[Ubuntu-BR] Firefox x java x consumption

Nelson Corrêa nelson.ubuntu at gmail.com
Fri Mar 27 17:42:38 UTC 2009


Salles wrote:
> On Fri, 2009-03-27 at 11:18 -0300, Nelson Corrêa wrote:
>   
>> Salles wrote:
>>     
>>> Folks,
>>> Today I noticed some strange behavior when trying to access BB's
>>> financial manager (which, by the way, did not open):
>>> With only the System Monitor and Firefox open, Firefox loading the manager:
>>>  - CPU 100%, RAM 280Mb, Swap 36Mb;
>>> With Firefox closed, only the system monitor and the default text editor:
>>>  - CPU 29%, RAM 220Mb, Swap 36Mb.
>>> I am using 8.04 and FF 3.0.7.
>>> Does anyone have an idea why this happens?
>>>       
>
>   
>> This is, in my opinion, the weakest point for Linux to become a 
>> reality. These updates that kill the usability of the system. Yesterday, 
>> after the Java update, my Firefox stopped displaying some 
>> pages, such as Google Analytics, for example. Honestly, I don't know whether 
>> some sites do this on purpose, but imagine a company, a thousand 
>> people opening their desktops, accessing the web, and the pages not 
>> loading. Imagine that you are the CIO... okay, you don't need to imagine 
>> anything else.
>> Nelson
>>     
>
> Interesting, about 30 minutes after it happened, I made a new attempt to
> access BB successfully and everything was normal, CPU 30%, RAM 220Mb, Swap
> 36Mb.
> It seemed to me that the problem was caused by the Java applet while loading;
> however, I have had no Java updates on 8.04, the packages and version have
> stayed the same for a long time.
> Well, I will assume the problem may have been in the access to BB, some
> instability in their system, since it went back to normal.
>
> PS: What is your version of Ubuntu and FF? I found it odd that you mentioned
> the Java update, since I did not get any here.
>
>   

Salles,

This one:

===========================================================
Ubuntu Security Notice USN-748-1             March 26, 2009
openjdk-6 vulnerabilities
CVE-2006-2426, CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1100,
CVE-2009-1101, CVE-2009-1102
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
 icedtea6-plugin                 6b12-0ubuntu6.4
 openjdk-6-jdk                   6b12-0ubuntu6.4
 openjdk-6-jre                   6b12-0ubuntu6.4
 openjdk-6-jre-headless          6b12-0ubuntu6.4
 openjdk-6-jre-lib               6b12-0ubuntu6.4

After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.

Details follow:

It was discovered that font creation could leak temporary files.
If a user were tricked into loading a malicious program or applet,
a remote attacker could consume disk space, leading to a denial of
service. (CVE-2006-2426, CVE-2009-1100)

It was discovered that the lightweight HttpServer did not correctly close
files on dataless connections.  A remote attacker could send specially
crafted requests, leading to a denial of service. (CVE-2009-1101)

Certain 64bit Java actions would crash an application.  A local attacker
might be able to cause a denial of service. (CVE-2009-1102)

It was discovered that LDAP connections did not close correctly.
A remote attacker could send specially crafted requests, leading to a
denial of service.  (CVE-2009-1093)

Java LDAP routines did not unserialize certain data correctly.  A remote
attacker could send specially crafted requests that could lead to
arbitrary code execution. (CVE-2009-1094)

Java did not correctly check certain JAR headers.  If a user or
automated system were tricked into processing a malicious JAR file,
a remote attacker could crash the application, leading to a denial of
service. (CVE-2009-1095, CVE-2009-1096)

It was discovered that PNG and GIF decoding in Java could lead to memory
corruption.  If a user or automated system were tricked into processing
a specially crafted image, a remote attacker could crash the application,
leading to a denial of service. (CVE-2009-1097, CVE-2009-1098)




