Posted to dev@directory.apache.org by Brennan Stehling <of...@gmail.com> on 2005/02/06 12:28:07 UTC

Maven/Java 1.4.0 security issues

An interesting problem any Windows might have is the bad JAVA_HOME
settings.  When I started to try Apache DS I suddenly got a ton of
virus problems.  Today I am working on running many Maven compiles and
now that I have Norton AntiVirus installed I am seeing it is blocking
this Trojan virus.

It seems j2sdk1.4.0_01 has a security bug in it and when I did install
j2sdk1.4.2_04 the new JAVA_HOME and PATH settings were not changed
from the older version.  As I compiled it may have been opening a
security hole and letting stuff in.

So you may want to check that your environment variables are set
properly and also uninstall Java 1.4.0.

-- 
Brennan Stehling
 + http://brennan.offwhite.net/blog/
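
Added example (not part of the original thread, and not code from any poster): a sketch of the environment check suggested above, which flags a JAVA_HOME or PATH entry that still points at an older JDK after a newer one was installed. The function names, the directory-name pattern and the sample environment are assumptions constructed for illustration; the 1.4.2_07 floor is the release named later in this thread.

```python
import ntpath
import re

# Assumed Sun-style install directory names, e.g. j2sdk1.4.0_01 or jdk1.5.0_01.
_JDK_DIR = re.compile(r"(?:j2sdk|j2re|jdk|jre)[-_]?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", re.I)

def jdk_version(path):
    """Return (major, minor, micro, update) parsed from a JDK directory in path, or None."""
    for part in reversed(re.split(r"[\\/]+", path)):
        m = _JDK_DIR.match(part)
        if m:
            return tuple(int(g or 0) for g in m.groups())
    return None

def _norm(path):
    # ntpath gives Windows path semantics on any platform (case-insensitive, backslashes).
    return ntpath.normcase(ntpath.normpath(path))

def audit_java_env(env, minimum=(1, 4, 2, 7)):
    """Return (source, path, reason) findings for stale or inconsistent Java settings."""
    findings = []
    home = env.get("JAVA_HOME", "").strip().strip('"')
    home_ver = jdk_version(home) if home else None
    if home_ver is not None and home_ver < minimum:
        findings.append(("JAVA_HOME", home, "outdated"))
    for entry in env.get("PATH", "").split(";"):
        entry = entry.strip().strip('"')
        ver = jdk_version(entry)
        if ver is None:
            continue  # not a versioned Java directory
        if ver < minimum:
            findings.append(("PATH", entry, "outdated"))
        # A Java bin directory outside JAVA_HOME means two installs are in play.
        if home and not (_norm(entry) + "\\").startswith(_norm(home) + "\\"):
            findings.append(("PATH", entry, "not under JAVA_HOME"))
    return findings

# Constructed sample: newer JDK installed, but JAVA_HOME and PATH still lead with the old one.
SAMPLE_ENV = {
    "JAVA_HOME": r"C:\j2sdk1.4.0_01",
    "PATH": r"C:\WINNT\system32;C:\j2sdk1.4.0_01\bin;C:\j2sdk1.4.2_04\bin",
}

if __name__ == "__main__":
    for source, path, reason in audit_java_env(SAMPLE_ENV):
        print(f"{source}: {path} ({reason})")
```

On a real machine, pass `dict(os.environ)` instead of the sample; PATH order matters because the first `java` found is the one a build actually runs.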

Re: Maven/Java 1.4.0 security issues

Posted by Emmanuel Lecharny <el...@iktek.com>.
Two serious security issues have been discovered recently (SUN SDK
1.4.2_06):

http://secunia.com/advisories/13271/

and

http://secunia.com/advisories/13918/

They are both ranked "highly critical".

A new version 1.4.2_07 has been released quite recently (27 January
2005).

It may be wise to switch to this new version, if you are using it (that
excludes IBMers).

Cheers,
Emmanuel

On Sunday, 06 February 2005 at 05:28 -0600, Brennan Stehling wrote:
> An interesting problem any Windows might have is the bad JAVA_HOME
> settings.  When I started to try Apache DS I suddenly got a ton of
> virus problems.  Today I am working on running many Maven compiles and
> now that I have Norton AntiVirus installed I am seeing it is blocking
> this Trojan virus.
> 
> It seems j2sdk1.4.0_01 has a security bug in it and when I did install
> j2sdk1.4.2_04 the new JAVA_HOME and PATH settings were not changed
> from the older version.  As I compiled it may have been opening a
> security hole and letting stuff in.
> 
> So you may want to check that your environment variables are set
> properly and also uninstall Java 1.4.0.
> 



Re: Maven/Java 1.4.0 security issues

Posted by Brennan Stehling <of...@gmail.com>.
I actually pulled down the latest 1.4.2 and 1.5 installations and
removed every other Java SDK/Runtime except the 1.3.1 SDK so I can
still build other backwards compatible projects.

So far so good.  

I am also on Windows 2000.  I wonder if the MacOS X Java Runtime is
immune to the problem.

Brennan

On Sun, 06 Feb 2005 12:14:59 -0500, Alex Karasulu <ao...@bellsouth.net> wrote:
> Niclas Hedhman wrote:
> 
> >On Sunday 06 February 2005 19:28, Brennan Stehling wrote:
> >
> >
> >>An interesting problem any Windows might have is the bad JAVA_HOME
> >>settings.  When I started to try Apache DS I suddenly got a ton of
> >>virus problems.  Today I am working on running many Maven compiles and
> >>now that I have Norton AntiVirus installed I am seeing it is blocking
> >>this Trojan virus.
> >>
> >>It seems j2sdk1.4.0_01 has a security bug in it and when I did install
> >>j2sdk1.4.2_04 the new JAVA_HOME and PATH settings were not changed
> >>from the older version.  As I compiled it may have been opening a
> >>security hole and letting stuff in.
> >>
> >>So you may want to check that your environment variables are set
> >>properly and also uninstall Java 1.4.0.
> >>
> >>
> >
> >I don't know if it is related; my rt.jar was modified a few days ago. The
> >MessageFormat class (of all!) had been replaced.
> >
> >
> No way is this on Linux Niclas?
> Alex
> 


-- 
Brennan Stehling
 + http://brennan.offwhite.net/blog/

Re: Maven/Java 1.4.0 security issues

Posted by Alex Karasulu <ao...@bellsouth.net>.
Niclas Hedhman wrote:

>On Sunday 06 February 2005 19:28, Brennan Stehling wrote:
>  
>
>>An interesting problem any Windows might have is the bad JAVA_HOME
>>settings.  When I started to try Apache DS I suddenly got a ton of
>>virus problems.  Today I am working on running many Maven compiles and
>>now that I have Norton AntiVirus installed I am seeing it is blocking
>>this Trojan virus.
>>
>>It seems j2sdk1.4.0_01 has a security bug in it and when I did install
>>j2sdk1.4.2_04 the new JAVA_HOME and PATH settings were not changed
>>from the older version.  As I compiled it may have been opening a
>>security hole and letting stuff in.
>>
>>So you may want to check that your environment variables are set
>>properly and also uninstall Java 1.4.0.
>>    
>>
>
>I don't know if it is related; my rt.jar was modified a few days ago. The
>MessageFormat class (of all!) had been replaced.
>  
>
No way is this on Linux Niclas?
Alex

Re: Maven/Java 1.4.0 security issues

Posted by Niclas Hedhman <ni...@hedhman.org>.
On Sunday 06 February 2005 19:28, Brennan Stehling wrote:
> An interesting problem any Windows might have is the bad JAVA_HOME
> settings.  When I started to try Apache DS I suddenly got a ton of
> virus problems.  Today I am working on running many Maven compiles and
> now that I have Norton AntiVirus installed I am seeing it is blocking
> this Trojan virus.
>
> It seems j2sdk1.4.0_01 has a security bug in it and when I did install
> j2sdk1.4.2_04 the new JAVA_HOME and PATH settings were not changed
> from the older version.  As I compiled it may have been opening a
> security hole and letting stuff in.
>
> So you may want to check that your environment variables are set
> properly and also uninstall Java 1.4.0.

I don't know if it is related; my rt.jar was modified a few days ago. The
MessageFormat class (of all!) had been replaced.

Cheers
Niclas

Re: Maven/Java 1.4.0 security issues

Posted by Trustin Lee <tr...@gmail.com>.
Thanks Brenn for the good information!

Trustin

On Sun, 6 Feb 2005 05:28:07 -0600, Brennan Stehling <of...@gmail.com> wrote:
> An interesting problem any Windows might have is the bad JAVA_HOME
> settings.  When I started to try Apache DS I suddenly got a ton of
> virus problems.  Today I am working on running many Maven compiles and
> now that I have Norton AntiVirus installed I am seeing it is blocking
> this Trojan virus.
> 
> It seems j2sdk1.4.0_01 has a security bug in it and when I did install
> j2sdk1.4.2_04 the new JAVA_HOME and PATH settings were not changed
> from the older version.  As I compiled it may have been opening a
> security hole and letting stuff in.
> 
> So you may want to check that your environment variables are set
> properly and also uninstall Java 1.4.0.
> 
> --
> Brennan Stehling
>  + http://brennan.offwhite.net/blog/
> 


-- 
what we call human nature is actually human habit
--
http://gleamynode.net/