Straight from the announcement:
1. Problem
A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet.
This issue is described in the following document: CVE CAN-2004-1029 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029.
2. Vulnerable Versions
All Blackdown VMs previous to J2SE v1.4.2-01.
3. Solution
Upgrade to J2SE v1.4.2-01
--------------------------------------------------------
sun-jdk-1.4.2.06.ebuild is not vulnerable and already stable for x86.
More URLs:
<http://www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true>
<http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-11/1126.html>: "Sun Microsystems was informed on April 29, 2004 and has fixed the problem in J2SE 1.4.2_06"
java please bump to 1.4.2-01.
Created attachment 44615 blackdown-jdk-1.4.2.ebuild.diff
Hi, I got the new version installed with the attached changes. I did a quick test on x86 with mozilla and jdk at this German website: http://www.heise.de/security/dienste/browsercheck/tests/java.shtml
Poly
blackdown-jdk/jre bumped to 1.4.2.01; still needs amd64 keywording
amd64, please test and mark stable: target KEYWORDS:
blackdown-jre-1.4.2.01.ebuild:KEYWORDS="-* amd64 x86"
blackdown-jdk-1.4.2.01.ebuild:KEYWORDS="-* x86 amd64"
New severity
Oops, sparc had blackdown 1.4.1 stable too. It was the only jdk for their arch, but it seems to be affected too (I removed it), so they no longer have a stable jdk; blackdown doesn't release them for sparc anymore.
bumped 1.4.1 to 1.4.1-r1 for sparc, it no longer installs the mozilla plugin.
amd64, please test and mark blackdown-jdk-1.4.2.01 stable.
Axxo & PPC: Versions 1.3.x are probably vulnerable too. What solution do we have for the ppc arch (which has a 1.3 version stable)? Can it be bumped to 1.4.x? What else could we do to secure ppc?
I cannot test the plugins of 1.3* since they don't work on newer versions of mozilla/firefox. All sun/blackdown >=1.4.0 in the tree now shouldn't be affected. ppc also has a stable ibm-jdk-bin.
As Lars posted above, a test can be found at <http://www.heise.de/security/dienste/browsercheck/tests/java.shtml> (German). In the stanza beginning with "Am 23.11.2004 wurde ein Problem bekannt", click on the link "hier"; a popup should appear saying "Sie sind verwundbar" if you are still vulnerable. Opera still seems to have problems with this, probably because of its non-standard java usage (see bug #71818).
amd64 is ready now.
ppc: please try blackdown-jdk/jre 1.4.x and see if you could mark it stable. We've a short schedule on this one, we might need to issue a temporary GLSA with affected versions by Monday. See what you can do :)
JoseJX just said that ppc has no "Java plug-in" functionality from blackdown-jdk/jre so it's not affected by this vulnerability. We're waiting for a confirmation on this and will send a x86/amd64 restricted GLSA if this is verified.
a thread on FD talks about the necessity to remove old java versions
http://www.securityfocus.com/archive/1/382281
http://www.securityfocus.com/archive/1/382413
http://java.sun.com/products/plugin/versions.html#answers :
Question: What happens when the user at some later point returns to the applet that specifies the 1.3.1 plug-in? Does the 1.4 plug-in load, ignoring the applet's HTML plug-in version parameters?
Answer: Here the answer depends on whether the 1.3.1 applet specifies clsid:8AD ... or clsid:CAF .... The clsid:CAF ... indicates that the applet requires the specific version of 1.3.1 to run; and so it will run with the 1.3.1 version if it has not been removed from the system and will prompt the user to install it if it has. However, if the clsid:8AD ... is used and both versions of the Plug-in are still installed on the system, then the 1.3.1 version will be run. If 1.3.1 has been removed, the 1.4 version will be run. In this case, any version of Plug-in equal to or higher than the indicated version will be used.
Question: What happens when the user has a newer version of the plug-in installed (e.g., 1.4) but opens an applet whose HTML specifies an older version (1.3.1 or 1.2.1)? Will the user be prompted to install the older one? If so, what happens when the user returns to the newer applet?
Answer: This is similar to the question above. If the clsid:CAF ... is used, then the older version will be installed and run. However, if the clsid:8AD is used, then the newer version will run the applet.
_______
another test can be found here: http://bcheck.scanit.be/bcheck/
Holding on the GLSA a few more hours on konq/opera vulnerability test to see if we should have a "Note:" about their vulnerable status.
GLSA 200411-38