Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 306579 - Sun JRE/JDK <=1.5.0.22 <1.6.0.19 Multiple vulnerabilities (CVE-2009-3555,CVE-2010-{0082,0084,0085,0087,0088,0089,0090,0091,0092,0093,0094,0095,0837,0838,0839,0840,0841,0842,0843,0844,0845,0846,0847,0848,0849,0850})
Summary: Sun JRE/JDK <=1.5.0.22 <1.6.0.19 Multiple vulnerabilities (CVE-2009-3555,CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.oracle.com/technology/depl...
Whiteboard: A2 [1.5 maskglsa] [1.6 glsa]
Keywords:
: 307567 (view as bug list)
Depends on: java15removal
Blocks: java-security CVE-2009-3555 312297 314531
  Show dependency tree
 
Reported: 2010-02-23 22:19 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2010-06-04 05:16 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-02-23 22:19:04 UTC
Java:
      The Java Secure Socket Extension (JSSE) included in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux are affected:
          o JDK and JRE 6 Update 17 and earlier
          o JDK and JRE 5.0 Update 22 and earlier
          o SDK and JRE 1.4.2_24 and earlier

      An interim fix, that disables TLS/SSL renegotiation in JSSE by default, will be included in our upcoming Java SE security update. Once the industry (via IETF-TLS Working Group) standardizes a fix to the protocol, Sun will update this fix accordingly.
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-02-23 22:29:37 UTC
1.5 jdk is EOL, we should mark it as build-only and work on bug 292001 towards its removal. The emul-linux and sun-jre-bin packages could probably be masked. instantly.

1.6 is tricky, the description seems as update 18 should be fixed, but update 18 was not a 'security update' AFAIK? On http://java.sun.com/javase/6/webnotes/6u18.html it states security baseline 1.6.0_17 (but not sure if it means what I think) and there seems to be no relevant bug among the fixes mentioned.

So I'm not sure if stabling 1.6.0.18 would fix this. Is there some easy way to check if the renegotiation is disabled there or not?
Comment 2 Tomas Hoger 2010-02-24 08:45:34 UTC
(In reply to comment #1)
> 1.6 is tricky, the description seems as update 18 should be fixed, but update
> 18 was not a 'security update' AFAIK? On
> http://java.sun.com/javase/6/webnotes/6u18.html it states security baseline
> 1.6.0_17 (but not sure if it means what I think) and there seems to be no
> relevant bug among the fixes mentioned.

1.6.0_18 still re-handshakes TLS session upon request from (unpatched) client.

> So I'm not sure if stabling 1.6.0.18 would fix this. Is there some easy way to
> check if the renegotiation is disabled there or not?

Some java TLS server, connect to it using s_client and renegotiate.
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-03-30 19:40:28 UTC
*** Bug 307567 has been marked as a duplicate of this bug. ***
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-03-30 20:35:17 UTC
New release out, and the list of vulnerabilities grew (see $URL).
Please stabilize dev-java/sun-jdk / dev-java/sun-jre-bin / app-emulation/emul-linux-x86-java - all version 1.6.0.19
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-03-31 15:13:04 UTC
Arches, please test and mark stable:
=dev-java/sun-jre-bin-1.6.0.19
=dev-java/sun-jdk-1.6.0.19
Target keywords : "amd64 x86"

=app-emulation/emul-linux-x86-java-1.6.0.19
Target keywords : "amd64"
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-03-31 16:18:12 UTC
P.masked for removal: 
=dev-java/sun-jre-bin-1.5*
=app-emulation/emul-linux-x86-java-1.5*

use.masked nsplugin and marked as build-only to minimize usage outside of emerge
dev-java/sun-jdk-1.5
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-31 16:35:10 UTC
x86 stable
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-02 09:04:14 UTC
CVE-2010-0082 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0082):
  Unspecified vulnerability in the HotSpot Server component in Oracle
  Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25,
  and 1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0084 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0084):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
  and 1.4.2_25 allows remote attackers to affect confidentiality via
  unknown vectors.

CVE-2010-0085 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0085):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
  1.4.2_25, and 1.3.1_27 allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0087 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0087):
  Unspecified vulnerability in the Java Web Start, Java Plug-in
  component in Oracle Java SE and Java for Business 6 Update 18, 5.0
  Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0088):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
  1.4.2_25, and 1.3.1_27 allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0089):
  Unspecified vulnerability in the Java Web Start, Java Plug-in
  component in Oracle Java SE and Java for Business 6 Update 18, 5.0
  Update 23, and 1.4.2_25 allows remote attackers to affect
  availability via unknown vectors.

CVE-2010-0090 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0090):
  Unspecified vulnerability in the Java Web Start, Java Plug-in
  component in Oracle Java SE and Java for Business 6, Update, and 18
  allows remote attackers to affect integrity and availability via
  unknown vectors.

CVE-2010-0091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0091):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
  and 1.4.2_25 allows remote attackers to affect confidentiality via
  unknown vectors.

CVE-2010-0092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0092):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and
  23 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors.

CVE-2010-0093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0093):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
  and 1.4.2_25 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0094):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and
  23 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors.

CVE-2010-0095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0095):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
  and 1.4.2_25 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0837):
  Unspecified vulnerability in the Pack200 component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote
  attackers to affect confidentiality, integrity, and availability via
  unknown vectors.

CVE-2010-0838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0838):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote
  attackers to affect confidentiality, integrity, and availability via
  unknown vectors.

CVE-2010-0839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0839):
  Unspecified vulnerability in the Sound component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0840):
  Unspecified vulnerability in the Java Runtime Environment component
  in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
  and 1.4.2_25 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0841):
  Unspecified vulnerability in the ImageIO component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows
  remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors.

CVE-2010-0842 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0842):
  Unspecified vulnerability in the Sound component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0843):
  Unspecified vulnerability in the Sound component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0844):
  Unspecified vulnerability in the Sound component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0845):
  Unspecified vulnerability in the HotSpot Server component in Oracle
  Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows
  remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors.

CVE-2010-0846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0846):
  Unspecified vulnerability in the ImageIO component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0847):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0848 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0848):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0849):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE
  and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and
  1.3.1_27 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors.

CVE-2010-0850 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0850):
  Unspecified vulnerability in the Java 2D component in Oracle Java SE
  and Java for Business 1.3.1_27 allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors.

Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-02 10:12:58 UTC
GLSA draft filed.
Comment 10 Mike Limansky 2010-04-15 13:11:33 UTC
Hi all, JDK 1.6.0_20 was released, with fix of critical security issue in javaws.

http://java.sun.com/javase/6/webnotes/6u20.html
Comment 11 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-15 13:56:57 UTC
(In reply to comment #10)
> Hi all, JDK 1.6.0_20 was released, with fix of critical security issue in
> javaws.
> 
> http://java.sun.com/javase/6/webnotes/6u20.html

Might be about bug 314531 but I can't tell. Also no djl-licensed bundles yet. 

Comment 12 Markus Meier gentoo-dev 2010-04-15 20:42:25 UTC
amd64 stable, all arches done.
Comment 13 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-04-16 06:08:43 UTC
(In reply to comment #9)
> GLSA draft filed.
> 

You'll probably want to merge it with bug 314531 ?
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-04 05:00:11 UTC
(In reply to comment #13)
> You'll probably want to merge it with bug 314531 ?

Yes. Draft is ready to be sent.
Comment 15 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-04 05:16:42 UTC
GLSA 201006-18