| <?xml version="1.0" encoding="utf-8"?> |
| <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> |
| |
| <glsa id="201006-18"> |
| <title>Oracle JRE/JDK: Multiple vulnerabilities</title> |
| <synopsis> |
| The Oracle JDK and JRE are vulnerable to multiple unspecified |
| vulnerabilities. |
| </synopsis> |
| <product type="ebuild">sun-jre-bin sun-jdk emul-linux-x86-java</product> |
| <announced>June 04, 2010</announced> |
| <revised>June 04, 2010: 01</revised> |
| <bug>306579</bug> |
| <bug>314531</bug> |
| <access>remote</access> |
| <affected> |
| <package name="dev-java/sun-jre-bin" auto="yes" arch="*"> |
| <unaffected range="ge">1.6.0.20</unaffected> |
| <vulnerable range="lt">1.6.0.20</vulnerable> |
| </package> |
| <package name="dev-java/sun-jdk" auto="yes" arch="*"> |
| <unaffected range="ge">1.6.0.20</unaffected> |
| <vulnerable range="lt">1.6.0.20</vulnerable> |
| </package> |
| <package name="app-emulation/emul-linux-x86-java" auto="yes" arch="*"> |
| <unaffected range="ge">1.6.0.20</unaffected> |
| <vulnerable range="lt">1.6.0.20</vulnerable> |
| </package> |
| </affected> |
| <background> |
| <p> |
| The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and |
| the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) |
| provide the Oracle Java platform (formerly known as Sun Java Platform). |
| </p> |
| </background> |
| <description> |
| <p> |
| Multiple vulnerabilities have been reported in the Oracle Java |
| implementation. Please review the CVE identifiers referenced below and |
| the associated Oracle Critical Patch Update Advisory for details. |
| </p> |
| </description> |
| <impact type="normal"> |
| <p> |
| A remote attacker could exploit these vulnerabilities to cause |
| unspecified impact, possibly including remote execution of arbitrary |
| code. |
| </p> |
| </impact> |
| <workaround> |
| <p> |
| There is no known workaround at this time. |
| </p> |
| </workaround> |
| <resolution> |
| <p> |
| All Oracle JRE 1.6.x users should upgrade to the latest version: |
| </p> |
| <code> |
| # emerge --sync |
| # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.20"</code> |
| <p> |
| All Oracle JDK 1.6.x users should upgrade to the latest version: |
| </p> |
| <code> |
| # emerge --sync |
| # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.20"</code> |
| <p> |
| All users of the precompiled 32bit Oracle JRE 1.6.x should upgrade to |
| the latest version: |
| </p> |
| <code> |
| # emerge --sync |
| # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.20"</code> |
| <p> |
| All Oracle JRE 1.5.x, Oracle JDK 1.5.x, and precompiled 32bit Oracle |
| JRE 1.5.x users are strongly advised to unmerge Java 1.5: |
| </p> |
| <code> |
| # emerge --unmerge =app-emulation/emul-linux-x86-java-1.5* |
| # emerge --unmerge =dev-java/sun-jre-bin-1.5* |
| # emerge --unmerge =dev-java/sun-jdk-1.5*</code> |
| <p> |
| Gentoo is ceasing support for the 1.5 generation of the Oracle Java |
| Platform in accordance with upstream. All 1.5 JRE versions are masked |
| and will be removed shortly. All 1.5 JDK versions are marked as |
| "build-only" and will be masked for removal shortly. Users are advised |
| to change their default user and system Java implementation to an |
| unaffected version. For example: |
| </p> |
| <code> |
| # java-config --set-system-vm sun-jdk-1.6</code> |
| <p> |
| For more information, please consult the Gentoo Linux Java |
| documentation. |
| </p> |
| </resolution> |
| <references> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">CVE-2009-3555</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082">CVE-2010-0082</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084">CVE-2010-0084</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085">CVE-2010-0085</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087">CVE-2010-0087</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088">CVE-2010-0088</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089">CVE-2010-0089</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090">CVE-2010-0090</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091">CVE-2010-0091</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092">CVE-2010-0092</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093">CVE-2010-0093</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094">CVE-2010-0094</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095">CVE-2010-0095</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837">CVE-2010-0837</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838">CVE-2010-0838</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839">CVE-2010-0839</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840">CVE-2010-0840</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841">CVE-2010-0841</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842">CVE-2010-0842</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843">CVE-2010-0843</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844">CVE-2010-0844</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845">CVE-2010-0845</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846">CVE-2010-0846</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847">CVE-2010-0847</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848">CVE-2010-0848</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849">CVE-2010-0849</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850">CVE-2010-0850</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886">CVE-2010-0886</uri> |
| <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0887">CVE-2010-0887</uri> |
| <uri link="/doc/en/java.xml#doc_chap4">Gentoo Linux Java documentation</uri> |
| <uri link="http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html">Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010</uri> |
| </references> |
| <metadata tag="requester" timestamp="Fri, 02 Apr 2010 09:43:04 +0000"> |
| a3li |
| </metadata> |
| <metadata tag="submitter" timestamp="Fri, 02 Apr 2010 09:59:07 +0000"> |
| a3li |
| </metadata> |
| <metadata tag="bugReady" timestamp="Fri, 04 Jun 2010 05:06:52 +0000"> |
| a3li |
| </metadata> |
| </glsa> |