Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 231337 (CVE-2008-3103) - dev-java/sun-{jdk,jre-bin}|app-emulation/emul-linux-x86-java} Multiple vulnerabilities (CVE-2008-{3103,3104,3105,3106,3107,3108,3109,3110,3111,3112,3113,3114,3115})
Summary: dev-java/sun-{jdk,jre-bin}|app-emulation/emul-linux-x86-java} Multiple vulner...
Status: RESOLVED FIXED
Alias: CVE-2008-3103
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://blogs.sun.com/security/entry/a...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks: emul-tracker java-security 233652
  Show dependency tree
 
Reported: 2008-07-09 20:42 UTC by Serkan Kaba (RETIRED)
Modified: 2009-11-17 23:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Serkan Kaba (RETIRED) gentoo-dev 2008-07-09 20:42:47 UTC
On July 8, 2008, Sun will release the following security updates:

    * JDK and JRE 6 Update 7
    * JDK and JRE 5.0 Update 16
    * SDK and JRE 1.4.2_18
    * SDK and JRE 1.3.1_23

The following Sun Alerts corresponding to these updates will be released following the availability of these updates.

    * 238628
    * 238666
    * 238687
    * 238905
    * 238965
    * 238966
    * 238967
    * 238968

Arches please stabilize.
dev-java/sun-{jdk,jre-bin}-1.4.2.18
dev-java/sun-{jdk,jre-bin}-1.5.0.16
dev-java/sun-{jdk,jre-bin}-1.6.0.07
app-emulation/emul-linux-x86-java-1.4.2.18
app-emulation/emul-linux-x86-java-1.5.0.16
app-emulation/emul-linux-x86-java-1.6.0.07


Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-11 17:15:05 UTC
CVE-2008-3103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3103):
  Unspecified vulnerability in the Java Management Extensions (JMX) management
  agent in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and
  earlier and JDK and JRE 5.0 Update 15 and earlier, when local monitoring is
  enabled, allows remote attackers to "perform unauthorized operations" via
  unspecified vectors.

CVE-2008-3104 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3104):
  Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in
  JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE
  1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote
  attackers to violate the security model for an applet's outbound connections
  by connecting to localhost services running on the machine that loaded the
  applet.

CVE-2008-3105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3105):
  Unspecified vulnerability in the JAX-WS client and service in Sun Java
  Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote
  attackers to access URLs or cause a denial of service via unknown vectors
  involving "processing of XML data" by a trusted application.

CVE-2008-3106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3106):
  Unspecified vulnerability in Sun Java Runtime Environment (JRE) in JDK and
  JRE 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and earlier allows
  remote attackers to access URLs via unknown vectors involving processing of
  XML data by an untrusted (1) application or (2) applet, a different
  vulnerability than CVE-2008-3105.

CVE-2008-3107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3107):
  Unspecified vulnerability in the Virtual Machine in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before
  Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows context-dependent
  attackers to gain privileges via an untrusted (1) application or (2) applet,
  as demonstrated by an application or applet that grants itself privileges to
  (a) read local files, (b) write to local files, or (c) execute local programs.

CVE-2008-3108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3108):
  Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5.0
  before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x
  before 1.3.1_23 allows context-dependent attackers to gain privileges via
  unspecified vectors related to font processing.

CVE-2008-3109 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3109):
  Unspecified vulnerability in scripting language support in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
  context-dependent attackers to gain privileges via an untrusted (1)
  application or (2) applet, as demonstrated by an application or applet that
  grants itself privileges to (a) read local files, (b) write to local files,
  or (c) execute local programs.

CVE-2008-3110 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3110):
  Unspecified vulnerability in scripting language support in Sun Java Runtime
  Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote
  attackers to obtain sensitive information by using an applet to read
  information from another applet.

CVE-2008-3111 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3111):
  Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6 before
  Update 4, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allow context-dependent attackers to gain privileges via an
  untrusted application, as demonstrated by an application that grants itself
  privileges to (1) read local files, (2) write to local files, or (3) execute
  local programs, aka CR 6557220.

CVE-2008-3112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3112):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before
  Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allows remote attackers to create arbitrary files via an untrusted
  application, aka CR 6703909.

CVE-2008-3113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3113):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 5.0 before
  Update 16 and SDK and JRE 1.4.x before 1.4.2_18 allows remote attackers to
  create or delete arbitrary files via an untrusted application, aka CR 6704077.

CVE-2008-3114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3114):
  Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before
  Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before
  1.4.2_18 allows context-dependent attackers to obtain sensitive information
  (the cache location) via an untrusted application, aka CR 6704074.

CVE-2008-3115 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3115):
  Secure Static Versioning in Sun Java JDK and JRE 6 Update 6 and earlier, and
  5.0 Update 6 through 15, does not properly prevent execution of applets on
  older JRE releases, which might allow remote attackers to exploit
  vulnerabilities in these older releases.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-07-11 17:19:13 UTC
Arches, please test and mark stable:

=dev-java/sun-jdk-1.4.2.18
=dev-java/sun-jdk-1.5.0.16
=dev-java/sun-jdk-1.6.0.07
=dev-java/sun-jre-bin-1.4.2.18
=dev-java/sun-jre-bin-1.5.0.16
=dev-java/sun-jre-bin-1.6.0.07
Target keywords : "amd64 x86"

=app-emulation/emul-linux-x86-java-1.4.2.18
=app-emulation/emul-linux-x86-java-1.5.0.16
=app-emulation/emul-linux-x86-java-1.6.0.07
Target keywords : "amd64"
Comment 3 Serkan Kaba (RETIRED) gentoo-dev 2008-07-12 20:32:18 UTC
(In reply to comment #2)
> Arches, please test and mark stable:
> 
> =dev-java/sun-jdk-1.4.2.18
> =dev-java/sun-jdk-1.5.0.16
> =dev-java/sun-jdk-1.6.0.07
> =dev-java/sun-jre-bin-1.4.2.18
> =dev-java/sun-jre-bin-1.5.0.16
> =dev-java/sun-jre-bin-1.6.0.07
> Target keywords : "amd64 x86"
> 
> =app-emulation/emul-linux-x86-java-1.4.2.18
> =app-emulation/emul-linux-x86-java-1.5.0.16
> =app-emulation/emul-linux-x86-java-1.6.0.07
> Target keywords : "amd64"
> 

=dev-java/sun-jdk-1.4.2.18
=dev-java/sun-jre-bin-1.4.2.18

are x86 only.
Comment 4 Kenneth Prugh (RETIRED) gentoo-dev 2008-07-12 21:42:30 UTC
amd64 done
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-16 11:23:20 UTC
x86 stable
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-07-18 08:06:18 UTC
All arches done. GLSA?
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-17 23:09:32 UTC
GLSA 200911-02