Your message dated Tue, 26 Jan 2010 19:54:46 +0100
with message-id <[email protected]>
and subject line Re: Bug#560908 closed by Matthias Klose (Re: openjdk-6: deluge of vulnerabilities)
has caused the Debian Bug report #566770,
regarding openjdk-6: security issues published in 2008
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
566770: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566770
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openjdk-6
Version: 6_6b17~pre3-1
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openjdk-6. It is very likely that they are all
fixed; however, this needs to be manually verified. Please check and
reply in-line with the fixed package version for each issue. Thank you.
CVE-2008-0628[0]:
| The XML parsing code in Sun Java Runtime Environment JDK and JRE 6
| Update 3 and earlier processes external entity references even when
| the "external general entities" property is false, which allows remote
| attackers to conduct XML external entity (XXE) attacks and cause a
| denial of service or access restricted resources.
CVE-2008-0657[1]:
| Multiple unspecified vulnerabilities in the Java Runtime Environment
| in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and
| earlier, allow context-dependent attackers to gain privileges via an
| untrusted (1) application or (2) applet, as demonstrated by an
| application or applet that grants itself privileges to (a) read local
| files, (b) write to local files, or (c) execute local programs.
CVE-2008-1185[2]:
| Unspecified vulnerability in the Virtual Machine for Sun Java Runtime
| Environment (JRE) and JDK 6 Update 4 and earlier, 5.0 Update 14 and
| earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to
| gain privileges via an untrusted application or applet, a different
| issue than CVE-2008-1186, aka "the first issue."
CVE-2008-1186[3]:
| Unspecified vulnerability in the Virtual Machine for Sun Java Runtime
| Environment (JRE) and JDK 5.0 Update 13 and earlier, and SDK/JRE
| 1.4.2_16 and earlier, allows remote attackers to gain privileges via
| an untrusted application or applet, a different issue than
| CVE-2008-1185, aka "the second issue."
CVE-2008-1187[4]:
| Unspecified vulnerability in Sun Java Runtime Environment (JRE) and
| JDK 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE
| 1.4.2_16 and earlier allows remote attackers to cause a denial of
| service (JRE crash) and possibly execute arbitrary code via unknown
| vectors related to XSLT transforms.
CVE-2008-1188[5]:
| Multiple buffer overflows in the useEncodingDecl function in Java Web
| Start in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and
| earlier, allow remote attackers to execute arbitrary code via a JNLP
| file with (1) a long key name in the xml header or (2) a long charset
| value, different issues than CVE-2008-1189, aka "The first two
| issues."
CVE-2008-1189[6]:
| Buffer overflow in Java Web Start in Sun JDK and JRE 6 Update 4 and
| earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier
| allows remote attackers to execute arbitrary code via unknown vectors,
| a different issue than CVE-2008-1188, aka the "third" issue.
CVE-2008-1190[7]:
| Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6
| Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16
| and earlier allows remote attackers to gain privileges via an
| untrusted application, a different issue than CVE-2008-1191, aka the
| "fourth" issue.
CVE-2008-1191[8]:
| Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6
| Update 4 and earlier allows remote attackers to create arbitrary files
| via an untrusted application, a different issue than CVE-2008-1190,
| aka "The fifth issue."
CVE-2008-1192[9]:
| Unspecified vulnerability in the Java Plug-in for Sun JDK and JRE 6
| Update 4 and earlier, and 5.0 Update 14 and earlier; and SDK and JRE
| 1.4.2_16 and earlier, and 1.3.1_21 and earlier; allows remote
| attackers to bypass the same origin policy and "execute local
| applications" via unknown vectors.
CVE-2008-1193[10]:
| Unspecified vulnerability in Java Runtime Environment Image Parsing
| Library in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14
| and earlier, allows remote attackers to gain privileges via an
| untrusted application.
CVE-2008-1194[11]:
| Multiple unspecified vulnerabilities in the color management library
| in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and
| earlier, allow remote attackers to cause a denial of service (crash)
| via unknown vectors.
CVE-2008-1195[12]:
| Unspecified vulnerability in Sun JDK and Java Runtime Environment
| (JRE) 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK
| and JRE 1.4.2_16 and earlier; allows remote attackers to access
| arbitrary network services on the local host via unspecified vectors
| related to JavaScript and Java APIs.
CVE-2008-1196[13]:
| Stack-based buffer overflow in Java Web Start (javaws.exe) in Sun JDK
| and JRE 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK
| and JRE 1.4.2_16 and earlier; allows remote attackers to execute
| arbitrary code via a crafted JNLP file.
CVE-2008-3103[14]:
| Unspecified vulnerability in the Java Management Extensions (JMX)
| management agent in Sun Java Runtime Environment (JRE) in JDK and JRE
| 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and earlier, when
| local monitoring is enabled, allows remote attackers to "perform
| unauthorized operations" via unspecified vectors.
CVE-2008-3104[15]:
| Multiple unspecified vulnerabilities in Sun Java Runtime Environment
| (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update
| 16, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before
| 1.3.1_23 allow remote attackers to violate the security model for an
| applet's outbound connections by connecting to localhost services
| running on the machine that loaded the applet.
CVE-2008-3105[16]:
| Unspecified vulnerability in the JAX-WS client and service in Sun Java
| Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
| remote attackers to access URLs or cause a denial of service via
| unknown vectors involving "processing of XML data" by a trusted
| application.
CVE-2008-3106[17]:
| Unspecified vulnerability in Sun Java Runtime Environment (JRE) in JDK
| and JRE 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and
| earlier allows remote attackers to access URLs via unknown vectors
| involving processing of XML data by an untrusted (1) application or
| (2) applet, a different vulnerability than CVE-2008-3105.
CVE-2008-3107[18]:
| Unspecified vulnerability in the Virtual Machine in Sun Java Runtime
| Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0
| before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows
| context-dependent attackers to gain privileges via an untrusted (1)
| application or (2) applet, as demonstrated by an application or applet
| that grants itself privileges to (a) read local files, (b) write to
| local files, or (c) execute local programs.
CVE-2008-3108[19]:
| Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE
| 5.0 before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and
| JRE 1.3.x before 1.3.1_23 allows context-dependent attackers to gain
| privileges via unspecified vectors related to font processing.
CVE-2008-3109[20]:
| Unspecified vulnerability in scripting language support in Sun Java
| Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
| context-dependent attackers to gain privileges via an untrusted (1)
| application or (2) applet, as demonstrated by an application or applet
| that grants itself privileges to (a) read local files, (b) write to
| local files, or (c) execute local programs.
CVE-2008-3110[21]:
| Unspecified vulnerability in scripting language support in Sun Java
| Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows
| remote attackers to obtain sensitive information by using an applet to
| read information from another applet.
CVE-2008-3111[22]:
| Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6
| before Update 4, JDK and JRE 5.0 before Update 16, and SDK and JRE
| 1.4.x before 1.4.2_18 allow context-dependent attackers to gain
| privileges via an untrusted application, as demonstrated by (a) an
| application that grants itself privileges to (1) read local files, (2)
| write to local files, or (3) execute local programs; and as
| demonstrated by (b) a long value associated with a java-vm-args
| attribute in a j2se tag in a JNLP file, which triggers a stack-based
| buffer overflow in the GetVMArgsOption function; aka CR 6557220.
CVE-2008-3112[23]:
| Directory traversal vulnerability in Sun Java Web Start in JDK and JRE
| 6 before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE
| 1.4.x before 1.4.2_18 allows remote attackers to create arbitrary
| files via the writeManifest method in the CacheEntry class, aka CR
| 6703909.
CVE-2008-3113[24]:
| Unspecified vulnerability in Sun Java Web Start in JDK and JRE 5.0
| before Update 16 and SDK and JRE 1.4.x before 1.4.2_18 allows remote
| attackers to create or delete arbitrary files via an untrusted
| application, aka CR 6704077.
CVE-2008-3114[25]:
| Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6
| before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE
| 1.4.x before 1.4.2_18 allows context-dependent attackers to obtain
| sensitive information (the cache location) via an untrusted
| application, aka CR 6704074.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0628
http://security-tracker.debian.org/tracker/CVE-2008-0628
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0657
http://security-tracker.debian.org/tracker/CVE-2008-0657
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1185
http://security-tracker.debian.org/tracker/CVE-2008-1185
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1186
http://security-tracker.debian.org/tracker/CVE-2008-1186
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1187
http://security-tracker.debian.org/tracker/CVE-2008-1187
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1188
http://security-tracker.debian.org/tracker/CVE-2008-1188
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1189
http://security-tracker.debian.org/tracker/CVE-2008-1189
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1190
http://security-tracker.debian.org/tracker/CVE-2008-1190
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1191
http://security-tracker.debian.org/tracker/CVE-2008-1191
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1192
http://security-tracker.debian.org/tracker/CVE-2008-1192
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1193
http://security-tracker.debian.org/tracker/CVE-2008-1193
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1194
http://security-tracker.debian.org/tracker/CVE-2008-1194
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1195
http://security-tracker.debian.org/tracker/CVE-2008-1195
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1196
http://security-tracker.debian.org/tracker/CVE-2008-1196
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3103
http://security-tracker.debian.org/tracker/CVE-2008-3103
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3104
http://security-tracker.debian.org/tracker/CVE-2008-3104
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3105
http://security-tracker.debian.org/tracker/CVE-2008-3105
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3106
http://security-tracker.debian.org/tracker/CVE-2008-3106
[18] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3107
http://security-tracker.debian.org/tracker/CVE-2008-3107
[19] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3108
http://security-tracker.debian.org/tracker/CVE-2008-3108
[20] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3109
http://security-tracker.debian.org/tracker/CVE-2008-3109
[21] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3110
http://security-tracker.debian.org/tracker/CVE-2008-3110
[22] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111
http://security-tracker.debian.org/tracker/CVE-2008-3111
[23] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3112
http://security-tracker.debian.org/tracker/CVE-2008-3112
[24] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3113
http://security-tracker.debian.org/tracker/CVE-2008-3113
[25] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3114
http://security-tracker.debian.org/tracker/CVE-2008-3114
--- End Message ---
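The first issue in the report above, CVE-2008-0628, is a parser that kept fetching external general entities although the "external general entities" property had been set to false. The following check, added here and not part of the bug report or of OpenJDK, parses a constructed document through a recording EntityResolver so a maintainer can confirm that the property is honoured, and shows the stronger disallow-doctype-decl setting alongside it. It assumes the JDK's built-in Xerces parser; the class, method and sample-document names are the author's own.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {
    // Constructed sample (not from the report): an internal DTD declares an external
    // general entity with a placeholder URI, and the body references it.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\"> ]>\n"
        + "<doc>&ext;</doc>";

    // Records whether the parser ever asked to fetch an external entity.
    static final class RecordingResolver implements EntityResolver {
        boolean attempted = false;
        public InputSource resolveEntity(String publicId, String systemId) {
            attempted = true;
            return new InputSource(new StringReader("")); // hand back nothing either way
        }
    }

    static DocumentBuilderFactory factory(boolean disallowDoctype) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The property named in CVE-2008-0628, plus its parameter-entity counterpart.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Stronger: refuse any DOCTYPE at all, so no entity can be declared in the first place.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", disallowDoctype);
        return f;
    }

    // "attempted" means the parser tried to fetch the entity despite the feature being false;
    // "rejected" means the document was refused outright; "skipped" is the desired outcome.
    static String check(boolean disallowDoctype) throws Exception {
        DocumentBuilder b = factory(disallowDoctype).newDocumentBuilder();
        RecordingResolver r = new RecordingResolver();
        b.setEntityResolver(r);
        try {
            b.parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            return "rejected";
        }
        return r.attempted ? "attempted" : "skipped";
    }

    public static void main(String[] args) throws Exception {
        System.out.println("features only: " + check(false));
        System.out.println("disallow-doctype-decl: " + check(true));
    }
}
```

A parser affected by the issue reports "attempted" for the first call; a fixed one reports "skipped", and the second call reports "rejected" regardless of entity handling.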
--- Begin Message ---
Michael Gilbert wrote:
> On Fri, 18 Dec 2009 10:54:15 +0000, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > which was filed against the openjdk-6 package:
> >
> > #560908: openjdk-6: deluge of vulnerabilities
> >
> > It has been closed by Matthias Klose.
>
> are you 100% sure that all 28 of these issues are fixed in this
> version? how did you check this?
The patches are bundled in batches for the respective Sun Java releases
and included in openjdk releases where applicable (some components like
Web Start are not present in OpenJDK).
There's no particular reason to believe that upstream missed some patches
in this process. You can check them individually and annotate them in the
Debian Security Tracker if you like, but it doesn't warrant RC bugs.
Cheers,
Moritz
--- End Message ---