237 lines
14 KiB
XML
237 lines
14 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
|
|
<glsa id="200911-02">
|
|
<title>Sun JDK/JRE: Multiple vulnerabilities</title>
|
|
<synopsis>
|
|
Multiple vulnerabilities in the Sun JDK and JRE allow for several attacks,
|
|
including the remote execution of arbitrary code.
|
|
</synopsis>
|
|
<product type="ebuild">sun-jre-bin sun-jdk emul-linux-x86-java blackdown-jre blackdown-jdk</product>
|
|
<announced>2009-11-17</announced>
|
|
<revised count="01">2009-11-17</revised>
|
|
<bug>182824</bug>
|
|
<bug>231337</bug>
|
|
<bug>250012</bug>
|
|
<bug>263810</bug>
|
|
<bug>280409</bug>
|
|
<bug>291817</bug>
|
|
<access>remote</access>
|
|
<affected>
|
|
<package name="dev-java/sun-jre-bin" auto="yes" arch="*">
|
|
<unaffected range="rge">1.5.0.22</unaffected>
|
|
<unaffected range="ge">1.6.0.17</unaffected>
|
|
<vulnerable range="lt">1.6.0.17</vulnerable>
|
|
</package>
|
|
<package name="dev-java/sun-jdk" auto="yes" arch="*">
|
|
<unaffected range="rge">1.5.0.22</unaffected>
|
|
<unaffected range="ge">1.6.0.17</unaffected>
|
|
<vulnerable range="lt">1.6.0.17</vulnerable>
|
|
</package>
|
|
<package name="dev-java/blackdown-jre" auto="yes" arch="*">
|
|
<vulnerable range="le">1.4.2.03-r14</vulnerable>
|
|
</package>
|
|
<package name="dev-java/blackdown-jdk" auto="yes" arch="*">
|
|
<vulnerable range="le">1.4.2.03-r16</vulnerable>
|
|
</package>
|
|
<package name="app-emulation/emul-linux-x86-java" auto="yes" arch="*">
|
|
<unaffected range="rge">1.5.0.22</unaffected>
|
|
<unaffected range="ge">1.6.0.17</unaffected>
|
|
<vulnerable range="lt">1.6.0.17</vulnerable>
|
|
</package>
|
|
</affected>
|
|
<background>
|
|
<p>
|
|
The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
|
|
(JRE) provide the Sun Java platform.
|
|
</p>
|
|
</background>
|
|
<description>
|
|
<p>
|
|
Multiple vulnerabilities have been reported in the Sun Java
|
|
implementation. Please review the CVE identifiers referenced below and
|
|
the associated Sun Alerts for details.
|
|
</p>
|
|
</description>
|
|
<impact type="normal">
|
|
<p>
|
|
A remote attacker could entice a user to open a specially crafted JAR
|
|
archive, applet, or Java Web Start application, possibly resulting in
|
|
the execution of arbitrary code with the privileges of the user running
|
|
the application. Furthermore, a remote attacker could cause a Denial of
|
|
Service affecting multiple services via several vectors, disclose
|
|
information and memory contents, write or execute local files, conduct
|
|
session hijacking attacks via GIFAR files, steal cookies, bypass the
|
|
same-origin policy, load untrusted JAR files, establish network
|
|
connections to arbitrary hosts and posts via several vectors, modify
|
|
the list of supported graphics configurations, bypass HMAC-based
|
|
authentication systems, escalate privileges via several vectors and
|
|
cause applet code to be executed with older, possibly vulnerable
|
|
versions of the JRE.
|
|
</p>
|
|
<p>
|
|
NOTE: Some vulnerabilities require a trusted environment, user
|
|
interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.
|
|
</p>
|
|
</impact>
|
|
<workaround>
|
|
<p>
|
|
There is no known workaround at this time.
