Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 250012 (CVE-2008-2086)

Summary: Sun Java JRE/SDK <1.4.2.19, <1.5.0.17 <1.6.0.11 Multiple Vulnerabilites (CVE-2008-{2086,5339,5340,5341,5342,5343,5344,5345,5346,5347,5348,5349,5350,5351,5352,5353,5354,5355,5356,5357,5358,5359,5360})
Product: Gentoo Security Reporter: Matti Bickel (RETIRED) <mabi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: craig, java
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/32991/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 215614    

Description Matti Bickel (RETIRED) gentoo-dev 2008-12-06 10:19:49 UTC
From Secunia:
http://secunia.com/advisories/32991/
Some vulnerabilities have been reported in Sun Java, which can be
exploited by malicious people to bypass certain security
restrictions, disclose sensitive information, cause a DoS (Denial of
service), or compromise a vulnerable system.

(1) Guessable temp file names
(2) JRE Image processing vulns
(3) GIF Image processing vulns
(4) Fonts processing vulns
(5) Establishment of network connections
(6) Applet loading vuln causes possibility to read arbitrary files
... (continues up to point (22)), please see the link above.

Solution: upgrade to fixed version: 
JDK and JRE 6 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) An anonymous researcher working with ZDI
3) iDefense
4) Sebastian Apelt working with iDefense
5, 6, 7) Peter Csepely working with ZDI
8) Virtual Security Research
9) Billy Rios of Microsoft and Nate Mcfeters of Ernst and Young
10) Peter Csepely working with ZDI and John Heasman of NGSSoftware
12) Francisco Amato
13) Stefan Middendorf from Cirosec
14) Sami Koivu
15) "regenrecht" working with iDefense
17) Henri Torgemane and Sami Koivu
19) Jan Grant of Bristol University
20) Adam Gowdiak
21) University of Oulu
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2008-12-06 10:36:33 UTC
Please provide updated ebuilds:
=dev-java/sun-jre-1.6.0.11
=dev-java/sun-jre-1.5.0.17
=dev-java/sun-jre-1.4.2.19
=dev-java/sun-jdk-1.6.0.11
=dev-java/sun-jdk-1.5.0.17
=dev-java/sun-jdk-1.4.2.19
Comment 2 Matti Bickel (RETIRED) gentoo-dev 2008-12-06 10:49:15 UTC
Downgrading to A2, as i don't see a remote system compromise... everything seems to need a user executing an applet, JAR or using the java update mechanism.

Sorry for the spam.
Comment 3 Petteri Räty (RETIRED) gentoo-dev 2008-12-06 13:45:50 UTC
All slots of sun-jdk, sun-jre-bin and emul-linux-x86-java bumped. Arches please test:
x86: sun-jre-bin, sun-jdk all slots
amd64: emul-linux-x86-java all slots, sun-jre-bin and sun-jdk :1.5 :1.6
Comment 4 Petteri Räty (RETIRED) gentoo-dev 2008-12-06 13:47:00 UTC
*** Bug 249900 has been marked as a duplicate of this bug. ***
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-12-06 15:18:43 UTC
CVE-2008-2086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2086):
  Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and
  earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE
  1.4.2_18 and earlier allow remote attackers to execute arbitrary code
  via a crafted jnlp file that modifies the (1) java.home, (2)
  java.ext.dirs, or (3) user.home System Properties, aka "Java Web
  Start File Inclusion."

CVE-2008-5339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5339):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  JWS applications to perform network connections to unauthorized hosts
  via unknown vectors.

CVE-2008-5340 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5340):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  JWS applications to gain privileges to access local files or
  applications via unknown vectors.

CVE-2008-5341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5341):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0
  Update 16 and earlier, allows untrusted JWS applications to obtain
  the pathname of the JWS cache and the application username via
  unknown vectors.

CVE-2008-5342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5342):
  Unspecified vulnerability in the BasicService for Java Web Start
  (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier;
  JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and
  earlier allows untrusted downloaded applications to cause local files
  to be displayed in the browser of the user of the untrusted
  application via unknown vectors.

CVE-2008-5343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5343):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows "hidden
  code" to make unauthorized network connections and "hijack HTTP
  sessions using cookies stored in the browser" via unknown vectors.

