| Field | Value |
|---|---|
| Summary | dev-java/sun-javamail Remote Denial of Service (CVE-2007-6059) |
| Product | Gentoo Security |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED INVALID |
| Severity | minor |
| CC | java |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://archives.neohapsis.com/archives/bugtraq/2007-11/0239.html |
| Whiteboard | B3 [upstream] |
| Package list | |
| Runtime testing required | --- |

Description
Robert Buchholz (RETIRED)
2007-11-25 15:28:40 UTC
Java herd, please advise.

Looks like a bug not in sun-javamail (which is just a library for SMTP, POP3 and IMAP) but in some webmail. Especially the 'com.example.util.dao..' package - it's not a part of sun-javamail. Also: sun-javamail or gnu-javamail? Probably we have to wait until more details are available. There's nothing about this issue in the changelog for sun-javamail 1.4.1: http://java.sun.com/products/javamail/CHANGES.txt

Robert sent an email to Thet Aung Min Latt for clarification.

That CVE needs to be updated and is SEVERELY misleading. Javamail has no SQL pieces or etc. Javamail provides NO means to login via the web, or any means to log in, short of passing credentials to an IMAP or POP server via its API, which is all it is: a Java API for sending and receiving email. Obviously someone has used this in a webmail app that has some vulnerabilities but failed to disclose that. Instead they blamed an underlying technology that is hardly responsible. I fail to see how this affects Sun or Sun's Javamail. I recommend we close as invalid.

Even if the webmail is vulnerable, I doubt it's packaged and available on Gentoo, since we really have no packaged Java webapps atm.

CVE was disputed, quoting: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products." Closing INVALID.