(Adding advisory information from @RISK: The Consensus Security Vulnerability Alert Vol. 9 No. 42)

(2) HIGH: Oracle Java Multiple Vulnerabilities

Affected:
    JDK and JRE 6 Update 21 and earlier for Windows, Solaris, and Linux (Java SE)
    JDK 5.0 Update 25 and earlier for Solaris (Java SE)
    SDK 1.4.2_27 and earlier for Solaris (Java SE)
    JDK and JRE 6 Update 21 and earlier for Windows, Solaris and Linux (Java for Business)
    JDK and JRE 5.0 Update 25 and earlier for Windows, Solaris and Linux (Java for Business)
    SDK and JRE 1.4.2_27 and earlier for Windows, Solaris and Linux (Java for Business)

Description: Oracle has recently released a critical update addressing multiple security vulnerabilities. According to Oracle, the patch addresses 29 vulnerabilities, 28 of which could lead to code execution. Some of these vulnerabilities exist because of flaws in the low-level implementation of the Java Runtime Environment (JRE). Although Java is intended to be type safe, low-level code sometimes writes user-defined strings to C buffers, giving an attacker the opportunity to overwrite return addresses and execute code. Vulnerabilities like these allow Java applets, which start without user interaction when a target navigates to a malicious site, to execute with the permissions of the Java process running them. Normally applets run with restricted privileges.

Status: vendor confirmed, updates available

References:

Vendor Site
    http://www.oracle.com

Oracle Update Advisory - October 2010
    http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

SecurityFocus Bugtraq IDs
    http://www.securityfocus.com/bid/36935
    http://www.securityfocus.com/bid/40235
    http://www.securityfocus.com/bid/43965
    http://www.securityfocus.com/bid/43971
    http://www.securityfocus.com/bid/43979
    http://www.securityfocus.com/bid/43985
    http://www.securityfocus.com/bid/43988
    http://www.securityfocus.com/bid/43992
    http://www.securityfocus.com/bid/43994
    http://www.securityfocus.com/bid/43999
    http://www.securityfocus.com/bid/44009
    http://www.securityfocus.com/bid/44011
    http://www.securityfocus.com/bid/44012
    http://www.securityfocus.com/bid/44013
    http://www.securityfocus.com/bid/44014
    http://www.securityfocus.com/bid/44016
    http://www.securityfocus.com/bid/44017
    http://www.securityfocus.com/bid/44020
    http://www.securityfocus.com/bid/44021
    http://www.securityfocus.com/bid/44023
    http://www.securityfocus.com/bid/44024
    http://www.securityfocus.com/bid/44026
    http://www.securityfocus.com/bid/44027
    http://www.securityfocus.com/bid/44028
    http://www.securityfocus.com/bid/44030
    http://www.securityfocus.com/bid/44032
    http://www.securityfocus.com/bid/44035
    http://www.securityfocus.com/bid/44038
    http://www.securityfocus.com/bid/44040

Zero Day Initiative Advisories
    http://www.zerodayinitiative.com/advisories/ZDI-10-202/
    http://www.zerodayinitiative.com/advisories/ZDI-10-203/
    http://www.zerodayinitiative.com/advisories/ZDI-10-204/
    http://www.zerodayinitiative.com/advisories/ZDI-10-205/
    http://www.zerodayinitiative.com/advisories/ZDI-10-206/
    http://www.zerodayinitiative.com/advisories/ZDI-10-207/
    http://www.zerodayinitiative.com/advisories/ZDI-10-208/

--
Security Update for Sun Java JRE 6: Update 22
https://bugs.launchpad.net/bugs/659937
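A defender-side check for the affected versions listed in the advisory above, added here as an example and not part of the advisory or the bug report: it parses legacy `1.x.y_NN` Java version strings (as printed by `java -version`) and flags those at or below the listed update levels. The host names and inventory lines are constructed sample data, and the function names are illustrative.

```python
import re

# Last affected (micro, update) per release line, from the advisory's "Affected" list.
LAST_AFFECTED = {
    (1, 6): (0, 21),  # JDK/JRE 6 Update 21 and earlier
    (1, 5): (0, 25),  # JDK/JRE 5.0 Update 25 and earlier
    (1, 4): (2, 27),  # SDK/JRE 1.4.2_27 and earlier
}

# Legacy version form: <major>.<minor>.<micro>[_<update>], e.g. 1.6.0_21 or 1.6.0_20-b02
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text):
    """Return ((major, minor), (micro, update)) or None if no version is found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    # A release with no "_NN" suffix is the base release, i.e. update 0.
    return (int(major), int(minor)), (int(micro), int(update or 0))


def classify(text):
    """Classify one version string against the advisory's affected ranges."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    line, level = parsed
    if line not in LAST_AFFECTED:
        return "not-listed"  # release line the advisory does not mention
    # Tuple comparison: an earlier micro release, or same micro with update <= limit.
    return "affected" if level <= LAST_AFFECTED[line] else "not-affected"


# Constructed inventory: (host, first line of `java -version` output).
SAMPLE_INVENTORY = [
    ("web01", 'java version "1.6.0_21"'),
    ("web02", 'java version "1.6.0_22"'),
    ("batch01", 'java version "1.5.0_22"'),
    ("legacy01", 'java version "1.4.2_19"'),
    ("build01", 'java version "1.7.0"'),
    ("kiosk01", "java: command not found"),
]


def audit(inventory):
    """Return (host, status) for hosts that need patching or a manual look."""
    results = ((host, classify(line)) for host, line in inventory)
    return [(host, status) for host, status in results if status in ("affected", "unknown")]
```

Hosts reported as "unknown" produced no parseable version and need a manual check rather than being assumed safe.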