|
|
</p>
|
|
</workaround>
|
|
<resolution>
|
|
<p>
|
|
All Sun JRE 1.5.x users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.5.0.22"</code>
|
|
<p>
|
|
All Sun JRE 1.6.x users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.17"</code>
|
|
<p>
|
|
All Sun JDK 1.5.x users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.5.0.22"</code>
|
|
<p>
|
|
All Sun JDK 1.6.x users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.17"</code>
|
|
<p>
|
|
All users of the precompiled 32bit Sun JRE 1.5.x should upgrade to the
|
|
latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.22"</code>
|
|
<p>
|
|
All users of the precompiled 32bit Sun JRE 1.6.x should upgrade to the
|
|
latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.17"</code>
|
|
<p>
|
|
All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and
|
|
precompiled 32bit Sun JRE 1.4.x users are strongly advised to unmerge
|
|
Java 1.4:
|
|
</p>
|
|
<code>
|
|
# emerge --unmerge =app-emulation/emul-linux-x86-java-1.4*
|
|
# emerge --unmerge =dev-java/sun-jre-bin-1.4*
|
|
# emerge --unmerge =dev-java/sun-jdk-1.4*
|
|
# emerge --unmerge dev-java/blackdown-jdk
|
|
# emerge --unmerge dev-java/blackdown-jre</code>
|
|
<p>
|
|
Gentoo is ceasing support for the 1.4 generation of the Sun Java
|
|
Platform in accordance with upstream. All 1.4 JRE and JDK versions are
|
|
masked and will be removed shortly.
|
|
</p>
|
|
</resolution>
|
|
<references>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086">CVE-2008-2086</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103">CVE-2008-3103</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104">CVE-2008-3104</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105">CVE-2008-3105</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106">CVE-2008-3106</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107">CVE-2008-3107</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108">CVE-2008-3108</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109">CVE-2008-3109</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110">CVE-2008-3110</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111">CVE-2008-3111</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112">CVE-2008-3112</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113">CVE-2008-3113</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114">CVE-2008-3114</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115">CVE-2008-3115</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339">CVE-2008-5339</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340">CVE-2008-5340</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341">CVE-2008-5341</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342">CVE-2008-5342</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343">CVE-2008-5343</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344">CVE-2008-5344</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345">CVE-2008-5345</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346">CVE-2008-5346</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347">CVE-2008-5347</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348">CVE-2008-5348</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349">CVE-2008-5349</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350">CVE-2008-5350</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351">CVE-2008-5351</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352">CVE-2008-5352</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353">CVE-2008-5353</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354">CVE-2008-5354</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355">CVE-2008-5355</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356">CVE-2008-5356</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357">CVE-2008-5357</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358">CVE-2008-5358</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359">CVE-2008-5359</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360">CVE-2008-5360</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093">CVE-2009-1093</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094">CVE-2009-1094</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095">CVE-2009-1095</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096">CVE-2009-1096</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097">CVE-2009-1097</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098">CVE-2009-1098</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099">CVE-2009-1099</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100">CVE-2009-1100</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101">CVE-2009-1101</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102">CVE-2009-1102</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103">CVE-2009-1103</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104">CVE-2009-1104</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105">CVE-2009-1105</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106">CVE-2009-1106</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107">CVE-2009-1107</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409">CVE-2009-2409</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475">CVE-2009-2475</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476">CVE-2009-2476</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670">CVE-2009-2670</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671">CVE-2009-2671</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672">CVE-2009-2672</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673">CVE-2009-2673</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674">CVE-2009-2674</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675">CVE-2009-2675</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676">CVE-2009-2676</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689">CVE-2009-2689</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690">CVE-2009-2690</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716">CVE-2009-2716</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718">CVE-2009-2718</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719">CVE-2009-2719</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720">CVE-2009-2720</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721">CVE-2009-2721</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722">CVE-2009-2722</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723">CVE-2009-2723</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724">CVE-2009-2724</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728">CVE-2009-3728</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729">CVE-2009-3729</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865">CVE-2009-3865</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866">CVE-2009-3866</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867">CVE-2009-3867</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868">CVE-2009-3868</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869">CVE-2009-3869</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871">CVE-2009-3871</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872">CVE-2009-3872</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873">CVE-2009-3873</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874">CVE-2009-3874</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875">CVE-2009-3875</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876">CVE-2009-3876</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877">CVE-2009-3877</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879">CVE-2009-3879</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880">CVE-2009-3880</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881">CVE-2009-3881</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882">CVE-2009-3882</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883">CVE-2009-3883</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884">CVE-2009-3884</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886">CVE-2009-3886</uri>
|
|
</references>
|
|
<metadata tag="submitter" timestamp="2009-04-07T06:55:57Z">
|
|
a3li
|
|
</metadata>
|
|
<metadata tag="bugReady" timestamp="2009-11-17T19:42:31Z">
|
|
a3li
|
|
</metadata>
|
|
</glsa>
|