http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1 Sounds like end of support (at least partly) for 1.4.x, if Sun doesn't provide a fixed plugin. So webstart and the browser plugin need to be removed from all ebuilds <1.5.0.07.
Phasing out < 1.5.0.07 entirely isn't really feasible at this time. There are still packages which don't compile except against 1.4, for example. What we could do, instead, is not install the nsplugin and java webstart perhaps.
Not sure if I understand it right, but I think it says that java plugins in VMs prior to 1.5.0.6 allow the applet to run with a different JRE than the JRE which comes with the plugin. And that different JRE may be old and insecure, but it doesn't say that (or how) it really is. It also suggests this happens only on windows, because the linux workaround is to "remove all symbolic links of earlier versions of Java Plug-in from the browser 'plugins' directory". But we have always only one symlink in the plugins directory (through eselect java-nsplugin).
(In reply to comment #1)
> What we could do, instead, is not install the nsplugin and java webstart
> perhaps.

That's what I proposed. :) Caster: The user can choose to use any 1.x jre, and respectively its plugin. While this is by itself not an issue, I do not know if Sun still does security fixes for 1.3.x. Also `eselect java-nsplugin` does only work for testing ebuilds, not for the stable ones.
> It also suggests this happens
> only on windows, because the linux workaround is to "remove all symbolic links
> of earlier versions of Java Plug-in from the browser "plugins" directory.". But
> we have always only one symlink in plugins directory (throught eselect
> java-nsplugin).

So I understand that it is not really a security issue since our users are not affected by any known vulnerability. At worst, it sounds like a configuration issue. Correct me if you disagree.
Security, any comments on this one?
I can't really comment on this, since I avoid Java like the plague. I know a lot of effort has been put into Java lately to deal with stuff that only compiles against older versions, so it's clear that removal is probably too big a task. Original post and comment #1 seem okay to me, though, and I didn't see anybody have a counter-argument to that. Regarding Falco (#4) I'd try to stay on the safer side, though.
Currently we have only >=1.4.2.12 and >=1.5.0.8 of Sun's JDK/JRE. 1.4.2.13 was released recently, which means they still support 1.4. Not sure if they fixed this problem there, but as I said in comment 2, I think this is not an issue for us, since we don't install multiple symlinks into the browser plugin directory.
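The "only one symlink in the plugins directory" argument above is easy to verify on a system. The following script is an added example, not from the bug thread or from eselect: it lists the Java Plug-in symlinks in a browser plugins directory and warns when they resolve to more than one JRE, which is the condition the advisory's workaround tells users to clean up. The `libjavaplugin*.so` file name pattern and the directory layout are assumptions based on typical installs.

```shell
#!/bin/sh
# Added example: detect multiple JREs linked from a browser plugins directory.
# Assumes plugin symlinks are named libjavaplugin*.so (typical for Sun's JRE).

# Print the resolved target of each Java plugin symlink found in directory $1.
java_plugin_targets() {
    dir="$1"
    for link in "$dir"/libjavaplugin*.so; do
        # Only symlinks count; also skips the literal glob when nothing matches.
        [ -L "$link" ] || continue
        readlink -f "$link"
    done
}

# Count the distinct JRE plugin libraries reachable through those symlinks.
count_java_plugin_jres() {
    java_plugin_targets "$1" | sort -u | awk 'END { print NR }'
}

# Return 0 when at most one JRE is linked in, 1 when several are (the state
# the advisory's workaround says to fix by removing the older links).
check_plugins_dir() {
    n=$(count_java_plugin_jres "$1")
    if [ "$n" -gt 1 ]; then
        echo "WARNING: $n different Java plugin libraries linked from $1:" >&2
        java_plugin_targets "$1" | sort -u >&2
        return 1
    fi
    echo "OK: $n Java plugin symlink target(s) in $1"
    return 0
}
```

Run it as `check_plugins_dir /usr/lib/nsbrowser/plugins` (or whatever directory the browser scans); a non-zero exit means older plugin links are still present alongside the current one.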
This bug is obsolete, right?
(In reply to comment #10)
> This bug is obsolete, right?

Probably. I trust Caster when he says we are not affected.