What is the status of Java security vs. LibreOffice?

Fabián Rodríguez-3

What is the status of Java security vs. LibreOffice?


Hi all

I saw this a few days ago, I'd like to know what should I make of it?:
http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/

I never install Java when I install LibreOffice, but a few people end up
installing it.

I have seen a few threads about it in the fr-discuss list, but nothing
clear/concise (although I may have missed a post or two).

Thanks for any information.

Cheers,

Fabian Rodriguez
http://libreoffice.magicfab.ca





--
For unsubscribe instructions e-mail to: [hidden email]
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Mirosław Zalewski

Re: What is the status of Java security vs. LibreOffice?

On 30/08/2012 at 20:14, Fabian Rodriguez <[hidden email]> wrote:

> I saw this a few days ago, I'd like to know what should I make of it?:
> http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/

This article already explains it:
"Those who need Java to run applications such as Open Office or Freemind can
still protect themselves by disabling Java in their browser to prevent drive-
by attacks on booby-trapped websites."

Until a patch is provided, it might be wise not to open office documents from
uncertain sources (that is: all but your own). Most likely it is not needed,
but it won't harm.
--
Best regards
Mirosław Zalewski

Jay Lozier

Re: What is the status of Java security vs. LibreOffice?

In reply to this post by Fabián Rodríguez-3
On 08/30/2012 02:14 PM, Fabian Rodriguez wrote:

>
> Hi all
>
> I saw this a few days ago, I'd like to know what should I make of it?:
> http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/
>
> I never install Java when I install LibreOffice, but a few people end up
> installing it.
>
> I have seen a few threads about it in the fr-discuss list, but nothing
> clear/concise (although I may have missed a post or two).
>
> Thanks for any information.
>
> Cheers,
>
> Fabian Rodriguez
> http://libreoffice.magicfab.ca
>
>
>
AFAIK Java is primarily used by the embedded Base engine and possibly
some extensions. If you use a non-Java database (MySQL, Postgres,
MariaDB, etc) that does not use Java you do not need Java.

The security problems are Java problems and are not OS or app related
and can affect any computer running the unpatched Java version(s). My
understanding is the transmission is likely via rogue or corrupted
websites that use Java rather than via a downloaded Java app.

I do not know if this issue affects the openJRE project.

--
Jay Lozier
[hidden email]


Tom

Re: What is the status of Java security vs. LibreOffice?

In reply to this post by Fabián Rodríguez-3
Hi :)
It's the same old story.

"All this has happened before and will happen again"  (any Battlestar Galactica fans out there?).

Oracle tell us all that their new version of java is ultra safe and really is safe this time and that all their previous versions are horribly flawed and likely to cause widespread plagues and death etc to anyone that continues to use them.  Then their new "ultra safe" one is found to also have horrible flaws in it.

As it happens it seems very few people actually seem to suffer or at least we never hear of it.  Still we keep advising people to update to the most recent possible version but to try avoiding it completely if they can.  For us the 1.6_32 is currently the most usable as the 1.7 has never really worked well with LO.

As time goes on it seems that java is compromised faster and faster.  Each new release lasting less and less time until some horror story emerges.   Their 1.7 branch was supposed to be their best ever taking the whole thing to a new plateau of rock solid stability and safety but the 1st 4 versions got compromised even before release!

Meanwhile the TDF devs working on LO have removed just about all dependency on java.  There are still a few Wizards and Extensions that need it and, of course, the database program (but only if you use the internal embedded back-end) and all the Accessibility stuff.

So, the User List stance is to try to get people to try not using Java at all but if they do need it to use the one that does work with LO - which I don't think has been compromised just yet although that's probably just because it hasn't reached the mainstream media yet because it's considered an 'old' version even though it was released after the latest in the 1.7 branch.


Regards from
Tom :)

Mirosław Zalewski

Re: What is the status of Java security vs. LibreOffice?

In reply to this post by Jay Lozier
On 30/08/2012 at 20:33, Jay Lozier <[hidden email]> wrote:

> I do not know if this issue affects the openJRE project.

I have not tested myself, but people say it does not. Users of openJRE are
safe from this one.
--
Best regards
Mirosław Zalewski

Tom

Re: What is the status of Java security vs. LibreOffice?

Hi :)
Even though both openJRE and standard java are both run by Oracle it seems that openJRE tends to be a bit safer.  Possibly something to do with running it through a community in a more OpenSource way. 

Regards from
Tom :)

NoOp

Re: What is the status of Java security vs. LibreOffice?

In reply to this post by Fabián Rodríguez-3
On 08/30/2012 11:14 AM, Fabian Rodriguez wrote:

>
> Hi all
>
> I saw this a few days ago, I'd like to know what should I make of
> it?:
> http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/
>
>  I never install Java when I install LibreOffice, but a few people
> end up installing it.
>
> I have seen a few threads about it in the fr-discuss list, but
> nothing clear/concise (although I may have missed a post or two).
...

Update to Java 7u7:
<http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html>
<https://www.java.com/en/download/manual.jsp>

and as an FYI, openjdk-6, openjdk-7 *are* vulnerable according to this:
<http://security-tracker.debian.org/tracker/CVE-2012-4681>



Fabián Rodríguez-3

Re: Java & LibO: use version 6 for now if you must - was: What is the status of Java security?

In reply to this post by Fabián Rodríguez-3

On 08/30/2012 02:14 PM, Fabian Rodriguez wrote:
>
> Hi all
>
> I saw this a few days ago, I'd like to know what should I make of it?:
> http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/
>
> I never install Java when I install LibreOffice, but a few people end up
> installing it.
[..]

I asked about this to Canonical support. Here is their reply with
regards to Ubuntu:
"OpenJDK 7 is affected too. Please note that in Precise and Oneiric,
openjdk-7 is in universe, so updating it is not a priority [ for
Canonical]. So in the meantime use OpenJDK 6."

Knowing Oracle's strict updates schedule, version 7 won't have updates
before next month, which may then take some time to reach the proper
community channels.

This echoes the recommendations I've seen here to use version 6 as it's
more stable with LibO.

Thanks for all the replies,

Fabián Rodríguez
http://libreoffice.magicfab.ca


Mirosław Zalewski

Re: Java & LibO: use version 6 for now if you must - was: What is the status of Java security?

On 31/08/2012 at 12:31, Fabian Rodriguez <[hidden email]> wrote:

> Knowing Oracle's strict updates schedule, version 7 won't have updates
> before next month

They decided to give up the usual schedule and released a patch yesterday. You can
download updates from their website [0].

Oh, and by the way, Oracle knew about these issues since April [1].

[0] http://www.oracle.com/technetwork/java/javase/downloads/index.html
[1] http://goo.gl/PsCso
--
Best regards
Mirosław Zalewski

krackedpress

Re: Java & LibO: use version 6 for now if you must - was: What is the status of Java security?

On 08/31/2012 06:43 AM, Mirosław Zalewski wrote:

> On 31/08/2012 at 12:31, Fabian Rodriguez <[hidden email]> wrote:
>
>> Knowing Oracle's strict updates schedule, version 7 won't have updates
>> before next month
> They decided to give up usual schedule and released patch yesterday. You can
> download updates from their website [0].
>
> Oh, and by the way, Oracle knew about these issues since April [1].
>
> [0] http://www.oracle.com/technetwork/java/javase/downloads/index.html
> [1] http://goo.gl/PsCso

On the NA-DVD site and [media version], I tell the users to use/install
6u34 as the preferred version and 7u06 after the "6u" file is installed,
if they want that series.  But I do say the "6u" file name series is the
preferred one to use for Windows.  I also tell them to use the
repository version of "JRE/OpenJDK" for Linux users.  I use "OpenJDK
6.x" for my Ubuntu systems.


NoOp

[Don't] Re: Java & LibO: use version 6 for now if you must - was: What is the status of Java security?

In reply to this post by Fabián Rodríguez-3
On 08/31/2012 03:31 AM, Fabian Rodriguez wrote:

>
> On 08/30/2012 02:14 PM, Fabian Rodriguez wrote:
>
>> Hi all
>
>> I saw this a few days ago, I'd like to know what should I make of it?:
>
> http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/
>
>> I never install Java when I install LibreOffice, but a few people end up
>> installing it.
> [..]
>
> I asked about this to Canonical support. Here is their reply with
> regards to Ubuntu:
> "OpenJDK 7 is affected too. Please note that in Precise and Oneiric,
> openjdk-7 is in universe, so updating it is not a priority [ for
> Canonical]. So in the meantime use OpenJDK 6."

So file a security bug as iced-tea has been updated:
<http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020083.html>
<http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/>
<https://bugzilla.redhat.com/show_bug.cgi?id=852051>
<http://gnu.wildebeest.org/blog/mjw/2012/08/30/java-bug-cve-2012-4681/>

>
> Knowing Oracle's strict updates schedule, version 7 won't have updates
> before next month, which may then take some time to reach the proper
> community channels.

From my response in this thread yesterday:
Update to Java 7u7:
<http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html>
<https://www.java.com/en/download/manual.jsp>

>
> This echoes the recommendations I've seen here to user version 6 as its
> more stable with LibO.

And recommending that brings up other well known security issues. You
are much better off turning off java until you've installed the current
updates (released yesterday).

Note:
<http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html>
<quote>
Description

This Security Alert addresses security issues CVE-2012-4681 (US-CERT
Alert TA12-240A and Vulnerability Note VU#636312) and two other
vulnerabilities affecting Java running in web browsers on desktops.
These vulnerabilities are not applicable to Java running on servers or
standalone Java desktop applications. They also do not affect Oracle
server-based software.
</quote>

>
> Thanks for all the replies,
>
> Fabián Rodríguez
> http://libreoffice.magicfab.ca
>
>
>
>



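A small check for the advice in the posts above (update Oracle Java 7 to 7u7; for OpenJDK/IcedTea the distribution's tracker decides), as an added example that is not part of any poster's message. The function name, verdict words and sample banners are constructed for illustration.

```shell
#!/bin/sh
# classify_java: read `java -version` output on stdin, print one verdict.
# Verdict words are this example's own, not output of any real tool.
#   patched - Oracle Java 7 at update 7 or later (7u7, the CVE-2012-4681
#             fix named in the thread); says nothing about other issues
#   update  - Oracle Java 7 below update 7
#   distro  - OpenJDK/IcedTea build: its update number does not track
#             Oracle's, so the distribution's security tracker decides
#   unknown - any other series, or output that could not be parsed
classify_java() {
    out=$(cat)
    # Banner line looks like: java version "1.7.0_06"
    ver=$(printf '%s\n' "$out" |
          sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then echo unknown; return 0; fi

    case "$out" in
        *OpenJDK*|*IcedTea*) echo distro; return 0 ;;
    esac

    # Update number is the part after "_"; absent means update 0.
    case "$ver" in
        *_*) upd=${ver#*_} ;;
        *)   upd=0 ;;
    esac
    upd=${upd%%[!0-9]*}                        # "06-ea" -> "06"
    upd=$(printf '%s' "$upd" | sed 's/^0*//')  # "06" -> "6", "08" -> "8"
    [ -n "$upd" ] || upd=0

    case "$ver" in
        1.7.*) if [ "$upd" -ge 7 ]; then echo patched; else echo update; fi ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample banners (not captured from real systems).
sample_oracle_7u6() {
    printf '%s\n' 'java version "1.7.0_06"' \
        'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'
}
sample_oracle_7u7() {
    printf '%s\n' 'java version "1.7.0_07"' \
        'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)'
}
sample_oracle_6() {
    printf '%s\n' 'java version "1.6.0_34"' \
        'Java(TM) SE Runtime Environment (build 1.6.0_34-b04)'
}
sample_openjdk() {
    printf '%s\n' 'java version "1.7.0_03"' \
        'OpenJDK Runtime Environment (IcedTea 2.3.1)'
}

for s in sample_oracle_7u6 sample_oracle_7u7 sample_oracle_6 sample_openjdk; do
    printf '%-18s %s\n' "$s" "$("$s" | classify_java)"
done
# Live check on a real machine: java -version 2>&1 | classify_java
```
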
Tom

Re: [Don't] Re: Java & LibO: use version 6 for now if you must - was: What is the status of Java security?

Hi :)
Really the only way to avoid potential problems with Java is to NOT use it at all.  Sadly that means all our Accessibility stuff would be completely wrecked.  A few Wizards, Extensions, embedded Base backends would also be affected but almost all of that has work-arounds that improve the quality of the LO experience anyway.  The only thing that has no work-around is Accessibility.

Btw anyone enjoying the paralympics?
Regards from
Tom :)

Tanstaafl

Re: What is the status of Java security vs. LibreOffice?

In reply to this post by Jay Lozier
On 8/30/2012 2:33 PM, Jay Lozier <[hidden email]> wrote:
> The security problems are Java problems and are not OS or app related
> and can affect any computer running the unpatched Java version(s). My
> understanding is the transmission is likely via rogue or corrupted
> websites that use Java rather than via a downloaded Java app.

Or you can use Firefox+NoScript, and only selectively allow java for
trusted sites (just like it does for javascript)...
