openjdk team mailing list archive

Thread
Date
Bug#566770: openjdk-6: security issues published in 2008

To: submit@xxxxxxxxxxxxxxx
From: Michael Gilbert <michael.s.gilbert@xxxxxxxxx>
Date: Mon, 25 Jan 2010 01:34:48 -0000
Delivered-to: submit@xxxxxxxxxxxxxxx
Reply-to: Michael Gilbert <michael.s.gilbert@xxxxxxxxx>, 566770@xxxxxxxxxxxxxxx
Resent-cc: OpenJDK Team <openjdk@xxxxxxxxxxxxxxxxxxx>
Resent-date: Mon, 25 Jan 2010 01:33:05 +0000
Resent-date: Mon, 25 Jan 2010 01:33:08 +0000
Resent-from: Michael Gilbert <michael.s.gilbert@xxxxxxxxx>
Resent-message-id: <handler.566770.B.12643830064864@xxxxxxxxxxxxxxx>
Resent-sender: Debian BTS <debbugs@xxxxxxxxxxxxxxxx>
Resent-to: debian-bugs-dist@xxxxxxxxxxxxxxxx
Package: openjdk-6
Version: 6_6b17~pre3-1
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openjdk-6.  It is very likely that they are all
fixed; however, this needs to be manually verified. Please check and
reply in-line with the fixed package version for each issue. Thank you.

CVE-2008-0628[0]:
| The XML parsing code in Sun Java Runtime Environment JDK and JRE 6
| Update 3 and earlier processes external entity references even when
| the "external general entities" property is false, which allows remote
| attackers to conduct XML external entity (XXE) attacks and cause a
| denial of service or access restricted resources.

CVE-2008-0657[1]:
| Multiple unspecified vulnerabilities in the Java Runtime Environment
| in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and
| earlier, allow context-dependent attackers to gain privileges via an
| untrusted (1) application or (2) applet, as demonstrated by an
| application or applet that grants itself privileges to (a) read local
| files, (b) write to local files, or (c) execute local programs.

CVE-2008-1185[2]:
| Unspecified vulnerability in the Virtual Machine for Sun Java Runtime
| Environment (JRE) and JDK 6 Update 4 and earlier, 5.0 Update 14 and
| earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to
| gain privileges via an untrusted application or applet, a different
| issue than CVE-2008-1186, aka "the first issue."

CVE-2008-1186[3]:
| Unspecified vulnerability in the Virtual Machine for Sun Java Runtime
| Environment (JRE) and JDK 5.0 Update 13 and earlier, and SDK/JRE
| 1.4.2_16 and earlier, allows remote attackers to gain privileges via
| an untrusted application or applet, a different issue than
| CVE-2008-1185, aka "the second issue."

CVE-2008-1187[4]:
| Unspecified vulnerability in Sun Java Runtime Environment (JRE) and
| JDK 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE
| 1.4.2_16 and earlier allows remote attackers to cause a denial of
| service (JRE crash) and possibly execute arbitrary code via unknown
| vectors related to XSLT transforms.

CVE-2008-1188[5]:
| Multiple buffer overflows in the useEncodingDecl function in Java Web
| Start in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and
| earlier, allow remote attackers to execute arbitrary code via a JNLP
| file with (1) a long key name in the xml header or (2) a long charset
| value, different issues than CVE-2008-1189, aka "The first two
| issues."

CVE-2008-1189[6]:
| Buffer overflow in Java Web Start in Sun JDK and JRE 6 Update 4 and
| earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier
| allows remote attackers to execute arbitrary code via unknown vectors,
| a different issue than CVE-2008-1188, aka the "third" issue.

CVE-2008-1190[7]:
| Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6
| Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16
| and earlier allows remote attackers to gain privileges via an
| untrusted application, a different issue than CVE-2008-1191, aka the
| "fourth" issue.

CVE-2008-1191[8]:
| Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6
| Update 4 and earlier allows remote attackers to create arbitrary files
| via an untrusted application, a different issue than CVE-2008-1190,
| aka "The fifth issue."

CVE-2008-1192[9]:
| Unspecified vulnerability in the Java Plug-in for Sun JDK and JRE 6
| Update 4 and earlier, and 5.0 Update 14 and earlier; and SDK and JRE
| 1.4.2_16 and earlier, and 1.3.1_21 and earlier; allows remote
| attackers to bypass the same origin policy and "execute local
| applications" via unknown vectors.

CVE-2008-1193[10]:
| Unspecified vulnerability in Java Runtime Environment Image Parsing
| Library in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14
| and earlier, allows remote attackers to gain privileges via an
| untrusted application.

CVE-2008-1194[11]:
| Multiple unspecified vulnerabilities in the color management library
| in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and
| earlier, allows remote attackers to cause a denial of service (crash)
| via unknown vectors.

CVE-2008-1195[12]:
| Unspecified vulnerability in Sun JDK and Java Runtime Environment
| (JRE) 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK
| and JRE 1.4.2_16 and earlier; allows remote attackers to access
| arbitrary network services on the local host via unspecified vectors
| related to JavaScript and Java APIs.

CVE-2008-1196[13]:
| Stack-based buffer overflow in Java Web Start (javaws.exe) in Sun JDK
| and JRE 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK
| and JRE 1.4.2_16 and earlier; allows remote attackers to execute
| arbitrary code via a crafted JNLP file.

CVE-2008-3103[14]:
| Unspecified vulnerability in the Java Management Extensions (JMX)
| management agent in Sun Java Runtime Environment (JRE) in JDK and JRE
| 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and earlier, when
| local monitoring is enabled, allows remote attackers to "perform
| unauthorized operations" via unspecified vectors.

