine:
http://www.heise.de/newsticker/meldung/Warnung-vor-kritischer-Java-Luecke-1675454.html

english edition:
http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219.html
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

Offline ralul

  • User
  • Posts: 1.809
java security hole
« Reply #1 on: 2012/08/27, 17:19:13 »
Gibt es eigentlich www-Seiten, die Java benutzen?
Ich habe das Java plugin schon Jahre disabled und nichts gemerkt ...

PS, merke: Java und Javascript sind sehr verschiedenen Dinge!
experiencing siduction runs better than my gentoo makes me know I know nothing

Offline musca

  • Global Moderator
  • User
  • *****
  • Posts: 725
  • sid, fly high!
java security hole
« Reply #2 on: 2012/08/27, 23:49:35 »
Im eGovernmentbereich gibt es einige Javalösungen. Der Grund dürfte die Plattformunabhängigkeit sein. Die verwendeten Applets ermöglichen z.B. die EID mit dem nPA oder die qualifizierte elektronische Signatur nach dem Signaturgesetz mit einer Signaturkarte und einem SmartCard-Reader der Klasse 3.

http://www.ebuergersafe.de  (Online-Speicherplatz mit dem NPA nutzen)
https://www.seccommerce.de/de/products/secsigner/secsigner-online
http://www.zks-abfall.de  (elektronisches AbfallNachweisVerfahren)
http://www.egvp.de  (Elektronischen Gerichts- und Verwaltungspostfach)

ebuergersafe und SecSigner sind privat nutzbar.
Das eANV der ZKS-Abfall ist für Firmen gesetzlich vorgeschrieben.
Das EGVP ist wohl eher etwas für Anwälte und Notare.

Im krassen Gegensatz dazu gibt es bei elsterformular.de nur eine schnöde EXE-Datei zum Herunterladen.

ralul,
was gefällt Dir nun besser: Java-Applets oder EXE-Dateien?
Und Ja, ich deaktiviere mein Java-Plugin nach jeder Benutzung.

greetings
musca
„Es irrt der Mensch, solang er strebt.“  (Goethe, Faust)

Offline ralul

  • User
  • Posts: 1.809
java security hole
« Reply #3 on: 2012/08/28, 02:15:49 »
Ja Java natürlich. Und wenn ich das brauche auf einer Bundesbehördenseite, schalte ich das Plugin sofort wieder ein, auch wenn es Sicherheitslöcher gibt.
Ich werde es bestimmt auslassen auf der Seite
www.gibmirdeinmoney.tuvalu.tv

Musca, danke für das Aufzeigen der Anwendungsfälle!
experiencing siduction runs better than my gentoo makes me know I know nothing

Offline cryptosteve

  • User
  • Posts: 675
java security hole
« Reply #4 on: 2012/08/28, 06:47:08 »
Der Elster-Zertifikatskram braucht imho auch Java. Ist bei mir schon zwei Jahre her, dass ich mein Zertifikat angefordert habe, aber damals hat's gefühlt dreimal so lange gedauert, mit Linux ein gültiges Zertifikat zu bekommen, wie die ganze Steuererklärung auszufüllen und abzusenden.

Ich mag Java nicht!
- born to create drama -
CS Virtual Travel Bug: VF6G5D

Offline michaa7

  • User
  • Posts: 2.126
java security hole
« Reply #5 on: 2012/08/31, 23:53:48 »
Anyone knows whether this secutity hole affects OpenJDK as well?
Ok, you can't code, but you still might be able to write a bug report for Debian's sake

Offline GoinEasy9

  • User
  • Posts: 461
RE: java security hole
« Reply #6 on: 2012/09/01, 04:48:03 »
From what I've read it does affect OpenJDK.  I also read that the fix has been made, and, will be available soon.
Linux Counter number 348347


Offline spacepenguin

  • User
  • Posts: 863
    • spacepenguin.de
RE: java security hole
« Reply #8 on: 2012/09/01, 14:44:22 »
And in Sun Java 6 this security hole will persist?

