rudis dot net

Apple updated Java on OS X today (they updated Quicktime and GarageBand as well). Unfortunately, we're not getting Java 6 yet, just performance and bug fixes.

From Software Update:

Java for Mac OS X 10.4, Release 6 delivers improved reliability and compatibility for Java 2 Platform Standard Edition 5.0 and Java 1.4 on Mac OS X 10.4.10 and later. This release updates J2SE 5.0 to version 1.5.0_13 and Java 1.4 to version 1.4.2_16.

For more details on this Update, please visit this website: http://docs.info.apple.com/article.html?artnum=307051

As of the time this was posted, the details link did not work, but the update installs without a hitch.

UPDATE: A different link http://docs.info.apple.com/article.html?artnum=307177 now provides information on the security content and it's significant! Test & update as soon as possible (though Leopard is fairly patched already w/r/t these vulns)!

• CVE-ID: CVE-2007-5862

  Available for: Mac OS X v10.4.10 and later, Mac OS X Server v10.4.10 and later

  Impact: A malicious webpage can remove or insert items in the keychain

  Description: An access check may be bypassed for Keychain updates. A specially crafted Java applet may be able to add or remove items from a user's Keychain, without prompting the user. This update addresses the issue through an improved access check. This issue does not affect systems running Mac OS X v10.5 and later. Credit to Bruno Harbulot of the University of Manchester for reporting this issue.

• CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6745, CVE-2007-0243, CVE-2007-2435, CVE-2007-3004, CVE-2007-3005, CVE-2007-3504, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232

  Available for: Mac OS X v10.4.10 and later, Mac OS X Server v10.4.10 and later

  Impact: Multiple vulnerabilities exist in Java 1.4

  Description: Multiple vulnerabilities exist in Java 1.4, the most serious of which may lead to arbitrary code execution and privilege escalation. These are addressed by updating Java 1.4 to version 1.4.2_16. These issues are already addressed in systems running Mac OS X v10.5 and later.

• CVE-ID: CVE-2006-4339, CVE-2006-6731, CVE-2006-6745, CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789, CVE-2007-3004, CVE-2007-3005, CVE-2007-3503, CVE-2007-3504, CVE-2007-3655, CVE-2007-3698, CVE-2007-3922, CVE-2007-4381, CVE-2007-5232

  Available for: Mac OS X v10.4.10 and later, Mac OS X Server v10.4.10 and later

  Impact: Multiple vulnerabilities exist in J2SE 5.0

  Description: Multiple vulnerabilities exist in J2SE 5.0, the most serious of which may lead to arbitrary code execution and privilege escalation. These are addressed by updating J2SE 5.0 to version 1.5.0_13. These issues are already addressed in systems running Mac OS X v10.5 and later.

New post over @ The Apple Blog on Java 6 & OS X.

Need some inspiration/leads for some new posts.

I was getting a "Java HotSpot(TM) Client VM warning: Can't detect initial thread stack location" error after an install of the Sun-provided Linux Java running under FreeBSD Linux compatibility mode.

Turns out that it's an error caused by FreeBSD only kinda-sorta enabling Linux compatibility mode and not mounting linprocfs in order for threads to work (in this Java, at least).

You have to do the following to make it all play nice:

kldload linprocfs
mount -t linprocfs linprocfs /compat/linux/proc

You can add:

   linprocfs               /compat/linux/proc   linprocfs   rw     0       0

to /etc/fstab to make this happen at boot.

It's been covered before (just Google it), but now it's in my notes as well.