Compatible Support Forums
[gentoo-announce] [ GLSA 200911-02 ] Sun JDK/JRE: Multiple vulnerabilities


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                 Gentoo Linux Security Advisory           GLSA 200911-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Sun JDK/JRE: Multiple vulnerabilities
      Date: November 17, 2009
      Bugs: #182824, #231337, #250012, #263810, #280409, #291817
        ID: 200911-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the Sun JDK and JRE allow for several
attacks, including the remote execution of arbitrary code.

Background
==========

The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
(JRE) provide the Sun Java platform.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  sun-jre-bin                    < 1.6.0.17            *>= 1.5.0.22
                                                           >= 1.6.0.17
  2  sun-jdk                        < 1.6.0.17            *>= 1.5.0.22
                                                           >= 1.6.0.17
  3  blackdown-jre             <= 1.4.2.03-r14              Vulnerable!
  4  blackdown-jdk             <= 1.4.2.03-r16              Vulnerable!
  5  emul-linux-x86-java            < 1.6.0.17            *>= 1.5.0.22
                                                           >= 1.6.0.17
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     5 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been reported in the Sun Java
implementation. Please review the CVE identifiers referenced below and
the associated Sun Alerts for details.

Impact
======

A remote attacker could entice a user to open a specially crafted JAR
archive, applet, or Java Web Start application, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the
same-origin policy, load untrusted JAR files, establish network
connections to arbitrary hosts and ports via several vectors, modify
the list of supported graphics configurations, bypass HMAC-based
authentication systems, escalate privileges via several vectors and
cause applet code to be executed with older, possibly vulnerable
versions of the JRE.

NOTE: Some vulnerabilities require a trusted environment, user
interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Sun JRE 1.5.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-java/sun-jre-bin-1.5.0.22

All Sun JRE 1.6.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-java/sun-jre-bin-1.6.0.17

All Sun JDK 1.5.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-java/sun-jdk-1.5.0.22

All Sun JDK 1.6.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =dev-java/sun-jdk-1.6.0.17

All users of the precompiled 32bit Sun JRE 1.5.x should upgrade to the
latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =app-emulation/emul-linux-x86-java-1.5.0.22

All users of the precompiled 32bit Sun JRE 1.6.x should upgrade to the
latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose =app-emulation/emul-linux-x86-java-1.6.0.17

All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and
precompiled 32bit Sun JRE 1.4.x users are strongly advised to unmerge
Java 1.4:

    # emerge --unmerge =app-emulation/emul-linux-x86-java-1.4*
    # emerge --unmerge =dev-java/sun-jre-bin-1.4*
    # emerge --unmerge =dev-java/sun-jdk-1.4*
    # emerge --unmerge dev-java/blackdown-jdk
    # emerge --unmerge dev-java/blackdown-jre

Gentoo is ceasing support for the 1.4 generation of the Sun Java
Platform in accordance with upstream. All 1.4 JRE and JDK versions are
masked and will be removed shortly.
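
The affected-packages table and the resolution steps above map directly onto a small check a Gentoo administrator can run before and after emerging the fixes. The script below is an added example, not part of the GLSA and not Gentoo's own tooling: it encodes the advisory's vulnerable and unaffected ranges for each listed package, classifies an installed version against them, and prints the advisory's own emerge command for anything still exposed. It assumes that `qlist -Iv` from portage-utils prints installed atoms as `category/package-version`; that invocation, the `glsa_200911_02_*` function names and the `--scan` flag are the example's own assumptions, while the version comparison needs only sh and awk.

```shell
#!/bin/sh
# Added example for GLSA 200911-02 (not from the advisory or Gentoo tooling).
# Encodes the advisory's affected-package table and resolution commands so an
# installed Java version can be checked and the matching fix printed.

# vercmp A B: print -1, 0 or 1 as Gentoo version A is <, = or > version B.
# Components are compared numerically ("03" == 3); a "-rN" revision is treated
# as one more trailing component, so 1.4.2.03-r14 > 1.4.2.03.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-r/, ".", a); gsub(/-r/, ".", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# glsa_200911_02_status PKG VER: print "unaffected", "vulnerable" or
# "not-covered" for one installed package, following the advisory table:
#   sun-jre-bin / sun-jdk / emul-linux-x86-java: vulnerable below 1.6.0.17,
#   except that the 1.5 series is fixed from 1.5.0.22 on; 1.4.x has no fix.
#   blackdown-jre / blackdown-jdk: every version is vulnerable, no fix exists.
glsa_200911_02_status() {
    pkg=$1; ver=$2
    case "$pkg" in
        dev-java/sun-jre-bin|dev-java/sun-jdk|app-emulation/emul-linux-x86-java)
            if [ "$(vercmp "$ver" 1.6.0.17)" -ge 0 ]; then
                echo unaffected
            elif [ "$(vercmp "$ver" 1.5.0.22)" -ge 0 ] &&
                 [ "$(vercmp "$ver" 1.6)" -lt 0 ]; then
                echo unaffected
            else
                echo vulnerable
            fi ;;
        dev-java/blackdown-jre|dev-java/blackdown-jdk)
            echo vulnerable ;;
        *)
            echo not-covered ;;
    esac
}

# glsa_200911_02_fix PKG VER: print the advisory's resolution command for a
# vulnerable package, chosen by the series that is actually installed.
glsa_200911_02_fix() {
    pkg=$1; ver=$2
    case "$pkg" in
        dev-java/blackdown-jre|dev-java/blackdown-jdk)
            echo "emerge --unmerge $pkg" ;;
        dev-java/sun-jre-bin|dev-java/sun-jdk|app-emulation/emul-linux-x86-java)
            case "$ver" in
                1.6.*) echo "emerge --ask --oneshot --verbose =$pkg-1.6.0.17" ;;
                1.5.*) echo "emerge --ask --oneshot --verbose =$pkg-1.5.0.22" ;;
                1.4.*) echo "emerge --unmerge =$pkg-1.4*" ;;
                *)     echo "no resolution listed in GLSA 200911-02 for $pkg-$ver" ;;
            esac ;;
        *)
            echo "not covered by GLSA 200911-02" ;;
    esac
}

# scan_installed: walk the installed packages the advisory names and report
# each one. Assumes qlist (portage-utils) prints "category/pkg-version".
scan_installed() {
    command -v qlist >/dev/null 2>&1 || { echo "qlist (portage-utils) not found" >&2; return 2; }
    for pkg in dev-java/sun-jre-bin dev-java/sun-jdk app-emulation/emul-linux-x86-java \
               dev-java/blackdown-jre dev-java/blackdown-jdk; do
        for atom in $(qlist -Iv "$pkg" 2>/dev/null); do
            ver=${atom#"$pkg"-}
            status=$(glsa_200911_02_status "$pkg" "$ver")
            printf '%-38s %-14s %s\n' "$pkg" "$ver" "$status"
            if [ "$status" = vulnerable ]; then
                printf '    fix: %s\n' "$(glsa_200911_02_fix "$pkg" "$ver")"
            fi
        done
    done
}

# Run the scan only when invoked as "sh glsa-200911-02-check.sh --scan".
if [ "${1:-}" = "--scan" ]; then scan_installed; fi
```

Run it with `--scan` on the host; every `vulnerable` line is followed by the exact command from the Resolution section above. Two things the script cannot tell you: whether the slot you upgraded is the one your browser plugin or application server actually selects (compare with `eselect java-vm list`), and that JVMs started before the upgrade keep running the old code until they are restarted.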

 

References
==========

[ 1 ] CVE-2008-2086  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086
[ 2 ] CVE-2008-3103  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
[ 3 ] CVE-2008-3104  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
[ 4 ] CVE-2008-3105  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
[ 5 ] CVE-2008-3106  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
[ 6 ] CVE-2008-3107  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
[ 7 ] CVE-2008-3108  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
[ 8 ] CVE-2008-3109  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
[ 9 ] CVE-2008-3110  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
[ 10 ] CVE-2008-3111  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
[ 11 ] CVE-2008-3112  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
[ 12 ] CVE-2008-3113  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
[ 13 ] CVE-2008-3114  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
[ 14 ] CVE-2008-3115  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115
[ 15 ] CVE-2008-5339  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339
[ 16 ] CVE-2008-5340  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340
[ 17 ] CVE-2008-5341  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341
[ 18 ] CVE-2008-5342  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342
[ 19 ] CVE-2008-5343  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343
[ 20 ] CVE-2008-5344  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344
[ 21 ] CVE-2008-5345  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345
[ 22 ] CVE-2008-5346  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346
[ 23 ] CVE-2008-5347  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347
[ 24 ] CVE-2008-5348  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348
[ 25 ] CVE-2008-5349  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349
[ 26 ] CVE-2008-5350  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350
[ 27 ] CVE-2008-5351  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351
[ 28 ] CVE-2008-5352  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352
[ 29 ] CVE-2008-5353  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353
[ 30 ] CVE-2008-5354  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354
[ 31 ] CVE-2008-5355  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355
[ 32 ] CVE-2008-5356  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356
[ 33 ] CVE-2008-5357  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357
[ 34 ] CVE-2008-5358  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358
[ 35 ] CVE-2008-5359  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359
[ 36 ] CVE-2008-5360  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360
[ 37 ] CVE-2009-1093  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
[ 38 ] CVE-2009-1094  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
[ 39 ] CVE-2009-1095  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
[ 40 ] CVE-2009-1096  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
[ 41 ] CVE-2009-1097  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
[ 42 ] CVE-2009-1098  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
[ 43 ] CVE-2009-1099  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
[ 44 ] CVE-2009-1100  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
[ 45 ] CVE-2009-1101  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
[ 46 ] CVE-2009-1102  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
[ 47 ] CVE-2009-1103  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
[ 48 ] CVE-2009-1104  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
[ 49 ] CVE-2009-1105  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
[ 50 ] CVE-2009-1106  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
[ 51 ] CVE-2009-1107  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
[ 52 ] CVE-2009-2409  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
[ 53 ] CVE-2009-2475  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
[ 54 ] CVE-2009-2476  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476
[ 55 ] CVE-2009-2670  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
[ 56 ] CVE-2009-2671  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
[ 57 ] CVE-2009-2672  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
[ 58 ] CVE-2009-2673  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
[ 59 ] CVE-2009-2674  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674
[ 60 ] CVE-2009-2675  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
[ 61 ] CVE-2009-2676  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
[ 62 ] CVE-2009-2689  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689
[ 63 ] CVE-2009-2690  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690
[ 64 ] CVE-2009-2716  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
[ 65 ] CVE-2009-2718  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
[ 66 ] CVE-2009-2719  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
[ 67 ] CVE-2009-2720  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
[ 68 ] CVE-2009-2721  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
[ 69 ] CVE-2009-2722  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
[ 70 ] CVE-2009-2723  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
[ 71 ] CVE-2009-2724  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
[ 72 ] CVE-2009-3728  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
[ 73 ] CVE-2009-3729  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729
[ 74 ] CVE-2009-3865  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865
[ 75 ] CVE-2009-3866  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866
[ 76 ] CVE-2009-3867  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867
[ 77 ] CVE-2009-3868  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868
[ 78 ] CVE-2009-3869  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
[ 79 ] CVE-2009-3871  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
[ 80 ] CVE-2009-3872  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872
[ 81 ] CVE-2009-3873  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
[ 82 ] CVE-2009-3874  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
[ 83 ] CVE-2009-3875  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
[ 84 ] CVE-2009-3876  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
[ 85 ] CVE-2009-3877  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
[ 86 ] CVE-2009-3879  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
[ 87 ] CVE-2009-3880  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
[ 88 ] CVE-2009-3881  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
[ 89 ] CVE-2009-3882  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
[ 90 ] CVE-2009-3883  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
[ 91 ] CVE-2009-3884  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
[ 92 ] CVE-2009-3886  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200911-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security ( -at -) gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

 
