"Gentoo Linux Security Advisory GLSA 200911-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Sun JDK/JRE: Multiple vulnerabilites
Date: November 17, 2009
Bugs: #182824, #231337, #250012, #263810, #280409, #291817
ID: 200911-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilites in the Sun JDK and JRE allow for several
attacks, including the remote execution of arbitrary code.
Background
==========
The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
(JRE) provide the Sun Java platform.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sun-jre-bin = 1.5.0.22
>= 1.6.0.17
2 sun-jdk = 1.5.0.22
>= 1.6.0.17
3 blackdown-jre = 1.6.0.17
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
5 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
Multiple vulnerabilites have been reported in the Sun Java
implementation. Please review the CVE identifiers referenced below and
the associated Sun Alerts for details.
Impact
======
A remote attacker could entice a user to open a specially crafted JAR
archive, applet, or Java Web Start application, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the
same-origin policy, load untrusted JAR files, establish network
connections to arbitrary hosts and posts via several vectors, modify
the list of supported graphics configurations, bypass HMAC-based
authentication systems, escalate privileges via several vectors and
cause applet code to be executed with older, possibly vulnerable
versions of the JRE.
NOTE: Some vulnerabilities require a trusted environment, user
interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Sun JRE 1.5.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jre-bin-1.5.0.22
All Sun JRE 1.6.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jre-bin-1.6.0.17
All Sun JDK 1.5.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jdk-1.5.0.22
All Sun JDK 1.6.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =dev-java/sun-jdk-1.6.0.17
All users of the precompiled 32bit Sun JRE 1.5.x should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose
=app-emulation/emul-linux-x86-java-1.5.0.22
All users of the precompiled 32bit Sun JRE 1.6.x should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose
=app-emulation/emul-linux-x86-java-1.6.0.17
All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and
precompiled 32bit Sun JRE 1.4.x users are strongly advised to unmerge
Java 1.4:
# emerge --unmerge =app-emulation/emul-linux-x86-java-1.4*
# emerge --unmerge =dev-java/sun-jre-bin-1.4*
# emerge --unmerge =dev-java/sun-jdk-1.4*
# emerge --unmerge dev-java/blackdown-jdk
# emerge --unmerge dev-java/blackdown-jre
Gentoo is ceasing support for the 1.4 generation of the Sun Java
Platform in accordance with upstream. All 1.4 JRE and JDK versions are
masked and will be removed shortly.
References
==========
[ 1 ] CVE-2008-2086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086
[ 2 ] CVE-2008-3103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
[ 3 ] CVE-2008-3104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
[ 4 ] CVE-2008-3105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
[ 5 ] CVE-2008-3106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
[ 6 ] CVE-2008-3107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
[ 7 ] CVE-2008-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
[ 8 ] CVE-2008-3109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
[ 9 ] CVE-2008-3110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
[ 10 ] CVE-2008-3111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
[ 11 ] CVE-2008-3112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
[ 12 ] CVE-2008-3113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
[ 13 ] CVE-2008-3114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
[ 14 ] CVE-2008-3115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115
[ 15 ] CVE-2008-5339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339
[ 16 ] CVE-2008-5340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340
[ 17 ] CVE-2008-5341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341
[ 18 ] CVE-2008-5342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342
[ 19 ] CVE-2008-5343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343
[ 20 ] CVE-2008-5344
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344
[ 21 ] CVE-2008-5345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345
[ 22 ] CVE-2008-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346
[ 23 ] CVE-2008-5347
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347
[ 24 ] CVE-2008-5348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348
[ 25 ] CVE-2008-5349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349
[ 26 ] CVE-2008-5350
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350
[ 27 ] CVE-2008-5351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351
[ 28 ] CVE-2008-5352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352
[ 29 ] CVE-2008-5353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353
[ 30 ] CVE-2008-5354
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354
[ 31 ] CVE-2008-5355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355
[ 32 ] CVE-2008-5356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356
[ 33 ] CVE-2008-5357
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357
[ 34 ] CVE-2008-5358
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358
[ 35 ] CVE-2008-5359
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359
[ 36 ] CVE-2008-5360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360
[ 37 ] CVE-2009-1093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
[ 38 ] CVE-2009-1094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
[ 39 ] CVE-2009-1095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
[ 40 ] CVE-2009-1096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
[ 41 ] CVE-2009-1097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
[ 42 ] CVE-2009-1098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
[ 43 ] CVE-2009-1099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
[ 44 ] CVE-2009-1100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100
[ 45 ] CVE-2009-1101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
