Your message dated Tue, 26 Jan 2010 19:54:46 +0100
with message-id <[email protected]>
and subject line Re: Bug#560908 closed by Matthias Klose (Re: openjdk-6: deluge of vulnerabilities)
has caused the Debian Bug report #566766,
regarding openjdk-6: security issues published in 2007
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
566766: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566766
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openjdk-6
Version: 6_6b17~pre3-1
Severity: serious
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published for openjdk-6 in 2007. It is very likely that they are all
fixed; however, this needs to be manually verified. Please check. Thank
you.
CVE-2006-2426[0]:
| Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6
| and earlier, and SDK 1.5.0_6 and earlier allows remote attackers to
| cause a denial of service (disk consumption) by using the
| Font.createFont function to create temporary files of arbitrary size
| in the %temp% directory.
CVE-2007-2788[1]:
| Integer overflow in the embedded ICC profile image parser in Sun Java
| Development Kit (JDK) before 1.5.0_11-b03 and 1.6.x before
| 1.6.0_01-b06, and Sun Java Runtime Environment in JDK and JRE 6, JDK
| and JRE 5.0 Update 10 and earlier, SDK and JRE 1.4.2_14 and earlier,
| and SDK and JRE 1.3.1_20 and earlier, allows remote attackers to
| execute arbitrary code or cause a denial of service (JVM crash) via a
| crafted JPEG or BMP file that triggers a buffer overflow.
CVE-2007-2789[2]:
| The BMP image parser in Sun Java Development Kit (JDK) before
| 1.5.0_11-b03 and 1.6.x before 1.6.0_01-b06, and Sun Java Runtime
| Environment in JDK and JRE 6, JDK and JRE 5.0 Update 10 and earlier,
| SDK and JRE 1.4.2_14 and earlier, and SDK and JRE 1.3.1_19 and
| earlier, when running on Unix/Linux systems, allows remote attackers
| to cause a denial of service (JVM hang) via untrusted applets or
| applications that open arbitrary local files via a crafted BMP file,
| such as /dev/tty.
CVE-2007-3503[3]:
| The Javadoc tool in Sun JDK 6 and JDK 5.0 Update 11 can generate HTML
| documentation pages that contain cross-site scripting (XSS)
| vulnerabilities, which allows remote attackers to inject arbitrary web
| script or HTML via unspecified vectors.
CVE-2007-3655[4]:
| Stack-based buffer overflow in javaws.exe in Sun Java Web Start in JRE
| 5.0 Update 11 and earlier, and 6.0 Update 1 and earlier, allows remote
| attackers to execute arbitrary code via a long codebase attribute in a
| JNLP file.
CVE-2007-3698[5]:
| The Java Secure Socket Extension (JSSE) in Sun JDK and JRE 6 Update 1
| and earlier, JDK and JRE 5.0 Updates 7 through 11, and SDK and JRE
| 1.4.2_11 through 1.4.2_14, when using JSSE for SSL/TLS support, allows
| remote attackers to cause a denial of service (CPU consumption) via
| certain SSL/TLS handshake requests.
CVE-2007-3716[6]:
| The Java XML Digital Signature implementation in Sun JDK and JRE 6
| before Update 2 does not properly process XSLT stylesheets in XSLT
| transforms in XML signatures, which allows context-dependent attackers
| to execute arbitrary code via a crafted stylesheet, a related issue to
| CVE-2007-3715.
CVE-2007-3922[7]:
| Unspecified vulnerability in the Java Runtime Environment (JRE) Applet
| Class Loader in Sun JDK and JRE 5.0 Update 11 and earlier, 6 through 6
| Update 1, and SDK and JRE 1.4.2_14 and earlier, allows remote
| attackers to violate the security model for an applet's outbound
| connections by connecting to certain localhost services running on the
| machine that loaded the applet.
CVE-2007-5232[8]:
| Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and
| earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15
| and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching
| is enabled, allows remote attackers to violate the security model for
| an applet's outbound connections via a DNS rebinding attack.
CVE-2007-5237[9]:
| Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not
| properly enforce access restrictions for untrusted applications, which
| allows user-assisted remote attackers to read and modify local files
| via an untrusted application, aka "two vulnerabilities."
CVE-2007-5238[10]:
| Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE
| 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does
| not properly enforce access restrictions for untrusted applications,
| which allows user-assisted remote attackers to obtain sensitive
| information (the Java Web Start cache location) via an untrusted
| application, aka "three vulnerabilities."
CVE-2007-5239[11]:
| Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE
| 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK
| and JRE 1.3.1_20 and earlier does not properly enforce access
| restrictions for untrusted (1) applications and (2) applets, which
| allows user-assisted remote attackers to copy or rename arbitrary
| files when local users perform drag-and-drop operations from the
| untrusted application or applet window onto certain types of desktop
| applications.
CVE-2007-5240[12]:
| Visual truncation vulnerability in the Java Runtime Environment in Sun
| JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and
| earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20
| and earlier allows remote attackers to circumvent display of the
| untrusted-code warning banner by creating a window larger than the
| workstation screen.
CVE-2007-5273[13]:
| Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and
| earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15
| and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy
| server is used, allows remote attackers to violate the security model
| for an applet's outbound connections via a multi-pin DNS rebinding
| attack in which the applet download relies on DNS resolution on the
| proxy server, but the applet's socket operations rely on DNS
| resolution on the local machine, a different issue than CVE-2007-5274.
| NOTE: this is similar to CVE-2007-5232.
CVE-2007-5274[14]:
| Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and
| earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15
| and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or
| Opera is used, allows remote attackers to violate the security model
| for JavaScript outbound connections via a multi-pin DNS rebinding
| attack dependent on the LiveConnect API, in which JavaScript download
| relies on DNS resolution by the browser, but JavaScript socket
| operations rely on separate DNS resolution by a Java Virtual Machine
| (JVM), a different issue than CVE-2007-5273. NOTE: this is similar to
| CVE-2007-5232.
CVE-2007-5375[15]:
| Interpretation conflict in the Sun Java Virtual Machine (JVM) allows
| user-assisted remote attackers to conduct a multi-pin DNS rebinding
| attack and execute arbitrary JavaScript in an intranet context, when
| an intranet web server has an HTML document that references a
| "mayscript=true" Java applet through a local relative URI, which may
| be associated with different IP addresses by the browser and the JVM.
CVE-2007-5689[16]:
| The Java Virtual Machine (JVM) in Sun Java Runtime Environment (JRE)
| in SDK and JRE 1.3.x through 1.3.1_20 and 1.4.x through 1.4.2_15, and
| JDK and JRE 5.x through 5.0 Update 12 and 6.x through 6 Update 2,
| allows remote attackers to execute arbitrary programs, or read or
| modify arbitrary files, via applets that grant privileges to
| themselves.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
http://security-tracker.debian.org/tracker/CVE-2006-2426
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
http://security-tracker.debian.org/tracker/CVE-2007-2788
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
http://security-tracker.debian.org/tracker/CVE-2007-2789
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3503
http://security-tracker.debian.org/tracker/CVE-2007-3503
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3655
http://security-tracker.debian.org/tracker/CVE-2007-3655
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3698
http://security-tracker.debian.org/tracker/CVE-2007-3698
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3716
http://security-tracker.debian.org/tracker/CVE-2007-3716
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3922
http://security-tracker.debian.org/tracker/CVE-2007-3922
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5232
http://security-tracker.debian.org/tracker/CVE-2007-5232
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5237
http://security-tracker.debian.org/tracker/CVE-2007-5237
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5238
http://security-tracker.debian.org/tracker/CVE-2007-5238
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5239
http://security-tracker.debian.org/tracker/CVE-2007-5239
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5240
http://security-tracker.debian.org/tracker/CVE-2007-5240
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5273
http://security-tracker.debian.org/tracker/CVE-2007-5273
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5274
http://security-tracker.debian.org/tracker/CVE-2007-5274
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5375
http://security-tracker.debian.org/tracker/CVE-2007-5375
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5689
http://security-tracker.debian.org/tracker/CVE-2007-5689
--- End Message ---
--- Begin Message ---
Michael Gilbert wrote:
> On Fri, 18 Dec 2009 10:54:15 +0000, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > which was filed against the openjdk-6 package:
> >
> > #560908: openjdk-6: deluge of vulnerabilities
> >
> > It has been closed by Matthias Klose.
>
> Are you 100% sure that all 28 of these issues are fixed in this
> version? How did you check this?
The patches are bundled in batches for the respective Sun Java releases
and included in openjdk releases where applicable (some components like
Web Start are not present in OpenJDK).
There's no particular reason to believe that upstream missed some patches
in this process. You can check them individually and annotate them in the
Debian Security Tracker if you like, but it doesn't warrant RC bugs.
Cheers,
Moritz
--- End Message ---
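The report asks that fixed CVE ids be recorded in the changelog entry, and the reply suggests checking the issues individually. The following script is an added example, not code from the bug report, the openjdk-6 packaging or the Debian Security Tracker. It pulls every CVE id out of a report and out of a debian/changelog, attributes each id to the changelog version whose entry mentions it, and lists the ids no entry mentions, which is the set a maintainer would still have to verify by hand. Both the report excerpt and the changelog are constructed samples; the version strings, maintainer and dates in them are made up.

```python
"""Cross-check CVE ids named in a bug report against a debian/changelog.

Added example; not part of the Debian bug report or the openjdk-6 package.
Assumes the standard debian/changelog layout, where each entry starts with
"package (version) distribution; urgency=..." and ends with a " -- " line.
"""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Entry header line of a debian/changelog; group 2 is the package version.
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) [^;]+; urgency=\S+", re.M)

# Constructed excerpt in the style of the report above (descriptions shortened).
SAMPLE_REPORT = """\
CVE-2007-2788[1]:
| Integer overflow in the embedded ICC profile image parser ...
CVE-2007-2789[2]:
| The BMP image parser ... a related issue to CVE-2007-2788.
CVE-2007-3503[3]:
| The Javadoc tool ... cross-site scripting (XSS) ...
CVE-2007-3698[5]:
| JSSE ... denial of service (CPU consumption) ...
CVE-2007-5689[16]:
| ... applets that grant privileges to themselves.
"""

# Constructed debian/changelog; versions, maintainer and dates are made up.
SAMPLE_CHANGELOG = """\
openjdk-6 (6b17~pre3-1) unstable; urgency=low

  * New upstream snapshot.
  * Security fixes included upstream (CVE-2007-2788, CVE-2007-2789).
  * Fix CPU consumption during SSL/TLS handshake (CVE-2007-3698).

 -- Example Maintainer <maintainer@example.invalid>  Tue, 26 Jan 2010 19:00:00 +0100

openjdk-6 (6b16-1) unstable; urgency=low

  * Applets can no longer grant privileges to themselves (CVE-2007-5689).

 -- Example Maintainer <maintainer@example.invalid>  Mon, 30 Nov 2009 12:00:00 +0100
"""


def extract_cves(text):
    """Return the sorted, de-duplicated CVE ids mentioned anywhere in text."""
    return sorted(set(CVE_RE.findall(text)))


def cves_by_version(changelog):
    """Map each changelog version to the set of CVE ids its entry mentions.

    Entries are delimited by their header lines; everything between one
    header and the next belongs to the earlier version.
    """
    result = {}
    headers = list(HEADER_RE.finditer(changelog))
    for i, header in enumerate(headers):
        start = header.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        result[header.group(2)] = set(CVE_RE.findall(changelog[start:end]))
    return result


def unaddressed(report, changelog):
    """CVE ids the report names that no changelog entry mentions."""
    mentioned = set().union(*cves_by_version(changelog).values())
    return [cve for cve in extract_cves(report) if cve not in mentioned]


if __name__ == "__main__":
    for version, cves in cves_by_version(SAMPLE_CHANGELOG).items():
        print(version, ":", ", ".join(sorted(cves)) or "(no CVE ids)")
    print("still to verify:", ", ".join(unaddressed(SAMPLE_REPORT, SAMPLE_CHANGELOG)))
```

Run against a real report and `debian/changelog`, the "still to verify" list is the starting point for the per-issue annotation Moritz suggests; an id can of course be fixed without being named in the changelog, which is exactly why the report asks for the ids to be included.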