CVE-2008-5344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5344):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  applets to read arbitrary files and make unauthorized network
  connections via unknown vectors related to applet classloading.

CVE-2008-5345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5345):
  Unspecified vulnerability in Java Runtime Environment (JRE) with Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23
  and earlier allows code that is loaded from a local filesystem to
  read arbitrary files and make unauthorized connections to localhost
  via unknown vectors.

CVE-2008-5346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5346):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and
  earlier; and SDK and JRE 1.3.1_23 or earlier allows untrusted applets
  and applications to read arbitrary memory via a crafted ZIP file.

CVE-2008-5347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5347):
  Multiple unspecified vulnerabilities in Java Runtime Environment
  (JRE) for Sun JDK and JRE 6 Update 10 and earlier allow untrusted
  applets and applications to gain privileges via vectors related to
  access to inner classes in the (1) JAX-WS and (2) JAXB packages.

CVE-2008-5348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5348):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier, when using Kerberos
  authentication, allows remote attackers to cause a denial of service
  (OS resource consumption) via unknown vectors.

CVE-2008-5349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5349):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16
  and earlier, allows remote attackers to cause a denial of service
  (CPU consumption) via a crafted RSA public key.

CVE-2008-5350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5350):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  applications and applets to list the contents of the operating user's
  directory via unknown vectors.

CVE-2008-5351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5351):
  Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and
  earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE
  1.4.2_18 and earlier accepts UTF-8 encodings that are not the
  "shortest" form, which makes it easier for attackers to bypass
  protection mechanisms for other applications that rely on
  shortest-form UTF-8 encodings.

CVE-2008-5352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5352):
  Integer overflow in the JAR unpacking utility (unpack200) in the
  unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16
  and earlier, allows untrusted applications and applets to gain
  privileges via a Pack200 compressed JAR file that triggers a
  heap-based buffer overflow.

CVE-2008-5353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5353):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  applets and applications to gain privileges via unknown vectors
  related to "deserializing calendar objects."

CVE-2008-5354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5354):
  Stack-based buffer overflow in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier allows locally-launched
  and possibly remote untrusted Java applications to execute arbitrary
  code via a JAR file with a long Main-Class manifest entry.

CVE-2008-5355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5355):
  The "Java Update" feature for Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier does not verify the
  signature of the JRE that is downloaded, which allows remote
  attackers to execute arbitrary code via DNS man-in-the-middle attacks.

CVE-2008-5356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5356):
  Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier might allow remote
  attackers to execute arbitrary code via a crafted TrueType font file.

CVE-2008-5357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5357):
  Integer overflow in Java Runtime Environment (JRE) for Sun JDK and
  JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier;
  SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and
  earlier might allow remote attackers to execute arbitrary code via a
  crafted TrueType font file, which triggers a heap-based buffer
  overflow.

CVE-2008-5358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5358):
  Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and
  earlier might allow remote attackers to execute arbitrary code via a
  crafted GIF file that triggers memory corruption during display of
  the splash screen, possibly related to splashscreen.dll.

CVE-2008-5359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5359):
  Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE
  6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK
  and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier
  might allow remote attackers to execute arbitrary code via unknown
  vectors related to "image processing code."

CVE-2008-5360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5360):
  Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE
  6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK
  and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier
  creates temporary files with predictable file names, which allows
  attackers to write malicious JAR files via unknown vectors.

Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-06 16:52:55 UTC
CVE-2008-2086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2086):
  Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and
  earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE
  1.4.2_18 and earlier allow remote attackers to execute arbitrary code
  via a crafted jnlp file that modifies the (1) java.home, (2)
  java.ext.dirs, or (3) user.home System Properties, aka "Java Web
  Start File Inclusion."

CVE-2008-5339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5339):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  JWS applications to perform network connections to unauthorized hosts
  via unknown vectors.

CVE-2008-5340 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5340):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  JWS applications to gain privileges to access local files or
  applications via unknown vectors.

CVE-2008-5341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5341):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0
  Update 16 and earlier, allows untrusted JWS applications to obtain
  the pathname of the JWS cache and the application username via
  unknown vectors.

CVE-2008-5342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5342):
  Unspecified vulnerability in the BasicService for Java Web Start
  (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier;
  JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and
  earlier allows untrusted downloaded applications to cause local files
  to be displayed in the browser of the user of the untrusted
  application via unknown vectors.

