Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[ MDVSA-2011:170 ] java-1.6.0-openjdk
From: security () mandriva com
Date: Fri, 11 Nov 2011 17:53:00 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:170
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : java-1.6.0-openjdk
 Date    : November 11, 2011
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Security issues were identified and fixed in openjdk (icedtea6)
 and icedtea-web:
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality
 via unknown vectors related to Networking (CVE-2011-3547).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability, related to AWT (CVE-2011-3548).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect
 confidentiality, integrity, and availability via unknown vectors
 related to 2D (CVE-2011-3551).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect integrity
 via unknown vectors related to Networking (CVE-2011-3552).
 
 IcedTea6 prior to 1.10.4 allows remote authenticated users to affect
 confidentiality, related to JAXWS (CVE-2011-3553).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability via unknown vectors related to Scripting
 (CVE-2011-3544).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability via unknown vectors related to
 Deserialization (CVE-2011-3521).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality,
 integrity, and availability via unknown vectors (CVE-2011-3554).
 
 A flaw was found in the way the SSL 3 and TLS 1.0 protocols used
 block ciphers in cipher-block chaining (CBC) mode. An attacker able
 to perform a chosen plain text attack against a connection mixing
 trusted and untrusted data could use this flaw to recover portions
 of the trusted data sent over the connection (CVE-2011-3389).
 
 Note: This update mitigates the CVE-2011-3389 issue by splitting
 the first application data record byte to a separate SSL/TLS
 protocol record. This mitigation may cause compatibility issues
 with some SSL/TLS implementations and can be disabled using the
 jsse.enableCBCProtection boolean property. This can be done on the
 command line by appending the flag -Djsse.enableCBCProtection=false
 to the java command.
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality
 via unknown vectors related to HotSpot (CVE-2011-3558).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect
 confidentiality, integrity, and availability, related to RMI
 (CVE-2011-3556).
 
 IcedTea6 prior to 1.10.4 allows remote attackers to affect
 confidentiality, integrity, and availability, related to RMI
 (CVE-2011-3557).
 
 IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
 applications and untrusted Java applets to affect confidentiality
 and integrity, related to JSSE (CVE-2011-3560).
 
 Deepak Bhole discovered a flaw in the Same Origin Policy (SOP)
 implementation in the IcedTea project Web browser plugin. A
 malicious applet could use this flaw to bypass SOP protection and
 open connections to any sub-domain of the second-level domain of
 the applet's origin, as well as any sub-domain of the domain that
 is the suffix of the origin second-level domain.  For example,
 IcedTea-Web plugin allowed applet from some.host.example.com to
 connect to other.host.example.com, www.example.com, and example.com,
 as well as www.ample.com or ample.com. (CVE-2011-3377).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3377
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 2881c71d1da084f6c7a136335f5383d6  2010.1/i586/icedtea-web-1.0.6-0.1mdv2010.2.i586.rpm
 415d7598363639aecbafd380827b7ab2  2010.1/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
 27d2d84f2a00e4d18cb68e8c8ecd1626  2010.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
 8b4b727a2139d866d0e88ff720de9b57  2010.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
 8084b3aaeac98db2ddf89913db805725  2010.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
 f5c32405224455a5065d85ecbba6f1f2  2010.1/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdv2010.2.i586.rpm 
 45fd80b86f46b8e9ca3711c47d4fbb40  2010.1/SRPMS/icedtea-web-1.0.6-0.1mdv2010.2.src.rpm
 6bbb0d8c0e0ce847b86d9145ca12e211  2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 899e54445bf4ad65ea254e835006ce27  2010.1/x86_64/icedtea-web-1.0.6-0.1mdv2010.2.x86_64.rpm
 7da63e6b6d83974f32f6580c4de53929  2010.1/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
 859e838ff8583b814f1270c36d0bf248  2010.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
 8da61ef538893c8b7766e868e369f400  2010.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
 3b56e8612ba71e92e728e3e1a9fef319  2010.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
 23eea5b9bf1a2ee3db0ebf0c6927234a  2010.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm 
 45fd80b86f46b8e9ca3711c47d4fbb40  2010.1/SRPMS/icedtea-web-1.0.6-0.1mdv2010.2.src.rpm
 6bbb0d8c0e0ce847b86d9145ca12e211  2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.src.rpm

 Mandriva Linux 2011:
 b585d6580568d064d9e99ab2d8898dbb  2011/i586/icedtea-web-1.0.6-0.1-mdv2011.0.i586.rpm
 17ea4db995836efdb63f62370adc21f3  2011/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
 b5b625dd4b96e479ce532f2d578650bb  2011/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
 3bc34e225ec9e6b38dd1876a5c5ffe6d  2011/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
 050f5c111f9e65c0ea06f80e4ffff35d  2011/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
 3d5eed0e210b9d4e38a6dcd74929f0dd  2011/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm 
 0579fb909e08a0f420183284ba7061e9  2011/SRPMS/icedtea-web-1.0.6-0.1.src.rpm
 128cec9fdd9fd0e0d921341f178be9a1  2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1.src.rpm

 Mandriva Linux 2011/X86_64:
 aa77ab19c7746723530e3a696fd4355a  2011/x86_64/icedtea-web-1.0.6-0.1-mdv2011.0.x86_64.rpm
 467cc14261ed055450afbf1a2a5fe483  2011/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
 2850bfa26b1f992dff3c2c1ac3f1326b  2011/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
 50053850cfdd573a9469aa0b5783cc82  2011/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
 04ba44e392bf335e86fdc2c66d03bdf3  2011/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
 678776c021e19498a6e201c9b0ef6513  2011/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm 
 0579fb909e08a0f420183284ba7061e9  2011/SRPMS/icedtea-web-1.0.6-0.1.src.rpm
 128cec9fdd9fd0e0d921341f178be9a1  2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1.src.rpm

 Mandriva Enterprise Server 5:
 c6af60f8fac7b8fb91a79983e4c68364  mes5/i586/icedtea-web-1.0.6-0.1mdvmes5.2.i586.rpm
 00295911ed1610030bd0b39680c2fb20  mes5/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
 bdcd904e1e04d57f8205904b84dd5971  mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
 960da26357c48af97ca8e9cdb4245692  mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
 8cf1ac9ad06eddba1916d8e4e2b3cedf  mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
 f0a00b845915e25e7b4bc9802914aee4  mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm 
 3860e9d27e8bc15ea72a57deb811c961  mes5/SRPMS/icedtea-web-1.0.6-0.1mdvmes5.2.src.rpm
 b0701aff2a8ffdcc27a6cd7560d0d099  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 765023a21377d664c2ba05e98147dd1b  mes5/x86_64/icedtea-web-1.0.6-0.1mdvmes5.2.x86_64.rpm
 f0b699b476a124eb0a1b2f5187101de9  mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
 249ffd15ed12d64798ff39431e402d69  mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
 d747f2b1361c0a67d4d85824a94d0a69  mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
 d50d63017beb08a2f23d08138a17c992  mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
 dd36ff4d9b91a541dfa86bb46288bbe0  mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm 
 3860e9d27e8bc15ea72a57deb811c961  mes5/SRPMS/icedtea-web-1.0.6-0.1mdvmes5.2.src.rpm
 b0701aff2a8ffdcc27a6cd7560d0d099  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOvSWxmqjQ0CJFipgRAnk1AKDUddZYCqwkfhoUpLxEL0BT3mDf0ACfbuTI
aaF2JGTyfceBABs92un/yVA=
=yPsD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [ MDVSA-2011:170 ] java-1.6.0-openjdk security (Nov 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault