lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090811055445.GK7316@outflux.net>
Date: Mon, 10 Aug 2009 22:54:45 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-814-1] openjdk-6 vulnerabilities

===========================================================
Ubuntu Security Notice USN-814-1            August 11, 2009
openjdk-6 vulnerabilities
CVE-2009-0217, CVE-2009-2475, CVE-2009-2476, CVE-2009-2625,
CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673,
CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2690
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  icedtea6-plugin                 6b12-0ubuntu6.5
  openjdk-6-jre                   6b12-0ubuntu6.5
  openjdk-6-jre-lib               6b12-0ubuntu6.5

Ubuntu 9.04:
  icedtea6-plugin                 6b14-1.4.1-0ubuntu11
  openjdk-6-jre                   6b14-1.4.1-0ubuntu11
  openjdk-6-jre-lib               6b14-1.4.1-0ubuntu11

After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.

Details follow:

It was discovered that the XML HMAC signature system did not
correctly check certain lengths.  If an attacker sent a truncated
HMAC, it could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)

It was discovered that certain variables could leak information.  If a
user were tricked into running a malicious Java applet, a remote attacker
could exploit this gain access to private information and potentially
run untrusted code. (CVE-2009-2475, CVE-2009-2690)

A flaw was discovered the OpenType checking.  If a user were tricked
into running a malicious Java applet, a remote attacker could bypass
access restrictions. (CVE-2009-2476)

It was discovered that the XML processor did not correctly check
recursion.  If a user or automated system were tricked into processing
a specially crafted XML, the system could crash, leading to a denial of
service. (CVE-2009-2625)

It was discovered that the Java audio subsystem did not correctly validate
certain parameters.  If a user were tricked into running an untrusted
applet, a remote attacker could read system properties.  (CVE-2009-2670)

Multiple flaws were discovered in the proxy subsystem.  If a user
were tricked into running an untrusted applet, a remote attacker could
discover local user names, obtain access to sensitive information, or
bypass socket restrictions, leading to a loss of privacy. (CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673)

Flaws were discovered in the handling of JPEG images, Unpack200 archives,
and JDK13Services.  If a user were tricked into running an untrusted
applet, a remote attacker could load a specially crafted file that would
bypass local file access protections and run arbitrary code with user
privileges. (CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)


Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.5.diff.gz
      Size/MD5:  1291365 2036bde9f3c71b58dafc7612dc78804d
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.5.dsc
      Size/MD5:     2358 01847c41f69f85e687dd0ed8c049fdec
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12.orig.tar.gz
      Size/MD5: 54363262 f3aa01206f2192464b998fb7cc550686

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b12-0ubuntu6.5_all.deb
      Size/MD5:  8469856 653355e1ce8f94aeaffe12c60861d398
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b12-0ubuntu6.5_all.deb
      Size/MD5:  4710580 f593a6254fca5a1668c847d0422cdbd7
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b12-0ubuntu6.5_all.deb
      Size/MD5: 25626358 073f5463f8ed680bd8a7562fd3dd945f
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-source-files_6b12-0ubuntu6.5_all.deb
      Size/MD5: 49155070 c12e075a52646a6389d708917efef472

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_amd64.deb
      Size/MD5:    81022 43cecad6c640c20a0b3268ae282c8a50
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_amd64.deb
      Size/MD5: 47372846 d751aea9e5b00d5341fd715ce81142a0
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_amd64.deb
      Size/MD5:  2366088 584d1f98645b73ba9487a78d9b7e75a5
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_amd64.deb
      Size/MD5:  9975740 d7fe73ef6e95a4b13f140adebc0ef1f4
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_amd64.deb
      Size/MD5: 24283634 d663c65d160821ce445f96b003a5aa22
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_amd64.deb
      Size/MD5:   241766 17b8652623624b34be1e5f6012a4636c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_i386.deb
      Size/MD5:    71520 efc731a14f2dc867d70310a952159759
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_i386.deb
      Size/MD5: 101847250 db09b5ee63bdc20ad663822ee482e9e3
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_i386.deb
      Size/MD5:  2348644 875d7540053a3082e88402ec4fe42eac
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_i386.deb
      Size/MD5:  9987626 5440a122d08bccaf51ffafa4a5a0f37a
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_i386.deb
      Size/MD5: 25366632 ceccbc28af3e9880377913cf247c0e5a
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_i386.deb
      Size/MD5:   230912 7a8a9962fac26847e86b6fefad75f39b

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_lpia.deb
      Size/MD5:    72100 7629f365dbd63697308b66d10675ced9
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_lpia.deb
      Size/MD5: 101930650 ad21d10f39e2f963a46770fd2eebd855
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_lpia.deb
      Size/MD5:  2345422 ff42a936452c10b997f69bebcbcabf40
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_lpia.deb
      Size/MD5:  9979098 d4d58ce7457ed47cbde5b981a088ba37
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_lpia.deb
      Size/MD5: 25392450 97bde9a6461a40177f69aebba1a9b58b
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_lpia.deb
      Size/MD5:   227676 c84f20c18775453c0f4357b2a644598e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_powerpc.deb
      Size/MD5:    77050 5740aba6d61974e0a026f6eeb3013bf9
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_powerpc.deb
      Size/MD5: 35898558 19b7064c15a1f67c7e5ae124c889fc29
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_powerpc.deb
      Size/MD5:  2392996 894085b0fed0994da3ace7de5127dc1c
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_powerpc.deb
      Size/MD5:  8629918 1889d7bd755b715325179e885353661c
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_powerpc.deb
      Size/MD5: 23175880 1ae119c83fad9f2c4149e121f5c03b9a
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_powerpc.deb
      Size/MD5:   255684 0450cf1cebaf4a430e02b9f46eee0722

