Re: gcj and etch freeze
On Sat, Aug 19, 2006 at 01:16:54PM +0200, Jeroen van Wolffelaar wrote:
>
> #267040: remote code execution hole due to lack of Java security manager
>
> This is 'fixed' by:
> - Shows warning before loading an applet (Closes: #267040, #301134)
Not a big deal, #383704 brought my browser down before it was exposed to a
security risk, so I didn't even see the warning =)
> Which, IMHO, doesn't make this usable except in fully trusted
> environments where the browser is exclusively used to browse a fully
> trusted intranet where nobody can change web content that doens't
> already have root on your machine.
>
> Which is, basicly nowhere (IMHO, and barring myself misunderstanding
> something).
>
> The warning is talked about here:
> http://langel.wordpress.com/2006/06/05/gcjwebplugin-is-actually-worth-using/
> (thanks Michael Koch for the link)
>
> I personally do not think we should offer this option to users, because
> users tend to trust sites easily (and they are too often asked about
> 'trusting' too, w.r.t. https websites, for example), even though the
> wording used is strong, and the consequence is arbitrary remote code
> execution.
>
> Anyway, I will followup to the bug in question for discussion about this
> issue.
Completely agreed. I even have doubts it's suitable for experimental. Without
minimal privilege separation not even the roughest bleeding-edge users will dare
to try it, so it's basicaly of no use there.
Anyway, it's good to know there's ongoing work on this area..
--
Robert Millan
My spam trap is honeypot@aybabtu.com. Note: this address is only intended for
spam harvesters. Writing to it will get you added to my black list.
Reply to: