Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200911-02 ] Sun JDK/JRE: Multiple vulnerabilities
Date: Wed, 18 Nov 2009 00:22:34
Message-Id: 20091117235948.6851a476@mail.netloc.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200911-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Sun JDK/JRE: Multiple vulnerabilities
Date: November 17, 2009
Bugs: #182824, #231337, #250012, #263810, #280409, #291817
ID: 200911-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in the Sun JDK and JRE allow for several
attacks, including the remote execution of arbitrary code.

Background
==========

The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
(JRE) provide the Sun Java platform.

Affected packages
=================

-------------------------------------------------------------------
   Package                  /  Vulnerable  /            Unaffected
-------------------------------------------------------------------
 1  sun-jre-bin                 < 1.6.0.17              *>= 1.5.0.22
                                                         >= 1.6.0.17
 2  sun-jdk                     < 1.6.0.17              *>= 1.5.0.22
                                                         >= 1.6.0.17
 3  blackdown-jre            <= 1.4.2.03-r14            Vulnerable!
 4  blackdown-jdk            <= 1.4.2.03-r16            Vulnerable!
 5  emul-linux-x86-java         < 1.6.0.17              *>= 1.5.0.22
                                                         >= 1.6.0.17
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
      to another package if one is available or wait for the
      existing packages to be marked stable by their
      architecture maintainers.
-------------------------------------------------------------------
 5 affected packages on all of their supported architectures.
-------------------------------------------------------------------
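An added example, not part of the advisory, that applies the table's ranges to a set of installed versions so an administrator can tell which installs are still affected. It assumes the asterisk in "*>= 1.5.0.22" means "fixed only within the 1.5.0.x series" (the 1.6 branch has its own bound), uses a simplified Gentoo-style version comparison rather than portage's full algorithm, and the `audit` helper and sample versions are the example's own constructions.

```python
def parse_ver(v):
    """'1.4.2.03-r14' -> ([1, 4, 2, 3], 14); a missing revision counts as r0."""
    base, _, rev = v.partition("-r")
    return [int(x) for x in base.split(".")], int(rev or 0)

def vcmp(a, b):
    """Return -1, 0 or 1 comparing Gentoo-style version strings a and b."""
    (pa, ra), (pb, rb) = parse_ver(a), parse_ver(b)
    n = max(len(pa), len(pb))  # pad the shorter version with zeros
    pa, pb = pa + [0] * (n - len(pa)), pb + [0] * (n - len(pb))
    return (pa > pb) - (pa < pb) or (ra > rb) - (ra < rb)

def in_range(installed, kind, bound):
    """lt/le/ge compare whole versions; 'rge' is the table's '*>=': same
    series as the bound (all but the last component equal) and >= it."""
    c = vcmp(installed, bound)
    if kind in ("lt", "le", "ge"):
        return {"lt": c < 0, "le": c <= 0, "ge": c >= 0}[kind]
    if kind == "rge":
        pi, pb = parse_ver(installed)[0], parse_ver(bound)[0]
        return len(pi) == len(pb) and pi[:-1] == pb[:-1] and c >= 0
    raise ValueError("unknown range kind: " + kind)

# (vulnerable ranges, unaffected ranges) as printed in the advisory table.
FIXED = [("rge", "1.5.0.22"), ("ge", "1.6.0.17")]
GLSA_200911_02 = {
    "sun-jre-bin":         ([("lt", "1.6.0.17")], FIXED),
    "sun-jdk":             ([("lt", "1.6.0.17")], FIXED),
    "emul-linux-x86-java": ([("lt", "1.6.0.17")], FIXED),
    "blackdown-jre":       ([("le", "1.4.2.03-r14")], []),  # no fixed version
    "blackdown-jdk":       ([("le", "1.4.2.03-r16")], []),  # no fixed version
}

def is_vulnerable(pkg, installed):
    """Affected if the version hits a vulnerable range and no unaffected one."""
    vulnerable, unaffected = GLSA_200911_02[pkg]
    if any(in_range(installed, k, b) for k, b in unaffected):
        return False
    return any(in_range(installed, k, b) for k, b in vulnerable)

def audit(installed):
    """{package: installed version} -> sorted list of packages still affected."""
    return sorted(p for p, v in installed.items() if is_vulnerable(p, v))

if __name__ == "__main__":
    # Constructed sample of installed versions, not data from a real system.
    sample = {"sun-jre-bin": "1.5.0.20", "sun-jdk": "1.6.0.17",
              "emul-linux-x86-java": "1.6.0.17-r1", "blackdown-jre": "1.4.2.03-r14"}
    print("still affected by GLSA 200911-02:", audit(sample))
```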

Description
===========

Multiple vulnerabilities have been reported in the Sun Java
implementation. Please review the CVE identifiers referenced below and
the associated Sun Alerts for details.

Impact
======

A remote attacker could entice a user to open a specially crafted JAR
archive, applet, or Java Web Start application, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the
same-origin policy, load untrusted JAR files, establish network
connections to arbitrary hosts and ports via several vectors, modify
the list of supported graphics configurations, bypass HMAC-based
authentication systems, escalate privileges via several vectors and
cause applet code to be executed with older, possibly vulnerable
versions of the JRE.

NOTE: Some vulnerabilities require a trusted environment, user
interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Sun JRE 1.5.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jre-bin-1.5.0.22

All Sun JRE 1.6.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jre-bin-1.6.0.17

All Sun JDK 1.5.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jdk-1.5.0.22

All Sun JDK 1.6.x users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jdk-1.6.0.17

All users of the precompiled 32-bit Sun JRE 1.5.x should upgrade to the
latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-emulation/emul-linux-x86-java-1.5.0.22

All users of the precompiled 32-bit Sun JRE 1.6.x should upgrade to the
latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =app-emulation/emul-linux-x86-java-1.6.0.17

All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and
precompiled 32-bit Sun JRE 1.4.x users are strongly advised to unmerge
Java 1.4 (the wildcard atoms are quoted so the shell does not expand
them):

# emerge --unmerge "=app-emulation/emul-linux-x86-java-1.4*"
# emerge --unmerge "=dev-java/sun-jre-bin-1.4*"
# emerge --unmerge "=dev-java/sun-jdk-1.4*"
# emerge --unmerge dev-java/blackdown-jdk
# emerge --unmerge dev-java/blackdown-jre

Gentoo is ceasing support for the 1.4 generation of the Sun Java
Platform in accordance with upstream. All 1.4 JRE and JDK versions are
masked and will be removed shortly.

References
==========

[ 1 ] CVE-2008-2086
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086
[ 2 ] CVE-2008-3103
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
[ 3 ] CVE-2008-3104
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
[ 4 ] CVE-2008-3105
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
[ 5 ] CVE-2008-3106
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
[ 6 ] CVE-2008-3107
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
[ 7 ] CVE-2008-3108
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
[ 8 ] CVE-2008-3109
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
[ 9 ] CVE-2008-3110
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
[ 10 ] CVE-2008-3111
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
[ 11 ] CVE-2008-3112
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
[ 12 ] CVE-2008-3113
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
[ 13 ] CVE-2008-3114
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
[ 14 ] CVE-2008-3115
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115
[ 15 ] CVE-2008-5339
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339
[ 16 ] CVE-2008-5340
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340
[ 17 ] CVE-2008-5341
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341
[ 18 ] CVE-2008-5342
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342
[ 19 ] CVE-2008-5343
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343
[ 20 ] CVE-2008-5344
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344
[ 21 ] CVE-2008-5345
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345
[ 22 ] CVE-2008-5346
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346
[ 23 ] CVE-2008-5347
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347
[ 24 ] CVE-2008-5348
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348
[ 25 ] CVE-2008-5349
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349
[ 26 ] CVE-2008-5350
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350
[ 27 ] CVE-2008-5351
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351
[ 28 ] CVE-2008-5352
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352
[ 29 ] CVE-2008-5353
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353
[ 30 ] CVE-2008-5354
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354
[ 31 ] CVE-2008-5355
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355
[ 32 ] CVE-2008-5356
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356
[ 33 ] CVE-2008-5357
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357
[ 34 ] CVE-2008-5358
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358
[ 35 ] CVE-2008-5359
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359
[ 36 ] CVE-2008-5360
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360
[ 37 ] CVE-2009-1093
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
[ 38 ] CVE-2009-1094
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
[ 39 ] CVE-2009-1095
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
[ 40 ] CVE-2009-1096
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
[ 41 ] CVE-2009-1097
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
[ 42 ] CVE-2009-1098
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
[ 43 ] CVE-2009-1099
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
[ 44 ] CVE-2009-1100
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
[ 45 ] CVE-2009-1101
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
[ 46 ] CVE-2009-1102
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
[ 47 ] CVE-2009-1103
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
[ 48 ] CVE-2009-1104
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
[ 49 ] CVE-2009-1105
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
[ 50 ] CVE-2009-1106
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
[ 51 ] CVE-2009-1107
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
[ 52 ] CVE-2009-2409
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
[ 53 ] CVE-2009-2475
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
[ 54 ] CVE-2009-2476
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476
[ 55 ] CVE-2009-2670
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
[ 56 ] CVE-2009-2671
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
[ 57 ] CVE-2009-2672
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
[ 58 ] CVE-2009-2673
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
[ 59 ] CVE-2009-2674
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674
[ 60 ] CVE-2009-2675
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
[ 61 ] CVE-2009-2676
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
[ 62 ] CVE-2009-2689
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689
[ 63 ] CVE-2009-2690
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690
[ 64 ] CVE-2009-2716
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
[ 65 ] CVE-2009-2718
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
[ 66 ] CVE-2009-2719
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
[ 67 ] CVE-2009-2720
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
[ 68 ] CVE-2009-2721
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
[ 69 ] CVE-2009-2722
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
[ 70 ] CVE-2009-2723
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
[ 71 ] CVE-2009-2724
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
[ 72 ] CVE-2009-3728
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
[ 73 ] CVE-2009-3729
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729
[ 74 ] CVE-2009-3865
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865
[ 75 ] CVE-2009-3866
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866
[ 76 ] CVE-2009-3867
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867
[ 77 ] CVE-2009-3868
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868
[ 78 ] CVE-2009-3869
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
[ 79 ] CVE-2009-3871
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
[ 80 ] CVE-2009-3872
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872
[ 81 ] CVE-2009-3873
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
[ 82 ] CVE-2009-3874
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
[ 83 ] CVE-2009-3875
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
[ 84 ] CVE-2009-3876
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
[ 85 ] CVE-2009-3877
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
[ 86 ] CVE-2009-3879
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
[ 87 ] CVE-2009-3880
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
[ 88 ] CVE-2009-3881
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
[ 89 ] CVE-2009-3882
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
[ 90 ] CVE-2009-3883
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
[ 91 ] CVE-2009-3884
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
[ 92 ] CVE-2009-3886
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200911-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
