I see there's a release today or so from Oracle of a new zero-day vulnerability. Any idea how soon we'll have an update?
mark
On 03/05/2013 11:51 AM, m.roth@5-cent.us wrote:
I see there's a release today or so from Oracle of a new zero-day vulnerability. Any idea how soon we'll have an update?
As soon as redhat releases one?
Johnny Hughes wrote:
On 03/05/2013 11:51 AM, m.roth@5-cent.us wrote:
I see there's a release today or so from Oracle of a new zero-day vulnerability. Any idea how soon we'll have an update?
As soon as redhat releases one?
Figured that - just wondered if y'all had heard anything.
For that matter, I tried following the CSV, and can't find more info on the NIST site - trying to figure out if it *only* affects Oracle's java, or openjdk also.
mark
On 03/05/2013 12:49 PM, m.roth@5-cent.us wrote:
Johnny Hughes wrote:
On 03/05/2013 11:51 AM, m.roth@5-cent.us wrote:
I see there's a release today or so from Oracle of a new zero-day vulnerability. Any idea how soon we'll have an update?
As soon as redhat releases one?
Figured that - just wondered if y'all had heard anything.
For that matter, I tried following the CSV, and can't find more info on the NIST site - trying to figure out if it *only* affects Oracle's java, or openjdk also.
It impacts both:
Johnny Hughes wrote:
On 03/05/2013 12:49 PM, m.roth@5-cent.us wrote:
Johnny Hughes wrote:
On 03/05/2013 11:51 AM, m.roth@5-cent.us wrote:
I see there's a release today or so from Oracle of a new zero-day vulnerability. Any idea how soon we'll have an update?
As soon as redhat releases one?
Figured that - just wondered if y'all had heard anything.
For that matter, I tried following the CSV, and can't find more info on the NIST site - trying to figure out if it *only* affects Oracle's java, or openjdk also.
It impacts both:
I'd found that in googling, but it only mentioned Oracle. Thanks, Johnny, now I can report that to my manager.
mark
On Tue, Mar 5, 2013 at 4:01 PM, m.roth@5-cent.us wrote:
I'd found that in googling, but it only mentioned Oracle.
Because the new pastime of the mainstream IT press (especially IDG; ZDNet which includes many Microsoft employees that write slamming Java) is slamming Oracle, not educating about OpenJDK and its open nature with IBM, RedHat, Apple and Twitter as contributors...
FC
Fernando Cassia wrote:
On Tue, Mar 5, 2013 at 4:01 PM, m.roth@5-cent.us wrote:
I'd found that in googling, but it only mentioned Oracle.
Because the new pastime of the mainstream IT press (especially IDG; ZDNet which includes many Microsoft employees that write slamming Java) is slamming Oracle, not educating about OpenJDK and its open nature with IBM, RedHat, Apple and Twitter as contributors...
What do you mean M$ employees? I've never worked for M$, have stayed away from WinDoze for many years, and I *loathe* java, which failed in everything it was sold on the basis of being able to solve in the mid-nineties....
mark
On Tue, Mar 5, 2013 at 5:29 PM, m.roth@5-cent.us wrote:
What do you mean M$ employees?
http://zdnet.sumben.com/?/meet-the-team/us/jason.perlow/ "Jason Perlow, Sr. Technology Editor at ZDNet ..." "... Jason is currently a Technology Solution Professional with Microsoft Corp. "
I've never worked for M$, have stayed away from WinDoze for many years, and I *loathe* java, which failed in everything it was sold on the basis of being able to solve in the mid-nineties....
Oh really, check out successful Java based software like Jitsi, for instance: www.jitsi.org or vuze www.vuze.com, or jdownloader... or http://www.sweethome3d.com/index.jsp or http://www.artofillusion.org/
all actively developed, cross-platform and successful. And I'm just naming a handful off the top of my head.
FC
On Tue, Mar 5, 2013 at 2:29 PM, m.roth@5-cent.us wrote:
What do you mean M$ employees? I've never worked for M$, have stayed away from WinDoze for many years, and I *loathe* java, which failed in everything it was sold on the basis of being able to solve in the mid-nineties....
