Oracle JRE/JDK: Multiple vulnerabilities The Oracle JDK and JRE are vulnerable to multiple unspecified vulnerabilities. sun-jre-bin sun-jdk emul-linux-x86-java June 04, 2010 June 04, 2010: 01 306579 314531 remote 1.6.0.20 1.6.0.20 1.6.0.20 1.6.0.20 1.6.0.20 1.6.0.20

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform).

Multiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below and the associated Oracle Critical Patch Update Advisory for details.

A remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code.

There is no known workaround at this time.

All Oracle JRE 1.6.x users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.20"

All Oracle JDK 1.6.x users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.20"

All users of the precompiled 32bit Oracle JRE 1.6.x should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.20"

All Oracle JRE 1.5.x, Oracle JDK 1.5.x, and precompiled 32bit Oracle JRE 1.5.x users are strongly advised to unmerge Java 1.5:

# emerge --unmerge =app-emulation/emul-linux-x86-java-1.5* # emerge --unmerge =dev-java/sun-jre-bin-1.5* # emerge --unmerge =dev-java/sun-jdk-1.5*

Gentoo is ceasing support for the 1.5 generation of the Oracle Java Platform in accordance with upstream. All 1.5 JRE versions are masked and will be removed shortly. All 1.5 JDK versions are marked as "build-only" and will be masked for removal shortly. Users are advised to change their default user and system Java implementation to an unaffected version. For example:

# java-config --set-system-vm sun-jdk-1.6

For more information, please consult the Gentoo Linux Java documentation.

CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085 CVE-2010-0087 CVE-2010-0088 CVE-2010-0089 CVE-2010-0090 CVE-2010-0091 CVE-2010-0092 CVE-2010-0093 CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0845 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849 CVE-2010-0850 CVE-2010-0886 CVE-2010-0887 Gentoo Linux Java documentation Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010 a3li a3li a3li