<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>231337</bug_id>
          <alias>CVE-2008-3103</alias>
          <creation_ts>2008-07-09 20:42 0000</creation_ts>
          <short_desc>dev-java/sun-{jdk,jre-bin}|app-emulation/emul-linux-x86-java} Multiple vulnerabilities (CVE-2008-{3103,3104,3105,3106,3107,3108,3109,3110,3111,3112,3113,3114,3115})</short_desc>
          <delta_ts>2009-11-17 23:09:32 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Security</product>
          <component>Vulnerabilities</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          <bug_file_loc>http://blogs.sun.com/security/entry/advance_notification_of_security_updates2</bug_file_loc>
          <status_whiteboard>A2 [glsa]</status_whiteboard>
          
          <priority>P2</priority>
          <bug_severity>major</bug_severity>
          <target_milestone>---</target_milestone>
          
          <blocked>165270</blocked>
          <blocked>215614</blocked>
          <blocked>233652</blocked>
          
          <everconfirmed>1</everconfirmed>
          <reporter>serkan@gentoo.org</reporter>
          <assigned_to>security@gentoo.org</assigned_to>
          <cc>java@gentoo.org</cc>
          <long_desc isprivate="0">
            <who>serkan@gentoo.org</who>
            <bug_when>2008-07-09 20:42:47 0000</bug_when>
            <thetext>On July 8, 2008, Sun will release the following security updates:

    * JDK and JRE 6 Update 7
    * JDK and JRE 5.0 Update 16
    * SDK and JRE 1.4.2_18
    * SDK and JRE 1.3.1_23

The following Sun Alerts corresponding to these updates will be released following the availability of these updates.

    * 238628
    * 238666
    * 238687
    * 238905
    * 238965
    * 238966
    * 238967
    * 238968

Arches, please stabilize.
dev-java/sun-{jdk,jre-bin}-1.4.2.18
dev-java/sun-{jdk,jre-bin}-1.5.0.16
dev-java/sun-{jdk,jre-bin}-1.6.0.07
app-emulation/emul-linux-x86-java-1.4.2.18
app-emulation/emul-linux-x86-java-1.5.0.16
app-emulation/emul-linux-x86-java-1.6.0.07


Reproducible: Always</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2008-07-11 17:15:05 0000</bug_when>
            <thetext>CVE-2008-3103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3103):
  Unspecified vulnerability in the Java Management Extensions (JMX) management
  agent in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and
  earlier and JDK and JRE 5.0 Update 15 and earlier, when local monitoring is
  enabled, allows remote attackers to &quot;perform unauthorized operations&quot; via
  unspecified vectors.

CVE-2008-3104 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3104):
  Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in
  JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE
  1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote
  attackers to violate the security model for an applet&apos;s outbound connections
  by connecting to localhost services running on the machine that loaded the
  applet.

CVE-2008-3105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3105):
  Unspecified vulnerability in the JAX-WS client and service in Sun Java
  Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote
  attackers to access URLs or cause a denial of service via unknown vectors
  involving &quot;processing of XML data&quot; by a trusted application.

CVE-2008-3106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3106):
  Unspecified vulnerability in Sun Java Runtime Environment (JRE) in JDK and
  JRE 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and earlier allows
  remote attackers to access URLs via unknown vectors involving processing of
  XML data by an untrusted (1) application or (2) applet, a different
  vulnerability than CVE-2008-3105.

CVE-2008-3107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3107):
  Unspecified vulnerability in the Virtual Machine in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before
  Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows context-dependent
  attackers to gain privileges via an untrusted (1) application or (2) applet,
  as demonstrated by an application or applet that grants itself privileges to
  (a) read local files, (b) write to local files, or (c) execute local programs.

CVE-2008-3108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3108):
  Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5.0
  before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x
  before 1.3.1_23 allows context-dependent attackers to gain privileges via
  unspecified vectors related to font processing.

