
Bug 71818

Summary: net-www/opera: Java vulnerabilities
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: minor
CC: lanius
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.securityfocus.com/archive/1/381634/2004-11-17/2004-11-23/0
Whiteboard: B3 [upstream] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-20 01:12:44 UTC
Full details on BugTraq.

Short summary:

1:
Opera does not follow Sun's guidelines for secure Java programming. Internal access to sun-packages is granted.

2:
XSLT processor covert channel attack with bundled JRE (http://sunsolve.sun.com/search/document.do?assetkey=1-26-57613-1&searchclause= though it seems dead now, Google has a nice cache.)

3:
Internal pointer DoS exploitation

4:
Exposure of location of local Java installation

5:
Exposure of local user name to an untrusted applet
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-11-22 12:47:34 UTC
According to Secunia's advisory [1], this issue is fixed in 7.60 beta versions of Opera.

[1]: http://secunia.com/advisories/13257/
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-28 10:39:39 UTC
Still no release upstream. CC'ing maintainer.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-12 12:48:26 UTC
This (partly?) seems to be addressed in bug #74076
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 06:28:50 UTC
Fixed with 7.54u1, will be addressed in bug 74076

*** This bug has been marked as a duplicate of 74076 ***