Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in OpenJDK
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in OpenJDK
ID: USN-1373-1
Distribution: Ubuntu
Plattformen: Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10
Datum: Fr, 24. Februar 2012, 12:32
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0507
Applikationen: OpenJDK

Originalnachricht


--===============6448709514512073238==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="UHN/qo2QbUvPLonB"
Content-Disposition: inline


--UHN/qo2QbUvPLonB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-1373-1
February 24, 2012

openjdk-6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

Multiple OpenJDK 6 vulnerabilities have been fixed.

Software Description:
- openjdk-6: Open Source Java implementation

Details:

It was discovered that the Java HttpServer class did not limit the
number of headers read from a HTTP request. A remote attacker could
cause a denial of service by sending special requests that trigger
hash collisions predictably. (CVE-2011-5035)

ATTENTION: this update changes previous Java HttpServer class behavior
by limiting the number of request headers to 200. This may be increased
by adjusting the sun.net.httpserver.maxReqHeaders property.

It was discovered that the Java Sound component did not properly
check buffer boundaries. A remote attacker could use this to cause
a denial of service or view confidential data. (CVE-2011-3563)

It was discovered that the Java2D implementation does not properly
check graphics rendering objects before passing them to the native
renderer. A remote attacker could use this to cause a denial of
service or to bypass Java sandbox restrictions. (CVE-2012-0497)

It was discovered that an off-by-one error exists in the Java ZIP
file processing code. An attacker could us this to cause a denial of
service through a maliciously crafted ZIP file. (CVE-2012-0501)

It was discovered that the Java AWT KeyboardFocusManager did not
properly enforce keyboard focus security policy. A remote attacker
could use this with an untrusted application or applet to grab keyboard
focus and possibly expose confidential data. (CVE-2012-0502)

It was discovered that the Java TimeZone class did not properly enforce
security policy around setting the default time zone. A remote attacker
could use this with an untrusted application or applet to set a new
default time zone and bypass Java sandbox restrictions. (CVE-2012-0503)

It was discovered the Java ObjectStreamClass did not throw
an accurately identifiable exception when a deserialization
failure occurred. A remote attacker could use this with
an untrusted application or applet to bypass Java sandbox
restrictions. (CVE-2012-0505)

It was discovered that the Java CORBA implementation did not properly
protect repository identifiers on certain CORBA objects. A remote
attacker could use this to corrupt object data. (CVE-2012-0506)

It was discovered that the Java AtomicReferenceArray class
implementation did not properly check if an array was of
the expected Object[] type. A remote attacker could use this
with a malicious application or applet to bypass Java sandbox
restrictions. (CVE-2012-0507)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
icedtea-6-jre-cacao 6b23~pre11-0ubuntu1.11.10.2
icedtea-6-jre-jamvm 6b23~pre11-0ubuntu1.11.10.2
openjdk-6-jre 6b23~pre11-0ubuntu1.11.10.2
openjdk-6-jre-headless 6b23~pre11-0ubuntu1.11.10.2
openjdk-6-jre-lib 6b23~pre11-0ubuntu1.11.10.2
openjdk-6-jre-zero 6b23~pre11-0ubuntu1.11.10.2

Ubuntu 11.04:
icedtea-6-jre-cacao 6b22-1.10.6-0ubuntu1
icedtea-6-jre-jamvm 6b22-1.10.6-0ubuntu1
openjdk-6-jre 6b22-1.10.6-0ubuntu1
openjdk-6-jre-headless 6b22-1.10.6-0ubuntu1
openjdk-6-jre-lib 6b22-1.10.6-0ubuntu1
openjdk-6-jre-zero 6b22-1.10.6-0ubuntu1

Ubuntu 10.10:
icedtea-6-jre-cacao 6b20-1.9.13-0ubuntu1~10.10.1
openjdk-6-jre 6b20-1.9.13-0ubuntu1~10.10.1
openjdk-6-jre-headless 6b20-1.9.13-0ubuntu1~10.10.1
openjdk-6-jre-lib 6b20-1.9.13-0ubuntu1~10.10.1
openjdk-6-jre-zero 6b20-1.9.13-0ubuntu1~10.10.1

Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b20-1.9.13-0ubuntu1~10.04.1
openjdk-6-jre 6b20-1.9.13-0ubuntu1~10.04.1
openjdk-6-jre-headless 6b20-1.9.13-0ubuntu1~10.04.1
openjdk-6-jre-lib 6b20-1.9.13-0ubuntu1~10.04.1
openjdk-6-jre-zero 6b20-1.9.13-0ubuntu1~10.04.1

After a standard system update you need to restart any Java applications
or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1373-1
CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0501,
CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506,
CVE-2012-0507

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-6/6b23~pre11-0ubuntu1.11.10.2
https://launchpad.net/ubuntu/+source/openjdk-6/6b22-1.10.6-0ubuntu1
https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.13-0ubuntu1~10.10.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.13-0ubuntu1~10.04.1


--UHN/qo2QbUvPLonB
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJPR20uAAoJEC8Jno0AXoH0m7oQAKdvSjcoXTLlNWtCReKe0ViV
uwWf4WPuYE2QrCOubpS2Kez8yMY0DpYO17IcS7CSr4/F6rlgOokf0DMWaIcI5bj3
LTJDll8b3+t4oDv+E5dD15CuU+gx6jY/3TFBCmVrOhlToq27KNJOJCar66jaxNVZ
l0JNHHge7VurJifoC1IOEKHge7BF6WFIU8eJj79M4nhbc1iBcSgIorUY/CX18I1k
eueCLXEZ504ZiOro3ImNG40ujEtZ7+zGh3Rmgffy5ST1KaDvHXNE3/2wliR2CZXn
h58gmPLaWN+apR0gz+dpmLXkGpJnzWF9kMVhOIt4MpkzwFJviPbyj+gfrDAaotGs
wnJcd3/uKk/yiVSPZN8oL1QXdk1teP7YsLhTPwXI2V47kHlDBvGupR5UxATUuB+d
c3rI0U1Mx/nXudAMOgUaLvjc76JoA24Us6/sBFat7R/1sgkmn3PIO0s5ecN+h6RQ
Lqs4TLhT4eftNHjn21DZIviONrlkF0SrLPi8HzJjxPKbYx6wWxkrH8mOgI0ze58H
rUfZ9zSLMO1o/FUzCjgL+lA9oI/dNDke7CnPqez3Q/q6Nqq6QO8wt3ILMlRE4bzX
e17dEEio0QcRq8eo7oKA13420QDIJX4ZdLs6IB872SeZ1dnMlof6KVftlo1O0U9j
TRle7tL1A9CNjfNYUzaJ
=/1qK
-----END PGP SIGNATURE-----

--UHN/qo2QbUvPLonB--


--===============6448709514512073238==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============6448709514512073238==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung