gcjwebplugin runs untrusted code without sandbox



gcjwebplugin is a Java plugin for web browsers.  It does not include the
security manager which is a crucial part of the "sandboxing" of Java
applets.  The maintainers have "fixed" this bug (#267040) merely by
adding a warning prompt before running applets, which is well known to
be an insufficient means of protecting users from malware.  Please do
not include it in lenny.  (Unfortunately it is built from the classpath
source package, so that will have to be modified to remove it.)

Ben.

-- 
Ben Hutchings
Design a system any fool can use, and only a fool will want to use it.
