On Fri, May 02, 2003 at 02:13:08PM -0500, Drew Scott Daniels wrote:
> http://www.securityfocus.com/bid/7109 says Sun's JRE and Java SDKs versions
> less than 1.4.1_02 are vulnerable as well as IBM's JDK.
>
> The BID seems to indicate the vulnerability is in java.util.zip
>
> I'm not sure which versions of Java JRE's and SDKs are in Debian, but it
> seems to me that in Contrib there's an IBM JDK installer that might install
> an affected version.
>

Well, that's an easy question, and also documented [1]. The JDKs available in Debian are Sun's JDK 1.1 (is it vulnerable?) and Kaffe (ditto) (notice that IBM-JDK was an installer-only package in 'stable'). The newer JDKs/JRE are _not_ available (they are at Blackdown).

In any case, this is also non-free software (i.e. unsupported). You might want to mention it to the security team, but it will go to the end of the "to fix" queue.

Regards

Javi

[1] http://www.debian.org/doc/manuals/debian-java-faq/ Some info is not fully up to date so don't trust it fully.