[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090811055445.GK7316@outflux.net>
Date: Mon, 10 Aug 2009 22:54:45 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-814-1] openjdk-6 vulnerabilities
===========================================================
Ubuntu Security Notice USN-814-1 August 11, 2009
openjdk-6 vulnerabilities
CVE-2009-0217, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625,
CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673,
CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2690
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.10:
icedtea6-plugin 6b12-0ubuntu6.5
openjdk-6-jre 6b12-0ubuntu6.5
openjdk-6-jre-lib 6b12-0ubuntu6.5
Ubuntu 9.04:
icedtea6-plugin 6b14-1.4.1-0ubuntu11
openjdk-6-jre 6b14-1.4.1-0ubuntu11
openjdk-6-jre-lib 6b14-1.4.1-0ubuntu11
After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.
Details follow:
It was discovered that the XML HMAC signature system did not
correctly check certain lengths. If an attacker sent a truncated
HMAC, it could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)
It was discovered that certain variables could leak information. If a
user were tricked into running a malicious Java applet, a remote attacker
could exploit this gain access to private information and potentially
run untrusted code. (CVE-2009-2475, CVE-2009-2690)
A flaw was discovered the OpenType checking. If a user were tricked
into running a malicious Java applet, a remote attacker could bypass
access restrictions. (CVE-2009-2476)
It was discovered that the XML processor did not correctly check
recursion. If a user or automated system were tricked into processing
a specially crafted XML, the system could crash, leading to a denial of
service. (CVE-2009-2625)
It was discovered that the Java audio subsystem did not correctly validate
certain parameters. If a user were tricked into running an untrusted
applet, a remote attacker could read system properties. (CVE-2009-2670)
Multiple flaws were discovered in the proxy subsystem. If a user
were tricked into running an untrusted applet, a remote attacker could
discover local user names, obtain access to sensitive information, or
bypass socket restrictions, leading to a loss of privacy. (CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673)
Flaws were discovered in the handling of JPEG images, Unpack200 archives,
and JDK13Services. If a user were tricked into running an untrusted
applet, a remote attacker could load a specially crafted file that would
bypass local file access protections and run arbitrary code with user
privileges. (CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.5.diff.gz
Size/MD5: 1291365 2036bde9f3c71b58dafc7612dc78804d
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.5.dsc
Size/MD5: 2358 01847c41f69f85e687dd0ed8c049fdec
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12.orig.tar.gz
Size/MD5: 54363262 f3aa01206f2192464b998fb7cc550686
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b12-0ubuntu6.5_all.deb
Size/MD5: 8469856 653355e1ce8f94aeaffe12c60861d398
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b12-0ubuntu6.5_all.deb
Size/MD5: 4710580 f593a6254fca5a1668c847d0422cdbd7
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b12-0ubuntu6.5_all.deb
Size/MD5: 25626358 073f5463f8ed680bd8a7562fd3dd945f
http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-source-files_6b12-0ubuntu6.5_all.deb
Size/MD5: 49155070 c12e075a52646a6389d708917efef472
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_amd64.deb
Size/MD5: 81022 43cecad6c640c20a0b3268ae282c8a50
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_amd64.deb
Size/MD5: 47372846 d751aea9e5b00d5341fd715ce81142a0
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_amd64.deb
Size/MD5: 2366088 584d1f98645b73ba9487a78d9b7e75a5
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_amd64.deb
Size/MD5: 9975740 d7fe73ef6e95a4b13f140adebc0ef1f4
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_amd64.deb
Size/MD5: 24283634 d663c65d160821ce445f96b003a5aa22
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_amd64.deb
Size/MD5: 241766 17b8652623624b34be1e5f6012a4636c
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_i386.deb
Size/MD5: 71520 efc731a14f2dc867d70310a952159759
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_i386.deb
Size/MD5: 101847250 db09b5ee63bdc20ad663822ee482e9e3
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_i386.deb
Size/MD5: 2348644 875d7540053a3082e88402ec4fe42eac
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_i386.deb
Size/MD5: 9987626 5440a122d08bccaf51ffafa4a5a0f37a
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_i386.deb
Size/MD5: 25366632 ceccbc28af3e9880377913cf247c0e5a
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_i386.deb
Size/MD5: 230912 7a8a9962fac26847e86b6fefad75f39b
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_lpia.deb
Size/MD5: 72100 7629f365dbd63697308b66d10675ced9
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_lpia.deb
Size/MD5: 101930650 ad21d10f39e2f963a46770fd2eebd855
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_lpia.deb
Size/MD5: 2345422 ff42a936452c10b997f69bebcbcabf40
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_lpia.deb
Size/MD5: 9979098 d4d58ce7457ed47cbde5b981a088ba37
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_lpia.deb
Size/MD5: 25392450 97bde9a6461a40177f69aebba1a9b58b
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_lpia.deb
Size/MD5: 227676 c84f20c18775453c0f4357b2a644598e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_powerpc.deb
Size/MD5: 77050 5740aba6d61974e0a026f6eeb3013bf9
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_powerpc.deb
Size/MD5: 35898558 19b7064c15a1f67c7e5ae124c889fc29
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_powerpc.deb
Size/MD5: 2392996 894085b0fed0994da3ace7de5127dc1c
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_powerpc.deb
