openjdk team mailing list archive

Bug#566766: openjdk-6: security issues published in 2007

 

Package: openjdk-6
Version: 6_6b17~pre3-1
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published for openjdk-6 in 2007.  It is very likely that they are all
fixed; however, this needs to be manually verified. Please check. Thank
you.

CVE-2006-2426[0]:
| Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6
| and earlier, and SDK 1.5.0_6 and earlier allows remote attackers to
| cause a denial of service (disk consumption) by using the
| Font.createFont function to create temporary files of arbitrary size
| in the %temp% directory.

CVE-2007-2788[1]:
| Integer overflow in the embedded ICC profile image parser in Sun Java
| Development Kit (JDK) before 1.5.0_11-b03 and 1.6.x before
| 1.6.0_01-b06, and Sun Java Runtime Environment in JDK and JRE 6, JDK
| and JRE 5.0 Update 10 and earlier, SDK and JRE 1.4.2_14 and earlier,
| and SDK and JRE 1.3.1_20 and earlier, allows remote attackers to
| execute arbitrary code or cause a denial of service (JVM crash) via a
| crafted JPEG or BMP file that triggers a buffer overflow.

CVE-2007-2789[2]:
| The BMP image parser in Sun Java Development Kit (JDK) before
| 1.5.0_11-b03 and 1.6.x before 1.6.0_01-b06, and Sun Java Runtime
| Environment in JDK and JRE 6, JDK and JRE 5.0 Update 10 and earlier,
| SDK and JRE 1.4.2_14 and earlier, and SDK and JRE 1.3.1_19 and
| earlier, when running on Unix/Linux systems, allows remote attackers
| to cause a denial of service (JVM hang) via untrusted applets or
| applications that open arbitrary local files via a crafted BMP file,
| such as /dev/tty.

CVE-2007-3503[3]:
| The Javadoc tool in Sun JDK 6 and JDK 5.0 Update 11 can generate HTML
| documentation pages that contain cross-site scripting (XSS)
| vulnerabilities, which allows remote attackers to inject arbitrary web
| script or HTML via unspecified vectors.

CVE-2007-3655[4]:
| Stack-based buffer overflow in javaws.exe in Sun Java Web Start in JRE
| 5.0 Update 11 and earlier, and 6.0 Update 1 and earlier, allows remote
| attackers to execute arbitrary code via a long codebase attribute in a
| JNLP file.

CVE-2007-3698[5]:
| The Java Secure Socket Extension (JSSE) in Sun JDK and JRE 6 Update 1
| and earlier, JDK and JRE 5.0 Updates 7 through 11, and SDK and JRE
| 1.4.2_11 through 1.4.2_14, when using JSSE for SSL/TLS support, allows
| remote attackers to cause a denial of service (CPU consumption) via
| certain SSL/TLS handshake requests.

CVE-2007-3716[6]:
| The Java XML Digital Signature implementation in Sun JDK and JRE 6
| before Update 2 does not properly process XSLT stylesheets in XSLT
| transforms in XML signatures, which allows context-dependent attackers
| to execute arbitrary code via a crafted stylesheet, a related issue to
| CVE-2007-3715.

CVE-2007-3922[7]:
| Unspecified vulnerability in the Java Runtime Environment (JRE) Applet
| Class Loader in Sun JDK and JRE 5.0 Update 11 and earlier, 6 through 6
| Update 1, and SDK and JRE 1.4.2_14 and earlier, allows remote
| attackers to violate the security model for an applet's outbound
| connections by connecting to certain localhost services running on the
| machine that loaded the applet.

CVE-2007-5232[8]:
| Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and
| earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15
| and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching
| is enabled, allows remote attackers to violate the security model for
| an applet's outbound connections via a DNS rebinding attack.

CVE-2007-5237[9]:
| Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not
| properly enforce access restrictions for untrusted applications, which
| allows user-assisted remote attackers to read and modify local files
| via an untrusted application, aka "two vulnerabilities."

