Bug 355127

Summary:	<dev-java/{icedtea6-bin-1.9.7,icedtea-6.1.9.7}: multiple vulnerabilites (CVE-2010-{4448,4450,4465,4469,4470,4471,4472},CVE-2011-0706)
Product:	Gentoo Security	Reporter:	Andrew John Hughes <gnu_andrew>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	java
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:	354213, 354231
Bug Blocks:	215614, 247140, 370787

Description Andrew John Hughes 2011-02-15 23:08:50 UTC

http://blog.fuseyism.com/index.php/2011/02/15/security-icedtea6-1710-187-and-197-released/
http://dbhole.wordpress.com/2011/02/15/icedtea-web-1-0-1-released/

I've added updated ebuilds to java-overlay.  Please promote to main tree.

Reproducible: Always

Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev

2011-02-16 17:43:05 UTC

I hate to ask it again so soon, but please stabilize dev-java/icedtea6-bin-1.9.7

Comment 2 Markos Chandras (RETIRED) gentoo-dev

2011-02-16 21:17:59 UTC

amd64 done

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2011-02-21 18:30:31 UTC

x86 stable, last one so update the whiteboard

Comment 4 Tim Sammut (RETIRED) gentoo-dev

2011-02-21 18:38:26 UTC

Thanks, folks.

Rating B2; added to existing GLSA request.

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2011-06-24 20:01:07 UTC

CVE-2011-0706 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0706):
  The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK
  Runtime Environment 1.6.0, allows remote attackers to gain privileges via
  unknown vectors related to multiple signers and the assignment of "an
  inappropriate security descriptor."

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2014-06-29 15:29:02 UTC

This issue was resolved and addressed in
 GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).