Bug 240500

Summary:	www-client/opera <9.60 - Multiple vulnerabilities (CVE-2008-4694,CVE-2008-4695)
Product:	Gentoo Security	Reporter:	Jeroen Roovers (RETIRED) <jer>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.opera.com/docs/changelogs/linux/960/#sec
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---

Description Jeroen Roovers (RETIRED) gentoo-dev

2008-10-08 12:41:28 UTC

* Fixed an issue where specially crafted addresses could execute arbitrary code, as reported by Chris of Matasano Security; see our advisory[1]
* Java applets can no longer be used to read sensitive information, as reported by Nate McFeters; see our advisory[2]

[1] http://www.opera.com/support/search/view/901/
[2] http://www.opera.com/support/search/view/902/

www-client/opera-9.60 fixes these and an ebuild is in the tree.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-10-08 15:51:52 UTC

Arches, please test and mark stable:
=www-client/opera-9.60
Target keywords : "amd64 ppc sparc x86"

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2008-10-08 15:52:56 UTC

no sparc, as usual.

Comment 3 Markus Meier gentoo-dev

2008-10-09 20:13:37 UTC

amd64/x86 stable

Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev

2008-10-11 17:59:54 UTC

ppc stable

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev

2008-10-13 18:57:32 UTC

GLSA together with bug 235298.

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2008-10-22 18:03:42 UTC

 CVE-2008-4694 code execution using redirects to crafted addresses
 CVE-2008-4695  Java applets cache file read

Comment 7 Tobias Heinlein (RETIRED) gentoo-dev

2008-11-03 19:01:41 UTC

GLSA 200811-01, thanks everyone and sorry about the delay.