Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200806-11 ] IBM JDK/JRE: Multiple vulnerabilities
Date: Wed, 25 Jun 2008 10:38:06
Message-Id: 48621F74.1090705@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200806-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: IBM JDK/JRE: Multiple vulnerabilities
Date: June 25, 2008
Bugs: #186277, #198644, #216112
ID: 200806-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in the IBM Java Development
Kit (JDK) and Java Runtime Environment (JRE), which can result in the
execution of arbitrary code.

Background
==========

The IBM Java Development Kit (JDK) and the IBM Java Runtime Environment
(JRE) provide the IBM Java platform.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  dev-java/ibm-jdk-bin       < 1.5.0.7                   >= 1.5.0.7
                                                          *>= 1.4.2.11
  2  dev-java/ibm-jre-bin       < 1.5.0.7                   >= 1.5.0.7
                                                          *>= 1.4.2.11
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Because they share the same codebase, IBM JDK and JRE are affected by
the vulnerabilities described in GLSA 200804-20.

Impact
======

A remote attacker could entice a user to run a specially crafted applet
on a website or start an application in Java Web Start to execute
arbitrary code outside the Java sandbox and the Java security
restrictions with the privileges of the user running Java. The attacker
could also obtain sensitive information, create, modify, rename and
read local files, execute local applications, establish connections in
the local network, bypass the same origin policy, and cause a Denial of
Service via multiple vectors.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All IBM JDK 1.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/ibm-jdk-bin-1.5.0.7"

All IBM JDK 1.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/ibm-jdk-bin-1.4.2.11"

All IBM JRE 1.5 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/ibm-jre-bin-1.5.0.7"

All IBM JRE 1.4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/ibm-jre-bin-1.4.2.11"
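The affected-package table above has a branch-specific exception (the 1.4 branch is fixed from 1.4.2.11 on, everything else below 1.5.0.7 is vulnerable), which is easy to get wrong in a one-line version comparison. The following check encodes that table; it is an added example, not part of the advisory, and assumes the package name and version are supplied by the caller (for instance taken from the package database) and that version components are numeric apart from an optional Gentoo `-rN` revision suffix.

```shell
#!/bin/sh
# Added example, not part of GLSA 200806-11: decide whether a given
# dev-java/ibm-jdk-bin or dev-java/ibm-jre-bin version lies in the
# ranges the "Affected packages" table marks as vulnerable.

# vercmp A B: print -1, 0 or 1 for A < B, A = B, A > B.
# Assumes dotted numeric versions; missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        [ "$a" = "$ap" ] && a="" || a="${a#*.}"
        [ "$b" = "$bp" ] && b="" || b="${b#*.}"
        if [ "${ap:-0}" -lt "${bp:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ap:-0}" -gt "${bp:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# glsa_200806_11_vulnerable PKG VERSION: return 0 (true) if vulnerable.
# Encodes the table: anything below 1.5.0.7 is vulnerable, except the
# 1.4 branch, which is fixed from 1.4.2.11 on (the "*>= 1.4.2.11" rows).
glsa_200806_11_vulnerable() {
    pkg="$1"
    ver="${2%%-r*}"    # drop the Gentoo -rN revision suffix (assumed input form)
    case "$pkg" in
        dev-java/ibm-jdk-bin|dev-java/ibm-jre-bin) ;;
        *) return 1 ;;  # package not covered by this advisory
    esac
    [ "$(vercmp "$ver" 1.5.0.7)" -lt 0 ] || return 1
    case "$ver" in
        1.4|1.4.*) [ "$(vercmp "$ver" 1.4.2.11)" -lt 0 ] ;;
        *)         return 0 ;;
    esac
}

# Constructed sample inputs (not taken from any real system).
for entry in dev-java/ibm-jdk-bin:1.5.0.6-r1 dev-java/ibm-jre-bin:1.4.2.11 \
             dev-java/ibm-jdk-bin:1.4.2.10  dev-java/ibm-jre-bin:1.5.0.7; do
    if glsa_200806_11_vulnerable "${entry%%:*}" "${entry#*:}"; then
        echo "VULNERABLE: $entry -> upgrade per GLSA 200806-11"
    else
        echo "ok:         $entry"
    fi
done
```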

References
==========

[ 1 ] GLSA 200804-20
      http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200806-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
