[gentoo-announce] [ GLSA 200701-15 ] Sun JDK/JRE: Multiple vulnerabilities - gentoo-announce

From:	Raphael Marichez <falco@g.o>
To:	gentoo-announce@g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200701-15 ] Sun JDK/JRE: Multiple vulnerabilities
Date:	Mon, 22 Jan 2007 23:33:36
Message-Id:	`20070122231313.GJ8994@falco.falcal.net`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200701-15

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: Sun JDK/JRE: Multiple vulnerabilities

9

      Date: January 22, 2007

10

      Bugs: #158659

11

        ID: 200701-15

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple unspecified vulnerabilities have been identified in Sun Java

19

Development Kit (JDK) and Java Runtime Environment (JRE).

20

21

Background

22

==========

23

24

The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment

25

(JRE) provide the Sun Java platform.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package               /  Vulnerable  /                 Unaffected

32

    -------------------------------------------------------------------

33

  1  dev-java/sun-jdk         < 1.4.2.13                   >= 1.4.2.13

34

                                                           >= 1.5.0.09

35

     dev-java/sun-jdk         < 1.5.0.09                   >= 1.4.2.13

36

                                                           >= 1.5.0.09

37

  2  dev-java/sun-jre-bin     < 1.4.2.13                   >= 1.4.2.13

38

                                                           >= 1.5.0.09

39

     dev-java/sun-jre-bin     < 1.5.0.09                   >= 1.4.2.13

40

                                                           >= 1.5.0.09

41

    -------------------------------------------------------------------

42

     2 affected packages on all of their supported architectures.

43

    -------------------------------------------------------------------

44

45

Description

46

===========

47

48

Chris Evans has discovered multiple buffer overflows in Sun JDK and Sun

49

JRE possibly related to various AWT or font layout functions. Tom

50

Hawtin has discovered an unspecified vulnerability in Sun JDK and Sun

51

JRE relating to unintended applet data access. He has also discovered

52

multiple other unspecified vulnerabilities in Sun JDK and Sun JRE

53

allowing unintended Java applet or application resource acquisition.

54

55

Impact

56

======

57

58

An attacker could entice a user to run a specially crafted Java applet

59

or application that could read, write, or execute local files with the

60

privileges of the user running the JVM; access data maintained in other

61

Java applets; or escalate the privileges of the currently running Java

62

applet or application allowing for unauthorized access to system

63

resources.

64

65

Workaround

66

==========

67

68

There is no known workaround at this time.

69

70

Resolution

71

==========

72

73

All Sun Java Development Kit users should upgrade to the latest

74

version:

75

76

    # emerge --sync

77

    # emerge --ask --oneshot --verbose "dev-java/sun-jdk"

78

79

All Sun Java Runtime Environment users should upgrade to the latest

80

version:

81

82

    # emerge --sync

83

    # emerge --ask --oneshot --verbose "dev-java/sun-jre-bin"

84

85

References

86

==========

87

88

  [ 1 ] CVE-2006-6731

89

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6731

90

  [ 2 ] CVE-2006-6736

91

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6736

92

  [ 3 ] CVE-2006-6737

93

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6737

94

  [ 4 ] CVE-2006-6745

95

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6745

96

97

Availability

98

============

99

100

This GLSA and any updates to it are available for viewing at

101

the Gentoo Security Website:

102

103

  http://security.gentoo.org/glsa/glsa-200701-15.xml

104

105

Concerns?

106

=========

107

108

Security is a primary focus of Gentoo Linux and ensuring the

109

confidentiality and security of our users machines is of utmost

110

importance to us. Any security concerns should be addressed to

111

security@g.o or alternatively, you may file a bug at

112

http://bugs.gentoo.org.

113

114

License

115

=======

116

117

Copyright 2007 Gentoo Foundation, Inc; referenced text

118

belongs to its owner(s).

119

120

The contents of this document are licensed under the

121

Creative Commons - Attribution / Share Alike license.

122

123

http://creativecommons.org/licenses/by-sa/2.5

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200701-15
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Sun JDK/JRE: Multiple vulnerabilities
9	Date: January 22, 2007
10	Bugs: #158659
11	ID: 200701-15
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple unspecified vulnerabilities have been identified in Sun Java
19	Development Kit (JDK) and Java Runtime Environment (JRE).
20
21	Background
22	==========
23
24	The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
25	(JRE) provide the Sun Java platform.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 dev-java/sun-jdk < 1.4.2.13 >= 1.4.2.13
34	>= 1.5.0.09
35	dev-java/sun-jdk < 1.5.0.09 >= 1.4.2.13
36	>= 1.5.0.09
37	2 dev-java/sun-jre-bin < 1.4.2.13 >= 1.4.2.13
38	>= 1.5.0.09
39	dev-java/sun-jre-bin < 1.5.0.09 >= 1.4.2.13
40	>= 1.5.0.09
41	-------------------------------------------------------------------
42	2 affected packages on all of their supported architectures.
43	-------------------------------------------------------------------
44
45	Description
46	===========
47
48	Chris Evans has discovered multiple buffer overflows in Sun JDK and Sun
49	JRE possibly related to various AWT or font layout functions. Tom
50	Hawtin has discovered an unspecified vulnerability in Sun JDK and Sun
51	JRE relating to unintended applet data access. He has also discovered
52	multiple other unspecified vulnerabilities in Sun JDK and Sun JRE
53	allowing unintended Java applet or application resource acquisition.
54
55	Impact
56	======
57
58	An attacker could entice a user to run a specially crafted Java applet
59	or application that could read, write, or execute local files with the
60	privileges of the user running the JVM; access data maintained in other
61	Java applets; or escalate the privileges of the currently running Java
62	applet or application allowing for unauthorized access to system
63	resources.
64
65	Workaround
66	==========
67
68	There is no known workaround at this time.
69
70	Resolution
71	==========
72
73	All Sun Java Development Kit users should upgrade to the latest
74	version:
75
76	# emerge --sync
77	# emerge --ask --oneshot --verbose "dev-java/sun-jdk"
78
79	All Sun Java Runtime Environment users should upgrade to the latest
80	version:
81
82	# emerge --sync
83	# emerge --ask --oneshot --verbose "dev-java/sun-jre-bin"
84
85	References
86	==========
87
88	[ 1 ] CVE-2006-6731
89	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6731
90	[ 2 ] CVE-2006-6736
91	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6736
92	[ 3 ] CVE-2006-6737
93	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6737
94	[ 4 ] CVE-2006-6745
95	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6745
96
97	Availability
98	============
99
100	This GLSA and any updates to it are available for viewing at
101	the Gentoo Security Website:
102
103	http://security.gentoo.org/glsa/glsa-200701-15.xml
104
105	Concerns?
106	=========
107
108	Security is a primary focus of Gentoo Linux and ensuring the
109	confidentiality and security of our users machines is of utmost
110	importance to us. Any security concerns should be addressed to
111	security@g.o or alternatively, you may file a bug at
112	http://bugs.gentoo.org.
113
114	License
115	=======
116
117	Copyright 2007 Gentoo Foundation, Inc; referenced text
118	belongs to its owner(s).
119
120	The contents of this document are licensed under the
121	Creative Commons - Attribution / Share Alike license.
122
123	http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce