Bug 387637 (CVE-2011-3389) - <dev-java/{icedtea-bin-1.10.4,icedtea-6.1.10.4} Multiple vulnerabilities (CVE-2011-{3389,3521,3544,3547,3548,3551,3552,3553,3554,3556,3557,3558,3560})
Summary: <dev-java/{icedtea-bin-1.10.4,icedtea-6.1.10.4} Multiple vulnerabilities (CVE...
Status: RESOLVED FIXED
Alias: CVE-2011-3389
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://blog.fuseyism.com/index.php/20...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks: icedtea-tracker java-security 388055
Reported: 2011-10-19 05:52 UTC by Andrew John Hughes
Modified: 2014-06-29 15:29 UTC

See Also:
Package list:
Runtime testing required: ---


Description Andrew John Hughes 2011-10-19 05:52:34 UTC
http://blog.fuseyism.com/index.php/2011/10/18/security-icedtea6-1-8-10-1-9-10-and-1-10-4-released/

New ebuilds in java-overlay.

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-19 10:04:01 UTC
(In reply to comment #0)
> New ebuilds in java-overlay.

@Java, please bump the new version in tree
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-10-20 10:48:03 UTC
CVE-2011-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect confidentiality and
  integrity, related to JSSE.

CVE-2011-3558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote
  untrusted Java Web Start applications and untrusted Java applets to affect
  confidentiality via unknown vectors related to HotSpot.

CVE-2011-3557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote
  attackers to affect confidentiality, integrity, and availability, related to
  RMI.

CVE-2011-3556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote
  attackers to affect confidentiality, integrity, and availability, related to
  RMI.

CVE-2011-3554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier allows remote untrusted Java Web Start applications and untrusted
  Java applets to affect confidentiality, integrity, and availability via
  unknown vectors.

CVE-2011-3553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4
  and earlier allows remote authenticated users to affect confidentiality,
  related to JAXWS.

CVE-2011-3552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote attackers to affect
  integrity via unknown vectors related to Networking.

CVE-2011-3551 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4
  and earlier allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to 2D.

CVE-2011-3548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect confidentiality,
  integrity, and availability, related to AWT.

CVE-2011-3547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and
  earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start
  applications and untrusted Java applets to affect confidentiality via
  unknown vectors related to Networking.

CVE-2011-3544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote
  untrusted Java Web Start applications and untrusted Java applets to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Scripting.

CVE-2011-3521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521):
  Unspecified vulnerability in the Java Runtime Environment component in
  Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31
  earlier allows remote untrusted Java Web Start applications and untrusted
  Java applets to affect confidentiality, integrity, and availability via
  unknown vectors related to Deserialization.

CVE-2011-3389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389):
  The SSL protocol, as used in certain configurations in Microsoft Windows and
  Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and
  other products, encrypts data by using CBC mode with chained initialization
  vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP
  headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session,
  in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API,
  (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a
  "BEAST" attack.
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-10-22 22:47:33 UTC
dev-java/icedtea bumped to 1.10.4, package is not yet stabilized so nothing more to do

dev-java/icedtea6-bin-1.10.4 also bumped, arches please stabilize
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-10-23 11:52:45 UTC
amd64 ok
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-26 18:40:34 UTC
amd64 ok
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-10-28 10:37:55 UTC
gentoo64 icedtea # USE="X alsa -doc -examples nsplugin source" emerge =dev-java/icedtea6-bin-1.10.4
gentoo64 icedtea # emerge =virtual/jdk-1.6.0

all ok
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-30 12:37:20 UTC
x86 stable
Comment 8 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-10-30 14:11:57 UTC
Package moved icedtea6-bin to icedtea-bin. Sorry for the trouble.
Comment 9 Tony Vroon (RETIRED) gentoo-dev 2011-11-01 11:17:53 UTC
+  01 Nov 2011; Tony Vroon <chainsaw@gentoo.org> icedtea-bin-1.10.4.ebuild:
+  Marked stable on AMD64 based on arch testing by Ian "idella4" Delaney &
+  Agostino "ago" Sarubbo in security bug #387637.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-11-02 07:49:07 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 15:29:13 UTC
This issue was resolved and addressed in GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml by GLSA coordinator Mikle Kolyada (Zlogene).