On Friday 26 November 2004 23:07, Venkat Manakkal wrote:
> Nasty bug: http://www.securityfocus.com/bid/8879/info/
>
> "A vulnerability has been identified in the Sun Java Virtual Machine
> packaged with JRE and SDK. This issue results in the circumvention of the
> Java Security Model, and can permit an attacker to execute arbitrary code
> on vulnerable hosts."
>
> Hushmail warns about this on their site - possible arbitrary code execution
> by browsing a hostile site with Java enabled.
>
> Upgrade to dev-java/sun-jdk-1.4.2.06 and clean - there is a downgrade
> exploit as well.
>
> I found it in bugzilla as well:
> http://bugs.gentoo.org/show_bug.cgi?id=72172
>
> So I guess a GLSA is pending.
>
> Best regards,
>
> ---Venkat.

heise.de put up a browser-check some days ago.
If it tells you that you are vulnerable, you have a problem; if it says that
you are safe, it may be a test bug.

The page is here:
http://www.heise.de/security/dienste/browsercheck/tests/java.shtml

The page is in German; the relevant part is this paragraph:

On 23.11.2004 a problem became known whereby, with Sun's Java plug-ins,
JavaScript can access Java objects and in doing so bypass the restrictions of
the sandbox. You can test this here. If clicking the link opens a window with
the message "Sie sind verwundbar" ("You are vulnerable"), you should install a
newer Java version. Sun fixed the bug in version 1.4.2_06.

click on the 'hier' and a popup will pop up.

Glück Auf
Volker


ps. konqueror 3.3.1 +java.1.5 is recognized as vulnerable - the editor of the
article/check has contacted the KDE people.

--
gentoo-security@g.o mailing list