
Bug 387851

Summary: <dev-java/oracle-{jre,jdk}-bin-1.7.0.1,<app-emulation/emul-linux-x86-java-1.6.0.29,<dev-java/sun-{jdk,jre-bin}-1.6.0.29 Multiple vulnerabilities CVE-2011-{3389,3516,3521,3544,3545,3546,3547,3548,3549,3550,3551,3552,3553,3554,3555,3556,3557,3558,3560,3561}
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: caster, java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa] [1.7 noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 215614

Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-20 10:43:06 UTC
CVE-2011-3561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JavaFX 2.0 allows
  remote attackers to affect confidentiality via unknown vectors related to
  Deployment.

CVE-2011-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect confidentiality and
  integrity, related to JSSE.

CVE-2011-3558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote
  untrusted Java Web Start applications and untrusted Java applets to affect
  confidentiality via unknown vectors related to HotSpot.

CVE-2011-3557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote
  attackers to affect confidentiality, integrity, and availability, related to
  RMI.

CVE-2011-3556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote
  attackers to affect confidentiality, integrity, and availability, related to
  RMI.

CVE-2011-3555 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE, and 7 allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect integrity and availability
  via unknown vectors.

CVE-2011-3554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier allows remote untrusted Java Web Start applications and untrusted
  Java applets to affect confidentiality, integrity, and availability via
  unknown vectors.

CVE-2011-3553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4
  and earlier allows remote authenticated users to affect confidentiality,
  related to JAXWS.

CVE-2011-3552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote attackers to affect
  integrity via unknown vectors related to Networking.

CVE-2011-3551 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4
  and earlier allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to 2D.

CVE-2011-3550 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote
  untrusted Java Web Start applications and untrusted Java applets to affect
  confidentiality, integrity, and availability, related to AWT.

CVE-2011-3549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect confidentiality,
  integrity, and availability via unknown vectors related to Swing.

CVE-2011-3548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect confidentiality,
  integrity, and availability, related to AWT.

CVE-2011-3547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect confidentiality via
  unknown vectors related to Networking.

CVE-2011-3546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JavaFX 2.0 allows
  remote untrusted Java Web Start applications and untrusted Java applets to
  affect confidentiality and integrity via unknown vectors related to
  Deployment.

CVE-2011-3545 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Sound.

CVE-2011-3544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote
  untrusted Java Web Start applications and untrusted Java applets to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Scripting.

CVE-2011-3521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and 5.0 Update 31
  and earlier allows remote untrusted Java Web Start applications and untrusted
  Java applets to affect confidentiality, integrity, and availability via
  unknown vectors related to Deserialization.

CVE-2011-3516 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 6 Update 27 and earlier, when running on Windows,
  allows remote untrusted Java Web Start applications and untrusted Java
  applets to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment.

CVE-2011-3389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389):
  The SSL protocol, as used in certain configurations in Microsoft Windows and
  Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and
  other products, encrypts data by using CBC mode with chained initialization
  vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP
  headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session,
  in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API,
  (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a
  "BEAST" attack.
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-21 23:27:48 UTC
*** Bug 388055 has been marked as a duplicate of this bug. ***
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-10-22 14:20:30 UTC
oracle-jdk-bin and -jre-bin 1.7 bumped, slot is not yet stable
for sun-jdk:1.6 (and sun-jre-bin and app-emulation/emul-linux-x86-java) there are more changes needed as upstream changed packaging (and it'll be fetch restricted again :(
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-10-22 23:51:45 UTC
Please stabilize:

dev-java/sun-jdk-1.6.0.29
dev-java/sun-jre-bin-1.6.0.29
(amd64 only) app-emulation/emul-linux-x86-java-1.6.0.29
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-30 12:36:53 UTC
x86 stable
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-10-30 14:22:48 UTC
For the glsa: note that icedtea6-bin has been renamed to icedtea-bin
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2011-11-05 10:11:31 UTC
amd64 done
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-11-05 10:25:31 UTC
This issue was resolved and addressed in
 GLSA 201111-02 at http://security.gentoo.org/glsa/glsa-201111-02.xml
by GLSA coordinator Alex Legler (a3li).