lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201111051124.30530.a3li@gentoo.org>
Date: Sat, 5 Nov 2011 11:24:29 +0100
From: Alex Legler <a3li@...too.org>
To: gentoo-announce@...ts.gentoo.org
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
  security-alerts@...uxsecurity.com
Subject: [ GLSA 201111-02 ] Oracle JRE/JDK: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Oracle JRE/JDK: Multiple vulnerabilities
     Date: November 05, 2011
     Bugs: #340421, #354213, #370559, #387851
       ID: 201111-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.

Background
==========

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
provide the Oracle Java platform (formerly known as Sun Java Platform).

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-java/sun-jre-bin        < 1.6.0.29              >= 1.6.0.29 *
  2  app-emulation/emul-linux-x86-java
                                 < 1.6.0.29              >= 1.6.0.29 *
  3  dev-java/sun-jdk            < 1.6.0.29              >= 1.6.0.29 *
    -------------------------------------------------------------------
     NOTE: Packages marked with asterisks require manual intervention!
    -------------------------------------------------------------------
     3 affected packages
    -------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.

Impact
======

A remote attacker could exploit these vulnerabilities to cause
unspecified impact, possibly including remote execution of arbitrary
code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JDK 1.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"

All Oracle JRE 1.6 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"

All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to
the latest version:

  # emerge --sync
  # emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.6.0.29"

NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
This limitation is not present on a non-fetch restricted implementation
such as dev-java/icedtea-bin.

References
==========

[  1 ] CVE-2010-3541
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
[  2 ] CVE-2010-3548
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
[  3 ] CVE-2010-3549
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
[  4 ] CVE-2010-3550
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3550
[  5 ] CVE-2010-3551
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
[  6 ] CVE-2010-3552
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3552
[  7 ] CVE-2010-3553
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
[  8 ] CVE-2010-3554
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
[  9 ] CVE-2010-3555
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3555
[ 10 ] CVE-2010-3556
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3556
[ 11 ] CVE-2010-3557
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
[ 12 ] CVE-2010-3558
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3558
[ 13 ] CVE-2010-3559
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3559
[ 14 ] CVE-2010-3560
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3560
[ 15 ] CVE-2010-3561
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
[ 16 ] CVE-2010-3562
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
[ 17 ] CVE-2010-3563
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3563
[ 18 ] CVE-2010-3565
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
[ 19 ] CVE-2010-3566
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
[ 20 ] CVE-2010-3567
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
[ 21 ] CVE-2010-3568
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
[ 22 ] CVE-2010-3569
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
[ 23 ] CVE-2010-3570
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3570
[ 24 ] CVE-2010-3571
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3571
[ 25 ] CVE-2010-3572
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3572
[ 26 ] CVE-2010-3573
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
[ 27 ] CVE-2010-3574
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
[ 28 ] CVE-2010-4422
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422
[ 29 ] CVE-2010-4447
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447
[ 30 ] CVE-2010-4448
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
[ 31 ] CVE-2010-4450
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
[ 32 ] CVE-2010-4451
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451
[ 33 ] CVE-2010-4452
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452
[ 34 ] CVE-2010-4454
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454
[ 35 ] CVE-2010-4462
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462
[ 36 ] CVE-2010-4463
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463
[ 37 ] CVE-2010-4465
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
[ 38 ] CVE-2010-4466
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466
[ 39 ] CVE-2010-4467
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
[ 40 ] CVE-2010-4468
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468
[ 41 ] CVE-2010-4469
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
[ 42 ] CVE-2010-4470
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
[ 43 ] CVE-2010-4471
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
[ 44 ] CVE-2010-4472
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
[ 45 ] CVE-2010-4473
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473
[ 46 ] CVE-2010-4474
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474
[ 47 ] CVE-2010-4475
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475
[ 48 ] CVE-2010-4476
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
[ 49 ] CVE-2011-0802
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802
[ 50 ] CVE-2011-0814
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814
[ 51 ] CVE-2011-0815
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
[ 52 ] CVE-2011-0862
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
[ 53 ] CVE-2011-0863
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863
[ 54 ] CVE-2011-0864
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
[ 55 ] CVE-2011-0865
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
[ 56 ] CVE-2011-0867
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867
[ 57 ] CVE-2011-0868
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
[ 58 ] CVE-2011-0869
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
[ 59 ] CVE-2011-0871
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
[ 60 ] CVE-2011-0872
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
[ 61 ] CVE-2011-0873
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873
[ 62 ] CVE-2011-3389
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 63 ] CVE-2011-3516
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516
[ 64 ] CVE-2011-3521
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
[ 65 ] CVE-2011-3544
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
[ 66 ] CVE-2011-3545
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545
[ 67 ] CVE-2011-3546
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546
[ 68 ] CVE-2011-3547
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
[ 69 ] CVE-2011-3548
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
[ 70 ] CVE-2011-3549
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549
[ 71 ] CVE-2011-3550
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550
[ 72 ] CVE-2011-3551
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
[ 73 ] CVE-2011-3552
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
[ 74 ] CVE-2011-3553
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
[ 75 ] CVE-2011-3554
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
[ 76 ] CVE-2011-3555
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555
[ 77 ] CVE-2011-3556
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
[ 78 ] CVE-2011-3557
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
[ 79 ] CVE-2011-3558
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
[ 80 ] CVE-2011-3560
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
[ 81 ] CVE-2011-3561
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201111-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@...too.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