Errr, beg your pardon? There are some fantastic things written in java - jenkins is one that would clearly be difficult to do in any other language. And android's dalvik is a conceptual if not literal offspring. The thing I don't understand is why there isn't a dalvik VM for other OS's so android apk's could run everywhere without something silly like bluestacks.
Les Mikesell wrote:
On Tue, Mar 5, 2013 at 2:29 PM, m.roth@5-cent.us wrote:
What do you mean M$ employees? I've never worked for M$, have stayed away from WinDoze for many years, and I *loathe* java, which failed in everything it was sold on the basis of being able to solve in the mid-nineties....
Errr, beg your pardon? There are some fantastic things written in java - jenkins is one that would clearly be difficult to do in any other language. And android's dalvik is a conceptual if not literal offspring. The thing I don't understand is why there isn't a dalvik VM for other OS's so android apk's could run everywhere without something silly like bluestacks.
tomcat? Tons o' websites with java, that are really, really slow, and break easily? And then there's the "write once, try to run everywhere...."
Oh, and how about "with java, you can't have null pointer exceptions"? Or the fact that when tomcat, for example, crashes, the stack traces - in other words, the function calls - range from 100 to 200 deep!
mark
On Tue, Mar 5, 2013 at 2:54 PM, m.roth@5-cent.us wrote:
tomcat? Tons o' websites with java, that are really, really slow, and break easily?
Tell you what - install OpenGrok http://hub.opensolaris.org/bin/view/Project+opengrok/ (grab it quick, it is moving soon) and index/browse/search a large codebase. Then tell me what can do it faster.
Les Mikesell wrote:
On Tue, Mar 5, 2013 at 2:54 PM, m.roth@5-cent.us wrote:
tomcat? Tons o' websites with java, that are really, really slow, and break easily?
Tell you what - install OpenGrok http://hub.opensolaris.org/bin/view/Project+opengrok/ (grab it quick, it is moving soon) and index/browse/search a large codebase. Then tell me what can do it faster.
So, tell me (since I'd never heard of it): folks around here use eclipse (java, and not really happy with less than 2GB of RAM...) - what does opengrok need, and how's it compare?
mark
On Tue, Mar 5, 2013 at 3:36 PM, m.roth@5-cent.us wrote:
tomcat? Tons o' websites with java, that are really, really slow, and break easily?
Tell you what - install OpenGrok http://hub.opensolaris.org/bin/view/Project+opengrok/ (grab it quick, it is moving soon) and index/browse/search a large codebase. Then tell me what can do it faster.
So, tell me (since I'd never heard of it): folks around here use eclipse (java, and not really happy with less than 2GB of RAM...) - what does opengrok need, and how's it compare?
I'm not happy with less than 4GB RAM, with/without java, but I'm not sure how that is relevant. RAM is cheap and useful, if you need it, get more.
Anyway, opengrok is a web service that runs under tomcat (or similar...), so everyone can share one instance. You drop the source in its directory and tell it to index. Then you can browse the files, do raw text searches, or follow the def/ref links that it embeds for you. My point is that it is fast and you can try it out pretty quickly if you know how to deploy a tomcat site - or just follow the instructions (http://hub.opensolaris.org/bin/view/Project+opengrok/installdescription). It may or may not be useful to you but it shows the language works. As does Jenkins, OpenNMS, Alfresco, etc.
Here's a public one but they seem to have disabled the raw browsing - you have to search for something: http://opengrok.libreoffice.org/ And it is not nearly as fast as what you'd get with a local install on a centos box.
On Tue, Mar 5, 2013 at 5:29 PM, m.roth@5-cent.us wrote:
I've never worked for M$, have stayed away from WinDoze for many years, and I *loathe* java
It's amazing the Java haters are not content with hating it in silence, they must spread their dislike and insist that everyone else should hate it too.
