drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in OpenJDK (Aktualisierung)
Name: |
Mehrere Probleme in OpenJDK (Aktualisierung) |
|
ID: |
USN-1263-2 |
|
Distribution: |
Ubuntu |
|
Plattformen: |
Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04, Ubuntu 11.10 |
|
Datum: |
Mi, 25. Januar 2012, 08:34 |
|
Referenzen: |
Keine Angabe |
|
Applikationen: |
OpenJDK |
|
Update von: |
Mehrere Probleme in IcedTea-Web |
|
Originalnachricht |
--===============1593168168268810097== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="JYK4vJDZwFMowpUq" Content-Disposition: inline
--JYK4vJDZwFMowpUq Content-Type: text/plain; charset=us-ascii Content-Disposition: inlin Content-Transfer-Encoding: quoted-printable
========================================================================== Ubuntu Security Notice USN-1263-2 January 24, 2012
openjdk-6, openjdk-6b18 regression ==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS
Summary:
USN-1263-1 caused a regression when using OpenJDK 6's SSL/TLS implementation.
Software Description: - openjdk-6: Open Source Java implementation - openjdk-6b18: Open Source Java implementation
Details:
USN-1263-1 fixed vulnerabilities in OpenJDK 6. The upstream patch for the chosen plaintext attack on the block-wise AES encryption algorithm (CVE-2011-3389) introduced a regression that caused TLS/SSL connections to fail when using certain algorithms. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377) Juliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm block-wise as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389) It was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521) It was discovered that the Java scripting engine did not perform SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544) It was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. (CVE-2011-3547) It was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548) It was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551) It was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet exhaust the number of available UDP sockets to cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552) It was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553) It was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554) It was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557) It was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558) It was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 11.10: icedtea-6-jre-cacao 6b23~pre11-0ubuntu1.11.10.1 icedtea-6-jre-jamvm 6b23~pre11-0ubuntu1.11.10.1 openjdk-6-jre 6b23~pre11-0ubuntu1.11.10.1 openjdk-6-jre-headless 6b23~pre11-0ubuntu1.11.10.1 openjdk-6-jre-lib 6b23~pre11-0ubuntu1.11.10.1 openjdk-6-jre-zero 6b23~pre11-0ubuntu1.11.10.1
Ubuntu 11.04: icedtea-6-jre-cacao 6b22-1.10.4-0ubuntu1~11.04.2 icedtea-6-jre-jamvm 6b22-1.10.4-0ubuntu1~11.04.2 openjdk-6-jre 6b22-1.10.4-0ubuntu1~11.04.2 openjdk-6-jre-headless 6b22-1.10.4-0ubuntu1~11.04.2 openjdk-6-jre-lib 6b22-1.10.4-0ubuntu1~11.04.2 openjdk-6-jre-zero 6b22-1.10.4-0ubuntu1~11.04.2
Ubuntu 10.10: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.10.3 openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.10.3 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.10.3 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.10.3 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.10.3
Ubuntu 10.04 LTS: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.04.3 openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.04.3 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.04.3 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.04.3 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.04.3
After a standard system update you need to restart any Java applications or applets to make all the necessary changes.
References: http://www.ubuntu.com/usn/usn-1263-2 http://www.ubuntu.com/usn/usn-1263-1 https://launchpad.net/bugs/891761
Package Information: https://launchpad.net/ubuntu/+source/openjdk-6/6b23~pre11-0ubuntu1.11.10.1 https://launchpad.net/ubuntu/+source/openjdk-6/6b22-1.10.4-0ubuntu1~11.04.2 https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.10-0ubuntu1~11.04.2 https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.10-0ubuntu1~10.10.3 https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.10-0ubuntu1~10.10.3 https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.10-0ubuntu1~10.04.3 https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.10-0ubuntu1~10.04.3
--JYK4vJDZwFMowpUq Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBCgAGBQJPHzMyAAoJEC8Jno0AXoH08HcP/1FGxX+akZAU2ADDkp054yaa waPh0erajyp+x46IDCoOeFdpm29DPaImCGtPaQNyZNot/PMfEjJnF5X8oF3YXf8U tzSAd720ZEMgRks9zi1r0/OToame62IHX1hVJiKwAJp+xlNYOrH+GC617yHXwnyb yEq68PYN61sLmihDKQKFlFYPgiyVttbGtRAV00KUaHikXlXDuTrUpynWZ3TyFisx 5m6O6cCyVP+HRoCKfSyHEOEuL8mpxa08gaqs5s9tb8IOeIrERAOwNF0bveOpQwrp 5YEUDSry5supV/8Nr10Z8EZqzP+76LFNH4XTTW3X+SqiL8k7/mZeahcJUo6wEwBe ZNkOB4/O626oP3QjDZnw/+J9D7QerA5MtSb1XVfRv14IW94a1zSZqAGHk6T5UZC9 8lFzrK/NA56ee5MuM/7YaS/d6SIv7D7MoaSY2vdBBO/CRgiRA42IOHamD92ZmNcD ToG3YbLOJtaBiNvwDrufVLkestL8QUMX2Z5eFPpT+wi/D+HRO+2EN/KGUT9bbk5e WiOJTkqTPmnzB8YAGrMHVk0wEXjJ8yeMJag5AF/O44ro/gGxDdr1555PSHGhOGGR SiTSXUUtULX0qOGDwbpyFP8dE9rc/J+dVCeRC+hFIzC1Gmp/JDv941S/Q0GlGmwE CSEtfwKTIsFgNmFFmYB/ =ToU6 -----END PGP SIGNATURE-----
--JYK4vJDZwFMowpUq--
--===============1593168168268810097== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline
-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
--===============1593168168268810097==--
|
|
|
|