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.5_sparc.deb
      Size/MD5:    70102 3ea0d9213bb1afd2a1cb96d1c683b199
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.5_sparc.deb
      Size/MD5: 103688618 18ddc8100c3265248fa5fd1abfd73c65
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.5_sparc.deb
      Size/MD5:  2355140 83e72fb7750a6f24972d4189cde3f0bc
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.5_sparc.deb
      Size/MD5:  9970610 ed109eef7b9db0539392b609b145ae03
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.5_sparc.deb
      Size/MD5: 25377008 af9b1d9449a43928efa2b225b2113bd3
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.5_sparc.deb
      Size/MD5:   233168 13b21b918e9b3b142af7d08bb6882fb8

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b14-1.4.1-0ubuntu11.diff.gz
      Size/MD5:  4250833 d97d0484ceb3bed407aba9e46f794b8a
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b14-1.4.1-0ubuntu11.dsc
      Size/MD5:     2414 708730addb584aba0060aa5534acbd42
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b14-1.4.1.orig.tar.gz
      Size/MD5: 65306137 071e4d08171b577d3cb35ae3a09f4cb8

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b14-1.4.1-0ubuntu11_all.deb
      Size/MD5:  8470784 bc7493fc50a5575b6aa5805ff42bc13d
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b14-1.4.1-0ubuntu11_all.deb
      Size/MD5:  4771886 23cd1c09251ed2a34d7879dca866def3
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b14-1.4.1-0ubuntu11_all.deb
      Size/MD5: 25673152 bbb76e5389b8fa0b6397765c341aa26b
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-source-files_6b14-1.4.1-0ubuntu11_all.deb
      Size/MD5: 57002484 64fab1290660fda00dda0a379bf8bfca

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5:   430874 3a03131f06a6c34ea8f1f1537655d1f5
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5:    87812 fb658d364a062bae3653637d66482f88
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5: 87537106 29a8fba73a7b49d0963c5c6e1646a3b3
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5:  2365524 a893530738b0f8f12d0029b68d24f71b
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5: 10809402 550b9b6cad86605b170d041a4a75ab41
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5: 24660014 a89cc78edbc31d2dbcd34242e0f50feb
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5:   267412 592d4af0ed6c45b77897ef720f809632
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b14-1.4.1-0ubuntu11_amd64.deb
      Size/MD5:  1779570 bd27e789263c51517f8277ca2e4bfeb7

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5:   398116 4f3daf01aff7e32bf6965073758b133e
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5:    76840 4be635b96021b1d73588292b9a0395db
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5: 149232570 ba16a4d6a2fcd0caa01b77fdf47b221f
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5:  2348268 92866c39b651bceeedb106a5af9c82ab
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5: 10815154 65ebd8f3e02956d8461cf9a8a73f24c3
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5: 25884038 5fd2aa1052a0528fbb87c08c16e57177
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5:   253254 dc14700392c209af17f7ae504b65b1d5
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b14-1.4.1-0ubuntu11_i386.deb
      Size/MD5:  1457488 295509ed90a14683e1cec72f6b49326d

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5:   405234 f7b3cdbbba1022d2dd14b92da462082f
    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5:    77322 48aaf0d901139b95d04d9df9c465c8cb
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5: 149407550 f3bc7215a54235b3d6402c27eda4ecfe
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5:  2345110 57e2359f2815ae76281a6bc6e52bc2a7
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5: 10812010 38cb312c75279105a3aee6586d634f8e
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5: 25911508 4c08ac1638c8ed34532ff9d9498f84fd
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5:   249582 230866f520357a50574f71bce2eb4e33
    http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b14-1.4.1-0ubuntu11_lpia.deb
      Size/MD5:  1443798 e41d939ed6dceb40dbf2ada9ceaf6a0c

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b14-1.4.1-0ubuntu11_powerpc.deb
      Size/MD5:   452444 33530c6a9ea1d0cae92329501565f627
    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_powerpc.deb
      Size/MD5:    82190 add7533846deb3de27850f1f5e062c42
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_powerpc.deb
      Size/MD5: 41323902 0dd5565751d09669b8f6a82709da08a2
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_powerpc.deb
      Size/MD5:  2393222 c6dd4098d764c3775137ccb4e6365cf6
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_powerpc.deb
      Size/MD5:  8650042 76e69c1ffa2af71f4da150d3aed9ee48
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_powerpc.deb
      Size/MD5: 23418626 382f06972ca3df4618e366140f870878
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_powerpc.deb
      Size/MD5:   282852 0c1db0ccd38fd2a27a85b659a3c41e7f

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b14-1.4.1-0ubuntu11_sparc.deb
      Size/MD5:    75358 bf8b1454c82566e73d616929c4955a08
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b14-1.4.1-0ubuntu11_sparc.deb
      Size/MD5: 117247650 e91e6633971c12f18fa6e3abb0dc24e1
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b14-1.4.1-0ubuntu11_sparc.deb
      Size/MD5:  2354868 6415e71c3fb5fed1c79a60f4b878d0d3
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b14-1.4.1-0ubuntu11_sparc.deb
      Size/MD5: 10818558 e1bb502255aedc6994eab01f2d67fe05
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b14-1.4.1-0ubuntu11_sparc.deb
      Size/MD5: 25884374 b2016f8819d0ee8c53e9165d6d12e039
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b14-1.4.1-0ubuntu11_sparc.deb
      Size/MD5:   255400 a30ce340f8eb073b0a0a349e672da868


Download attachment "signature.asc" of type "application/pgp-signature" (236 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