CVE-2008-3109 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3109):
  Unspecified vulnerability in scripting language support in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
  context-dependent attackers to gain privileges via an untrusted (1)
  application or (2) applet, as demonstrated by an application or applet that
  grants itself privileges to (a) read local files, (b) write to local files,
  or (c) execute local programs.

CVE-2008-3110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3110):
  Unspecified vulnerability in scripting language support in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote
  attackers to obtain sensitive information by using an applet to read
  information from another applet.

CVE-2008-3111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3111):
  Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6 before
  Update 4, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allow context-dependent attackers to gain privileges via an
  untrusted application, as demonstrated by an application that grants itself
  privileges to (1) read local files, (2) write to local files, or (3) execute
  local programs, aka CR 6557220.

CVE-2008-3112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3112):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before
  Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allows remote attackers to create arbitrary files via an untrusted
  application, aka CR 6703909.

CVE-2008-3113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3113):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 5.0 before
  Update 16 and SDK and JRE 1.4.x before 1.4.2_18 allows remote attackers to
  create or delete arbitrary files via an untrusted application, aka CR 6704077.

CVE-2008-3114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3114):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before
  Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allows context-dependent attackers to obtain sensitive information
  (the cache location) via an untrusted application, aka CR 6704074.

CVE-2008-3115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3115):
  Secure Static Versioning in Sun Java JDK and JRE 6 Update 6 and earlier, and
  5.0 Update 6 through 15, does not properly prevent execution of applets on
  older JRE releases, which might allow remote attackers to exploit
  vulnerabilities in these older releases.
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>rbu@gentoo.org</who>
            <bug_when>2008-07-11 17:19:13 0000</bug_when>
            <thetext>Arches, please test and mark stable:

=dev-java/sun-jdk-1.4.2.18
=dev-java/sun-jdk-1.5.0.16
=dev-java/sun-jdk-1.6.0.07
=dev-java/sun-jre-bin-1.4.2.18
=dev-java/sun-jre-bin-1.5.0.16
=dev-java/sun-jre-bin-1.6.0.07
Target keywords : &quot;amd64 x86&quot;

=app-emulation/emul-linux-x86-java-1.4.2.18
=app-emulation/emul-linux-x86-java-1.5.0.16
=app-emulation/emul-linux-x86-java-1.6.0.07
Target keywords : &quot;amd64&quot;
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>serkan@gentoo.org</who>
            <bug_when>2008-07-12 20:32:18 0000</bug_when>
            <thetext>(In reply to comment #2)
&gt; Arches, please test and mark stable:
&gt; 
&gt; =dev-java/sun-jdk-1.4.2.18
&gt; =dev-java/sun-jdk-1.5.0.16
&gt; =dev-java/sun-jdk-1.6.0.07
&gt; =dev-java/sun-jre-bin-1.4.2.18
&gt; =dev-java/sun-jre-bin-1.5.0.16
&gt; =dev-java/sun-jre-bin-1.6.0.07
&gt; Target keywords : &quot;amd64 x86&quot;
&gt; 
&gt; =app-emulation/emul-linux-x86-java-1.4.2.18
&gt; =app-emulation/emul-linux-x86-java-1.5.0.16
&gt; =app-emulation/emul-linux-x86-java-1.6.0.07
&gt; Target keywords : &quot;amd64&quot;
&gt; 

=dev-java/sun-jdk-1.4.2.18
=dev-java/sun-jre-bin-1.4.2.18

are x86 only.
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>ken69267@gentoo.org</who>
            <bug_when>2008-07-12 21:42:30 0000</bug_when>
            <thetext>amd64 done</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>fauli@gentoo.org</who>
            <bug_when>2008-07-16 11:23:20 0000</bug_when>
            <thetext>x86 stable</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>caster@gentoo.org</who>
            <bug_when>2008-07-18 08:06:18 0000</bug_when>
            <thetext>All arches done. GLSA?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>a3li@gentoo.org</who>
            <bug_when>2009-11-17 23:09:32 0000</bug_when>
            <thetext>GLSA 200911-02</thetext>
          </long_desc>
      
    </bug>

</bugzilla>