Bug 291369

Comment 1 Alex Legler (RETIRED) 2009-11-12 23:41:40 UTC

CVE-2009-3728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3728):
  Directory traversal vulnerability in the ICC_Profile.getInstance
  method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before
  Update 22 and 6 before Update 17, and OpenJDK, allows remote
  attackers to determine the existence of local International Color
  Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka
  Bug Id 6631533.

CVE-2009-3729 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3729):
  Unspecified vulnerability in the TrueType font parsing functionality
  in Sun Java SE 5.0 before Update 22 and 6 before Update 17 allows
  remote attackers to cause a denial of service (application crash) via
  a certain test suite, aka Bug Id 6815780.

CVE-2009-3879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3879):
  Multiple unspecified vulnerabilities in the (1) X11 and (2)
  Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22
  and 6 before Update 17, and OpenJDK, have unknown impact and attack
  vectors, related to failure to clone arrays that are returned by the
  getConfigurations function, aka Bug Id 6822057.

CVE-2009-3880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3880):
  The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE)
  in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and
  OpenJDK, does not properly restrict the objects that may be sent to
  loggers, which allows attackers to obtain sensitive information via
  vectors related to the implementation of Component,
  KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id
  6664512.

CVE-2009-3881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3881):
  Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
  does not prevent the existence of children of a resurrected
  ClassLoader, which allows remote attackers to gain privileges via
  unspecified vectors, related to an "information leak vulnerability,"
  aka Bug Id 6636650.

CVE-2009-3882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3882):
  Multiple unspecified vulnerabilities in the Swing implementation in
  Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
  have unknown impact and remote attack vectors, related to
  "information leaks in mutable variables," aka Bug Id 6657026.

CVE-2009-3884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3884):
  The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22
  and 6 before Update 17, and OpenJDK, allows remote attackers to
  determine the existence of local files via vectors related to
  handling of zoneinfo (aka tz) files, aka Bug Id 6824265.

CVE-2009-3886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3886):
  The Java Web Start implementation in Sun Java SE 6 before Update 17
  does not properly handle the interaction between a signed JAR file
  and a JNLP (1) application or (2) applet, which has unspecified
  impact and attack vectors, related to a "regression," aka Bug Id
  6870531.

Comment 2 Alex Legler (RETIRED) 2009-11-12 23:45:19 UTC

CVE-2009-3728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3728):
  Directory traversal vulnerability in the ICC_Profile.getInstance
  method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before
  Update 22 and 6 before Update 17, and OpenJDK, allows remote
  attackers to determine the existence of local International Color
  Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka
  Bug Id 6631533.

CVE-2009-3729 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3729):
  Unspecified vulnerability in the TrueType font parsing functionality
  in Sun Java SE 5.0 before Update 22 and 6 before Update 17 allows
  remote attackers to cause a denial of service (application crash) via
  a certain test suite, aka Bug Id 6815780.

CVE-2009-3879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3879):
  Multiple unspecified vulnerabilities in the (1) X11 and (2)
  Win32GraphicsDevice subsystems in Sun Java SE 5.0 before Update 22
  and 6 before Update 17, and OpenJDK, have unknown impact and attack
  vectors, related to failure to clone arrays that are returned by the
  getConfigurations function, aka Bug Id 6822057.

CVE-2009-3880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3880):
  The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE)
  in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and
  OpenJDK, does not properly restrict the objects that may be sent to
  loggers, which allows attackers to obtain sensitive information via
  vectors related to the implementation of Component,
  KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id
  6664512.

CVE-2009-3881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3881):
  Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
  does not prevent the existence of children of a resurrected
  ClassLoader, which allows remote attackers to gain privileges via
  unspecified vectors, related to an "information leak vulnerability,"
  aka Bug Id 6636650.

CVE-2009-3882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3882):
  Multiple unspecified vulnerabilities in the Swing implementation in
  Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK,
  have unknown impact and remote attack vectors, related to
  "information leaks in mutable variables," aka Bug Id 6657026.

CVE-2009-3884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3884):
  The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22
  and 6 before Update 17, and OpenJDK, allows remote attackers to
  determine the existence of local files via vectors related to
  handling of zoneinfo (aka tz) files, aka Bug Id 6824265.

CVE-2009-3886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3886):
  The Java Web Start implementation in Sun Java SE 6 before Update 17
  does not properly handle the interaction between a signed JAR file
  and a JNLP (1) application or (2) applet, which has unspecified
  impact and attack vectors, related to a "regression," aka Bug Id
  6870531.