
Re: Java plugin vulnerability?



Robert G. (Doc) Savage wrote:
On Wed, 2004-12-01 at 14:59 -0600, Lee Whatley, Contractor wrote:

Hello all,

Does anyone know if the java browser plugin that is included in the RHEL 3 extras channel is vulnerable to this:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029


The advisory only mentions SUN java and I seem to recall that the RHEL package is based on IBM java, but I don't know if they are based off of the same code or what.

It is vulnerable. The German IT magazine 'ct' has a vulnerability test on its web site, which can be called up with any browser and tells you whether your java has this particular vulnerability or not.


I am afraid it is in German.
http://www.heise.de/security/dienste/browsercheck/tests/java.shtml
For the test, you need to click on the link 'hier' which is in the 4th paragraph below the rotating cube applet.
If you are not vulnerable there are the words 'sieht gut aus' at the beginning of the popup. If you are vulnerable (I have to tell this from memory, as I am no longer) the text starts with 'Sie sind verwundbar'.


I tried, and RHEL with IBM java was shown as vulnerable.

I used the Sun java update (as described in the other reply) and removed the vulnerability.
I went manually to /etc/alternatives and replaced the symbolic links which went to IBM java in a way that they now point to the Sun java installation.


This way, I could leave the links in the various browsers' plugin directories (which go to /etc/alternatives) unchanged.
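
A check for the relinking described in the message above, added here as an example and not part of the original post: it follows each symlink in a directory to its final target and reports the ones that still end up inside a given JVM install tree. The function names and every path passed to them are assumptions; the post does not give the install locations.

```shell
#!/bin/sh
# Audit a symlink chain: browser plugin dir -> alternatives dir -> JVM install.
# Added example. All directories are supplied by the caller (assumptions);
# the post does not name the IBM or Sun install paths.

# resolve_link PATH: print the fully resolved target of PATH.
resolve_link() {
    readlink -f -- "$1" 2>/dev/null
}

# links_into DIR PREFIX: print every symlink in DIR whose final target lies
# under PREFIX, e.g. the install root of the JVM that tested as vulnerable.
# Intermediate hops (such as an alternatives link) are followed to the end.
links_into() {
    dir=$1
    prefix=$(resolve_link "$2")
    [ -n "$prefix" ] || return 2        # prefix could not be resolved
    for entry in "$dir"/*; do
        [ -L "$entry" ] || continue     # only symlinks are of interest
        target=$(resolve_link "$entry")
        case "$target" in
            "$prefix"/*) printf '%s -> %s\n' "$entry" "$target" ;;
        esac
    done
}

# Stand-alone use: audit.sh <directory-of-links> <jvm-install-root>
if [ "$#" -eq 2 ]; then
    links_into "$1" "$2"
fi
```

Run it once against the alternatives directory and once against each browser's plugin directory; empty output for the old JVM's install root means no link in that directory still resolves to it.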


