Articles / Debian: Security update for…

Debian: Security update for OpenJDK

Several security vulnerabilities were discovered in OpenJDK, an implementation of the Java platform. The JNLP SecurityManager returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader. Malicious applets can perform DNS cache poisoning.

An empty (but set) LD_LIBRARY_PATH environment variable results in a misconstructed library search path, resulting in code execution from possibly untrusted sources. Malicious applets can extend their privileges by abusing Swing timers. The Hotspot just-in-time compiler miscompiles crafted byte sequences, resulting in heap corruption. JAXP can be exploited by untrusted code to elevate privileges. Java2D can be exploited by untrusted code to elevate privileges. Untrusted code can replace the XML DSIG implementation.

Signatures on JAR files are not properly verified, which allows remote attackers to trick users into executing code that appears to come from a trusted source. The JNLPClassLoader class allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of “an inappropriate security descriptor. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2224-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
April 20, 2011                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-6
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2010-4351 CVE-2010-4448 CVE-2010-4450 CVE-2010-4465 
                CVE-2010-4469 CVE-2010-4470 CVE-2010-4471 CVE-2010-4472
                CVE-2011-0025 CVE-2011-0706

Several security vulnerabilities were discovered in OpenJDK, an
implementation of the Java platform.

CVE-2010-4351
   The JNLP SecurityManager returns from the checkPermission method
   instead of throwing an exception in certain circumstances, which
   might allow context-dependent attackers to bypass the intended
   security policy by creating instances of ClassLoader.

CVE-2010-4448
   Malicious applets can perform DNS cache poisoning.

CVE-2010-4450
   An empty (but set) LD_LIBRARY_PATH environment variable results in
   a misconstructed library search path, resulting in code execution
   from possibly untrusted sources.

CVE-2010-4465
   Malicious applets can extend their privileges by abusing Swing
   timers.

CVE-2010-4469
   The Hotspot just-in-time compiler miscompiles crafted byte
   sequences, resulting in heap corruption.

CVE-2010-4470
   JAXP can be exploited by untrusted code to elevate privileges.

CVE-2010-4471
   Java2D can be exploited by untrusted code to elevate privileges.

CVE-2010-4472
   Untrusted code can replace the XML DSIG implementation.

CVE-2011-0025
   Signatures on JAR files are not properly verified, which allows
   remote attackers to trick users into executing code that appears
   to come from a trusted source.

CVE-2011-0706
   The JNLPClassLoader class allows remote attackers to gain
   privileges via unknown vectors related to multiple signers and the
   assignment of "an inappropriate security descriptor

In addition, this security update contains stability fixes, such as
switching to the recommended Hotspot version (hs14) for this
particular version of OpenJDK.

For the oldstable distribution (lenny), these problems have been fixed in
version 6b18-1.8.7-2~lenny1.

For the stable distribution (squeeze), these problems have been fixed in
version 6b18-1.8.7-2~squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 1.8.7-1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJNrz/PAAoJEL97/wQC1SS+pPQH/jMWKZ/ZGR3C9PHGmuhp1XA+
oH5hsdBYP0HxkIybvW8Ec4GjAWu8X5bljBti+RbZmUdwWH+nWCEZL4rZmdi5ti64
dLFR0Ez6o4jsAJEP1vJC1TX8M07hhfYVMxACiTkqW52Z5g2I2h/yvnDsj7LZsvwE
wozJ4ZyD/IVss/MqYjBeLhZnKzL+4weDs0aVTwoHf31yRj62claGz8CPGhGQI4c1
Pdq3fqipm1VZxWUfr+PuC0VImDNS7GmKjQFVfevwUkllg/IGj3q+wsDhzuIq3r+K
dv5zjNmVCi0a4ybTRbxfZaEztoGLcwwjD4veCV2XNPf6bm+rsBYOf9EhlsCXZ6Q=
=DANG
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.