CVE-2007-5238[10]:
| Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE
| 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does
| not properly enforce access restrictions for untrusted applications,
| which allows user-assisted remote attackers to obtain sensitive
| information (the Java Web Start cache location) via an untrusted
| application, aka "three vulnerabilities."

CVE-2007-5239[11]:
| Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE
| 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK
| and JRE 1.3.1_20 and earlier does not properly enforce access
| restrictions for untrusted (1) applications and (2) applets, which
| allows user-assisted remote attackers to copy or rename arbitrary
| files when local users perform drag-and-drop operations from the
| untrusted application or applet window onto certain types of desktop
| applications.

CVE-2007-5240[12]:
| Visual truncation vulnerability in the Java Runtime Environment in Sun
| JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and
| earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20
| and earlier allows remote attackers to circumvent display of the
| untrusted-code warning banner by creating a window larger than the
| workstation screen.

CVE-2007-5273[13]:
| Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and
| earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15
| and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy
| server is used, allows remote attackers to violate the security model
| for an applet's outbound connections via a multi-pin DNS rebinding
| attack in which the applet download relies on DNS resolution on the
| proxy server, but the applet's socket operations rely on DNS
| resolution on the local machine, a different issue than CVE-2007-5274.
| NOTE: this is similar to CVE-2007-5232.

CVE-2007-5274[14]:
| Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and
| earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15
| and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or
| Opera is used, allows remote attackers to violate the security model
| for JavaScript outbound connections via a multi-pin DNS rebinding
| attack dependent on the LiveConnect API, in which JavaScript download
| relies on DNS resolution by the browser, but JavaScript socket
| operations rely on separate DNS resolution by a Java Virtual Machine
| (JVM), a different issue than CVE-2007-5273.  NOTE: this is similar to
| CVE-2007-5232.

CVE-2007-5375[15]:
| Interpretation conflict in the Sun Java Virtual Machine (JVM) allows
| user-assisted remote attackers to conduct a multi-pin DNS rebinding
| attack and execute arbitrary JavaScript in an intranet context, when
| an intranet web server has an HTML document that references a
| "mayscript=true" Java applet through a local relative URI, which may
| be associated with different IP addresses by the browser and the JVM.

CVE-2007-5689[16]:
| The Java Virtual Machine (JVM) in Sun Java Runtime Environment (JRE)
| in SDK and JRE 1.3.x through 1.3.1_20 and 1.4.x through 1.4.2_15, and
| JDK and JRE 5.x through 5.0 Update 12 and 6.x through 6 Update 2,
| allows remote attackers to execute arbitrary programs, or read or
| modify arbitrary files, via applets that grant privileges to
| themselves.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
    http://security-tracker.debian.org/tracker/CVE-2006-2426
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
    http://security-tracker.debian.org/tracker/CVE-2007-2788
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
    http://security-tracker.debian.org/tracker/CVE-2007-2789
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3503
    http://security-tracker.debian.org/tracker/CVE-2007-3503
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3655
    http://security-tracker.debian.org/tracker/CVE-2007-3655
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3698
    http://security-tracker.debian.org/tracker/CVE-2007-3698
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3716
    http://security-tracker.debian.org/tracker/CVE-2007-3716
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3922
    http://security-tracker.debian.org/tracker/CVE-2007-3922
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5232
    http://security-tracker.debian.org/tracker/CVE-2007-5232
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5237
    http://security-tracker.debian.org/tracker/CVE-2007-5237
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5238
    http://security-tracker.debian.org/tracker/CVE-2007-5238
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5239
    http://security-tracker.debian.org/tracker/CVE-2007-5239
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5240
    http://security-tracker.debian.org/tracker/CVE-2007-5240
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5273
    http://security-tracker.debian.org/tracker/CVE-2007-5273
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5274
    http://security-tracker.debian.org/tracker/CVE-2007-5274
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5375
    http://security-tracker.debian.org/tracker/CVE-2007-5375
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5689
    http://security-tracker.debian.org/tracker/CVE-2007-5689