Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-18 ] Oracle JRE/JDK: Multiple vulnerabilities
Date: Fri, 04 Jun 2010 06:11:06
Message-Id: 20100604071218.533d642a@mail.a3li.li
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201006-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Oracle JRE/JDK: Multiple vulnerabilities
      Date: June 04, 2010
      Bugs: #306579, #314531
        ID: 201006-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Oracle JDK and JRE are vulnerable to multiple unspecified
vulnerabilities.

Background
==========

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
provide the Oracle Java platform (formerly known as Sun Java Platform).

Affected packages
=================

    -------------------------------------------------------------------
     Package                              /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-java/sun-jre-bin                    < 1.6.0.20    >= 1.6.0.20
  2  dev-java/sun-jdk                        < 1.6.0.20    >= 1.6.0.20
  3  app-emulation/emul-linux-x86-java       < 1.6.0.20    >= 1.6.0.20
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------
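The affected-package table above is the check an administrator actually has to run: compare each installed version against the "Vulnerable" bound and act per the Resolution section. The following script is an added example (not part of the advisory or of Gentoo's tooling) that parses the table as printed here and classifies a constructed set of installed versions; it assumes plain dotted-numeric versions with an optional -rN revision and does not implement the rest of Gentoo's version grammar (suffixes such as _p1 or _rc1 are rejected rather than misordered).

```python
"""Classify installed package versions against a GLSA affected-package table.

Added example, not code from the advisory.  Version handling is a
deliberate simplification: dotted integers plus an optional '-rN'
revision, which is enough for the versions listed in GLSA 201006-18.
"""
import re

# The "Affected packages" table from GLSA 201006-18, embedded verbatim.
GLSA_TABLE = """\
  1  dev-java/sun-jre-bin                    < 1.6.0.20    >= 1.6.0.20
  2  dev-java/sun-jdk                        < 1.6.0.20    >= 1.6.0.20
  3  app-emulation/emul-linux-x86-java       < 1.6.0.20    >= 1.6.0.20
"""

# row number, package atom, vulnerable operator+version, unaffected operator+version
ROW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(<=|<)\s*(\S+)\s+(>=|>)\s*(\S+)\s*$")

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}


def parse_version(v):
    """'1.6.0.20-r1' -> ((1, 6, 0, 20), 1); a missing revision counts as 0.

    Tuple comparison gives the expected order for these shapes
    (1.6.0 < 1.6.0.20 < 1.6.0.20-r1).  Anything else is refused.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def parse_table(text):
    """Map package atom -> (vuln_op, vuln_ver, unaff_op, unaff_ver)."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pkg, vop, vver, uop, uver = m.groups()
            rows[pkg] = (vop, vver, uop, uver)
    return rows


def is_vulnerable(installed, vop, vver):
    return OPS[vop](parse_version(installed), parse_version(vver))


def check_installed(installed, table=GLSA_TABLE):
    """installed: {package atom: version}.

    Returns {package: (vulnerable, action)} for packages the advisory
    covers.  The action mirrors the Resolution section: upgrade to the
    unaffected bound, or unmerge for the discontinued 1.5 generation.
    """
    rows = parse_table(table)
    report = {}
    for pkg, ver in installed.items():
        if pkg not in rows:
            continue  # not covered by this advisory
        vop, vver, uop, uver = rows[pkg]
        vuln = is_vulnerable(ver, vop, vver)
        if not vuln:
            action = "no action"
        elif parse_version(ver)[0][:2] == (1, 5):
            action = f'emerge --unmerge "={pkg}-1.5*"'
        else:
            action = f'emerge --ask --oneshot --verbose "{uop}{pkg}-{uver}"'
        report[pkg] = (vuln, action)
    return report


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts), in the shape a
    # `qlist -Iv`-style listing would give after splitting atom/version.
    sample = {
        "dev-java/sun-jre-bin": "1.6.0.19",
        "dev-java/sun-jdk": "1.5.0.22",
        "app-emulation/emul-linux-x86-java": "1.6.0.20-r1",
        "dev-java/icedtea": "6.1.8",  # not in this advisory's table
    }
    for pkg, (vuln, action) in check_installed(sample).items():
        print(f"{pkg}: {'VULNERABLE' if vuln else 'ok'} -> {action}")
```

The revision handling is the edge worth noticing: a rebuilt `1.6.0.20-r1` is not less than `1.6.0.20`, so a naive string comparison against the "Vulnerable" column would misreport it, while the tuple comparison above does not.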

Description
===========

Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.

Impact
======

A remote attacker could exploit these vulnerabilities to cause
unspecified impact, possibly including remote execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JRE 1.6.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.20"

All Oracle JDK 1.6.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.20"

All users of the precompiled 32-bit Oracle JRE 1.6.x should upgrade to
the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.20"

All Oracle JRE 1.5.x, Oracle JDK 1.5.x, and precompiled 32-bit Oracle
JRE 1.5.x users are strongly advised to unmerge Java 1.5:

    # emerge --unmerge =app-emulation/emul-linux-x86-java-1.5*
    # emerge --unmerge =dev-java/sun-jre-bin-1.5*
    # emerge --unmerge =dev-java/sun-jdk-1.5*

Gentoo is ceasing support for the 1.5 generation of the Oracle Java
Platform in accordance with upstream. All 1.5 JRE versions are masked
and will be removed shortly. All 1.5 JDK versions are marked as
"build-only" and will be masked for removal shortly. Users are advised
to change their default user and system Java implementation to an
unaffected version. For example:

    # java-config --set-system-vm sun-jdk-1.6

For more information, please consult the Gentoo Linux Java
documentation.
98
References
==========

  [ 1 ] CVE-2009-3555
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
  [ 2 ] CVE-2010-0082
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082
  [ 3 ] CVE-2010-0084
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084
  [ 4 ] CVE-2010-0085
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085
  [ 5 ] CVE-2010-0087
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087
  [ 6 ] CVE-2010-0088
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088
  [ 7 ] CVE-2010-0089
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089
  [ 8 ] CVE-2010-0090
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090
  [ 9 ] CVE-2010-0091
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091
  [ 10 ] CVE-2010-0092
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092
  [ 11 ] CVE-2010-0093
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093
  [ 12 ] CVE-2010-0094
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094
  [ 13 ] CVE-2010-0095
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095
  [ 14 ] CVE-2010-0837
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837
  [ 15 ] CVE-2010-0838
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838
  [ 16 ] CVE-2010-0839
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839
  [ 17 ] CVE-2010-0840
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840
  [ 18 ] CVE-2010-0841
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841
  [ 19 ] CVE-2010-0842
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842
  [ 20 ] CVE-2010-0843
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843
  [ 21 ] CVE-2010-0844
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844
  [ 22 ] CVE-2010-0845
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845
  [ 23 ] CVE-2010-0846
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846
  [ 24 ] CVE-2010-0847
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847
  [ 25 ] CVE-2010-0848
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848
  [ 26 ] CVE-2010-0849
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849
  [ 27 ] CVE-2010-0850
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850
  [ 28 ] CVE-2010-0886
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886
  [ 29 ] CVE-2010-0887
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0887
  [ 30 ] Gentoo Linux Java documentation
        http://www.gentoo.org/doc/en/java.xml#doc_chap4
  [ 31 ] Oracle Java SE and Java for Business Critical Patch Update
         Advisory - March 2010
        http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
165
Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