Just don't use it, but keep the hate for yourself, and let those of us that understand it, use it and enjoy it. (OpenJDK, Netbeans, jEdit, Vuze, Jitsi, etc)
Like RedHat, for instance, which is a big backer of JBoss and invests in OpenJDK... http://www.redhat.com/summit/2012/pdf/2012-DevDay-OpenJDK-Bhole.pdf
Sheesh... FC
On 03/05/2013 12:51 PM, Johnny Hughes wrote:
On 03/05/2013 12:49 PM, m.roth@5-cent.us wrote:
Johnny Hughes wrote:
On 03/05/2013 11:51 AM, m.roth@5-cent.us wrote:
I see there's a release today or so from Oracle of a new zero-day vulnerability. Any idea how soon we'll have an update?
As soon as redhat releases one?
Figured that - just wondered if y'all had heard anything.
For that matter, I tried following the CSV, and can't find more info on the NIST site - trying to figure out if it *only* affects Oracle's java, or openjdk also.
It impacts both:
Note: That means (1) We're on it :D , and (2) When this is released for CentOS-6.x it will initially be in 6.3/CR repo if 6.4 is not released yet or 6.4/updates if 6.4 is released. CentOS-5.9 will just get the update released normally into 5.9/updates.
When will CentOS-6.4 be released ... soon :)
When is soon ... I would expect sometime before Friday, March 8th (or very close to that date).
On Tue, Mar 5, 2013 at 1:01 PM, Johnny Hughes johnny@centos.org wrote:
When will CentOS-6.4 be released ... soon :)
When is soon ... I would expect sometime before Friday, March 8th (or very close to that date).
Thanks for posting a projected date. I promise not to rant if you miss it...
On 03/05/2013 08:13 PM, Les Mikesell wrote:
On Tue, Mar 5, 2013 at 1:01 PM, Johnny Hughes johnny@centos.org wrote:
When will CentOS-6.4 be released ... soon :)
When is soon ... I would expect sometime before Friday, March 8th (or very close to that date).
Thanks for posting a projected date. I promise not to rant if you miss it...
we never miss dates!
Karanbir Singh wrote:
On 03/05/2013 08:13 PM, Les Mikesell wrote:
On Tue, Mar 5, 2013 at 1:01 PM, Johnny Hughes johnny@centos.org wrote:
When will CentOS-6.4 be released ... soon :)
When is soon ... I would expect sometime before Friday, March 8th (or very close to that date).
Thanks for posting a projected date. I promise not to rant if you miss it...
we never miss dates!
Neither do I!
mark "ask my wife"
On Tue, Mar 5, 2013 at 3:49 PM, m.roth@5-cent.us wrote:
trying to figure out if it *only* affects Oracle's java, or openjdk also.
OpenJDK IS Oracle's java, sans the browser plug-in which was never open sourced by Sun, and which is provided by Icedtea-web.
Oracle has made OpenJDK 7 the reference implementation of JDK 7. 95% shared code according to the RedHat presentation at the JBoss 2012 summit: http://www.redhat.com/summit/2012/pdf/2012-DevDay-OpenJDK-Bhole.pdf
FC
Rainer Duffner wrote:
Am 05.03.2013 um 18:51 schrieb m.roth@5-cent.us:
I see there's a release today
The question is rather: are there days without new "emergency patches" for Java? And at what point does an "emergency" become a permanent condition….
Oh, come on. The last one was all of, um, what, two weeks ago? That's not every day.... <g>
mark
On Tue, Mar 5, 2013 at 6:08 PM, Rainer Duffner rainer@ultra-secure.de wrote:
The question is rather: are there days without new "emergency patches" for Java?
Yeah, right, like there are no 0day patches periodically for a multitude of software, including Apache, PHP, and the like. And what are Microsoft's "Patch Tuesday" Windows updates for, after all?
Adobe Rolls out emergency patch for Flash plug-in http://www.itworldcanada.com/news/adobe-rolls-out-emergency-flash-patch/1468...
Critical PHP vulnerability exposes web sites to data theft http://www.infoworld.com/t/application-security/critical-php-vulnerability-e...
Top ten PHP security vulnerabilities (Oct 2012) http://phpmaster.com/top-10-php-security-vulnerabilities/
PHP patches actively exploited CGI vulnerability http://www.pcworld.com/article/255289/php_patches_actively_exploited_cgi_vul...