I'm asking because for the Elsteronline website (not only for generating certificates but also for accessing your account) you need Sun Java 6 when you use Linux. They are so stubborn... they refuse to let linux users use OpenJDK because "it has errors" and refuse to let them use Orace Java 7 too, instead force users to deal with an outdated buggy Sun version (apart from forcing the user to use firefox as only possible browser whereas Windows users are allowed to also use Chrome).
Susan | Hardware: SysProfile
Music-Profile: http://www.last.fm/de/user/spacepengu

Offline yossarian

  • User
  • Posts: 7
RE: java security hole
« Reply #9 on: 2012/09/01, 15:14:33 »
Quote
Some may consider downgrading to Java 6 to avoid the problem but this is unwise for a number of reasons. Firstly, although the vulnerability has been exposed on Java 7, there is always a possibility that a malicious developer will work out how to make use of it on Java 6. Secondly, Java 6 already has numerous security holes which have been closed in Java 7, so switching to it would merely expose users to a range of better known vulnerabilities.

http://www.h-online.com/open/news/item/Java-0Day-Turn-off-Java-applets-now-1678618.html

OpenJDK:
Quote
This 2.3.1 release includes a fix for the zero-day issue that arose this week:

* RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks
removed in 6788531.

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html

Offline spacepenguin

  • User
  • Posts: 863
    • spacepenguin.de
RE: java security hole
« Reply #10 on: 2012/09/01, 19:18:02 »
Thanks yossarian, so it seems Sun Java 6 is at least not affected by *this* security hole...
Susan | Hardware: SysProfile
Music-Profile: http://www.last.fm/de/user/spacepengu

Offline DeepDayze

  • User
  • Posts: 410
Re: RE: java security hole
« Reply #11 on: 2012/09/01, 21:23:37 »
Quote from: "spacepenguin"
Thanks yossarian, so it seems Sun Java 6 is at least not affected by *this* security hole...


You are right, but Java SE 6 has a lot of holes not yet discovered or exploited *yet* and Oracle is no longer updating that version so everyone should move to Java SE 7

Offline GoinEasy9

  • User
  • Posts: 461
RE: Re: RE: java security hole
« Reply #12 on: 2012/09/02, 02:28:45 »
Well, it's nice to see they've created new holes, plugging old ones.  It keeps the black hats busy.  Seriously, if I had a misson critical server, I'd be concerned, but, as a user, I don't think my home box is going to be exploited.  Besides, once these exploits are made public, they're patched quickly.  I think Oracle is sort of the exception.  Although, if it's public, and it'll cost them client service problems, or just cost them, they get off of their asses and fix the problem fast.
Linux Counter number 348347

Offline spacepenguin

  • User
  • Posts: 863
    • spacepenguin.de
Re: RE: java security hole
« Reply #13 on: 2012/09/02, 03:45:16 »
Quote from: "DeepDayze"

You are right, but Java SE 6 has a lot of holes not yet discovered or exploited *yet* and Oracle is no longer updating that version so everyone should move to Java SE 7


I'm not happy with that either but need to have it installed for that mentioned website. I also have OpenJDK installed.
Susan | Hardware: SysProfile
Music-Profile: http://www.last.fm/de/user/spacepengu

Offline DeepDayze

  • User
  • Posts: 410
Re: RE: java security hole
« Reply #14 on: 2012/09/02, 04:10:05 »
Quote from: "spacepenguin"
Quote from: "DeepDayze"

You are right, but Java SE 6 has a lot of holes not yet discovered or exploited *yet* and Oracle is no longer updating that version so everyone should move to Java SE 7


I'm not happy with that either but need to have it installed for that mentioned website. I also have OpenJDK installed.


If you still need Java 6 then maybe you should inform the site's admin of the need to upgrade Java