Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201111-02 ] Oracle JRE/JDK: Multiple vulnerabilities
Date: Sat, 05 Nov 2011 10:32:05
Message-Id: 201111051124.30530.a3li@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Oracle JRE/JDK: Multiple vulnerabilities
      Date: November 05, 2011
      Bugs: #340421, #354213, #370559, #387851
        ID: 201111-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in the Oracle JRE/JDK, the
worst of which may allow remote execution of arbitrary code.

Background
==========

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
provide the Oracle Java platform (formerly known as Sun Java Platform).

Affected packages
=================

  -------------------------------------------------------------------
   Package                            /  Vulnerable  /   Unaffected
  -------------------------------------------------------------------
1  dev-java/sun-jre-bin                  < 1.6.0.29     >= 1.6.0.29 *
2  app-emulation/emul-linux-x86-java     < 1.6.0.29     >= 1.6.0.29 *
3  dev-java/sun-jdk                      < 1.6.0.29     >= 1.6.0.29 *
  -------------------------------------------------------------------
   NOTE: Packages marked with asterisks require manual intervention!
  -------------------------------------------------------------------
   3 affected packages
  -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.

Impact
======

A remote attacker could exploit these vulnerabilities to cause an
unspecified impact, possibly including remote execution of arbitrary
code. In the typical scenario a user is exposed by loading an untrusted
Java applet or Java Web Start application, for example from a malicious
web page, so browser-facing installations are the most urgent to update.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JDK 1.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"

All Oracle JRE 1.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"

All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to
the latest version:

  # emerge --sync
  # emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.6.0.29"

NOTE: As Oracle has revoked the DLJ (Operating System Distributor
License for Java) for its Java implementation, these packages are
fetch-restricted: Portage cannot download the Oracle installer itself,
so the upgrade stops and prints instructions to obtain the file from
Oracle manually and place it in DISTDIR before re-running emerge. This
limitation is not present on a non-fetch-restricted implementation
such as dev-java/icedtea-bin.
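
As an added example, not part of GLSA 201111-02 or of Gentoo's own
tooling, the following POSIX shell script checks a list of installed
package atoms against the advisory's unaffected version (1.6.0.29) for
the three affected packages and reports which ones still need the
upgrade above. The list of installed atoms is constructed for the
example; on a real system the same strings are the directory names under
/var/db/pkg. The version comparison assumes the simple dotted-numeric
versions these packages use and drops a trailing Gentoo -rN revision,
which does not change the result of a "< 1.6.0.29" comparison.

```shell
#!/bin/sh
# Added example: audit installed atoms against GLSA 201111-02.
# Not part of the advisory or of Gentoo's tooling.

# Unaffected version from the advisory table (same for all three packages).
GLSA_FIXED_VERSION=1.6.0.29

# version_lt A B: return 0 when dotted-numeric version A is older than B.
# Components are compared as integers, so 1.6.0.9 < 1.6.0.29 holds
# (a plain string comparison would get this wrong).
version_lt() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        if [ -z "$a" ]; then a=0; fi
        if [ -z "$b" ]; then b=0; fi
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 1
}

# check_atom CATEGORY/PKG-VERSION: print a verdict, return 0 if vulnerable.
# A trailing Gentoo revision (-rN) is stripped first; the advisory's
# "< 1.6.0.29" bound applies to the base version either way.
check_atom() {
    base=${1%-r[0-9]*}
    pkg=${base%-*}
    ver=${base##*-}
    case $pkg in
        dev-java/sun-jre-bin|dev-java/sun-jdk|app-emulation/emul-linux-x86-java)
            if version_lt "$ver" "$GLSA_FIXED_VERSION"; then
                echo "VULNERABLE  $1 (upgrade to >= $GLSA_FIXED_VERSION)"
                return 0
            fi
            echo "ok          $1"
            return 1 ;;
        *)
            echo "not covered $1"
            return 1 ;;
    esac
}

# count_vulnerable LIST: run check_atom over a whitespace-separated list
# of atoms and print how many are vulnerable.
count_vulnerable() {
    n=0
    for atom in $1; do
        if check_atom "$atom" >/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample of installed atoms (stand-in for the /var/db/pkg
# listing): one fixed, two vulnerable (one with a revision), one package
# the advisory does not cover.
SAMPLE_INSTALLED="dev-java/sun-jdk-1.6.0.26
dev-java/sun-jre-bin-1.6.0.29
app-emulation/emul-linux-x86-java-1.6.0.22-r1
dev-java/icedtea-bin-6.1.10.4"

# Stand-alone run: one verdict per atom, then a summary count.
for atom in $SAMPLE_INSTALLED; do
    check_atom "$atom" || true
done
echo "vulnerable atoms: $(count_vulnerable "$SAMPLE_INSTALLED")"
```

To run it against a real installation, replace SAMPLE_INSTALLED with the
installed package directories, for example
`ls -d /var/db/pkg/dev-java/* /var/db/pkg/app-emulation/* | sed 's|^/var/db/pkg/||'`,
and treat a non-zero count as "upgrade required". The script only knows
the three atoms in the advisory's table, so an unrelated package such as
dev-java/icedtea-bin is reported as "not covered" rather than "ok".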

References
==========

  [ 1 ] CVE-2010-3541
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
  [ 2 ] CVE-2010-3548
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
  [ 3 ] CVE-2010-3549
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
  [ 4 ] CVE-2010-3550
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3550
  [ 5 ] CVE-2010-3551
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
  [ 6 ] CVE-2010-3552
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3552
  [ 7 ] CVE-2010-3553
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
  [ 8 ] CVE-2010-3554
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
  [ 9 ] CVE-2010-3555
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3555
  [ 10 ] CVE-2010-3556
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3556
  [ 11 ] CVE-2010-3557
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
  [ 12 ] CVE-2010-3558
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3558
  [ 13 ] CVE-2010-3559
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3559
  [ 14 ] CVE-2010-3560
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3560
  [ 15 ] CVE-2010-3561
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
  [ 16 ] CVE-2010-3562
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
  [ 17 ] CVE-2010-3563
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3563
  [ 18 ] CVE-2010-3565
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
  [ 19 ] CVE-2010-3566
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
  [ 20 ] CVE-2010-3567
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
  [ 21 ] CVE-2010-3568
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
  [ 22 ] CVE-2010-3569
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
  [ 23 ] CVE-2010-3570
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3570
  [ 24 ] CVE-2010-3571
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3571
  [ 25 ] CVE-2010-3572
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3572
  [ 26 ] CVE-2010-3573
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
  [ 27 ] CVE-2010-3574
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
  [ 28 ] CVE-2010-4422
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422
  [ 29 ] CVE-2010-4447
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447
  [ 30 ] CVE-2010-4448
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
  [ 31 ] CVE-2010-4450
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
  [ 32 ] CVE-2010-4451
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451
  [ 33 ] CVE-2010-4452
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452
  [ 34 ] CVE-2010-4454
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454
  [ 35 ] CVE-2010-4462
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462
  [ 36 ] CVE-2010-4463
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463
  [ 37 ] CVE-2010-4465
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
  [ 38 ] CVE-2010-4466
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466
  [ 39 ] CVE-2010-4467
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
  [ 40 ] CVE-2010-4468
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468
  [ 41 ] CVE-2010-4469
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
  [ 42 ] CVE-2010-4470
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
  [ 43 ] CVE-2010-4471
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
  [ 44 ] CVE-2010-4472
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
  [ 45 ] CVE-2010-4473
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473
  [ 46 ] CVE-2010-4474
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474
  [ 47 ] CVE-2010-4475
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475
  [ 48 ] CVE-2010-4476
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
  [ 49 ] CVE-2011-0802
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802
  [ 50 ] CVE-2011-0814
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814
  [ 51 ] CVE-2011-0815
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
  [ 52 ] CVE-2011-0862
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
  [ 53 ] CVE-2011-0863
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863
  [ 54 ] CVE-2011-0864
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
  [ 55 ] CVE-2011-0865
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
  [ 56 ] CVE-2011-0867
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867
  [ 57 ] CVE-2011-0868
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
  [ 58 ] CVE-2011-0869
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
  [ 59 ] CVE-2011-0871
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
  [ 60 ] CVE-2011-0872
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
  [ 61 ] CVE-2011-0873
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873
  [ 62 ] CVE-2011-3389
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
  [ 63 ] CVE-2011-3516
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516
  [ 64 ] CVE-2011-3521
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
  [ 65 ] CVE-2011-3544
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
  [ 66 ] CVE-2011-3545
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545
  [ 67 ] CVE-2011-3546
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546
  [ 68 ] CVE-2011-3547
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
  [ 69 ] CVE-2011-3548
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
  [ 70 ] CVE-2011-3549
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549
  [ 71 ] CVE-2011-3550
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550
  [ 72 ] CVE-2011-3551
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
  [ 73 ] CVE-2011-3552
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
  [ 74 ] CVE-2011-3553
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
  [ 75 ] CVE-2011-3554
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
  [ 76 ] CVE-2011-3555
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555
  [ 77 ] CVE-2011-3556
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
  [ 78 ] CVE-2011-3557
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
  [ 79 ] CVE-2011-3558
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
  [ 80 ] CVE-2011-3560
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
  [ 81 ] CVE-2011-3561
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201111-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

  signature.asc (application/pgp-signature)