Java: The Java Secure Socket Extension (JSSE) included in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux are affected:
  o JDK and JRE 6 Update 17 and earlier
  o JDK and JRE 5.0 Update 22 and earlier
  o SDK and JRE 1.4.2_24 and earlier
An interim fix, that disables TLS/SSL renegotiation in JSSE by default, will be included in our upcoming Java SE security update. Once the industry (via IETF-TLS Working Group) standardizes a fix to the protocol, Sun will update this fix accordingly.
1.5 jdk is EOL, we should mark it as build-only and work on bug 292001 towards its removal. The emul-linux and sun-jre-bin packages could probably be masked instantly. 1.6 is tricky, the description seems as if update 18 should be fixed, but update 18 was not a 'security update' AFAIK? On http://java.sun.com/javase/6/webnotes/6u18.html it states security baseline 1.6.0_17 (but not sure if it means what I think) and there seems to be no relevant bug among the fixes mentioned. So I'm not sure if stabling 1.6.0.18 would fix this. Is there some easy way to check if the renegotiation is disabled there or not?
(In reply to comment #1)
> 1.6 is tricky, the description seems as update 18 should be fixed, but update
> 18 was not a 'security update' AFAIK? On
> http://java.sun.com/javase/6/webnotes/6u18.html it states security baseline
> 1.6.0_17 (but not sure if it means what I think) and there seems to be no
> relevant bug among the fixes mentioned.

1.6.0_18 still re-handshakes a TLS session upon request from an (unpatched) client.

> So I'm not sure if stabling 1.6.0.18 would fix this. Is there some easy way to
> check if the renegotiation is disabled there or not?

Some Java TLS server, connect to it using s_client and renegotiate.
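The check suggested in comment #2 (connect to a JSSE server with s_client and ask it to renegotiate), scripted as an added example. This is not code from the bug report, from Sun or from Gentoo. It assumes an OpenSSL 0.9.8m-or-later s_client (which prints "Secure Renegotiation IS supported" / "IS NOT supported" after the handshake, announces a client-initiated renegotiation with "RENEGOTIATING", and accepts -legacy_renegotiation); the marker strings matched below are that tool's wording, and the sample transcripts at the bottom are constructed, not captured from a real JSSE server. RENEG_HOST and RENEG_PORT are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the bug report: the "connect with s_client
# and renegotiate" check from comment #2, scripted. It probes a TLS server
# for client-initiated renegotiation and classifies what s_client reports.
#
# Assumptions not stated on the page:
#  - openssl is 0.9.8m or newer, so s_client prints "Secure Renegotiation
#    IS supported" / "IS NOT supported" after the handshake and accepts
#    -legacy_renegotiation (without it a patched client refuses to
#    renegotiate with an unpatched server, i.e. you would test the client);
#  - an "R" line on s_client's stdin requests a renegotiation and s_client
#    announces it with "RENEGOTIATING" on stderr, hence 2>&1;
#  - the marker strings matched below are OpenSSL's own wording.

# Connect to HOST:PORT, send "R" once the handshake is done, capture both
# streams. The first sleep lets the handshake finish before "R" is read;
# the second keeps stdin open until the server has answered the second
# ClientHello (s_client exits on stdin EOF). For a server that speaks
# TLS 1.3 add -tls1_2: TLS 1.3 has no renegotiation to test.
probe_reneg() {
    host=$1 port=$2
    { sleep 2; printf 'R\n'; sleep 3; } |
        openssl s_client -connect "$host:$port" -legacy_renegotiation -state 2>&1
}

# Classify s_client output read from stdin. Prints exactly one word:
#   rfc5746          server sent the secure-renegotiation extension (RFC 5746)
#   refused          server answered the second ClientHello with a
#                    no_renegotiation alert: renegotiation is disabled
#   dropped          server closed the connection instead of renegotiating
#   legacy-accepted  server completed an unprotected renegotiation, so it is
#                    exposed to CVE-2009-3555 style prefix injection
#   client-blocked   the local OpenSSL refused; rerun with -legacy_renegotiation
#   no-probe         no renegotiation was attempted (handshake never finished)
reneg_verdict() {
    out=$(cat)
    case $out in
        *"Secure Renegotiation IS supported"*) echo rfc5746; return 0 ;;
    esac
    case $out in
        *RENEGOTIATING*) ;;
        *) echo no-probe; return 0 ;;
    esac
    after=${out#*RENEGOTIATING}     # judge only what happened after the "R"
    case $after in
        *"unsafe legacy renegotiation disabled"*) echo client-blocked ;;
        *"no renegotiation"*|*no_renegotiation*)  echo refused ;;
        *"read:errno="*|*closed*)                 echo dropped ;;
        *)                                        echo legacy-accepted ;;
    esac
}

# Constructed, abbreviated transcripts of the possible outcomes (not
# captured from a real JSSE server) so the classifier runs offline.
sample_refused() {
cat <<'EOF'
CONNECTED(00000003)
Secure Renegotiation IS NOT supported
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
SSL3 alert read:warning:no renegotiation
EOF
}
sample_legacy() {
cat <<'EOF'
CONNECTED(00000003)
Secure Renegotiation IS NOT supported
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read finished A
DONE
EOF
}
sample_patched() {
cat <<'EOF'
CONNECTED(00000003)
Secure Renegotiation IS supported
RENEGOTIATING
SSL_connect:SSLv3 write client hello A
DONE
EOF
}
sample_noprobe() {
cat <<'EOF'
connect: Connection refused
connect:errno=111
EOF
}

# Usage: RENEG_HOST=jsse-host RENEG_PORT=8443 sh reneg-check.sh
if [ -n "${RENEG_HOST:-}" ]; then
    probe_reneg "$RENEG_HOST" "${RENEG_PORT:-443}" | reneg_verdict
fi
```

Point it at any server running on the JDK under test (a servlet container bound to an SSL connector is enough). "refused" is what Sun's interim fix produces; "legacy-accepted" is the behaviour comment #2 reports for 1.6.0_18, the server completing an unprotected second handshake; "rfc5746" means the server already implements the IETF fix, which no JSSE in the affected list does.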
*** Bug 307567 has been marked as a duplicate of this bug. ***
New release out, and the list of vulnerabilities grew (see $URL). Please stabilize dev-java/sun-jdk / dev-java/sun-jre-bin / app-emulation/emul-linux-x86-java - all version 1.6.0.19
Arches, please test and mark stable:
=dev-java/sun-jre-bin-1.6.0.19
=dev-java/sun-jdk-1.6.0.19
Target keywords : "amd64 x86"
=app-emulation/emul-linux-x86-java-1.6.0.19
Target keywords : "amd64"
P.masked for removal:
=dev-java/sun-jre-bin-1.5*
=app-emulation/emul-linux-x86-java-1.5*
use.masked nsplugin and marked as build-only to minimize usage outside of emerge dev-java/sun-jdk-1.5
x86 stable
CVE-2010-0082 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0082):
  Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0084 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0084):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors.

CVE-2010-0085 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0085):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0087):
  Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0088):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0089):
  Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect availability via unknown vectors.

CVE-2010-0090 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0090):
  Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18 allows remote attackers to affect integrity and availability via unknown vectors.

CVE-2010-0091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0091):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors.

CVE-2010-0092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0092):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0093):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0094):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0095):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0837):
  Unspecified vulnerability in the Pack200 component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0838):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0839):
  Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0840):
  Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0841):
  Unspecified vulnerability in the ImageIO component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0842 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0842):
  Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0843):
  Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0844):
  Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0845):
  Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0846):
  Unspecified vulnerability in the ImageIO component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0847):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0848 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0848):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0849):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0850 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0850):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
GLSA draft filed.
Hi all, JDK 1.6.0_20 was released, with a fix for a critical security issue in javaws. http://java.sun.com/javase/6/webnotes/6u20.html
(In reply to comment #10)
> Hi all, JDK 1.6.0_20 was released, with fix of critical security issue in
> javaws.
>
> http://java.sun.com/javase/6/webnotes/6u20.html

Might be about bug 314531 but I can't tell. Also no djl-licensed bundles yet.
amd64 stable, all arches done.
(In reply to comment #9)
> GLSA draft filed.

You'll probably want to merge it with bug 314531 ?
(In reply to comment #13)
> You'll probably want to merge it with bug 314531 ?

Yes. Draft is ready to be sent.
GLSA 201006-18