JRE / JDK Security Thread

For discussions about security.
Message
Author
User avatar
Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#21 Post by Q5sys »

James C wrote:http://arstechnica.com/security/2013/01 ... t-version/
Java 6, which Oracle is still supporting for the time being, hasn't been vulnerable to most of the recent exploits, although security experts remain mixed on whether it is a more secure alternative to Java 7. Gowdiak said one of the vulnerabilities Security Explorations discovered this week works on both versions while the other works only on Java 7.
Added section about Legacy 6u38 release in first post. It appears the bug that didnt get patched is the one that only affects v7.

User avatar
8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#22 Post by 8-bit »

From what I have read so far on the net, javascript is not prone to the security risks that java 7 is.
Also installing an earlier version of java is not the answer as they also had security problems.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#23 Post by jpeps »

8-bit wrote:From what I have read so far on the net, javascript is not prone to the security risks that java 7 is.
Also installing an earlier version of java is not the answer as they also had security problems.
When was the last time you needed a java plugin?

User avatar
8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#24 Post by 8-bit »

In the versions of Puppy I run with Seamonkey as the browser, I have looked and I can find JavaScript, but not Java.
So, does that mean that to have Java (full), one needs to install it?
I run Seamonkey and have never missed not having Java as JavaScript seems to handle most everything.

If I am wrong, please correct me.

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#25 Post by jpeps »

8-bit wrote:In the versions of Puppy I run with Seamonkey as the browser, I have looked and I can find JavaScript, but not Java.
So, does that mean that to have Java (full), one needs to install it?
I run Seamonkey and have never missed not having Java as JavaScript seems to handle most everything.

If I am wrong, please correct me.
I thought you asked that in another thread; they're two different things with similar names. Web developers generally stopped using Java years ago. It's being used for other purposes. Javascript is an interpreted language coded into the web page; Java is a compiled language that runs applets on computers that have the JRE installed. Many developers switched to Flash (since the user doesn't have to have any preloaded software). I don't know if anyone has a linux browser that loads a java plugin; Firefox certainly doesn't and mozilla blocks java. * I just tested a chrome browser...plugins are only available for windows and mac.


Yes, you'd have to install it. I installed updated binaries as an SFS. Why? Because I can run very complex accounting software, etc., statically....everything works everywhere. Java used to be slow, but both computers and the JRE have improved, so that's no longer an issue. I expect that process to continue. Security? Well, if you get computer viruses that can run your java software, that wouldn't be very good. Systems like puppy are the most ideal, because getting viruses are rare (never heard of it) in addition to offering plenty of protections. So you can have the best of both worlds.

User avatar
Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#26 Post by Q5sys »

Updated

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#27 Post by jpeps »

Q5sys wrote:Updated
I'm guessing that it's extremely unlikely that Oracle could prevent all exploits without completely rewriting the entire language from scratch....and perhaps not even then.

Notice how numerous exploits in Chrome were produced by teenagers when a cash reward was offered.

Personally, I'll continue to use Java for apps without any Java browser plugins (if any are available to begin with).

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#28 Post by amigo »

javascript is completely unrelated to java -it's just an unfortunate mistake in naming...

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#29 Post by jpeps »

amigo wrote:javascript is completely unrelated to java -it's just an unfortunate mistake in naming...
Nobody was talking about javascript...we're updating the jre

User avatar
Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#30 Post by Semme »

Does the symlink exist- yes or no? Maybe check Shinobars`instructions..
Makoto wrote:I only install TheAsterisk!'s SFS versions of the JRE - no idea whether or not it creates that symlink. Wouldn't it have a bearing on the Mozilla Plugin Check page, too, though? You'd think that if the Mozilla page can find it, the Java page would...
This with the Asterisk!s`jre-1.7u13-i586.sfs loaded. NO problem..
Attachments
verify-your-settings.jpg
(10.98 KiB) Downloaded 191 times

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#31 Post by amigo »

@jpeps, someone said: "I can find JavaScript, but not Java." I was just responding to that. You seem a bit touchy with me, lately...

