- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                         GLSA 200804-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Sun JDK/JRE: Multiple vulnerabilities
      Date: April 17, 2008
      Bugs: #178851, #178962, #183580, #185256, #194711, #212425
        ID: 200804-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been identified in Sun Java Development
Kit (JDK) and Java Runtime Environment (JRE).

Background
==========

The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
(JRE) provide the Sun Java platform.

Affected packages
=================

    -------------------------------------------------------------------
     Package                             /  Vulnerable  /   Unaffected
    -------------------------------------------------------------------
  1  dev-java/sun-jre-bin                   < 1.6.0.05     >= 1.6.0.05
                                                          *>= 1.5.0.15
                                                          *>= 1.4.2.17
  2  dev-java/sun-jdk                       < 1.6.0.05     >= 1.6.0.05
                                                          *>= 1.5.0.15
                                                          *>= 1.4.2.17
  3  app-emulation/emul-linux-x86-java      < 1.6.0.05     >= 1.6.0.05
                                                          *>= 1.5.0.15
                                                          *>= 1.4.2.17
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in Sun Java:

  * Daniel Soeder discovered that a long codebase attribute string in a
    JNLP file will overflow a stack variable when launched by Java
    WebStart (CVE-2007-3655).

  * Multiple vulnerabilities (CVE-2007-2435, CVE-2007-2788,
    CVE-2007-2789) that were previously reported as GLSA 200705-23 and
    GLSA 200706-08 also affect 1.4 and 1.6 SLOTs, which was not mentioned
    in the initial revision of said GLSAs.

  * The Zero Day Initiative, TippingPoint and John Heasman reported
    multiple buffer overflows and unspecified vulnerabilities in Java Web
    Start (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191).

  * Hisashi Kojima of Fujitsu and JPCERT/CC reported a security issue
    when performing XSLT transformations (CVE-2008-1187).

  * CERT/CC reported a stack-based buffer overflow in Java Web Start
    when using JNLP files (CVE-2008-1196).

  * Azul Systems reported an unspecified vulnerability that allows
    applets to escalate their privileges (CVE-2007-5689).

  * Billy Rios, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz,
    Weidong Shao, and David Byrne discovered multiple instances where
    Java applets or JavaScript programs run within browsers do not pin
    DNS hostnames to a single IP address, allowing for DNS rebinding
    attacks (CVE-2007-5232, CVE-2007-5273, CVE-2007-5274).

  * Peter Csepely reported that Java Web Start does not properly
    enforce access restrictions for untrusted applications
    (CVE-2007-5237, CVE-2007-5238).

  * Java Web Start does not properly enforce access restrictions for
    untrusted Java applications and applets when handling drag-and-drop
    operations (CVE-2007-5239).

  * Giorgio Maone discovered that warnings for untrusted code can be
    hidden under applications' windows (CVE-2007-5240).

  * Fujitsu reported two security issues where security restrictions of
    web applets and applications were not properly enforced
    (CVE-2008-1185, CVE-2008-1186).

  * John Heasman of NGSSoftware discovered that the Java Plug-in does
    not properly enforce the same origin policy (CVE-2008-1192).

  * Chris Evans of the Google Security Team discovered multiple
    unspecified vulnerabilities within the Java Runtime Environment Image
    Parsing Library (CVE-2008-1193, CVE-2008-1194).

  * Gregory Fleischer reported that web content fetched via the "jar:"
    protocol was not subject to network access restrictions
    (CVE-2008-1195).

  * Chris Evans and Johannes Henkel of the Google Security Team
    reported that the XML parsing code retrieves external entities even
    when that feature is disabled (CVE-2008-0628).

  * Multiple unspecified vulnerabilities might allow for escalation of
    privileges (CVE-2008-0657).

Impact
======

A remote attacker could entice a user to run a specially crafted applet
on a website or start an application in Java Web Start to execute
arbitrary code outside of the Java sandbox and of the Java security
restrictions with the privileges of the user running Java. The attacker
could also obtain sensitive information, create, modify, rename and
read local files, execute local applications, establish connections in
the local network, bypass the same origin policy, and cause a Denial of
Service via multiple vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Sun JRE users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose "dev-java/sun-jre-bin"

All Sun JDK users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose "dev-java/sun-jdk"

All emul-linux-x86-java users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose "app-emulation/emul-linux-x86-java"

References
==========

  [ 1 ] CVE-2007-2435
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2435
  [ 2 ] CVE-2007-2788
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
  [ 3 ] CVE-2007-2789
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
  [ 4 ] CVE-2007-3655
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3655
  [ 5 ] CVE-2007-5232
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5232
  [ 6 ] CVE-2007-5237
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5237
  [ 7 ] CVE-2007-5238
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5238
  [ 8 ] CVE-2007-5239
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5239
  [ 9 ] CVE-2007-5240
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5240
  [ 10 ] CVE-2007-5273
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5273
  [ 11 ] CVE-2007-5274
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5274
  [ 12 ] CVE-2007-5689
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5689
  [ 13 ] CVE-2008-0628
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0628
  [ 14 ] CVE-2008-0657
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0657
  [ 15 ] CVE-2008-1185
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1185
  [ 16 ] CVE-2008-1186
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1186
  [ 17 ] CVE-2008-1187
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1187
  [ 18 ] CVE-2008-1188
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1188
  [ 19 ] CVE-2008-1189
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1189
  [ 20 ] CVE-2008-1190
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1190
  [ 21 ] CVE-2008-1191
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1191
  [ 22 ] CVE-2008-1192
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1192
  [ 23 ] CVE-2008-1193
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1193
  [ 24 ] CVE-2008-1194
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1194
  [ 25 ] CVE-2008-1195
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1195
  [ 26 ] CVE-2008-1196
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1196
  [ 27 ] GLSA 200705-23
         http://www.gentoo.org/security/en/glsa/glsa-200705-23.xml
  [ 28 ] GLSA 200706-08
         http://www.gentoo.org/security/en/glsa/glsa-200706-08.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200804-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5