openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #05421
Bug#612660: openjdk-6: CVE-2010-4476 Trivial DoS when parsing strings into Java Double objects
Package: openjdk-6
Version: 6b11-9.1+lenny2
Severity: grave
Tags: security
Justification: trivial denial of service by unauthenticated remote users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openjdk-6.
CVE-2010-4476[0]: (description from upstream announcement)
| This Security Alert addresses security issue CVE-2010-4476 (Java Runtime
| Environment hangs when converting "2.2250738585072012e-308" to a binary
| floating-point number), which is a vulnerability in the Java Runtime
| Environment component of the Oracle Java SE and Java for Business products.
| This vulnerability allows unauthenticated network attacks ( i.e. it may be
| exploited over a network without the need for a username and password).
| Successful attack of this vulnerability can result in unauthorized ability
| to cause a hang or frequently repeatable crash (complete Denial of Service)
| of the Java Runtime Environment. Java based application and web servers are
| especially at risk from this vulnerability.
In particular, there is a trivial attack involving a crafted HTTP header,
which probably affects many systems.
There is a patch available [1].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://security-tracker.debian.org/tracker/CVE-2010-4476
[1] http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html
- -- System Information:
Debian Release: 6.0
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJNUu1AAAoJEFOUR53TUkxRcWAP/iMKvgancaw2RdctEZY54qKX
9W7MdhosFyeP4BAwtHUrge1SeRO9FzTitXXuAXEOcYD0nkKKnfN6c8HdqGly2TbJ
CFQXGgExyd3zuaSJwXohW9eFk983qLXokBHU0fMj0zDSIV7m3uqpo+hqQfdbQLyb
NYbDP+rfiCP+G7EisrEJjcqyMAQsxXLHhHlAmZHsgBFFc/3YbG+h/hEmoNzugfvU
ZQ+YE4GxTUBFlH5l+NjKey+r8kGrAg9A9cR2cz4+pKRCG6Li2MJGRewVy0GK92OL
ePjeKAFe0yfHTzFjKZz1FMnCeB+5341C7FpEqGdINNOet5fDjjkGPinXHAm8ysYu
en3GikXBf1xFmLhKOtpM4KgPTx6xt+zPOxY4xmQt+4xXl8WUHE9whsqWmrwtjoyh
8u9x5tXQkIK5hdHH1ZGAUBN9SoaYBc3Ml0H7h5jEilkvovqjZhTbvf8mt+LDAaBL
RUEeg1pH9UybHzpxqCdMmGABZTed+eLDxY+YvYL8IxPxLDlnHkwUPuD59lMU+l/c
OWQyYCETHIrlKVK6rTMkycJbpHryGxWb54XPWJ0oG/egXL1Rujm6njfnwEqXkKMk
y6pmAYjEDxs8VTnkeUjRiEbs9TIOTh/mN2fQ3NsSEYvgAeHnoIDijSo8XC/N5ove
e4zN86De2nUl9G1TPxLX
=SwDF
-----END PGP SIGNATURE-----
Follow ups