
Hi,

On 9/10/2012 10:51 AM, Andrew Worsley wrote:
1. Apparently there are *LOTS* of vulnerabilities which are unpatched vulnerabilities in debian stable but presumably people just live with it or am I missing some part of the picture? - See below
In the past I have found that a vulnerability has been patched when it didn't seem apparent. However, your use of debsecan makes me wonder... so I'm installing it and running against all the systems I look after.
2. Is there a version of java plugin that I can run under iceweasel/firefox that I can install in debian stable? My firefox warns me that Java Plug-in 1.6.0_26 (disabled) is known to cause security or stability issues...
That one is probably better for debian-user list, see below.
If there is a better mailing list for these debian specific questions - please let me know but there may be others who might be interested in these answers as well.
http://www.debian.org/MailingLists/
Item 1: install the debsecan package and scan your box ....
On an up to date debian squeeze system I have:
debsecan | grep iceweasel
CVE-2011-1187 iceweasel (remotely exploitable, low urgency)
CVE-2011-1202 iceweasel (remotely exploitable, medium urgency)
CVE-2011-3658 iceweasel (remotely exploitable, high urgency)
CVE-2012-0475 iceweasel (remotely exploitable, low urgency)
CVE-2012-1939 iceweasel (remotely exploitable, high urgency)
CVE-2012-1941 iceweasel (remotely exploitable, high urgency)
CVE-2012-1945 iceweasel (remotely exploitable, low urgency)
CVE-2012-1946 iceweasel (remotely exploitable, high urgency)
CVE-2012-1951 iceweasel (remotely exploitable, high urgency)
CVE-2012-1952 iceweasel (remotely exploitable, high urgency)
CVE-2012-1953 iceweasel (remotely exploitable, high urgency)
CVE-2012-1955 iceweasel (remotely exploitable, medium urgency)
CVE-2012-1957 iceweasel (remotely exploitable, medium urgency)
CVE-2012-1958 iceweasel (remotely exploitable, high urgency)
CVE-2012-1959 iceweasel (remotely exploitable, medium urgency)
CVE-2012-1961 iceweasel (remotely exploitable, medium urgency)
CVE-2012-1962 iceweasel (remotely exploitable, high urgency)
CVE-2012-1964 iceweasel (remotely exploitable, medium urgency)
CVE-2012-1965 iceweasel (remotely exploitable, medium urgency)
CVE-2012-3105 iceweasel (remotely exploitable, high urgency)
iceweasel is up to date
apt-show-versions -a iceweasel
iceweasel 3.5.16-18 install ok installed
iceweasel 3.5.16-17 squeeze ftp.au.debian.org
iceweasel 3.5.16-18 squeeze security.debian.org
iceweasel/squeeze uptodate 3.5.16-18
Looking at the first CVE via debian security tracker shows squeeze is still vulnerable... - See http://security-tracker.debian.org/tracker/CVE-2011-3658
Item 2: Under plugins on my iceweasel it has Java plugin disabled for security / stability issues.
I believe I have the latest jre/plugins installed
apt-show-versions -a sun-java6-jre
sun-java6-jre 6.26-0squeeze1 install ok installed
sun-java6-jre 6.26-0squeeze1 squeeze ftp.au.debian.org
sun-java6-jre 6.26-0squeeze1 unknown ftp.tw.debian.org
sun-java6-jre 6.26-0squeeze1 unknown http.debian.net
sun-java6-jre/squeeze uptodate 6.26-0squeeze1
Do the debian people just expect me to not run java in the browser (too dangerous?) Am I supposed to switch to java7 (no package for debian squeeze) and manually install it? If so is there any guidance on manual installation?
I notice in wheezy we have java-package (see http://wiki.debian.org/JavaPackage) which lets you install the Oracle binary distributions by putting it into a .deb for you (e.g. http://forums.debian.net/viewtopic.php?f=6&t=84672)
Searching around on the debian web site didn't find any obvious guidance on these issues and numerous old looking Wiki pages.
Thanks in advance for any help.
Andrew
--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP
Current Land Line No: 03 9012 2102
Mobile: 04 2574 1827
Fax: 03 9012 2178
National No: 1300 85 3804
Affinity Vision Australia Pty Ltd
http://affinityvision.com.au
http://securemywireless.com.au
http://adsl2choice.net.au
In Case of Emergency -- http://affinityvision.com.au/ice.html
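
The triage this thread does by hand (the package is current, yet debsecan still lists CVEs against it), as an added example that is not part of the original messages: it counts open issues per package and separates those with a fix available from those still unfixed in the suite. It assumes debsecan's summary line format `CVE-ID package (flags)` and that the `fixed` flag is printed when debsecan is run with `--suite`; the function names and the `examplepkg` lines are constructed.

```shell
#!/bin/sh
# Added example: per-package triage of debsecan summary output.
# Line format assumed:  VULN-ID package (flag, flag, ...)   (flags optional)

debsecan_triage() {
    awk '
    NF >= 2 {
        pkg = $2; flags = ""; urg = "unknown"
        # Pull out the text between the parentheses, if any.
        if (match($0, /\(.*\)/))
            flags = substr($0, RSTART + 1, RLENGTH - 2)
        n = split(flags, f, /, */)
        for (i = 1; i <= n; i++) {
            if (f[i] == "fixed") fixed[pkg]++
            else if (f[i] == "remotely exploitable") remote[pkg]++
            else if (f[i] ~ /^(high|medium|low) urgency$/) {
                urg = f[i]; sub(/ urgency$/, "", urg)
            }
        }
        total[pkg]++
        count[pkg, urg]++
    }
    END {
        # unfixed = listed issues with no fixed version in the suite yet
        for (p in total)
            printf "%s total=%d high=%d medium=%d low=%d unknown=%d remote=%d fixed=%d unfixed=%d\n",
                p, total[p], count[p, "high"], count[p, "medium"],
                count[p, "low"], count[p, "unknown"],
                remote[p], fixed[p], total[p] - fixed[p]
    }' | sort
}

# Constructed sample: three iceweasel lines copied from the message above,
# plus placeholder lines for a hypothetical package "examplepkg".
sample_debsecan_output() {
    cat <<'EOF'
CVE-2011-1187 iceweasel (remotely exploitable, low urgency)
CVE-2011-3658 iceweasel (remotely exploitable, high urgency)
CVE-2012-1955 iceweasel (remotely exploitable, medium urgency)
CVE-0000-0001 examplepkg (fixed, remotely exploitable, high urgency)
CVE-0000-0002 examplepkg (low urgency)
CVE-0000-0003 examplepkg
EOF
}

sample_debsecan_output | debsecan_triage
```

On a real system the input would come from `debsecan --suite squeeze | debsecan_triage`; a package with `fixed=0` and a non-zero `unfixed` count is the situation described for iceweasel, where upgrading changes nothing because no fixed version has been released for the suite.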