CVE-2008-3104[15]:
| Multiple unspecified vulnerabilities in Sun Java Runtime Environment
| (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update
| 16, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before
| 1.3.1_23 allow remote attackers to violate the security model for an
| applet's outbound connections by connecting to localhost services
| running on the machine that loaded the applet.

CVE-2008-3105[16]:
| Unspecified vulnerability in the JAX-WS client and service in Sun Java
| Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
| remote attackers to access URLs or cause a denial of service via
| unknown vectors involving "processing of XML data" by a trusted
| application.

CVE-2008-3106[17]:
| Unspecified vulnerability in Sun Java Runtime Environment (JRE) in JDK
| and JRE 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and
| earlier allows remote attackers to access URLs via unknown vectors
| involving processing of XML data by an untrusted (1) application or
| (2) applet, a different vulnerability than CVE-2008-3105.

CVE-2008-3107[18]:
| Unspecified vulnerability in the Virtual Machine in Sun Java Runtime
| Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0
| before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows
| context-dependent attackers to gain privileges via an untrusted (1)
| application or (2) applet, as demonstrated by an application or applet
| that grants itself privileges to (a) read local files, (b) write to
| local files, or (c) execute local programs.

CVE-2008-3108[19]:
| Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE
| 5.0 before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and
| JRE 1.3.x before 1.3.1_23 allows context-dependent attackers to gain
| privileges via unspecified vectors related to font processing.

CVE-2008-3109[20]:
| Unspecified vulnerability in scripting language support in Sun Java
| Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
| context-dependent attackers to gain privileges via an untrusted (1)
| application or (2) applet, as demonstrated by an application or applet
| that grants itself privileges to (a) read local files, (b) write to
| local files, or (c) execute local programs.

CVE-2008-3110[21]:
| Unspecified vulnerability in scripting language support in Sun Java
| Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
| remote attackers to obtain sensitive information by using an applet to
| read information from another applet.

CVE-2008-3111[22]:
| Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6
| before Update 4, JDK and JRE 5.0 before Update 16, and SDK and JRE
| 1.4.x before 1.4.2_18 allow context-dependent attackers to gain
| privileges via an untrusted application, as demonstrated by (a) an
| application that grants itself privileges to (1) read local files, (2)
| write to local files, or (3) execute local programs; and as
| demonstrated by (b) a long value associated with a java-vm-args
| attribute in a j2se tag in a JNLP file, which triggers a stack-based
| buffer overflow in the GetVMArgsOption function; aka CR 6557220.

CVE-2008-3112[23]:
| Directory traversal vulnerability in Sun Java Web Start in JDK and JRE
| 6 before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE
| 1.4.x before 1.4.2_18 allows remote attackers to create arbitrary
| files via the writeManifest method in the CacheEntry class, aka CR
| 6703909.

CVE-2008-3113[24]:
| Unspecified vulnerability in Sun Java Web Start in JDK and JRE 5.0
| before Update 16 and SDK and JRE 1.4.x before 1.4.2_18 allows remote
| attackers to create or delete arbitrary files via an untrusted
| application, aka CR 6704077.

CVE-2008-3114[25]:
| Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6
| before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE
| 1.4.x before 1.4.2_18 allows context-dependent attackers to obtain
| sensitive information (the cache location) via an untrusted
| application, aka CR 6704074.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0628
    http://security-tracker.debian.org/tracker/CVE-2008-0628
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0657
    http://security-tracker.debian.org/tracker/CVE-2008-0657
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1185
    http://security-tracker.debian.org/tracker/CVE-2008-1185
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1186
    http://security-tracker.debian.org/tracker/CVE-2008-1186
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1187
    http://security-tracker.debian.org/tracker/CVE-2008-1187
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1188
    http://security-tracker.debian.org/tracker/CVE-2008-1188
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1189
    http://security-tracker.debian.org/tracker/CVE-2008-1189
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1190
    http://security-tracker.debian.org/tracker/CVE-2008-1190
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1191
    http://security-tracker.debian.org/tracker/CVE-2008-1191
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1192
    http://security-tracker.debian.org/tracker/CVE-2008-1192
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1193
    http://security-tracker.debian.org/tracker/CVE-2008-1193
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1194
    http://security-tracker.debian.org/tracker/CVE-2008-1194
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1195
    http://security-tracker.debian.org/tracker/CVE-2008-1195
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1196
    http://security-tracker.debian.org/tracker/CVE-2008-1196
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
    http://security-tracker.debian.org/tracker/CVE-2008-3103
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
    http://security-tracker.debian.org/tracker/CVE-2008-3104
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
    http://security-tracker.debian.org/tracker/CVE-2008-3105
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
    http://security-tracker.debian.org/tracker/CVE-2008-3106
[18] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
    http://security-tracker.debian.org/tracker/CVE-2008-3107
[19] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
    http://security-tracker.debian.org/tracker/CVE-2008-3108
[20] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
    http://security-tracker.debian.org/tracker/CVE-2008-3109
[21] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
    http://security-tracker.debian.org/tracker/CVE-2008-3110
[22] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
    http://security-tracker.debian.org/tracker/CVE-2008-3111
[23] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
    http://security-tracker.debian.org/tracker/CVE-2008-3112
[24] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
    http://security-tracker.debian.org/tracker/CVE-2008-3113
[25] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
    http://security-tracker.debian.org/tracker/CVE-2008-3114