
Re: Java plugin vulnerability?



On Wed, 2004-12-01 at 14:59 -0600, Lee Whatley, Contractor wrote:
> Hello all,
> 
> Does anyone know if the java browser plugin that is included in the RHEL 
> 3 extras channel is vulnerable to this:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029
> 
> The advisory only mentions SUN java and I seem to recall that the RHEL 
> package is based on IBM java, but I don't know if they are based off of 
> the same code or what.

Lee,

Have you tried downloading J2SE 1.4.2_06 RE or SDK from Sun? There's
an .rpm.bin file for Linux which, when made executable and run by root,
should yield the RPM you're looking for. RHEL3's 1.4.2_05 distribution
should be the same extracted RPM that you would have gotten downloading
directly from Sun, except that RH probably added the post-install
instructions to create the necessary library link to the Mozilla plug-
ins directory.

If you choose to download directly from Sun (about 2 million folks have
since the security vulnerability in 1.4.2_05 was announced), follow these
simple steps:

Download latest J2SE RE or SDK from http://java.sun.com/j2se/1.4.2/download.html

1.  $ chmod +x j2re-1_4_2_06-linux-i586-rpm.bin
 or $ chmod +x j2sdk-1_4_2_06-linux-i586-rpm.bin

2.  $ ./j2re-1_4_2_06-linux-i586-rpm.bin
 or $ ./j2sdk-1_4_2_06-linux-i586-rpm.bin

3.  $ su -
    Password: ********

4.  # rpm -e j2sdk-1_4_2_05-fcs   <-- required because of the -fcs suffix

5.  # rpm -ivh /path_to/j2re-1_4_2_06-linux.i586.rpm
 or # rpm -ivh /path_to/j2sdk-1_4_2_06-linux.i586.rpm

6.  # cd /usr/lib/mozilla/plugins

7.  # rm -f libjavaplugin_oji.so

8.  # ln -s /usr/java/j2re1.4.2_06/plugin/i386/ns610-gcc32/libjavaplugin_oji.so
 or # ln -s /usr/java/j2sdk1.4.2_06/plugin/i386/ns610-gcc32/libjavaplugin_oji.so

9.  # ls -l
    total NNNN
    ...
    lrwxrwxrwx    1 root     root           67 Dec  1 20:06 libjavaplugin_oji.so -> /usr/java/j2re1.4.2_06/plugin/i386/ns610-gcc32/libjavaplugin_oji.so
 or lrwxrwxrwx    1 root     root           68 Dec  1 20:06 libjavaplugin_oji.so -> /usr/java/j2sdk1.4.2_06/plugin/i386/ns610-gcc32/libjavaplugin_oji.so
    ...

That's it.

-- Doc
Robert G. (Doc) Savage, BSE(EE), CISSP, RHCE | Fairview Heights, IL
RHEL3/ESu3 on Tyan S2468UGN w/3G, dual Athlon MP 2800+, 1.1T RAID5
"Perfection is the enemy of good enough."
                         -- Admiral of the Fleet Sergei G. Gorshkov
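
A post-install check for the procedure in the message above, as an added example that is not part of the original post: it confirms that the plugin link in the Mozilla plugins directory resolves to a 1.4.2 update at or above a chosen level instead of a leftover 1.4.2_05 tree. The function name, its return codes, and the parsing of the update number from the `j2re1.4.2_NN` / `j2sdk1.4.2_NN` path component are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# check_java_plugin PLUGIN_DIR MIN_UPDATE
#   0 = link resolves to a 1.4.2 tree with update >= MIN_UPDATE
#   1 = link resolves to an older update (for instance 1.4.2_05)
#   2 = link is missing, is a plain file, or is dangling
#   3 = target path carries no recognisable 1.4.2_NN component
check_java_plugin() {
    dir=$1
    min=$2
    link="$dir/libjavaplugin_oji.so"

    # A copied file hides which JRE it came from, so insist on a symlink.
    [ -L "$link" ] || return 2
    # -e follows the link: fails if the target JRE was removed (rpm -e).
    [ -e "$link" ] || return 2

    target=$(readlink "$link") || return 2

    # Pull NN out of .../j2re1.4.2_NN/... or .../j2sdk1.4.2_NN/...
    update=$(printf '%s\n' "$target" |
        sed -n 's#.*/j2[a-z]*1\.4\.2_\([0-9][0-9]*\)/.*#\1#p')
    [ -n "$update" ] || return 3

    # Drop leading zeros so "06" compares as the number 6.
    update=$(printf '%s' "$update" | sed 's/^0*//')
    update=${update:-0}

    [ "$update" -ge "$min" ] || return 1
    return 0
}

# Stand-alone use: sh check.sh /usr/lib/mozilla/plugins 6
if [ "$#" -ge 1 ]; then
    rc=0
    check_java_plugin "$1" "${2:-6}" || rc=$?
    echo "libjavaplugin_oji.so in $1: status $rc"
fi
```

Status 1 or 2 after an upgrade means the browser is still loading, or failing to load, the plugin from the old tree, and steps 6 to 8 need repeating.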

