
Bug 306583

Summary: <dev-java/ibm-{jdk,jre}-bin-1.5.0.11_p1 and 1.6.0.7: Vulnerability in TLS Protocol during Renegotiation (CVE-2009-3555)
Product: Gentoo Security
Reporter: Vlastimil Babka (Caster) (RETIRED) <caster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.ibm.com/developerworks/java/jdk/alerts/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 215614, 292023, 352603    

Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-02-23 22:37:55 UTC
Synopsis
A security vulnerability in the TLS protocol (including SSL v3) may allow an attacker to conduct man-in-the-middle (MITM) type of attacks where chosen plain text may be injected as a prefix in a user's TLS session. This vulnerability does not allow an attacker to decrypt the intercepted network communication.

Affected Releases
IBM Platforms:
6 SR6 and earlier
5.0 SR11 and earlier
1.4.2 SR13-FP3 and earlier

Releases containing fix
IBM Platforms:
6 SR7 and later
5.0 SR11-FP1 and later
1.4.2 SR13-FP4 and later
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-02-23 23:03:21 UTC
Please stabilize:
dev-java/ibm-jdk-bin-1.5.0.11_p1
dev-java/ibm-jre-bin-1.5.0.11_p1

distfiles on their way as usual
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-24 13:44:56 UTC
x86 stable
Comment 3 Brent Baude (RETIRED) gentoo-dev 2010-02-28 17:00:20 UTC
ppc64 done
Comment 4 Markus Meier gentoo-dev 2010-03-08 19:51:35 UTC
amd64 stable
Comment 5 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 21:40:21 UTC
Marked ppc stable.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:30:25 UTC
glsa request filed.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 11:14:56 UTC
A quick search shows no results for a GLSA that was released per previous comments.

The issue was fixed in later releases from Sun and marked stable.  No vulnerable versions are in the tree as of approximately 6 years ago.