Bug 231337 - dev-java/sun-{jdk,jre-bin}|app-emulation/emul-linux-x86-java} Multiple vulnerabilities (CVE-2008-{3103,3104,3105,3106,3107,3108,3109,3110,3111,3112,3113,3114,3115})
Bug#: 231337 (CVE-2008-3103) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: serkan@gentoo.org
Component: Vulnerabilities
URL:  http://blogs.sun.com/security/entry/advance_notification_of_security_updates2
Summary: dev-java/sun-{jdk,jre-bin}|app-emulation/emul-linux-x86-java} Multiple vulnerabilities (CVE-2008-{3103,3104,3105,3106,3107,3108,3109,3110,3111,3112,3113,3114,3115})
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2008-07-09 20:42 0000
Description:   Opened: 2008-07-09 20:42 0000 
On July 8, 2008, Sun will release the following security updates:

    * JDK and JRE 6 Update 7
    * JDK and JRE 5.0 Update 16
    * SDK and JRE 1.4.2_18
    * SDK and JRE 1.3.1_23

The following Sun Alerts corresponding to these updates will be released
following the availability of these updates.

    * 238628
    * 238666
    * 238687
    * 238905
    * 238965
    * 238966
    * 238967
    * 238968

Arches please stabilize.
dev-java/sun-{jdk,jre-bin}-1.4.2.18
dev-java/sun-{jdk,jre-bin}-1.5.0.16
dev-java/sun-{jdk,jre-bin}-1.6.0.07
app-emulation/emul-linux-x86-java-1.4.2.18
app-emulation/emul-linux-x86-java-1.5.0.16
app-emulation/emul-linux-x86-java-1.6.0.07


Reproducible: Always

------- Comment #1 From Robert Buchholz 2008-07-11 17:15:05 0000 ------- 
CVE-2008-3103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3103):
  Unspecified vulnerability in the Java Management Extensions (JMX) management
  agent in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and
  earlier and JDK and JRE 5.0 Update 15 and earlier, when local monitoring is
  enabled, allows remote attackers to "perform unauthorized operations" via
  unspecified vectors.

CVE-2008-3104 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3104):
  Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in
  JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE
  1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote
  attackers to violate the security model for an applet's outbound connections
  by connecting to localhost services running on the machine that loaded the
  applet.

CVE-2008-3105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3105):
  Unspecified vulnerability in the JAX-WS client and service in Sun Java
  Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote
  attackers to access URLs or cause a denial of service via unknown vectors
  involving "processing of XML data" by a trusted application.

CVE-2008-3106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3106):
  Unspecified vulnerability in Sun Java Runtime Environment (JRE) in JDK and
  JRE 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and earlier allows
  remote attackers to access URLs via unknown vectors involving processing of
  XML data by an untrusted (1) application or (2) applet, a different
  vulnerability than CVE-2008-3105.

CVE-2008-3107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3107):
  Unspecified vulnerability in the Virtual Machine in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before
  Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows context-dependent
  attackers to gain privileges via an untrusted (1) application or (2) applet,
  as demonstrated by an application or applet that grants itself privileges to
  (a) read local files, (b) write to local files, or (c) execute local
programs.

CVE-2008-3108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3108):
  Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5.0
  before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x
  before 1.3.1_23 allows context-dependent attackers to gain privileges via
  unspecified vectors related to font processing.

CVE-2008-3109 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3109):
  Unspecified vulnerability in scripting language support in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
  context-dependent attackers to gain privileges via an untrusted (1)
  application or (2) applet, as demonstrated by an application or applet that
  grants itself privileges to (a) read local files, (b) write to local files,
  or (c) execute local programs.

CVE-2008-3110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3110):
  Unspecified vulnerability in scripting language support in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote
  attackers to obtain sensitive information by using an applet to read
  information from another applet.

CVE-2008-3111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3111):
  Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6 before
  Update 4, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allow context-dependent attackers to gain privileges via an
  untrusted application, as demonstrated by an application that grants itself
  privileges to (1) read local files, (2) write to local files, or (3) execute
  local programs, aka CR 6557220.

CVE-2008-3112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3112):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before
  Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allows remote attackers to create arbitrary files via an untrusted
  application, aka CR 6703909.

CVE-2008-3113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3113):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 5.0 before
  Update 16 and SDK and JRE 1.4.x before 1.4.2_18 allows remote attackers to
  create or delete arbitrary files via an untrusted application, aka CR
6704077.

CVE-2008-3114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3114):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before
  Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allows context-dependent attackers to obtain sensitive information
  (the cache location) via an untrusted application, aka CR 6704074.

CVE-2008-3115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3115):
  Secure Static Versioning in Sun Java JDK and JRE 6 Update 6 and earlier, and
  5.0 Update 6 through 15, does not properly prevent execution of applets on
  older JRE releases, which might allow remote attackers to exploit
  vulnerabilities in these older releases.

------- Comment #2 From Robert Buchholz 2008-07-11 17:19:13 0000 ------- 
Arches, please test and mark stable:

=dev-java/sun-jdk-1.4.2.18
=dev-java/sun-jdk-1.5.0.16
=dev-java/sun-jdk-1.6.0.07
=dev-java/sun-jre-bin-1.4.2.18
=dev-java/sun-jre-bin-1.5.0.16
=dev-java/sun-jre-bin-1.6.0.07
Target keywords : "amd64 x86"

=app-emulation/emul-linux-x86-java-1.4.2.18
=app-emulation/emul-linux-x86-java-1.5.0.16
=app-emulation/emul-linux-x86-java-1.6.0.07
Target keywords : "amd64"

------- Comment #3 From Serkan Kaba 2008-07-12 20:32:18 0000 ------- 
(In reply to comment #2)
> Arches, please test and mark stable:
> 
> =dev-java/sun-jdk-1.4.2.18
> =dev-java/sun-jdk-1.5.0.16
> =dev-java/sun-jdk-1.6.0.07
> =dev-java/sun-jre-bin-1.4.2.18
> =dev-java/sun-jre-bin-1.5.0.16
> =dev-java/sun-jre-bin-1.6.0.07
> Target keywords : "amd64 x86"
> 
> =app-emulation/emul-linux-x86-java-1.4.2.18
> =app-emulation/emul-linux-x86-java-1.5.0.16
> =app-emulation/emul-linux-x86-java-1.6.0.07
> Target keywords : "amd64"
> 

=dev-java/sun-jdk-1.4.2.18
=dev-java/sun-jre-bin-1.4.2.18

are x86 only.

------- Comment #4 From Kenneth Prugh 2008-07-12 21:42:30 0000 ------- 
amd64 done

------- Comment #5 From Christian Faulhammer 2008-07-16 11:23:20 0000 ------- 
x86 stable

------- Comment #6 From Vlastimil Babka (Caster) 2008-07-18 08:06:18 0000 ------- 
All arches done. GLSA?

------- Comment #7 From Alex Legler 2009-11-17 23:09:32 0000 ------- 
GLSA 200911-02