Size/MD5: 8629918 1889d7bd755b715325179e885353661c
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_powerpc.deb
Size/MD5: 23175880 1ae119c83fad9f2c4149e121f5c03b9a
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_powerpc.deb
Size/MD5: 255684 0450cf1cebaf4a430e02b9f46eee0722
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_sparc.deb
Size/MD5: 70102 3ea0d9213bb1afd2a1cb96d1c683b199
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_sparc.deb
Size/MD5: 103688618 18ddc8100c3265248fa5fd1abfd73c65
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_sparc.deb
Size/MD5: 2355140 83e72fb7750a6f24972d4189cde3f0bc
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_sparc.deb
Size/MD5: 9970610 ed109eef7b9db0539392b609b145ae03
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_sparc.deb
Size/MD5: 25377008 af9b1d9449a43928efa2b225b2113bd3
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_sparc.deb
Size/MD5: 233168 13b21b918e9b3b142af7d08bb6882fb8
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b14-1.4.1-0ubuntu11.diff.gz
Size/MD5: 4250833 d97d0484ceb3bed407aba9e46f794b8a
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b14-1.4.1-0ubuntu11.dsc
Size/MD5: 2414 708730addb584aba0060aa5534acbd42
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b14-1.4.1.orig.tar.gz
Size/MD5: 65306137 071e4d08171b577d3cb35ae3a09f4cb8
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b14-1.4.1-0ubuntu11_all.deb
Size/MD5: 8470784 bc7493fc50a5575b6aa5805ff42bc13d
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b14-1.4.1-0ubuntu11_all.deb
Size/MD5: 4771886 23cd1c09251ed2a34d7879dca866def3
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b14-1.4.1-0ubuntu11_all.deb
Size/MD5: 25673152 bbb76e5389b8fa0b6397765c341aa26b
http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-source-files_6b14-1.4.1-0ubuntu11_all.deb
Size/MD5: 57002484 64fab1290660fda00dda0a379bf8bfca
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 430874 3a03131f06a6c34ea8f1f1537655d1f5
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 87812 fb658d364a062bae3653637d66482f88
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 87537106 29a8fba73a7b49d0963c5c6e1646a3b3
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 2365524 a893530738b0f8f12d0029b68d24f71b
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 10809402 550b9b6cad86605b170d041a4a75ab41
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 24660014 a89cc78edbc31d2dbcd34242e0f50feb
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 267412 592d4af0ed6c45b77897ef720f809632
http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b14-1.4.1-0ubuntu11_amd64.deb
Size/MD5: 1779570 bd27e789263c51517f8277ca2e4bfeb7
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 398116 4f3daf01aff7e32bf6965073758b133e
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 76840 4be635b96021b1d73588292b9a0395db
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 149232570 ba16a4d6a2fcd0caa01b77fdf47b221f
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 2348268 92866c39b651bceeedb106a5af9c82ab
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 10815154 65ebd8f3e02956d8461cf9a8a73f24c3
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 25884038 5fd2aa1052a0528fbb87c08c16e57177
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 253254 dc14700392c209af17f7ae504b65b1d5
http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b14-1.4.1-0ubuntu11_i386.deb
Size/MD5: 1457488 295509ed90a14683e1cec72f6b49326d
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 405234 f7b3cdbbba1022d2dd14b92da462082f
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 77322 48aaf0d901139b95d04d9df9c465c8cb
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 149407550 f3bc7215a54235b3d6402c27eda4ecfe
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 2345110 57e2359f2815ae76281a6bc6e52bc2a7
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 10812010 38cb312c75279105a3aee6586d634f8e
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 25911508 4c08ac1638c8ed34532ff9d9498f84fd
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 249582 230866f520357a50574f71bce2eb4e33
http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b14-1.4.1-0ubuntu11_lpia.deb
Size/MD5: 1443798 e41d939ed6dceb40dbf2ada9ceaf6a0c
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_powerpc.deb
Size/MD5: 452444 33530c6a9ea1d0cae92329501565f627
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_powerpc.deb
Size/MD5: 82190 add7533846deb3de27850f1f5e062c42
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_powerpc.deb
Size/MD5: 41323902 0dd5565751d09669b8f6a82709da08a2
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_powerpc.deb
Size/MD5: 2393222 c6dd4098d764c3775137ccb4e6365cf6
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_powerpc.deb
Size/MD5: 8650042 76e69c1ffa2af71f4da150d3aed9ee48
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_powerpc.deb
Size/MD5: 23418626 382f06972ca3df4618e366140f870878
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_powerpc.deb
Size/MD5: 282852 0c1db0ccd38fd2a27a85b659a3c41e7f
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_sparc.deb
Size/MD5: 75358 bf8b1454c82566e73d616929c4955a08
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_sparc.deb
Size/MD5: 117247650 e91e6633971c12f18fa6e3abb0dc24e1
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_sparc.deb
Size/MD5: 2354868 6415e71c3fb5fed1c79a60f4b878d0d3
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_sparc.deb
Size/MD5: 10818558 e1bb502255aedc6994eab01f2d67fe05
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_sparc.deb
Size/MD5: 25884374 b2016f8819d0ee8c53e9165d6d12e039
http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_sparc.deb
Size/MD5: 255400 a30ce340f8eb073b0a0a349e672da868
Download attachment "signature.asc" of type "application/pgp-signature" (236 bytes)
Powered by blists - more mailing lists