Security is a process. There is no "permanently secure" software. Not even OpenBSD with its "memory randomization".
http://pages.citebite.com/h9a3a5k5umdw
FC
On Tue, Mar 05, 2013 at 06:23:25PM -0300, Fernando Cassia wrote:
Yeah, right, like there are no 0day patches periodically for a multitude of software, including Apache, PHP, and the like. And what are Microsoft's "Patch Tuesday" Windows updates for, after all?
Please.
Java is doing everything in its power to rival the insecurity records of sendmail and bind from years ago, or horde's track record or phpBB's. It's just one rolling security vector. It's apparently maintained by people that don't really know what they're doing since it's one issue after another in rapid pace. Oracle's attitude towards patches is abysmal at best and I can't see any relief in sight. Look at it this way: distros have rolling releases and Java has rolling security vulnerabilities.
Security is a process. There is no "permanently secure" software. Not even OpenBSD with its "memory randomization".
How about permanently insecure?
John
On Tue, Mar 5, 2013 at 3:57 PM, John R. Dennison jrd@gerdesas.com wrote:
Please.
Java is doing everything in its power to rival the insecurity records of sendmail and bind from years ago, or horde's track record or phpBB's. It's just one rolling security vector. It's apparently maintained by people that don't really know what they're doing since it's one issue after another in rapid pace. Oracle's attitude towards patches is abysmal at best and I can't see any relief in sight. Look at it this way: distros have rolling releases and Java has rolling security vulnerabilities.
But wait - wasn't making the code 'free' supposed to take care of all those issues since everyone can now see the problems and contribute the fixes? I think RMS may have led us astray.
Les Mikesell wrote:
On Tue, Mar 5, 2013 at 3:57 PM, John R. Dennison jrd@gerdesas.com wrote:
Please.
Java is doing everything in its power to rival the insecurity records of sendmail and bind from years ago, or horde's track record or phpBB's. It's just one rolling security vector. It's apparently maintained by people that don't really know what they're doing since it's one issue after another in rapid pace. Oracle's attitude towards patches is abysmal at best and I can't see any relief in sight. Look at it this way: distros have rolling releases and Java has rolling security vulnerabilities.
But wait - wasn't making the code 'free' supposed to take care of all those issues since everyone can now see the problems and contribute the fixes? I think RMS may have led us astray.
No, java was Sun's baby, now it's Oracle's. I know y'all have seen my feelings about Oracle/Sun hardware "tech support"....
mark
On Tue, Mar 5, 2013 at 4:04 PM, m.roth@5-cent.us wrote:
Please.
Java is doing everything in its power to rival the insecurity records of sendmail and bind from years ago, or horde's track record or phpBB's. It's just one rolling security vector. It's apparently maintained by people that don't really know what they're doing since it's one issue after another in rapid pace. Oracle's attitude towards patches is abysmal at best and I can't see any relief in sight. Look at it this way: distros have rolling releases and Java has rolling security vulnerabilities.
But wait - wasn't making the code 'free' supposed to take care of all those issues since everyone can now see the problems and contribute the fixes? I think RMS may have led us astray.
No, java was Sun's baby, now it's Oracle's. I know y'all have seen my feelings about Oracle/Sun hardware "tech support"....
I'm talking about all those years when Sun's baby was pretty good and "free as in beer" but not good/free enough for Red Hat to bless with an installer that actually worked so we got the broken gcj instead and made everybody hate java because it didn't work. Now the real thing is free enough, but so far I don't see the improvement that we were supposed to be waiting for...
On Tue, Mar 05, 2013 at 04:11:37PM -0600, Les Mikesell wrote:
I'm talking about all those years when Sun's baby was pretty good and "free as in beer" but not good/free enough for Red Hat to bless with an installer that actually worked so we got the broken gcj instead and made everybody hate java because it didn't work. Now the real thing is free enough, but so far I don't see the improvement that we were supposed to be waiting for...
"free enough"? Is that like "close" in horseshoes and hand grenades?