CVE-2008-5343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5343):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows "hidden
  code" to make unauthorized network connections and "hijack HTTP
  sessions using cookies stored in the browser" via unknown vectors.

CVE-2008-5344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5344):
  Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in
  with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update
  16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  applets to read arbitrary files and make unauthorized network
  connections via unknown vectors related to applet classloading.

CVE-2008-5345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5345):
  Unspecified vulnerability in Java Runtime Environment (JRE) with Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23
  and earlier allows code that is loaded from a local filesystem to
  read arbitrary files and make unauthorized connections to localhost
  via unknown vectors.

CVE-2008-5346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5346):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and
  earlier; and SDK and JRE 1.3.1_23 or earlier allows untrusted applets
  and applications to read arbitrary memory via a crafted ZIP file.

CVE-2008-5347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5347):
  Multiple unspecified vulnerabilities in Java Runtime Environment
  (JRE) for Sun JDK and JRE 6 Update 10 and earlier allow untrusted
  applets and applications to gain privileges via vectors related to
  access to inner classes in the (1) JAX-WS and (2) JAXB packages.

CVE-2008-5348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5348):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier, when using Kerberos
  authentication, allows remote attackers to cause a denial of service
  (OS resource consumption) via unknown vectors.

CVE-2008-5349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5349):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16
  and earlier, allows remote attackers to cause a denial of service
  (CPU consumption) via a crafted RSA public key.

CVE-2008-5350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5350):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  applications and applets to list the contents of the operating user's
  directory via unknown vectors.

CVE-2008-5351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5351):
  Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and
  earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE
  1.4.2_18 and earlier accepts UTF-8 encodings that are not the
  "shortest" form, which makes it easier for attackers to bypass
  protection mechanisms for other applications that rely on
  shortest-form UTF-8 encodings.

CVE-2008-5352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5352):
  Integer overflow in the JAR unpacking utility (unpack200) in the
  unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16
  and earlier, allows untrusted applications and applets to gain
  privileges via a Pack200 compressed JAR file that triggers a
  heap-based buffer overflow.

CVE-2008-5353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5353):
  Unspecified vulnerability in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted
  applets and applications to gain privileges via unknown vectors
  related to "deserializing calendar objects."

CVE-2008-5354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5354):
  Stack-based buffer overflow in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier allows locally-launched
  and possibly remote untrusted Java applications to execute arbitrary
  code via a JAR file with a long Main-Class manifest entry.

CVE-2008-5355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5355):
  The "Java Update" feature for Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier does not verify the
  signature of the JRE that is downloaded, which allows remote
  attackers to execute arbitrary code via DNS man-in-the-middle attacks.

CVE-2008-5356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5356):
  Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun
  JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and
  earlier; and SDK and JRE 1.4.2_18 and earlier might allow remote
  attackers to execute arbitrary code via a crafted TrueType font file.

CVE-2008-5357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5357):
  Integer overflow in Java Runtime Environment (JRE) for Sun JDK and
  JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier;
  SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and
  earlier might allow remote attackers to execute arbitrary code via a
  crafted TrueType font file, which triggers a heap-based buffer
  overflow.

CVE-2008-5358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5358):
  Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and
  earlier might allow remote attackers to execute arbitrary code via a
  crafted GIF file that triggers memory corruption during display of
  the splash screen, possibly related to splashscreen.dll.

CVE-2008-5359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5359):
  Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE
  6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK
  and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier
  might allow remote attackers to execute arbitrary code via unknown
  vectors related to "image processing code."

CVE-2008-5360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5360):
  Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE
  6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK
  and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier
  creates temporary files with predictable file names, which allows
  attackers to write malicious JAR files via unknown vectors.

Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-06 16:59:19 UTC
Sorry for the doublepost, I should've synced again... :/
Comment 8 Markus Meier gentoo-dev 2008-12-10 22:09:52 UTC
amd64/x86 should all be done - everything looks good. all arches done.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-10 22:18:13 UTC
Thanks! Maybe we should accept the bug now... ;)
Comment 10 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-01-06 07:37:11 UTC
*** Bug 246010 has been marked as a duplicate of this bug. ***
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 19:22:46 UTC
A2 always needs a GLSA, filed.
Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-17 23:09:51 UTC
GLSA 200911-02