Bug#267040: gcjwebplugin runs untrusted code without sandbox
Moritz Muehlenhoff
jmm at inutil.org
Mon Sep 29 15:09:43 UTC 2008

On Sun, Sep 07, 2008 at 05:39:28PM +0100, Ben Hutchings wrote:
> gcjwebplugin is a Java plugin for web browsers. It does not include the
> security manager which is a crucial part of the "sandboxing" of Java
> applets. The maintainers have "fixed" this bug (#267040) merely by
> adding a warning prompt before running applets, which is well known to
> be an insufficient means of protecting users from malware. Please do
> not include it in lenny. (Unfortunately it is built from the classpath
> source package, so that will have to be modified to remove it.)

I had discussed this with Michael Koch some time ago; the version
in Lenny implements a security manager, but it's not yet clear whether
it's fully appropriate. We didn't reach a final conclusion, but I guess
the warning is sufficient for Lenny.

Cheers,
Moritz