[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] [ MDVSA-2011:054 ] java-1.6.0-openjdk
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] [ MDVSA-2011:054 ] java-1.6.0-openjdk
- From: security@xxxxxxxxxxxx
- Date: Sun, 27 Mar 2011 23:49:00 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:054
http://www.mandriva.com/security/
_______________________________________________________________________
Package : java-1.6.0-openjdk
Date : March 27, 2011
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been identified and fixed in
java-1.6.0-openjdk:
The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7,
1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from
the checkPermission method instead of throwing an exception in certain
circumstances, which might allow context-dependent attackers to bypass
the intended security policy by creating instances of ClassLoader
(CVE-2010-4351).
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect integrity via unknown vectors related to Networking. NOTE: the
previous information was obtained from the February 2011 CPU. Oracle
has not commented on claims from a downstream vendor that this issue
involves DNS cache poisoning by untrusted applets. (CVE-2010-4448)
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier for
Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux;
and 1.4.2_29 and earlier for Solaris and Linux allows local standalone
applications to affect confidentiality, integrity, and availability via
unknown vectors related to Launcher. NOTE: the previous information was
obtained from the February 2011 CPU. Oracle has not commented on claims
from a downstream vendor that this issue is an untrusted search path
vulnerability involving an empty LD_LIBRARY_PATH environment variable
(CVE-2010-4450).
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect confidentiality, integrity, and availability via unknown vectors
related to Swing. NOTE: the previous information was obtained from the
February 2011 CPU. Oracle has not commented on claims from a downstream
vendor that this issue is related to the lack of framework support by
AWT event dispatch, and/or clipboard access in Applets. (CVE-2010-4465)
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect confidentiality, integrity, and availability via unknown vectors
related to HotSpot. NOTE: the previous information was obtained from
the February 2011 CPU. Oracle has not commented on claims from a
downstream vendor that this issue is heap corruption related to the
Verifier and backward jsrs. (CVE-2010-4469)
Unspecified vulnerability in the Java Runtime Environment (JRE) in
Oracle Java SE and Java for Business 6 Update 23, and, and earlier
allows remote attackers to affect availability via unknown vectors
related to JAXP and unspecified APIs. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented on
claims from a downstream vendor that this issue is related to Features
set on SchemaFactory not inherited by Validator. (CVE-2010-4470)
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
and 5.0 Update 27 and earlier allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality
via unknown vectors related to 2D. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented
on claims from a downstream vendor that this issue is related to the
exposure of system properties via vectors related to Font.createFont
and exception text (CVE-2010-4471).
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier
allows remote attackers to affect availability, related to
XML Digital Signature and unspecified APIs. NOTE: the previous
information was obtained from the February 2011 CPU. Oracle has
not commented on claims from a downstream vendor that this issue
involves the replacement of the XML DSig Transform or C14N algorithm
implementations. (CVE-2010-4472)
The Double.parseDouble method in Java Runtime Environment (JRE) in
Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0
Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK,
Apache, JBossweb, and other products, allows remote attackers to cause
a denial of service via a crafted string that triggers an infinite
loop of estimations during conversion to a double-precision binary
floating-point number, as demonstrated using 2.2250738585072012e-308
(CVE-2010-4476).
IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5
does not properly verify signatures for JAR files that (1) are
partially signed or (2) signed by multiple entities, which allows
remote attackers to trick users into executing code that appears to
come from a trusted source (CVE-2011-0025).