John
John R. Dennison wrote:
On Tue, Mar 05, 2013 at 04:11:37PM -0600, Les Mikesell wrote:
I'm talking about all those years when Sun's baby was pretty good and "free as in beer" but not good/free enough for Red Hat to bless with an installer that actually worked so we got the broken gcj instead and made everybody hate java because it didn't work. Now the real thing is free enough, but so far I don't see the improvement that we were supposed to be waiting for...
"free enough"? Is that like "close" in horseshoes and hand grenades?
And nukes.
mark "and, unfortunately, my late ex-wife"
On Tue, Mar 5, 2013 at 4:21 PM, John R. Dennison jrd@gerdesas.com wrote:
I'm talking about all those years when Sun's baby was pretty good and "free as in beer" but not good/free enough for Red Hat to bless with an installer that actually worked so we got the broken gcj instead and made everybody hate java because it didn't work. Now the real thing is free enough, but so far I don't see the improvement that we were supposed to be waiting for...
"free enough"? Is that like "close" in horseshoes and hand grenades?
Free as in what the FSF names code encumbered with restrictions that prevent combining it with any other components.
On 3/5/2013 2:40 PM, Les Mikesell wrote:
Free as in what the FSF names code encumbered with restrictions that prevent combining it with any other components.
specifically, the Sun Java license restricted redistribution of the runtime, and it wasn't opensource at all. further, it had type-of-use restrictions, you had to agree not to run 'standard edition' (free) on mobile phones, the licensing required a specific J2ME edition for phone use which was NOT free.
On Tue, Mar 5, 2013 at 4:44 PM, John R Pierce pierce@hogranch.com wrote:
Free as in what the FSF names code encumbered with restrictions that prevent combining it with any other components.
specifically, the Sun Java license restricted redistribution of the runtime, and it wasn't opensource at all.
I meant that the GPL imposes restrictions.
It would have been possible to make it trivial to install directly if not to completely automate it. And others started redistributing long before RH included it in their paid support channel. In any case, shipping something that pretended to be java but wasn't had to be the worst possible thing that could happen to a language.
further, it had type-of-use restrictions, you had to agree not to run 'standard edition' (free) on mobile phones, the licensing required a specific J2ME edition for phone use which was NOT free.
Yet oddly, long ago RH shipped Netscape binaries...
On 3/5/2013 1:57 PM, John R. Dennison wrote:
Java is doing everything in it's power to rival the insecurity ...
sad, really, as one of Java's original goals was to be a completely sandboxable environment.
I wonder... is Java really getting worse, or is it that the hackers are getting more sophisticated and finding ever more fiendish ways of violating systems?
I also wonder how long before the HTML5/Javascript world starts showing up equally gnarly fundamental security exposures.
On Tue, Mar 05, 2013 at 02:10:02PM -0800, John R Pierce wrote:
sad, really, as one of Java's original goals was to be a completely sandboxable environment.
I was just discussing this very issue with someone the other day. That was such a huge marketing factor in the beginning. And we waited. And waited. And waited. And it never materialized.
I wonder... is Java really getting worse, or is it that the hackers are getting more sophisticated and finding ever more fiendish ways of violating systems?
I think it's sort of a little of both. Tools and people are getting better and the people maintaining Java aren't getting any better.
John
On Tue, Mar 5, 2013 at 4:20 PM, John R. Dennison jrd@gerdesas.com wrote:
sad, really, as one of Java's original goals was to be a completely sandboxable environment.
I was just discussing this very issue with someone the other day. That was such a huge marketing factor in the beginning. And we waited. And waited. And waited. And it never materialized.
Of course it didn't when big companies like Microsoft and Red Hat shipped incompatible competing versions making the code not portable.
I wonder... is Java really getting worse, or is it that the hackers are getting more sophisticated and finding ever more fiendish ways of violating systems?
I think it's sort of a little of both. Tools and people are getting better and the people maintaining Java aren't getting any better.
I'm cynical enough to believe that most code has intentional backdoors that for various reasons eventually leak out and have to be fixed. And hackers are incredibly sophisticated these days. Even in the Centos 5.3 era I saw URL attacks in the wild that would use a spring (java lib) bug to execute commands to trigger the kernel's root escalation bug.