On Tue, Jun 18, 2013 at 11:29 PM, Dhiru Kholia <dhiru.kholia@xxxxxxxxx> wrote:
> Some recent news,
>
> http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
>
> "The majority are vulnerable through browser plugins, 11 of which are
> exploitable for complete control of the underlying operating system,"
> said Ross Barrett, senior manager of security engineering at Rapid7.

I can see how a vulnerability in Java running in user space can cause all sorts of problems for the user, but unless someone is running a browser as superuser, how can it possibly take "complete control of the underlying operating system"? Surely that would require a privilege escalation vulnerability in the kernel or a setuid program, and such a vulnerability is the fault of that package, not of Java.

Eric
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel