Diffstat (limited to 'metadata/glsa/glsa-200911-02.xml')
-rw-r--r-- | metadata/glsa/glsa-200911-02.xml | 237 |
1 files changed, 237 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-200911-02.xml b/metadata/glsa/glsa-200911-02.xml
new file mode 100644
index 000000000000..e89f9700b6e0
--- /dev/null
+++ b/metadata/glsa/glsa-200911-02.xml
@@ -0,0 +1,237 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="200911-02">
+ <title>Sun JDK/JRE: Multiple vulnerabilities</title>
+ <synopsis>
+ Multiple vulnerabilities in the Sun JDK and JRE allow for several attacks,
+ including the remote execution of arbitrary code.
+ </synopsis>
+ <product type="ebuild">sun-jre-bin sun-jdk emul-linux-x86-java blackdown-jre blackdown-jdk</product>
+ <announced>2009-11-17</announced>
+ <revised count="01">2009-11-17</revised>
+ <bug>182824</bug>
+ <bug>231337</bug>
+ <bug>250012</bug>
+ <bug>263810</bug>
+ <bug>280409</bug>
+ <bug>291817</bug>
+ <access>remote</access>
+ <affected>
+ <package name="dev-java/sun-jre-bin" auto="yes" arch="*">
+ <unaffected range="rge">1.5.0.22</unaffected>
+ <unaffected range="ge">1.6.0.17</unaffected>
+ <vulnerable range="lt">1.6.0.17</vulnerable>
+ </package>
+ <package name="dev-java/sun-jdk" auto="yes" arch="*">
+ <unaffected range="rge">1.5.0.22</unaffected>
+ <unaffected range="ge">1.6.0.17</unaffected>
+ <vulnerable range="lt">1.6.0.17</vulnerable>
+ </package>
+ <package name="dev-java/blackdown-jre" auto="yes" arch="*">
+ <vulnerable range="le">1.4.2.03-r14</vulnerable>
+ </package>
+ <package name="dev-java/blackdown-jdk" auto="yes" arch="*">
+ <vulnerable range="le">1.4.2.03-r16</vulnerable>
+ </package>
+ <package name="app-emulation/emul-linux-x86-java" auto="yes" arch="*">
+ <unaffected range="rge">1.5.0.22</unaffected>
+ <unaffected range="ge">1.6.0.17</unaffected>
+ <vulnerable range="lt">1.6.0.17</vulnerable>
+ </package>
+ </affected>
+ <background>
+ <p>
+ The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment
+ (JRE) provide the Sun Java platform.
+ </p>
+ </background>
+ <description>
+ <p>
+ Multiple vulnerabilities have been reported in the Sun Java
+ implementation. Please review the CVE identifiers referenced below and
+ the associated Sun Alerts for details.
+ </p>
+ </description>
+ <impact type="normal">
+ <p>
+ A remote attacker could entice a user to open a specially crafted JAR
+ archive, applet, or Java Web Start application, possibly resulting in
+ the execution of arbitrary code with the privileges of the user running
+ the application. Furthermore, a remote attacker could cause a Denial of
+ Service affecting multiple services via several vectors, disclose
+ information and memory contents, write or execute local files, conduct
+ session hijacking attacks via GIFAR files, steal cookies, bypass the
+ same-origin policy, load untrusted JAR files, establish network
+ connections to arbitrary hosts and posts via several vectors, modify
+ the list of supported graphics configurations, bypass HMAC-based
+ authentication systems, escalate privileges via several vectors and
+ cause applet code to be executed with older, possibly vulnerable
+ versions of the JRE.
+ </p>
+ <p>
+ NOTE: Some vulnerabilities require a trusted environment, user
+ interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.
+ </p>
+ </impact>
+ <workaround>
+ <p>
+ There is no known workaround at this time.
+ </p>
+ </workaround>
+ <resolution>
+ <p>
+ All Sun JRE 1.5.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.5.0.22"</code>
+ <p>
+ All Sun JRE 1.6.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.17"</code>
+ <p>
+ All Sun JDK 1.5.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.5.0.22"</code>
+ <p>
+ All Sun JDK 1.6.x users should upgrade to the latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.17"</code>
+ <p>
+ All users of the precompiled 32bit Sun JRE 1.5.x should upgrade to the
+ latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.22"</code>
+ <p>
+ All users of the precompiled 32bit Sun JRE 1.6.x should upgrade to the
+ latest version:
+ </p>
+ <code>
+ # emerge --sync
+ # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.17"</code>
+ <p>
+ All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and
+ precompiled 32bit Sun JRE 1.4.x users are strongly advised to unmerge
+ Java 1.4:
+ </p>
+ <code>
+ # emerge --unmerge =app-emulation/emul-linux-x86-java-1.4*
+ # emerge --unmerge =dev-java/sun-jre-bin-1.4*
+ # emerge --unmerge =dev-java/sun-jdk-1.4*
+ # emerge --unmerge dev-java/blackdown-jdk
+ # emerge --unmerge dev-java/blackdown-jre</code>
+ <p>
+ Gentoo is ceasing support for the 1.4 generation of the Sun Java
+ Platform in accordance with upstream. All 1.4 JRE and JDK versions are
+ masked and will be removed shortly.
+ </p>
+ </resolution>
+ <references>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2086">CVE-2008-2086</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103">CVE-2008-3103</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104">CVE-2008-3104</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105">CVE-2008-3105</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106">CVE-2008-3106</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107">CVE-2008-3107</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108">CVE-2008-3108</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109">CVE-2008-3109</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110">CVE-2008-3110</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111">CVE-2008-3111</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112">CVE-2008-3112</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113">CVE-2008-3113</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114">CVE-2008-3114</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3115">CVE-2008-3115</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5339">CVE-2008-5339</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5340">CVE-2008-5340</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5341">CVE-2008-5341</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5342">CVE-2008-5342</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5343">CVE-2008-5343</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5344">CVE-2008-5344</uri>
+ <uri 
link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5345">CVE-2008-5345</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5346">CVE-2008-5346</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5347">CVE-2008-5347</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5348">CVE-2008-5348</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5349">CVE-2008-5349</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5350">CVE-2008-5350</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5351">CVE-2008-5351</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5352">CVE-2008-5352</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353">CVE-2008-5353</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5354">CVE-2008-5354</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5355">CVE-2008-5355</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5356">CVE-2008-5356</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357">CVE-2008-5357</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5358">CVE-2008-5358</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5359">CVE-2008-5359</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5360">CVE-2008-5360</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093">CVE-2009-1093</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094">CVE-2009-1094</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095">CVE-2009-1095</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096">CVE-2009-1096</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097">CVE-2009-1097</uri>
+ <uri 
link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098">CVE-2009-1098</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099">CVE-2009-1099</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100">CVE-2009-1100</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101">CVE-2009-1101</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102">CVE-2009-1102</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103">CVE-2009-1103</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104">CVE-2009-1104</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105">CVE-2009-1105</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106">CVE-2009-1106</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107">CVE-2009-1107</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409">CVE-2009-2409</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475">CVE-2009-2475</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2476">CVE-2009-2476</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670">CVE-2009-2670</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671">CVE-2009-2671</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672">CVE-2009-2672</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673">CVE-2009-2673</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2674">CVE-2009-2674</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675">CVE-2009-2675</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676">CVE-2009-2676</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689">CVE-2009-2689</uri>
+ <uri 
link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2690">CVE-2009-2690</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716">CVE-2009-2716</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718">CVE-2009-2718</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719">CVE-2009-2719</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720">CVE-2009-2720</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721">CVE-2009-2721</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722">CVE-2009-2722</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723">CVE-2009-2723</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724">CVE-2009-2724</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728">CVE-2009-3728</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3729">CVE-2009-3729</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3865">CVE-2009-3865</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3866">CVE-2009-3866</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3867">CVE-2009-3867</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3868">CVE-2009-3868</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869">CVE-2009-3869</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871">CVE-2009-3871</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3872">CVE-2009-3872</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873">CVE-2009-3873</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874">CVE-2009-3874</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875">CVE-2009-3875</uri>
+ <uri 
link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876">CVE-2009-3876</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877">CVE-2009-3877</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879">CVE-2009-3879</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880">CVE-2009-3880</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881">CVE-2009-3881</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882">CVE-2009-3882</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883">CVE-2009-3883</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884">CVE-2009-3884</uri>
+ <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3886">CVE-2009-3886</uri>
+ </references>
+ <metadata tag="submitter" timestamp="2009-04-07T06:55:57Z">
+ a3li
+ </metadata>
+ <metadata tag="bugReady" timestamp="2009-11-17T19:42:31Z">
+ a3li
+ </metadata>
+</glsa> |
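Review bot: The impact paragraph says a remote attacker could "establish network connections to arbitrary hosts and posts via several vectors", where "posts" reads as a typo for "ports"; the line should be `connections to arbitrary hosts and ports via several vectors, modify`. Separately, the document opens with `<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">`, an external DTD referenced over plain HTTP, which appears to be the convention for this advisory format rather than something this file introduces. Any tool that validates or renders these advisories should resolve that system identifier through a local catalog and parse with external entity loading disabled, since a DTD fetched from the network is the usual XXE/SSRF surface in DTD-bearing XML; that is a note for the consuming toolchain, not a change to this file.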