Diffstat (limited to 'metadata/glsa/glsa-200911-02.xml')
-rw-r--r-- metadata/glsa/glsa-200911-02.xml 237
1 files changed, 237 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200911-02.xml b/metadata/glsa/glsa-200911-02.xml
new file mode 100644
index 000000000000..e89f9700b6e0
--- /dev/null
+++ b/metadata/glsa/glsa-200911-02.xml
@@ -0,0 +1,237 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="200911-02">
+ <title>Sun JDK/JRE: Multiple vulnerabilities</title>
+ <synopsis>
+ Multiple vulnerabilities in the Sun JDK and JRE allow for several attacks,
+ including the remote execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">sun-jre-bin sun-jdk emul-linux-x86-java blackdown-jre blackdown-jdk</product>
+ <announced>2009-11-17</announced>
+ <revised count="01">2009-11-17</revised>
+ <bug>182824</bug>
+ <bug>231337</bug>
+ <bug>250012</bug>
+ <bug>263810</bug>
+ <bug>280409</bug>
+ <bug>291817</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/sun-jre-bin" auto="yes" arch="*">
+ <unaffected range="rge">1.5.0.22</unaffected>
+ <unaffected range="ge">1.6.0.17</unaffected>
+ <vulnerable range="lt">1.6.0.17</vulnerable>
+ </package>
+ <package name="dev-java/sun-jdk" auto="yes" arch="*">
+ <unaffected range="rge">1.5.0.22</unaffected>
+ <unaffected range="ge">1.6.0.17</unaffected>
+ <vulnerable range="lt">1.6.0.17</vulnerable>
+ </package>
+ <package name="dev-java/blackdown-jre" auto="yes" arch="*">
+ <vulnerable range="le">1.4.2.03-r14</vulnerable>
+ </package>
+ <package name="dev-java/blackdown-jdk" auto="yes" arch="*">
+ <vulnerable range="le">1.4.2.03-r16</vulnerable>
+ </package>
+ <package name="app-emulation/emul-linux-x86-java" auto="yes" arch="*">
+ <unaffected range="rge">1.5.0.22</unaffected>
+ <unaffected range="ge">1.6.0.17</unaffected>
+ <vulnerable range="lt">1.6.0.17</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>
+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
+ (JRE) provide the Sun Java platform.
+ </p>
+ </background>
+ <description>
+ <p>
+ Multiple vulnerabilities have been reported in the Sun Java
+ implementation. Please review the CVE identifiers referenced below and
+ the associated Sun Alerts for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>
+ A remote attacker could entice a user to open a specially crafted JAR
+ archive, applet, or Java Web Start application, possibly resulting in
+ the execution of arbitrary code with the privileges of the user running
+ the application. Furthermore, a remote attacker could cause a Denial of
+ Service affecting multiple services via several vectors, disclose
+ information and memory contents, write or execute local files, conduct
+ session hijacking attacks via GIFAR files, steal cookies, bypass the
+ same-origin policy, load untrusted JAR files, establish network
+ connections to arbitrary hosts and posts via several vectors, modify
+ the list of supported graphics configurations, bypass HMAC-based
+ authentication systems, escalate privileges via several vectors and
+ cause applet code to be executed with older, possibly vulnerable
+ versions of the JRE.
+ </p>
+ <p>
+ NOTE: Some vulnerabilities require a trusted environment, user
+ interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.
+ </p>
+ </impact>
+ <workaround>
+ <p>
+ There is no known workaround at this time.
+ </p>
+ </workaround>
+ <resolution>
+ <p>
+ All Sun JRE 1.5.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-java/sun-jre-bin-1.5.0.22"</code>
+ <p>
+ All Sun JRE 1.6.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-java/sun-jre-bin-1.6.0.17"</code>
+ <p>
+ All Sun JDK 1.5.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-java/sun-jdk-1.5.0.22"</code>
+ <p>
+ All Sun JDK 1.6.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=dev-java/sun-jdk-1.6.0.17"</code>
+ <p>
+ All users of the precompiled 32bit Sun JRE 1.5.x should upgrade to the
+ latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/emul-linux-x86-java-1.5.0.22"</code>
+ <p>
+ All users of the precompiled 32bit Sun JRE 1.6.x should upgrade to the
+ latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose "&gt;=app-emulation/emul-linux-x86-java-1.6.0.17"</code>
+ <p>
+ All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and
+ precompiled 32bit Sun JRE 1.4.x users are strongly advised to unmerge
+ Java 1.4:
+ </p>
+ <code>
+ # emerge --unmerge =app-emulation/emul-linux-x86-java-1.4*
+ # emerge --unmerge =dev-java/sun-jre-bin-1.4*
+ # emerge --unmerge =dev-java/sun-jdk-1.4*
+ # emerge --unmerge dev-java/blackdown-jdk
+ # emerge --unmerge dev-java/blackdown-jre</code>
+ <p>
+ Gentoo is ceasing support for the 1.4 generation of the Sun Java
+ Platform in accordance with upstream. All 1.4 JRE and JDK versions are
+ masked and will be removed shortly.
+ </p>
+ </resolution>
+ <references>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086">CVE-2008-2086</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103">CVE-2008-3103</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104">CVE-2008-3104</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105">CVE-2008-3105</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106">CVE-2008-3106</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107">CVE-2008-3107</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108">CVE-2008-3108</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109">CVE-2008-3109</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110">CVE-2008-3110</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111">CVE-2008-3111</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112">CVE-2008-3112</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113">CVE-2008-3113</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114">CVE-2008-3114</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115">CVE-2008-3115</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339">CVE-2008-5339</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340">CVE-2008-5340</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341">CVE-2008-5341</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342">CVE-2008-5342</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343">CVE-2008-5343</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344">CVE-2008-5344</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345">CVE-2008-5345</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346">CVE-2008-5346</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347">CVE-2008-5347</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348">CVE-2008-5348</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349">CVE-2008-5349</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350">CVE-2008-5350</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351">CVE-2008-5351</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352">CVE-2008-5352</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353">CVE-2008-5353</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354">CVE-2008-5354</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355">CVE-2008-5355</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356">CVE-2008-5356</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357">CVE-2008-5357</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358">CVE-2008-5358</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359">CVE-2008-5359</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360">CVE-2008-5360</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093">CVE-2009-1093</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094">CVE-2009-1094</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095">CVE-2009-1095</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096">CVE-2009-1096</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097">CVE-2009-1097</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098">CVE-2009-1098</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099">CVE-2009-1099</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100">CVE-2009-1100</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101">CVE-2009-1101</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102">CVE-2009-1102</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103">CVE-2009-1103</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104">CVE-2009-1104</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105">CVE-2009-1105</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106">CVE-2009-1106</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107">CVE-2009-1107</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409">CVE-2009-2409</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475">CVE-2009-2475</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476">CVE-2009-2476</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670">CVE-2009-2670</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671">CVE-2009-2671</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672">CVE-2009-2672</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673">CVE-2009-2673</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674">CVE-2009-2674</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675">CVE-2009-2675</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676">CVE-2009-2676</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689">CVE-2009-2689</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690">CVE-2009-2690</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716">CVE-2009-2716</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718">CVE-2009-2718</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719">CVE-2009-2719</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720">CVE-2009-2720</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721">CVE-2009-2721</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722">CVE-2009-2722</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723">CVE-2009-2723</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724">CVE-2009-2724</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728">CVE-2009-3728</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729">CVE-2009-3729</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865">CVE-2009-3865</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866">CVE-2009-3866</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867">CVE-2009-3867</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868">CVE-2009-3868</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869">CVE-2009-3869</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871">CVE-2009-3871</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872">CVE-2009-3872</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873">CVE-2009-3873</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874">CVE-2009-3874</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875">CVE-2009-3875</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876">CVE-2009-3876</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877">CVE-2009-3877</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879">CVE-2009-3879</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880">CVE-2009-3880</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881">CVE-2009-3881</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882">CVE-2009-3882</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883">CVE-2009-3883</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884">CVE-2009-3884</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886">CVE-2009-3886</uri>
+ </references>
+ <metadata tag="submitter" timestamp="2009-04-07T06:55:57Z">
+ a3li
+ </metadata>
+ <metadata tag="bugReady" timestamp="2009-11-17T19:42:31Z">
+ a3li
+ </metadata>
+</glsa>
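Review bot: the impact paragraph reads "establish network connections to arbitrary hosts and posts via several vectors"; this should presumably be "hosts and ports", so please correct it before the advisory is published. A smaller consistency point in the resolution: the upgrade blocks quote their package atoms (e.g. "&gt;=dev-java/sun-jre-bin-1.5.0.22"), but the unmerge block leaves the wildcard atoms unquoted (=app-emulation/emul-linux-x86-java-1.4*, =dev-java/sun-jre-bin-1.4*, =dev-java/sun-jdk-1.4*); quoting them as well avoids the shell expanding the trailing * against files in the working directory and keeps the code blocks uniform.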