[ 46 ] CVE-2009-1102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
[ 47 ] CVE-2009-1103
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
[ 48 ] CVE-2009-1104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
[ 49 ] CVE-2009-1105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
[ 50 ] CVE-2009-1106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
[ 51 ] CVE-2009-1107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
[ 52 ] CVE-2009-2409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
[ 53 ] CVE-2009-2475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
[ 54 ] CVE-2009-2476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476
[ 55 ] CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
[ 56 ] CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
[ 57 ] CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
[ 58 ] CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
[ 59 ] CVE-2009-2674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674
[ 60 ] CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
[ 61 ] CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
[ 62 ] CVE-2009-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689
[ 63 ] CVE-2009-2690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690
[ 64 ] CVE-2009-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716
[ 65 ] CVE-2009-2718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718
[ 66 ] CVE-2009-2719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719
[ 67 ] CVE-2009-2720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
[ 68 ] CVE-2009-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
[ 69 ] CVE-2009-2722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
[ 70 ] CVE-2009-2723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
[ 71 ] CVE-2009-2724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
[ 72 ] CVE-2009-3728
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
[ 73 ] CVE-2009-3729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729
[ 74 ] CVE-2009-3865
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865
[ 75 ] CVE-2009-3866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866
[ 76 ] CVE-2009-3867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867
[ 77 ] CVE-2009-3868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868
[ 78 ] CVE-2009-3869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
[ 79 ] CVE-2009-3871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
[ 80 ] CVE-2009-3872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872
[ 81 ] CVE-2009-3873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
[ 82 ] CVE-2009-3874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
[ 83 ] CVE-2009-3875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
[ 84 ] CVE-2009-3876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
[ 85 ] CVE-2009-3877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
[ 86 ] CVE-2009-3879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
[ 87 ] CVE-2009-3880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
[ 88 ] CVE-2009-3881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
[ 89 ] CVE-2009-3882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
[ 90 ] CVE-2009-3883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
[ 91 ] CVE-2009-3884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
[ 92 ] CVE-2009-3886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200911-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
"
.music set to reshape the online music landscapeGLSA 200910-03 Adobe Reader: Multiple vulnerabilities
This entry was posted
on 4:17 PM
.
Archives
-
▼
2009
(488)
-
▼
November
(49)
- RHSA-2009:1620-01 Moderate: bind security update
- RHSA-2009:1615-01 Moderate: xerces-j2 security update
- DSA 1942-1: New wireshark packages fix several vul...
- GLSA 200911-04 dstat: Untrusted search path
- GLSA 200911-06 PEAR Net_Traceroute: Command injec...
- DSA 1939-1: New libvorbis packages fix several vul...
- DSA 1941-1: New poppler packages fix several vulne...
- RHSA-2009:1601-01 Critical: kdelibs security update
- GLSA 200911-05 Wireshark: Multiple vulnerabilities
- USN-861-1: libvorbis vulnerabilities
- DSA 1938-1: New php-mail packages fix insufficient...
- DSA 1937-1: New gforge packages fix cross-site scr...
- DSA-1934-1: New apache2 packages fix several issues
- USN-859-1: OpenJDK vulnerabilities
- USN-860-1: Apache vulnerabilities
- RHSA-2009:1595-01 Moderate: cups security update
- RHSA-2009:1587-01 Important: kernel security and b...
- GLSA 200911-02 Sun JDK/JRE: Multiple vulnerabilites
- DSA 1936-1: New libgd2 packages fix several vulner...
- RHSA-2009:1588-02 Important: kernel security update
- DSA 1935-1: New gnutls23/gnutls26 packages fix SSL...
- RHSA-2009:1585-01 Moderate: samba3x security and b...
- RHSA-2009:1584-01 Important: java-1.6.0-openjdk se...
- RHSA-2009:1580-02 Moderate: httpd security update
- DSA 1933-1: New cups packages fix cross-site scrip...
- USN-858-1: OpenLDAP vulnerability
- DSA 1932-1: New pidgin packages fix arbitrary code...
- RHSA-2009:1582-01 Critical: java-1.6.0-ibm securit...
- RHSA-2009:1561-01 Important: libvorbis security up...
- RHSA-2009:1562-01 Important: tomcat security update
- USN-853-2: Firefox and Xulrunner regression
- USN-854-1: GD library vulnerabilities
- DSA 1928-1: New Linux 2.6.24 packages fix several ...
- RHSA-2009:1540-01 Important: kernel-rt security, b...
- RHSA-2009:1550-01 Important: kernel security and b...
- RHSA-2009:1541-01 Important: kernel security update
- USN-850-3: poppler vulnerabilities
- DSA 1927-1: New Linux 2.6.26 packages fix several ...
- USN-855-1: libhtml-parser-perl vulnerability
- RHSA-2009:1548-01 Important: kernel security and b...
- RHSA-2009:1530-01 Critical: firefox security update
- DSA 1924-1: New mahara packages fix several vulner...
- USN-853-1: Firefox and Xulrunner vulnerabilities
- RHSA-2009:1528-01 Moderate: samba security and bug...
- RHSA-2009:1531-01 Critical: seamonkey security update
- DSA 1922-1: New xulrunner packages fix several vul...
- DSA 1923-1: New libhtml-parser-perl packages fix d...
- RHSA-2009:1535-01 Moderate: pidgin security update
- DSA 1921-1: New expat packages fix denial of service
-
▼
November
(49)