Bug 370559

Summary:	dev-java/sun-jdk, sun-jre-bin, app-emulation/emul-linux-x86-java <1.6.0.26: Multiple vulnerabilities (CVE-2011-{0802,0814,0815,0862,0863,0864,0865,0867,0868,0869,0871,0872,0873})
Product:	Gentoo Security	Reporter:	Tim Sammut (RETIRED) <underling>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	alexanderyt, java
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	215614, 370787, 377623

Description Tim Sammut (RETIRED) gentoo-dev

2011-06-07 20:35:16 UTC

+++ This bug was initially created as a clone of Bug #354213 +++

1.6.0.26 has been released to fix multiple security vulnerabilities. From the pre-announce advisory at $URL (for some reason the real advisory is not available yet):

Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Java SE Critical Patch Update for June 2011, which will be released on Tuesday, June 7, 2011.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

This Critical Patch Update is a collection of patches for multiple security vulnerabilities in Oracle Java SE. This Critical Patch Update contains 17 new security vulnerability fixes. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS 2.0 scoring (see Oracle's Use of CVSS Scoring). The highest CVSS 2.0 Base Score for vulnerabilities in this Critical Patch Update is 10.0.
Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

    * JDK and JRE 6 Update 25 and earlier for Windows, Solaris, and Linux
    * JDK and JRE 5.0 Update 29 and earlier for Windows, Solaris and Linux
    * SDK and JRE 1.4.2_31 and earlier for Windows, Solaris and Linux

Oracle Java SE Executive Summary

This Critical Patch Update contains 17 new security vulnerability fixes for Oracle Java SE.  All these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 10.0

Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev

2011-06-08 15:54:58 UTC

Please stabilize
dev-java/sun-jdk-1.6.0.26
dev-java/sun-jre-bin-1.6.0.26

(amd64 only)
app-emulation/emul-linux-x86-java-1.6.0.26

Comment 2 Agostino Sarubbo gentoo-dev

2011-06-09 10:31:13 UTC

amd64 ok

Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-06-10 17:32:25 UTC

x86 stable

Comment 4 Markos Chandras (RETIRED) gentoo-dev

2011-06-18 11:58:52 UTC

amd64 done. Thanks Agostino

Comment 5 Tim Sammut (RETIRED) gentoo-dev

2011-06-18 18:20:23 UTC

Thanks, everyone. Added to existing GLSA request.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2011-06-20 11:08:09 UTC

CVE-2011-0873 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, and 5.0 Update 29 and earlier,
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to 2D.

CVE-2011-0872 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect
  availability via unknown vectors related to NIO.

CVE-2011-0871 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and
  1.4.2_31 and earlier allows remote untrusted Java Web Start applications and
  untrusted Java applets to affect confidentiality, integrity, and
  availability via unknown vectors related to Swing.

CVE-2011-0869 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 26 and earlier allows remote untrusted Java Web
  Start applications and untrusted Java applets to affect confidentiality via
  unknown vectors related to SAAJ.

CVE-2011-0868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier allows remote attackers to affect
  confidentiality via unknown vectors related to 2D.

CVE-2011-0867 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and
  1.4.2_31 and earlier allows remote untrusted Java Web Start applications and
  untrusted Java applets to affect confidentiality via unknown vectors related
  to Networking.

CVE-2011-0865 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and
  1.4.2_31 and earlier allows remote untrusted Java Web Start applications and
  untrusted Java applets to affect integrity via unknown vectors related to
  Deserialization.

CVE-2011-0864 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and
  1.4.2_31 and earlier allows remote untrusted Java Web Start applications and
  untrusted Java applets to affect confidentiality, integrity, and
  availability via unknown vectors related to HotSpot.

CVE-2011-0863 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier allows remote untrusted Java Web
  Start applications and untrusted Java applets to affect confidentiality,
  integrity, and availability via unknown vectors related to Deployment.

CVE-2011-0862 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862):
  Multiple unspecified vulnerabilities in the Java Runtime Environment (JRE)
  component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and
  earlier, and 1.4.2_31 and earlier allow remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  2D.

CVE-2011-0815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and
  1.4.2_31 and earlier allows remote untrusted Java Web Start applications and
  untrusted Java applets to affect confidentiality, integrity, and
  availability via unknown vectors related to AWT.

CVE-2011-0814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and
  1.4.2_31 and earlier allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Sound, a
  different vulnerability than CVE-2011-0802.

CVE-2011-0802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29 and earlier, and
  1.4.2_31 and earlier allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Sound, a
  different vulnerability than CVE-2011-0814.

Comment 7 GLSAMaker/CVETool Bot gentoo-dev

2011-11-05 10:25:14 UTC

This issue was resolved and addressed in
 GLSA 201111-02 at http://security.gentoo.org/glsa/glsa-201111-02.xml
by GLSA coordinator Alex Legler (a3li).

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2011-11-05 10:25:45 UTC

This issue was resolved and addressed in
 GLSA 201111-02 at http://security.gentoo.org/glsa/glsa-201111-02.xml
by GLSA coordinator Alex Legler (a3li).