OVERVIEW
========

Java Web Start is a technology for easy client-side deployment of Java applications. "Using Java Web Start technology, standalone Java software applications can be deployed with a single click over the network" (from Sun Microsystems's website). Java Web Start is installed with the Java Runtime Environment (JRE). During installation, file type associations are added to make web browsers automatically (with a single click) open Java Web Start's .JNLP files (the behavior may vary between different web browsers).

There is a vulnerability in the way Web Start handles Java system properties defined in JNLP files. A malicious user can pass command line arguments to the Java virtual machine. They can be used to disable the Java "sandbox" and compromise the system. The attack can be carried out when the victim user views a web page crafted by the attacker.

[...]

VULNERABLE VERSIONS
===================

Java Web Start in J2SE 1.4.2 releases prior to 1.4.2_07 is vulnerable. J2SE 5.0 and later, and releases prior to 1.4.2, are NOT vulnerable.

[...]

The complete message can be found here: http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032687.html

1.4.2_07 is already in the tree.
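An added example (not part of the advisory or of the Gentoo thread) showing how an administrator can check an installed JRE against the affected range stated above. It assumes Sun's version string form ("1.4.2_06", "1.5.0"), as printed by `java -version`, and treats a 1.4.2 release with no update suffix as update 0; the sample `java -version` output embedded below is constructed for the test.

```python
import re
from typing import Tuple

# Sun-style J2SE version: major.minor.micro with an optional _update suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# First line of `java -version` output, e.g. java version "1.4.2_06"
JAVA_VERSION_LINE_RE = re.compile(r'java version "([^"]+)"')


def parse_java_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '1.4.2_07' or '1.5.0' into (major, minor, micro, update).

    The update number defaults to 0 when the suffix is absent (assumption).
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised J2SE version string: {version!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_vulnerable_webstart(version: str) -> bool:
    """True when the version is in the advisory's affected range:
    J2SE 1.4.2 releases before 1.4.2_07.

    Releases below 1.4.2 and J2SE 5.0 (1.5.0) or later are reported as
    not affected, as the advisory states.
    """
    major, minor, micro, update = parse_java_version(version)
    if (major, minor, micro) != (1, 4, 2):
        return False
    return update < 7


def version_from_java_output(output: str) -> str:
    """Extract the quoted version from `java -version` output.

    Note that the JVM writes this banner to stderr, so capture it with
    `java -version 2>&1` before passing the text here.
    """
    m = JAVA_VERSION_LINE_RE.search(output)
    if not m:
        raise ValueError("no 'java version \"...\"' line found in output")
    return m.group(1)


# Constructed sample banner, in the shape a 1.4.2_06 JRE prints.
SAMPLE_JAVA_OUTPUT = (
    'java version "1.4.2_06"\n'
    'Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03)\n'
    'Java HotSpot(TM) Client VM (build 1.4.2_06-b03, mixed mode)\n'
)


if __name__ == "__main__":
    ver = version_from_java_output(SAMPLE_JAVA_OUTPUT)
    status = "AFFECTED" if is_vulnerable_webstart(ver) else "not affected"
    print(f"J2SE {ver}: Java Web Start {status}; fixed in 1.4.2_07")
```

On a real host, feed the function the captured banner of whichever `java` binary the browser's JNLP file association actually launches, since several JREs may be installed side by side.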
Would the sun-jre also be affected?
I think so, since the JRE also provides javaws (the Java Web Start binary).
GLSA 200503-28