From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201111-02 ] Oracle JRE/JDK: Multiple vulnerabilities
Date: Sat, 05 Nov 2011 10:32:05
Message-Id: 201111051124.30530.a3li@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Oracle JRE/JDK: Multiple vulnerabilities
      Date: November 05, 2011
      Bugs: #340421, #354213, #370559, #387851
        ID: 201111-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.

Background
==========

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
provide the Oracle Java platform (formerly known as Sun Java Platform).

Affected packages
=================

    -------------------------------------------------------------------
     Package                              /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  dev-java/sun-jre-bin                      < 1.6.0.29   >= 1.6.0.29 *
  2  app-emulation/emul-linux-x86-java
                                               < 1.6.0.29   >= 1.6.0.29 *
  3  dev-java/sun-jdk                          < 1.6.0.29   >= 1.6.0.29 *
    -------------------------------------------------------------------
     NOTE: Packages marked with asterisks require manual intervention!
    -------------------------------------------------------------------
     3 affected packages
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details. The
list spans several successive Critical Patch Updates, so every 1.6.0
release older than 1.6.0.29 is affected by at least some of them.

Impact
======

A remote attacker could exploit these vulnerabilities to cause
unspecified impact, possibly including remote execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JDK 1.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"

All Oracle JRE 1.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"

All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to
the latest version:

  # emerge --sync
  # emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.6.0.29"

NOTE: As Oracle has revoked the DLJ license for its Java
implementation, these packages are fetch-restricted and can no longer
be updated automatically: emerge stops before the fetch step and prints
instructions for downloading the distribution file from Oracle by hand
and placing it in DISTDIR (/usr/portage/distfiles by default), after
which the emerge command above can be re-run. This limitation is not
present on a non-fetch-restricted implementation such as
dev-java/icedtea-bin.

References
==========

  [ 1 ] CVE-2010-3541
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
  [ 2 ] CVE-2010-3548
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
  [ 3 ] CVE-2010-3549
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
  [ 4 ] CVE-2010-3550
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3550
  [ 5 ] CVE-2010-3551
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
  [ 6 ] CVE-2010-3552
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3552
  [ 7 ] CVE-2010-3553
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
  [ 8 ] CVE-2010-3554
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
  [ 9 ] CVE-2010-3555
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3555
  [ 10 ] CVE-2010-3556
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3556
  [ 11 ] CVE-2010-3557
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
  [ 12 ] CVE-2010-3558
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3558
  [ 13 ] CVE-2010-3559
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3559
  [ 14 ] CVE-2010-3560
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3560
  [ 15 ] CVE-2010-3561
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
  [ 16 ] CVE-2010-3562
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
  [ 17 ] CVE-2010-3563
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3563
  [ 18 ] CVE-2010-3565
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
  [ 19 ] CVE-2010-3566
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
  [ 20 ] CVE-2010-3567
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
  [ 21 ] CVE-2010-3568
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
  [ 22 ] CVE-2010-3569
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
  [ 23 ] CVE-2010-3570
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3570
  [ 24 ] CVE-2010-3571
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3571
  [ 25 ] CVE-2010-3572
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3572
  [ 26 ] CVE-2010-3573
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
  [ 27 ] CVE-2010-3574
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
  [ 28 ] CVE-2010-4422
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422
  [ 29 ] CVE-2010-4447
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447
  [ 30 ] CVE-2010-4448
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
  [ 31 ] CVE-2010-4450
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
  [ 32 ] CVE-2010-4451
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451
  [ 33 ] CVE-2010-4452
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452
  [ 34 ] CVE-2010-4454
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454
  [ 35 ] CVE-2010-4462
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462
  [ 36 ] CVE-2010-4463
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463
  [ 37 ] CVE-2010-4465
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
  [ 38 ] CVE-2010-4466
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466
  [ 39 ] CVE-2010-4467
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
  [ 40 ] CVE-2010-4468
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468
  [ 41 ] CVE-2010-4469
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
  [ 42 ] CVE-2010-4470
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
  [ 43 ] CVE-2010-4471
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
  [ 44 ] CVE-2010-4472
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
  [ 45 ] CVE-2010-4473
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473
  [ 46 ] CVE-2010-4474
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474
  [ 47 ] CVE-2010-4475
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475
  [ 48 ] CVE-2010-4476
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
  [ 49 ] CVE-2011-0802
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802
  [ 50 ] CVE-2011-0814
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814
  [ 51 ] CVE-2011-0815
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
  [ 52 ] CVE-2011-0862
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
  [ 53 ] CVE-2011-0863
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863
  [ 54 ] CVE-2011-0864
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
  [ 55 ] CVE-2011-0865
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
  [ 56 ] CVE-2011-0867
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867
  [ 57 ] CVE-2011-0868
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
  [ 58 ] CVE-2011-0869
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
  [ 59 ] CVE-2011-0871
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
  [ 60 ] CVE-2011-0872
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
  [ 61 ] CVE-2011-0873
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873
  [ 62 ] CVE-2011-3389
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
  [ 63 ] CVE-2011-3516
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516
  [ 64 ] CVE-2011-3521
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
  [ 65 ] CVE-2011-3544
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
  [ 66 ] CVE-2011-3545
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545
  [ 67 ] CVE-2011-3546
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546
  [ 68 ] CVE-2011-3547
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
  [ 69 ] CVE-2011-3548
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
  [ 70 ] CVE-2011-3549
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549
  [ 71 ] CVE-2011-3550
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550
  [ 72 ] CVE-2011-3551
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
  [ 73 ] CVE-2011-3552
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
  [ 74 ] CVE-2011-3553
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
  [ 75 ] CVE-2011-3554
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
  [ 76 ] CVE-2011-3555
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555
  [ 77 ] CVE-2011-3556
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
  [ 78 ] CVE-2011-3557
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
  [ 79 ] CVE-2011-3558
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
  [ 80 ] CVE-2011-3560
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
  [ 81 ] CVE-2011-3561
         http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201111-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Attachment: signature.asc (application/pgp-signature)