User avatar
Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#32 Post by Makoto »

Semme: Not entirely sure why you moved this; my 'issue' isn't really security-related.
Semme wrote:Does the symlink exist- yes or no? Maybe check Shinobars`instructions..
See my post in the original thread here. (I posted while you were moving the discussion, apparently.)
Semme wrote:This with the Asterisk!s`jre-1.7u13-i586.sfs loaded. NO problem..
That page still doesn't work for me, but this page does:
http://www.java.com/en/download/testjava.jsp

As far as I can tell, I have all of the necessary symlinks (TheAsterisk!'s package actually appears to create them for ALL possible Mozilla browsers, including the Ice series), and I even briefly changed the Java console to show, rather than hide (as the Java website advises). Same results as above.

(Edit: Okay, that's weird. I just checked http://www.java.com/en/download/install ... detect=jre again, after posting this, and NOW, it's working. :shock: )
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).

User avatar
Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#33 Post by Semme »

Nooo.. but it's not about Flash either. At any rate- good to hear you finally got it.

User avatar
Makoto
Posts: 1665
Joined: Fri 04 Sep 2009, 01:30
Location: Out wandering... maybe.

#34 Post by Makoto »

I'm surprised it only decided to start working because I posted about it. :mrgreen:
[ Puppy 4.3.1 JP, Frugal install ] * [ XenialPup 7.5, Frugal install ] * [XenialPup 64 7.5, Frugal install] * [ 4GB RAM | 512MB swap ]
In memory of our beloved American Eskimo puppy (1995-2010) and black Lab puppy (1997-2011).

User avatar
Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#35 Post by Q5sys »

OP Updated.
Java released a patch for 7u13 release, which is numbered 7u15
http://www.oracle.com/technetwork/topic ... PatchTable

No 6uX release, as it has reached End of Life.

Hogweed
Posts: 96
Joined: Sat 12 Feb 2011, 19:37

#36 Post by Hogweed »

The mystery of why Java plugin sometimes works in Seamonkey and sometimes doesn't https://bugzilla.mozilla.org/show_bug.cgi?id=754622
Bug 754622 -
Summary: [linux] Oracle/Sun Java jre1.7.0_04 and later does not work in SeaMonkey
Common on Linux,. Importance P5 Major but nobody seems to be able to fix the damn thing and they have been at it for months. Works fine on Firefox with latest Java 7 Update 15 but now will not work for me under Seamonkey again. When it did last week. Yes plugin is in the right place but it is marked as "Invalid" in pluginreg.dat. The suggested workarounds in the Seamonkey open bug report (including disabling the blocklist) don't help in my case either.

Seamonkey just marks the plugin as invalid then you are stuffed.

Code: Select all

[INVALID]
/usr/java/jre1.7.0_15/lib/i386/libnpjp2.so:$
1360964494000:$
Doubtless it will work for some (as it did for me with 13) but not for others.

In Firefox 19 the exact same plugin works and is marked

Code: Select all

[PLUGINS]
libnpjp2.so:$
/usr/java/jre1.7.0_15/lib/i386/libnpjp2.so:$
:$
1360964494000:0:5:$
<a href="http://java.sun.com">Java</a> plug-in for NPAPI-based browsers.:$
Java(TM) Plug-in 1.7.0_15:$
...
...

Hogweed
Posts: 96
Joined: Sat 12 Feb 2011, 19:37

#37 Post by Hogweed »

Gets stranger. Just installed 5.4.93 Precise beta - Installed Java on it and this time it works with the pre-installed Seamonkey 2.15.2.

User avatar
Q5sys
Posts: 1105
Joined: Thu 11 Dec 2008, 19:49
Contact:

#38 Post by Q5sys »


Post Reply