
1. Apparently there are *LOTS* of vulnerabilities which are unpatched in debian stable, but presumably people just live with it, or am I missing some part of the picture? - See below

2. Is there a version of the java plugin that I can run under iceweasel/firefox and install in debian stable? My firefox warns me that "Java Plug-in 1.6.0_26 (disabled) is known to cause security or stability issues..."

If there is a better mailing list for these debian specific questions, please let me know, but there may be others who might be interested in these answers as well.

Item 1: install the debsecan package and scan your box .... On an up to date debian squeeze system I have:

    debsecan | grep iceweasel
    CVE-2011-1187 iceweasel (remotely exploitable, low urgency)
    CVE-2011-1202 iceweasel (remotely exploitable, medium urgency)
    CVE-2011-3658 iceweasel (remotely exploitable, high urgency)
    CVE-2012-0475 iceweasel (remotely exploitable, low urgency)
    CVE-2012-1939 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1941 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1945 iceweasel (remotely exploitable, low urgency)
    CVE-2012-1946 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1951 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1952 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1953 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1955 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1957 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1958 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1959 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1961 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1962 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1964 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1965 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-3105 iceweasel (remotely exploitable, high urgency)

iceweasel is up to date:

    apt-show-versions -a iceweasel
    iceweasel 3.5.16-18 install ok installed
    iceweasel 3.5.16-17 squeeze ftp.au.debian.org
    iceweasel 3.5.16-18 squeeze security.debian.org
    iceweasel/squeeze uptodate 3.5.16-18

Looking at the first CVE via the debian security tracker shows squeeze is still vulnerable... - See http://security-tracker.debian.org/tracker/CVE-2011-3658

Item 2: Under plugins on my iceweasel it has the Java plugin disabled for security / stability issues. I believe I have the latest jre/plugins installed:

    apt-show-versions -a sun-java6-jre
    sun-java6-jre 6.26-0squeeze1 install ok installed
    sun-java6-jre 6.26-0squeeze1 squeeze ftp.au.debian.org
    sun-java6-jre 6.26-0squeeze1 unknown ftp.tw.debian.org
    sun-java6-jre 6.26-0squeeze1 unknown http.debian.net
    sun-java6-jre/squeeze uptodate 6.26-0squeeze1

Do the debian people just expect me to not run java in the browser (too dangerous?) Am I supposed to switch to java7 (no package for debian squeeze) and manually install it? If so, is there any guidance on manual installation? I notice in wheezy we have java-package (see http://wiki.debian.org/JavaPackage) which lets you install the Oracle binary distributions by putting them into a .deb for you (e.g. http://forums.debian.net/viewtopic.php?f=6&t=84672).

Searching around on the debian web site didn't find any obvious guidance on these issues, only numerous old-looking Wiki pages.

Thanks in advance for any help.

Andrew
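As an added example, not part of Andrew's post and not code from debsecan itself, here is a small POSIX shell helper that triages output in the format debsecan prints above: it counts a package's open issues per urgency and lists the ones that are both remotely exploitable and high urgency, which are the entries that need a fix-or-mitigate decision first. The input is a constructed sample standing in for real debsecan output; the `somepkg` entries and their `CVE-0000-*` ids are placeholders.

```shell
#!/bin/sh
# Triage helper for debsecan output (added example, not from the post).
# debsecan prints one line per open issue, e.g.
#   CVE-2012-1939 iceweasel (remotely exploitable, high urgency)
#   CVE-0000-0001 somepkg (low urgency)
# Constructed sample standing in for `debsecan` output on a real box;
# the somepkg lines and CVE-0000-* ids are placeholders, not real issues.
SAMPLE_DEBSECAN='CVE-2011-1187 iceweasel (remotely exploitable, low urgency)
CVE-2011-3658 iceweasel (remotely exploitable, high urgency)
CVE-2012-1955 iceweasel (remotely exploitable, medium urgency)
CVE-0000-0001 somepkg (low urgency)
CVE-0000-0002 somepkg (remotely exploitable, high urgency)'

# Usage: debsecan_triage PKG   (reads debsecan output on stdin)
# Prints: PKG total=N high=N medium=N low=N remote_high=N
debsecan_triage() {
    awk -v pkg="$1" '
        $2 == pkg {
            total++
            remote = index($0, "remotely exploitable") > 0
            # the urgency is the word just before "urgency)"
            urg = "unknown"
            for (i = 3; i <= NF; i++) if ($i == "urgency)") urg = $(i - 1)
            sub(/^\(/, "", urg)      # "(low" -> "low" when it is the only qualifier
            n[urg]++
            if (remote && urg == "high") crit++
        }
        END {
            printf "%s total=%d high=%d medium=%d low=%d remote_high=%d\n", pkg, total, n["high"] + 0, n["medium"] + 0, n["low"] + 0, crit + 0
        }'
}

# Usage: debsecan_remote_high PKG   (reads debsecan output on stdin)
# Lists the CVE ids that are both remotely exploitable and high urgency.
debsecan_remote_high() {
    awk -v pkg="$1" '$2 == pkg && /remotely exploitable, high urgency/ { print $1 }'
}

# Stand-alone demo on the constructed sample. On a real system run e.g.:
#   debsecan | debsecan_triage iceweasel
printf '%s\n' "$SAMPLE_DEBSECAN" | debsecan_triage iceweasel
printf '%s\n' "$SAMPLE_DEBSECAN" | debsecan_remote_high iceweasel
```

The per-urgency counts give a quick picture of how much of the debsecan list is actually high-urgency and remotely reachable, rather than just how long it is.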