Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200506-14 ] Sun and Blackdown Java: Applet privilege escalation
Date: Sun, 19 Jun 2005 16:54:24
Message-Id: 200506191830.49336.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200506-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Sun and Blackdown Java: Applet privilege escalation
Date: June 19, 2005
Bugs: #96092, #96229
ID: 200506-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Sun's and Blackdown's JDK or JRE may allow untrusted applets to elevate
their privileges.

Background
==========

Sun and Blackdown both provide implementations of the Java Development
Kit (JDK) and Java Runtime Environment (JRE).

Affected packages
=================

-------------------------------------------------------------------
     Package                      /  Vulnerable  /      Unaffected
-------------------------------------------------------------------
  1  dev-java/sun-jdk                < 1.4.2.08          >= 1.4.2.08
  2  dev-java/sun-jre-bin            < 1.4.2.08          >= 1.4.2.08
  3  dev-java/blackdown-jdk          < 1.4.2.02          >= 1.4.2.02
  4  dev-java/blackdown-jre          < 1.4.2.02          >= 1.4.2.02
-------------------------------------------------------------------
     4 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Description
===========

Both Sun's and Blackdown's JDK and JRE may allow untrusted applets to
elevate privileges.

Impact
======

A remote attacker could embed a malicious Java applet in a web page and
entice a victim to view it. This applet can then bypass security
restrictions and execute any command or access any file with the rights
of the user running the web browser.

Workaround
==========

There are no known workarounds at this time.

Resolution
==========

All Sun JDK users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.08"

All Sun JRE users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.08"

All Blackdown JDK users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/blackdown-jdk-1.4.2.02"

All Blackdown JRE users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.02"

Note to SPARC users: There is no stable secure Blackdown Java for the
SPARC architecture. Affected users should remove the package until a
SPARC package is released.
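The following script is an added check, not part of this advisory or of Gentoo's tooling. It takes the "Unaffected" thresholds from the table above and reports which installed atoms still fall below them, so an administrator can confirm the emerge commands in the Resolution actually took effect. It assumes its input is newline-separated "category/pkg-version[-rN]" atoms (the shape `qlist -Iv` prints; the sample below is constructed, not captured from a real system) and compares versions as dot-separated integers, which is a deliberate simplification of Portage's version algorithm that is sufficient for the 1.4.2.xx versions in this advisory.

```sh
#!/bin/sh
# Added example for GLSA 200506-14; not part of the advisory or of Gentoo's
# tooling. Lists installed atoms that are below the advisory's "Unaffected"
# versions and names the upgrade from the Resolution section.
#
# Assumptions (hypothetical, for illustration):
#  - input is newline-separated "category/pkg-version[-rN]" atoms, the
#    shape `qlist -Iv` (app-portage/portage-utils) prints; the sample
#    below is constructed, not captured from a real host;
#  - versions are compared as dot-separated integers. That suffices for
#    the 1.4.2.xx versions here but is NOT the full Portage algorithm
#    (no _rc/_p/_beta suffixes, no letter suffixes).

# Thresholds copied from the advisory's "Affected packages" table:
# "category/package  first-unaffected-version".
GLSA_200506_14='dev-java/sun-jdk 1.4.2.08
dev-java/sun-jre-bin 1.4.2.08
dev-java/blackdown-jdk 1.4.2.02
dev-java/blackdown-jre 1.4.2.02'

# dec N: print N without leading zeros, so "08" is read as 8 and never as
# an invalid octal literal by the shell; an empty component counts as 0.
dec() {
    n="${1:-0}"
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n="${n#0}"; done
    printf '%s' "$n"
}

# version_lt A B: succeed (exit 0) if dot-separated version A sorts
# strictly before B; a missing component counts as 0 ("1.4.2" < "1.4.2.08").
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=$(dec "${a%%.*}"); cb=$(dec "${b%%.*}")
        # consume the component just compared
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "$ca" -lt "$cb" ]; then return 0
        elif [ "$ca" -gt "$cb" ]; then return 1
        fi
    done
    return 1   # all components equal: not strictly less
}

# vulnerable_packages INSTALLED: print one line per installed atom that is
# below the advisory threshold, as "<atom> vulnerable: emerge ...";
# print nothing if every listed package is unaffected or not covered.
vulnerable_packages() {
    printf '%s\n' "$1" | while read -r atom; do
        [ -n "$atom" ] || continue
        base="$atom"
        # drop a Gentoo revision suffix (-rN): the thresholds carry none,
        # and a revision never moves a version across a threshold
        case "$base" in *-r[0-9]*) base="${base%-r[0-9]*}" ;; esac
        name="${base%-*}"; ver="${base##*-}"
        printf '%s\n' "$GLSA_200506_14" | while read -r pkg fixed; do
            [ "$pkg" = "$name" ] || continue
            if version_lt "$ver" "$fixed"; then
                printf '%s vulnerable: emerge ">=%s-%s"\n' "$atom" "$pkg" "$fixed"
            fi
        done
    done
}

# Constructed sample (not from a real host): two vulnerable atoms, one at the
# fixed version, and one package this advisory does not cover.
SAMPLE_INSTALLED='dev-java/sun-jdk-1.4.2.07
dev-java/sun-jre-bin-1.4.2.08
dev-java/blackdown-jre-1.4.2.01-r1
dev-java/ant-core-1.6.2'

vulnerable_packages "$SAMPLE_INSTALLED"
```

On the sample this reports sun-jdk-1.4.2.07 and blackdown-jre-1.4.2.01-r1 and stays silent about the patched sun-jre-bin and about ant-core. On a live system the supported check is `glsa-check -t all` from app-portage/gentoolkit, which uses Portage's complete version comparison; the integer comparison above is the simplification the comments label it as.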

References
==========

[ 1 ] Sun Security Alert ID 101749
      http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
[ 2 ] Blackdown Java Security Advisory
      http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2005-02.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200506-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0