Message-Id: <E1O76Pt-0007Ni-GB@titan.mandriva.com>
Date: Wed, 28 Apr 2010 14:31:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:084 ] java-1.6.0-openjdk


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:084
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : java-1.6.0-openjdk
 Date    : April 28, 2010
 Affected: 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple Java OpenJDK security vulnerabilities have been identified
 and fixed:
 
 - TLS: MITM attacks via session renegotiation (CVE-2009-3555).
 - Loader-constraint table allows arrays instead of only the
 base-classes (CVE-2010-0082).
 - Policy/PolicyFile leak dynamic ProtectionDomains. (CVE-2010-0084).
 - File TOCTOU deserialization vulnerability (CVE-2010-0085).
 - Inflater/Deflater clone issues (CVE-2010-0088).
 - Unsigned applet can retrieve the dragged information before drop
 action occurs (CVE-2010-0091).
 - AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error
 (CVE-2010-0092).
 - System.arraycopy unable to reference elements beyond
 Integer.MAX_VALUE bytes (CVE-2010-0093).
 - Deserialization of RMIConnectionImpl objects should enforce stricter
 checks (CVE-2010-0094).
 - Subclasses of InetAddress may incorrectly interpret network addresses
 (CVE-2010-0095).
 - JAR unpack200 must verify input parameters (CVE-2010-0837).
 - CMM readMabCurveData Buffer Overflow Vulnerability (CVE-2010-0838).
 - Applet Trusted Methods Chaining Privilege Escalation Vulnerability
 (CVE-2010-0840).
 - No ClassCastException for HashAttributeSet constructors if run with
 -Xcomp (CVE-2010-0845)
 - ImagingLib arbitrary code execution vulnerability (CVE-2010-0847).
 - AWT Library Invalid Index Vulnerability (CVE-2010-0848).
 
 Additional security issues that were fixed with IcedTea6 1.6.2:
 - deprecate MD2 in SSL cert validation (CVE-2009-2409).
 - ICC_Profile file existence detection information leak
 (CVE-2009-3728).
 - JRE AWT setDifflCM stack overflow (CVE-2009-3869).
 - JRE AWT setBytePixels heap overflow (CVE-2009-3871).
 - JPEG Image Writer quantization problem (CVE-2009-3873).
 - ImageI/O JPEG heap overflow (CVE-2009-3874).
 - MessageDigest.isEqual introduces timing attack vulnerabilities
 (CVE-2009-3875).
 - OpenJDK ASN.1/DER input stream parser denial of service
 (CVE-2009-3876, CVE-2009-3877)
 - GraphicsConfiguration information leak (CVE-2009-3879).
 - UI logging information leakage (CVE-2009-3880).
 - resurrected classloaders can still have children (CVE-2009-3881).
 - Numerous static security flaws in Swing (findbugs) (CVE-2009-3882).
 - Mutable statics in Windows PL&F (findbugs) (CVE-2009-3883).
 - zoneinfo file existence information leak (CVE-2009-3884).
 - BMP parsing DoS with UNC ICC links (CVE-2009-3885).
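 The MessageDigest.isEqual item above (CVE-2009-3875) is a timing
 side channel: a comparison that returns at the first mismatching byte
 runs longer the more leading bytes of a guessed MAC or digest are
 right, so an attacker who can time the check recovers it byte by byte.
 The C below is an added illustration written for this archive page,
 not OpenJDK or IcedTea code; the 8-byte tag and the two guesses are
 constructed sample inputs, and the byte-counting helper only exists to
 make the leak visible without a stopwatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not from the advisory): a secret 8-byte tag
   and two attacker guesses, one with the first four bytes right and one
   that is wrong from the first byte. */
static const uint8_t SECRET_TAG[8] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const uint8_t GUESS_HALF[8] = {0xde, 0xad, 0xbe, 0xef, 0xff, 0xff, 0xff, 0xff};
static const uint8_t GUESS_NONE[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

/* Early-exit comparison, the pattern behind the isEqual flaw: it returns
   as soon as one byte differs, so its running time depends on how many
   leading bytes of the guess were correct. */
int mac_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Constant-time comparison: every byte is visited, differences are
   OR-ed into one accumulator, and only the final accumulator decides
   the result, so the time taken does not depend on where a mismatch is. */
int mac_equal_ct(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;   /* 1 only if all n bytes matched */
}

/* How many bytes the leaky version reads before it returns; this is the
   quantity the attacker measures through timing. */
size_t leaky_bytes_inspected(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i = 0;
    while (i < n && a[i] == b[i]) i++;
    return i < n ? i + 1 : n;   /* the mismatching byte is read too */
}

int main(void) {
    printf("leaky compare read %zu bytes for the half-right guess, %zu for the all-wrong one\n",
           leaky_bytes_inspected(SECRET_TAG, GUESS_HALF, 8),
           leaky_bytes_inspected(SECRET_TAG, GUESS_NONE, 8));
    printf("constant-time compare: half-right=%d all-wrong=%d correct=%d\n",
           mac_equal_ct(SECRET_TAG, GUESS_HALF, 8),
           mac_equal_ct(SECRET_TAG, GUESS_NONE, 8),
           mac_equal_ct(SECRET_TAG, SECRET_TAG, 8));
    return 0;
}
```

 Two caveats for real code: the lengths must be compared without an
 early exit as well (or be public, as with a fixed-size MAC), and an
 optimising compiler is free to rewrite mac_equal_ct back into an
 early-exit loop, which is why production code reaches for a library
 routine that is maintained for this purpose rather than a hand-written
 loop.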
 
 Additionally Paulo Cesar Pereira de Andrade (pcpa) at Mandriva found
 and fixed a bug in IcedTea6 1.8 that is also applied to the provided
 packages:
 
 * plugin/icedteanp/IcedTeaNPPlugin.cc
   (plugin_filter_environment): Increment malloc size by one to
   account for NULL terminator. Bug# 474.
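 The ChangeLog entry above describes a classic one-byte heap overflow:
 a buffer sized strlen(s) receives a copy of s, so the terminating '\0'
 lands one byte past the allocation. The C below is an added
 illustration for this page, not the IcedTea plugin code; it shows an
 environment-filtering routine written with the corrected size. The
 function and variable names, the choice of LD_PRELOAD as the entry to
 drop, and the three-entry sample environment are all assumptions made
 for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a copy of s needs: its characters plus the terminating '\0'.
   Allocating strlen(s) instead of this value is the off-by-one that
   the plugin_filter_environment fix corrects. */
size_t copy_size(const char *s) {
    return strlen(s) + 1;
}

/* Release an array produced by filter_environment(). */
void free_environment(char **env) {
    if (!env) return;
    for (char **e = env; *e; e++) free(*e);
    free(env);
}

/* Number of entries in a NULL-terminated environment array. */
size_t environment_count(char *const *env) {
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

/* 1 if entry ("NAME=value") has exactly the given NAME. */
static int entry_has_name(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Copy a NULL-terminated environment array, dropping entries whose NAME
   appears in 'drop' (itself NULL-terminated). Each kept string gets a
   buffer of copy_size() bytes, so the terminator is inside the allocation. */
char **filter_environment(char *const *envp, const char *const *drop) {
    size_t count = 0;
    for (char *const *e = envp; *e; e++) count++;

    /* +1 here is for the terminating NULL pointer of the new array. */
    char **out = calloc(count + 1, sizeof *out);
    if (!out) return NULL;

    size_t kept = 0;
    for (char *const *e = envp; *e; e++) {
        int skip = 0;
        for (const char *const *d = drop; *d; d++)
            if (entry_has_name(*e, *d)) { skip = 1; break; }
        if (skip) continue;

        size_t size = copy_size(*e);          /* strlen + 1, not strlen */
        char *copy = malloc(size);
        if (!copy) { free_environment(out); return NULL; }
        memcpy(copy, *e, size);               /* copies the '\0' as well */
        out[kept++] = copy;
    }
    return out;   /* calloc already left out[kept] == NULL */
}

/* Constructed sample (assumption, not from the advisory): an environment
   containing an LD_PRELOAD entry that a plugin host would strip before
   spawning a JVM. Returns 0 when the result is as expected, otherwise the
   number of the check that failed. */
int demo(void) {
    char *envp[] = {"PATH=/usr/bin", "LD_PRELOAD=/tmp/evil.so", "HOME=/home/user", NULL};
    const char *drop[] = {"LD_PRELOAD", NULL};

    char **out = filter_environment(envp, drop);
    if (!out) return 1;
    int rc = 0;
    if (environment_count(out) != 2) rc = 2;
    else if (strcmp(out[0], "PATH=/usr/bin") != 0) rc = 3;
    else if (strcmp(out[1], "HOME=/home/user") != 0) rc = 4;
    free_environment(out);
    return rc;
}

int main(void) {
    int rc = demo();
    printf("filter_environment demo: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

 The bug is easy to miss in review because a one-byte overflow of a
 malloc'd block rarely crashes immediately; it corrupts heap metadata
 or the first byte of the next chunk and fails later, which is why
 building with an address sanitizer or running under a heap checker
 during testing is the practical way to catch this class of defect.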
 
 Packages for 2009.0 are provided due to the Extended Maintenance
 Program.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848
 http://article.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/8938
 http://blogs.sun.com/darcy/resource/OpenJDK_6/openjdk6-b18-changes-summary.html
 http://icedtea.classpath.org/hg/release/icedtea6-1.8/rev/a6a02193b073
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 37c14ebea4b3ceccbecba4ffea2630a6  2009.0/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.i586.rpm
 3f7ba1d78aaf5f1ca56e86fcb48e7192  2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.0.i586.rpm
 12963efa8b4ea6691ba68f4e72e81e5d  2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.0.i586.rpm
 6387d4381c518c5658701c114c5fcb9d  2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.0.i586.rpm
 f90d2a22c10b6eb30aedef13207d346c  2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.0.i586.rpm
 01e62b54974a3d1b5232de0baa196e41  2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.0.i586.rpm 
 212262f34829af20e53fb2076fa78d25  2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 630941e679a033285ddf5cb3e4c1d092  2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm
 6330c6dda9cf7c59a90f529bceeee17b  2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm
 c7d708c5f14d710a6bdcc352bb18a55a  2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm
 edf4b1d8efeb157bb0f19b4c4cc55935  2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm
 ac9f8227297249940b1845f3ad95165f  2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm
 d1ed0ce1155c85c423d0cbe47eadfa5b  2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm 
 212262f34829af20e53fb2076fa78d25  2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 304bc2cab18b29781bfac69d4927ddce  2009.1/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.i586.rpm
 77f0d2e2b2c04288a5aae608a2f73f1a  2009.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.1.i586.rpm
 7ff7542b4328fd978725f8e0b02590d9  2009.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.1.i586.rpm
 3d1bf214209ea3aef86b58962e80901e  2009.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.1.i586.rpm
 f52cf5f8d3f85b98da246963d583f6bc  2009.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.1.i586.rpm
 87b2fd7ac9883e624e71faa993559e78  2009.1/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.1.i586.rpm 
 0ff2ca4dfc122a3538349ed2dab6ed81  2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 883105d4347bb0864c7c73e4f0865066  2009.1/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm
 ac44d41806625e0be7a55ff30bf1f0e7  2009.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm
 67db7247fbf1b5be5391f33603b9148c  2009.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm
 0b6e7a93df49306976453daf29a29d96  2009.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm
 67e679d7aa4545a968889dcbb1a3fa8e  2009.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm
 4042e3ae7e3b2dbdcba0e73aadd219d5  2009.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm 
 0ff2ca4dfc122a3538349ed2dab6ed81  2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 f3c1bb7b091d5889a856edf93e066367  2010.0/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.i586.rpm
 7f717091a34f98e9547c698bf08065f5  2010.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2010.0.i586.rpm
 21b8532c934559100b0dbc498ba3c52e  2010.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2010.0.i586.rpm
 8711fdef27cce9af73191903f85dbcd6  2010.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2010.0.i586.rpm
 1905269f878bb1c6367dedc6797f6914  2010.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2010.0.i586.rpm
 c5f53d24770de6704f00fdf34c87a703  2010.0/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2010.0.i586.rpm 
 b789ff663963ae8b60a0d189b870907c  2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 100203d38e76348f262d69d2cae8a7ba  2010.0/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm
 f155019a4a22d7bf7265c67024dcbc33  2010.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm
 8eaf304d6eb93212d1045adc301de385  2010.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm
 2e2082bd89db22cf5fa4be2ebaceb71c  2010.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm
 3e7a1849db88a8b8ddcdf30441edfcb7  2010.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm
 fbc9da5e2080972f6f8c01f23e86890f  2010.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm 
 b789ff663963ae8b60a0d189b870907c  2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.src.rpm

 Mandriva Enterprise Server 5:
 742a7a6dcc82962a132eadb91a2b1736  mes5/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm
 3acd32ccd1fee71f07ccb4b038434ffd  mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm
 c3358ac84dbc950752655fee46fd5e4b  mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm
 a30ef6b33fd9ba1403ab46ef9643efdb  mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm
 534f95a18c4798ec80cdfe47bd1148a8  mes5/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm
 e79e4bd9462096222f5b07d681b3d418  mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm 
 0bc580c8d4d6e57cbee939bf68743170  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 180566f92a5564c747c716ecdf082c8f  mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm
 5e05d90fe32dfce7b15db7d9e5604227  mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm
 09506c689ed0265023861e006fbcb624  mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm
 c9ff4a3a4695c56b13268d76c355cfbe  mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm
 0a70a54c2eed68e723cbc65de63bfbff  mes5/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm
 166c980a8479cd915f3507070c25508e  mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm 
 0bc580c8d4d6e57cbee939bf68743170  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFL1/vUmqjQ0CJFipgRAlcyAJ9+2v53cztdo8nXoixp0vg0IuQjrACbB/vW
+oOtru3I2iYRjlx04fi7wMw=
=rIwa
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/