| Summary: | <dev-java/icedtea6{,-bin}-1.9.2:: IcedTea System property information leak via public static (CVE-2010-3860) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Vlastimil Babka (Caster) (RETIRED) <caster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | java, proxy-maint |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://blog.fuseyism.com/index.php/2010/11/24/icedtea6-176-183-and-192-released/ | ||
| Whiteboard: | B3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 352035 | ||
| Bug Blocks: | 215614, 340819 | ||
|
Description
Vlastimil Babka (Caster) (RETIRED)
2010-11-25 21:21:17 UTC
dev-java/icedtea bumped (package not stable yet) dev-java/icedtea6-bin building Looks like I've forgotten to update this bug and get it stable etc. Now superseeded by bug 352035 CVE-2010-3860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3860): IcedTea 1.7.x before 1.7.6, 1.8.x before 1.8.3, and 1.9.x before 1.9.2, as based on OpenJDK 6, declares multiple sensitive variables as public, which allows remote attackers to obtain sensitive information including (1) user.name, (2) user.home, and (3) java.home system properties, and other sensitive information such as installation directories. This issue was resolved and addressed in GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml by GLSA coordinator Mikle Kolyada (Zlogene). |