From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-18 ] Oracle JRE/JDK: Multiple vulnerabilities
Date: Fri, 04 Jun 2010 06:11:06
Message-Id: 20100604071218.533d642a@mail.a3li.li
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201006-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Oracle JRE/JDK: Multiple vulnerabilities
      Date: June 04, 2010
      Bugs: #306579, #314531
        ID: 201006-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Oracle JDK and JRE contain multiple unspecified vulnerabilities.

Background
==========

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
provide the Oracle Java platform (formerly known as Sun Java Platform).

Affected packages
=================

    -------------------------------------------------------------------
     Package                            /  Vulnerable  /   Unaffected
    -------------------------------------------------------------------
  1  dev-java/sun-jre-bin                  < 1.6.0.20     >= 1.6.0.20
  2  dev-java/sun-jdk                      < 1.6.0.20     >= 1.6.0.20
  3  app-emulation/emul-linux-x86-java     < 1.6.0.20     >= 1.6.0.20
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.

Impact
======

A remote attacker could exploit these vulnerabilities to cause
unspecified impact, possibly including remote execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JRE 1.6.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.20"

All Oracle JDK 1.6.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.20"

All users of the precompiled 32bit Oracle JRE 1.6.x should upgrade to
the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.20"

All Oracle JRE 1.5.x, Oracle JDK 1.5.x, and precompiled 32bit Oracle
JRE 1.5.x users are strongly advised to unmerge Java 1.5 (all 1.5
versions fall inside the vulnerable range above and will receive no
fixed release):

    # emerge --unmerge =app-emulation/emul-linux-x86-java-1.5*
    # emerge --unmerge =dev-java/sun-jre-bin-1.5*
    # emerge --unmerge =dev-java/sun-jdk-1.5*

Gentoo is ceasing support for the 1.5 generation of the Oracle Java
Platform in accordance with upstream. All 1.5 JRE versions are masked
and will be removed shortly. All 1.5 JDK versions are marked as
"build-only" and will be masked for removal shortly. Users are advised
to change their default user and system Java implementation to an
unaffected version. For example:

    # java-config --set-system-vm sun-jdk-1.6

For more information, please consult the Gentoo Linux Java
documentation.
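The Resolution section lists the fix commands but no way to confirm afterwards that every affected package on a host is at or above the unaffected version. The following POSIX sh script is an added example, not part of the GLSA or of Gentoo's own tooling. It reads Portage's installed-package database (/var/db/pkg, the one-directory-per-installed-version layout that emerge itself maintains) and flags any dev-java/sun-jre-bin, dev-java/sun-jdk or app-emulation/emul-linux-x86-java install below 1.6.0.20, which covers the 1.5.x installs the advisory says to unmerge as well as stale 1.6.x ones. The version comparison assumes plain dotted versions with an optional -rN revision, which is all these three packages use; the function and variable names, the output format and the sample database used in testing are this example's own.

```shell
#!/bin/sh
# Added example, not part of GLSA 201006-18: check installed Gentoo Java
# packages against the advisory's "Unaffected" versions.
#
# Portage records every installed package as a directory
#   <pkgdb>/<category>/<name>-<version>[-r<rev>]/
# under /var/db/pkg, so the check needs no network and no running emerge.

# Package atoms and the lowest unaffected version, taken from the
# Affected packages table of the advisory.
AFFECTED='dev-java/sun-jre-bin 1.6.0.20
dev-java/sun-jdk 1.6.0.20
app-emulation/emul-linux-x86-java 1.6.0.20'

# ver_lt A B: succeed (exit 0) when version A is older than version B.
# Assumption: plain dotted numeric versions with an optional Gentoo -rN
# revision, which is all the three packages above use. Suffixes such as
# _p1 or _beta2 are not handled and would need Portage's full rules.
ver_lt() {
    a="${1%%-r*}"; b="${2%%-r*}"          # dotted part
    ra="${1#"$a"}"; rb="${2#"$b"}"        # "" or -rN
    while [ -n "$a" ] || [ -n "$b" ]; do
        case "$a" in *.*) x="${a%%.*}"; a="${a#*.}" ;; *) x="$a"; a="" ;; esac
        case "$b" in *.*) y="${b%%.*}"; b="${b#*.}" ;; *) y="$b"; b="" ;; esac
        # a missing component counts as 0, so 1.6 compares equal to 1.6.0
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    # equal dotted parts: the revision decides, a missing -r meaning r0
    ra="${ra#-r}"; rb="${rb#-r}"
    [ "${ra:-0}" -lt "${rb:-0}" ]
}

# glsa_check PKGDB: print one line per vulnerable install found under
# PKGDB; exit 0 when nothing is vulnerable, 1 otherwise.
glsa_check() {
    db="$1"
    hits=0
    while read -r atom fixed; do
        [ -n "$atom" ] || continue
        category="${atom%/*}"; name="${atom#*/}"
        # Several versions (slots) of one package may be installed at once,
        # so every matching directory is examined, not just the first.
        for dir in "$db/$category/$name"-[0-9]*; do
            [ -d "$dir" ] || continue        # glob matched nothing
            pvr="${dir##*/}"                 # e.g. sun-jdk-1.6.0.20-r1
            ver="${pvr#"$name"-}"
            if ver_lt "$ver" "$fixed"; then
                printf '%s/%s vulnerable (unaffected: >=%s-%s)\n' \
                    "$category" "$pvr" "$atom" "$fixed"
                hits=$((hits + 1))
            fi
        done
    done <<EOF
$AFFECTED
EOF
    [ "$hits" -eq 0 ]
}

# Stand-alone use: sh glsa-201006-18-check.sh /var/db/pkg
if [ $# -ge 1 ]; then
    glsa_check "$1"
    exit $?
fi
```

A non-zero exit means at least one vulnerable install was found, which makes the script usable from a cron job or configuration-management check after the emerge runs above. It inspects installed package versions only; whether a 1.5 VM is still selected as the system or a user's VM is a separate question, which `java-config -L` answers and the `java-config --set-system-vm` step above addresses.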

References
==========

  [ 1 ] CVE-2009-3555
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
  [ 2 ] CVE-2010-0082
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082
  [ 3 ] CVE-2010-0084
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084
  [ 4 ] CVE-2010-0085
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085
  [ 5 ] CVE-2010-0087
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087
  [ 6 ] CVE-2010-0088
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088
  [ 7 ] CVE-2010-0089
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089
  [ 8 ] CVE-2010-0090
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090
  [ 9 ] CVE-2010-0091
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091
  [ 10 ] CVE-2010-0092
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092
  [ 11 ] CVE-2010-0093
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093
  [ 12 ] CVE-2010-0094
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094
  [ 13 ] CVE-2010-0095
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095
  [ 14 ] CVE-2010-0837
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837
  [ 15 ] CVE-2010-0838
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838
  [ 16 ] CVE-2010-0839
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839
  [ 17 ] CVE-2010-0840
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840
  [ 18 ] CVE-2010-0841
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841
  [ 19 ] CVE-2010-0842
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842
  [ 20 ] CVE-2010-0843
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843
  [ 21 ] CVE-2010-0844
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844
  [ 22 ] CVE-2010-0845
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845
  [ 23 ] CVE-2010-0846
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846
  [ 24 ] CVE-2010-0847
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847
  [ 25 ] CVE-2010-0848
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848
  [ 26 ] CVE-2010-0849
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849
  [ 27 ] CVE-2010-0850
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850
  [ 28 ] CVE-2010-0886
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886
  [ 29 ] CVE-2010-0887
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0887
  [ 30 ] Gentoo Linux Java documentation
         http://www.gentoo.org/doc/en/java.xml#doc_chap4
  [ 31 ] Oracle Java SE and Java for Business Critical Patch Update
         Advisory - March 2010
         http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Attachment: signature.asc (application/pgp-signature)