Mark-of-the-Beast security bug --- community collaboration?
mark at klomp.org
Tue Feb 8 09:59:01 UTC 2011
On Mon, 2011-02-07 at 16:29 -0600, Tom Marble wrote:
> Normally security issues would not be raised to the level
> of the 'discuss' list, but in the interest of getting
> as many 'eyes on the bug' such that the entire community
> can find and patch OpenJDK 6 quickly I respectfully
> would like to call everyone's attention to:
> It would be great if we could find this and patch
> OpenJDK 6 deployments ASAP.
There has been extensive discussion on the core-libs mailing list, with a
patch and some historic digging to find where the issue came from.
Short story: it was already found through the Free Software Jacks
test suite in 2001 (!), http://sourceware.org/mauve/jacks.html,
reported by the Jikes compiler hacker Eric Blake.
http://bugs.sun.com/view_bug.do?bug_id=4421494 The bug report even has a
suggested fix. Dmitry Nadezhin posted a patch in 2009, but unfortunately
that didn't make it in.
It was rediscovered through the php issue a week ago.
Andrew Haley almost immediately posted a new patch for it last week.
Hopefully it will go into IcedTea6 ASAP according to Andrew Hughes,
with possibly more security fixes following next week.