From Secunia: http://secunia.com/advisories/32991/
Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of service), or compromise a vulnerable system.
(1) Guessable temp file names
(2) JRE Image processing vulns
(3) GIF Image processing vulns
(4) Fonts processing vulns
(5) Establishment of network connections
(6) Applet loading vuln causes possibility to read arbitrary files
... (continues up to point (22)), please see the link above.
Solution: upgrade to fixed version:
JDK and JRE 6 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) An anonymous researcher working with ZDI
3) iDefense
4) Sebastian Apelt working with iDefense
5, 6, 7) Peter Csepely working with ZDI
8) Virtual Security Research
9) Billy Rios of Microsoft and Nate Mcfeters of Ernst and Young
10) Peter Csepely working with ZDI and John Heasman of NGSSoftware
12) Francisco Amato
13) Stefan Middendorf from Cirosec
14) Sami Koivu
15) "regenrecht" working with iDefense
17) Henri Torgemane and Sami Koivu
19) Jan Grant of Bristol University
20) Adam Gowdiak
21) University of Oulu
Please provide updated ebuilds:
=dev-java/sun-jre-1.6.0.11
=dev-java/sun-jre-1.5.0.17
=dev-java/sun-jre-1.4.2.19
=dev-java/sun-jdk-1.6.0.11
=dev-java/sun-jdk-1.5.0.17
=dev-java/sun-jdk-1.4.2.19
Downgrading to A2, as I don't see a remote system compromise... everything seems to need a user executing an applet, JAR or using the java update mechanism. Sorry for the spam.
All slots of sun-jdk, sun-jre-bin and emul-linux-x86-java bumped. Arches please test:
x86: sun-jre-bin, sun-jdk all slots
amd64: emul-linux-x86-java all slots, sun-jre-bin and sun-jdk :1.5 :1.6
*** Bug 249900 has been marked as a duplicate of this bug. ***
CVE-2008-2086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2086): Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allow remote attackers to execute arbitrary code via a crafted jnlp file that modifies the (1) java.home, (2) java.ext.dirs, or (3) user.home System Properties, aka "Java Web Start File Inclusion."
CVE-2008-5339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5339): Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to perform network connections to unauthorized hosts via unknown vectors.
CVE-2008-5340 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5340): Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to gain privileges to access local files or applications via unknown vectors.
CVE-2008-5341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5341): Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted JWS applications to obtain the pathname of the JWS cache and the application username via unknown vectors.
CVE-2008-5342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5342): Unspecified vulnerability in the BasicService for Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted downloaded applications to cause local files to be displayed in the browser of the user of the untrusted application via unknown vectors.
CVE-2008-5343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5343): Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows "hidden code" to make unauthorized network connections and "hijack HTTP sessions using cookies stored in the browser" via unknown vectors.
CVE-2008-5344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5344): Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applets to read arbitrary files and make unauthorized network connections via unknown vectors related to applet classloading.
CVE-2008-5345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5345): Unspecified vulnerability in Java Runtime Environment (JRE) with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier allows code that is loaded from a local filesystem to read arbitrary files and make unauthorized connections to localhost via unknown vectors.
CVE-2008-5346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5346): Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 or earlier allows untrusted applets and applications to read arbitrary memory via a crafted ZIP file.
CVE-2008-5347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5347): Multiple unspecified vulnerabilities in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier allow untrusted applets and applications to gain privileges via vectors related to access to inner classes in the (1) JAX-WS and (2) JAXB packages.
CVE-2008-5348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5348): Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier, when using Kerberos authentication, allows remote attackers to cause a denial of service (OS resource consumption) via unknown vectors.
CVE-2008-5349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5349): Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows remote attackers to cause a denial of service (CPU consumption) via a crafted RSA public key.
CVE-2008-5350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5350): Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applications and applets to list the contents of the operating user's directory via unknown vectors.
CVE-2008-5351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5351): Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier accepts UTF-8 encodings that are not the "shortest" form, which makes it easier for attackers to bypass protection mechanisms for other applications that rely on shortest-form UTF-8 encodings.
CVE-2008-5352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5352): Integer overflow in the JAR unpacking utility (unpack200) in the unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted applications and applets to gain privileges via a Pack200 compressed JAR file that triggers a heap-based buffer overflow.
CVE-2008-5353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5353): Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applets and applications to gain privileges via unknown vectors related to "deserializing calendar objects."
CVE-2008-5354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5354): Stack-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows locally-launched and possibly remote untrusted Java applications to execute arbitrary code via a JAR file with a long Main-Class manifest entry.
CVE-2008-5355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5355): The "Java Update" feature for Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not verify the signature of the JRE that is downloaded, which allows remote attackers to execute arbitrary code via DNS man-in-the-middle attacks.
CVE-2008-5356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5356): Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file.
CVE-2008-5357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5357): Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow.
CVE-2008-5358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5358): Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier might allow remote attackers to execute arbitrary code via a crafted GIF file that triggers memory corruption during display of the splash screen, possibly related to splashscreen.dll.
CVE-2008-5359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5359): Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via unknown vectors related to "image processing code."
CVE-2008-5360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5360): Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier creates temporary files with predictable file names, which allows attackers to write malicious JAR files via unknown vectors.
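The CVE-2008-5351 entry above turns on non-shortest-form UTF-8. As an added example (not part of the bug report and not Sun's code), this sketch shows why a byte-level check is bypassed when a decoder accepts overlong forms, and what a strict decoder must reject. The function names, the `filter_allows` check and the sample bytes are hypothetical and constructed for illustration.

```python
# Added example (not Sun's code): UTF-8 decoding with and without the
# shortest-form check that CVE-2008-5351 describes as missing.

# Smallest code point that legitimately needs a sequence of each length.
MIN_FOR_LEN = {1: 0x00, 2: 0x80, 3: 0x800, 4: 0x10000}
SAMPLE = b"a\xc0\xafb"  # constructed input: '/' (U+002F) in overlong 2-byte form

def _sequences(data: bytes):
    """Yield (code_point, byte_length) using only the UTF-8 bit layout."""
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            n, cp = 1, lead
        elif lead >> 5 == 0b110:
            n, cp = 2, lead & 0x1F
        elif lead >> 4 == 0b1110:
            n, cp = 3, lead & 0x0F
        elif lead >> 3 == 0b11110:
            n, cp = 4, lead & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02X}")
        tail = data[i + 1:i + n]
        if len(tail) != n - 1 or any(t >> 6 != 0b10 for t in tail):
            raise ValueError("truncated or invalid continuation bytes")
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        yield cp, n
        i += n

def filter_allows(raw: bytes) -> bool:
    """Hypothetical upstream check that blocks '/' by matching raw bytes."""
    return b"/" not in raw

def decode_lenient(data: bytes) -> str:
    """Decoder without the shortest-form check (the behaviour the CVE describes)."""
    return "".join(chr(cp) for cp, _ in _sequences(data))

def decode_strict(data: bytes) -> str:
    """Reject overlong forms, surrogates and values above U+10FFFF."""
    out = []
    for cp, n in _sequences(data):
        if cp < MIN_FOR_LEN[n]:
            raise ValueError(f"overlong {n}-byte encoding of U+{cp:04X}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"code point U+{cp:04X} is not a Unicode scalar value")
        out.append(chr(cp))
    return "".join(out)
```

The sample passes the byte-level filter yet decodes leniently to a string containing `/`; the strict decoder raises instead, which is the behaviour applications relying on shortest-form UTF-8 expect.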
Sorry for the doublepost, I should've synced again... :/
amd64/x86 should all be done - everything looks good. All arches done.
Thanks! Maybe we should accept the bug now... ;)
*** Bug 246010 has been marked as a duplicate of this bug. ***
A2 always needs a GLSA, filed.
GLSA 200911-02