Comment 1 Stefan Behte (RETIRED) 2008-11-07 21:44:48 UTC

POC: http://downloads.securityfocus.com/vulnerabilities/exploits/31916.java
Java, I know that we have java Webstart in sun-jdk and sun-jre, can someone help us and test the POC, I've really no idea how to do it, and it would not be time efficent to research this right now.

Comment 2 Stefan Behte (RETIRED) 2008-11-15 22:12:16 UTC

java: ping!

Comment 3 Petteri Räty (RETIRED) 2008-11-15 23:46:34 UTC

(In reply to comment #2)
> java: ping!
> 

Well testing that requires to learn how to write java web start stuff and create the necessary stuff so it's not something that is done in a couple of minutes and probably not something that would inspire people that much. I just tried if I could do it quickly but seems like it requires more work.

Comment 4 Petteri Räty (RETIRED) 2008-11-15 23:47:45 UTC

Any way I suggest we don't look into as we are stabling new versions any way.

Comment 5 Stefan Behte (RETIRED) 2008-11-16 11:46:18 UTC

I just wanted feedback, according to our vulnerability policy our timeline for A2 is 5 days and the bug was opened 8 days ago.
If we stable newer versions anyways, we don't have a problem here.
Thanks!

Comment 6 Petteri Räty (RETIRED) 2008-11-26 16:31:22 UTC

(In reply to comment #5)
> I just wanted feedback, according to our vulnerability policy our timeline for
> A2 is 5 days and the bug was opened 8 days ago.
> If we stable newer versions anyways, we don't have a problem here.
> Thanks!
> 

The new stable version went stable some days ago.

Comment 7 Petteri Räty (RETIRED) 2008-11-26 16:32:16 UTC

(In reply to comment #6)
> 
> The new stable version went stable some days ago.
> 

One thing to note is that 1.6.0.10 should have the same security baseline as 07.

Comment 8 Robert Buchholz (RETIRED) 2008-11-26 16:39:34 UTC

There doesn't seem to be an upstream statement to this issue, as there is for most of the web start issues. I think we ignore those issues that are not picked up by regular ustream releases...

Comment 9 Petteri Räty (RETIRED) 2008-12-06 13:47:35 UTC

(In reply to comment #8)
> There doesn't seem to be an upstream statement to this issue, as there is for
> most of the web start issues. I think we ignore those issues that are not
> picked up by regular ustream releases...
> 

There's bug 250012 now so might consider adding this to that one.

Comment 10 Matti Bickel (RETIRED) 2008-12-06 19:31:09 UTC

I guess this is issue (11) in the list mentioned on bug 250012, so i'd call it a dupe. I'm not totally sure about them being exactly the same, though.

Comment 11 Vlastimil Babka (Caster) (RETIRED) 2009-01-06 07:37:11 UTC

(In reply to comment #10)
> I guess this is issue (11) in the list mentioned on bug 250012, so i'd call it
> a dupe. I'm not totally sure about them being exactly the same, though.

Yeah both say it's opening local files in browser via file:// URL's. Whether the browser has associated application to open the file doesn't matter. Duping.



*** This bug has been marked as a duplicate of bug 250012 ***