The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in
OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain
privileges via unknown vectors related to multiple signers and the
assignment of an inappropriate security descriptor. (CVE-2011-0706)
Additionally the java-1.5.0-gcj packages were not rebuilt with the
shipped version on GCC for 2009.0 and Enterprise Server 5 which
caused problems while building the java-1.6.0-openjdk updates,
therefore rebuilt java-1.5.0-gcj packages are being provided with
this advisory as well.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0706
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
cfea90f1f20d28bf5a2f628e0a910eaa
2009.0/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
d3188bf2f1da126b4d04e920e331d831
2009.0/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
1b4994018478f335d49531d9d5e60642
2009.0/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
078af1b826c27ea3c7befc88ace7ebd5
2009.0/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
d1c6cba2035f8eada4e351310ebf7be2
2009.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
8b53c26f88092819346654a339b44622
2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
fc8af257ef8db0d37f3bfff954740c0b
2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
6cd5f5cdb27e4c8936292aef0aa5010c
2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
03fdab84535710ac263c08b3870cb062
2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
0232ce60d1d6e1072e50a13f2b416fcc
2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
fc94465e0b7e5fe50095c15726d38699
2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
79aa73d85fe13e803173a9c520ac1bd8
2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
5728fe31661213beab52fe97f9af91ad
2009.0/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
bd5a2a20d168ddcebe29bb109fea38c2
2009.0/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
a37818a53a8dbfa85d82bcf3bf83e08f
2009.0/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
ed9d1baa365606c512783863da3e0bd8
2009.0/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
b5e70c75ecc67f8f1f7f22ca55059a8b
2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
071df613e884a9faf3525661280b19d6
2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
81b79e0a8ae29c5bcff3fa6872ad52e9
2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
b5818cbad798514f02ee26c346d1e077
2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
d80e3970d9279df1f9dddd46bcb01380
2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
d72298b296819ab6791e28449d3cf475
2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
fc94465e0b7e5fe50095c15726d38699
2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
79aa73d85fe13e803173a9c520ac1bd8
2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm
Mandriva Linux 2010.0:
bbe3a5e4538edd269e8e8c846d02ec50
2010.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
825fa39b02a627993df166acad99e002
2010.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
b30390e1d4457964f60630c95b36e768
2010.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f6123d9a0852fabdf596850979b58e4d
2010.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f2ec2f80944f1f401154d2fb2c2ad64d
2010.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
68ed360de6ee490d80906fd561459faa
2010.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f7cb05087b53d464084c1d9975f914b1
2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
11e65a4c18288572327dd4c4f8841f94
2010.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
58bdac45685c3146adb44cb2c006811f
2010.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
e9dfc0bd42192c92b2a788809226ff27
2010.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
afcef69bfa7804c70df2684b2ed19634
2010.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
64ea6c5ab1b71b8a0f163aa1f7581c69
2010.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
beb768b3e0714331050baf31a8e88bc9
2010.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
f7cb05087b53d464084c1d9975f914b1
2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm
Mandriva Linux 2010.1:
c2736e4b08921bb5de8dbad3e13bb988
2010.1/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
884207fa52ea3e168710dfb3988229d5
2010.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
a0d0a86bbc5dcc9d2eff2dc2e14ae083
2010.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
dc1dd774b5eb1efb1a785b0ff4bc8f94
2010.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
41cffbd28ed3d467e465328d8369116a
2010.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
ae4064b170d4e2fcd0b4949cd53af79e
2010.1/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
f44cc336bcd85dbfd7c589b1b34e1907
2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
556d72a8cf60df24274bb49938a2791c
2010.1/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
e7e183d456383ad562cdb9da84e0f899
2010.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
035fccb2950b8a87cd4b597c866d5831
2010.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
a76c326c10b87a62be32100d0eddd75f
2010.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
09ad2b77e3c48b3e16010c8c93fa8f9b
2010.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
042beb49ddd872902a8faea3e425b792
2010.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
f44cc336bcd85dbfd7c589b1b34e1907
2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
2bf537286d1406c491061e07a73c96ec
mes5/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
fb125806cc547d2c69cf13ae67c835d5
mes5/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
657a9fb9b644be8f8a49442a8210d56a
mes5/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
fff64cbf465a2a701c248ad5cc4c89c6
mes5/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
8ba9fe5adad781d341ba764b661c8c92
mes5/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
75de95d6064fe9d552795deb0768dfca
mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
9f5ccbfff9afb405baadfc67f8173617
mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
70de70d7adaccff5397814d31bd51a96
mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
94b138e8a423f2f8c2ad137577bb4d42
mes5/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
fd7dc4b050b6e07ea7686a72c2704ccd
mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
2899dfa5a7491a13e85736bf588913d9
mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
4fc6e8041b5a93a3a71082fb1cbead26
mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
11c7cdc078dcd9cf30e818f4fb4c4e1f
mes5/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
6c6185f429a1672255e30cf00c2af065
mes5/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
f194361aa7a5cfeec17745f0ee158962
mes5/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
7d2679d156a618d7ba847ba2ebcede4b
mes5/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
8ae3d0065764f69d1546a61b895a4244
mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
8ef4ab6f5f8f421c1b36dfae807350a5
mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
d504a7493fc86d5750c849f738bb6167
mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
3c044a087cc5225fd9ad138dcea5fa7d
mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
b89fa5785567340525aa5b57c8b9440c
mes5/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
3dc504dbf7161b1026bf41298118a819
mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
2899dfa5a7491a13e85736bf588913d9
mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
4fc6e8041b5a93a3a71082fb1cbead26
mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNj4A1mqjQ0CJFipgRAqd9AKDH+zN9xFfcPlQmGWMRSOqb+xjI4QCfbvvt
DHgr6vgcxh6XXAElZkDBIws=
=7L47
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/