LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: May 20th, 2013
Linux Advisory Watch: May 17th, 2013
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: 1505-1: OpenJDK 6 vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu Several security issues were fixed in OpenJDK 6. 
==========================================================================
Ubuntu Security Notice USN-1505-1
July 13, 2012

icedtea-web, openjdk-6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in OpenJDK 6.

Software Description:
- openjdk-6: Open Source Java implementation
- icedtea-web: A web browser plugin to execute Java applets

Details:

It was discovered that multiple flaws existed in the CORBA (Common
Object Request Broker Architecture) implementation in OpenJDK. An
attacker could create a Java application or applet that used these
flaws to bypass Java sandbox restrictions or modify immutable object
data. (CVE-2012-1711, CVE-2012-1719)

It was discovered that multiple flaws existed in the OpenJDK font
manager's layout lookup implementation. A attacker could specially
craft a font file that could cause a denial of service through
crashing the JVM (Java Virtual Machine) or possibly execute arbitrary
code. (CVE-2012-1713)

It was discovered that the SynthLookAndFeel class from Swing in
OpenJDK did not properly prevent access to certain UI elements
from outside the current application context. An attacker could
create a Java application or applet that used this flaw to cause a
denial of service through crashing the JVM or bypass Java sandbox
restrictions. (CVE-2012-1716)

It was discovered that OpenJDK runtime library classes could create
temporary files with insecure permissions. A local attacker could
use this to gain access to sensitive information. (CVE-2012-1717)

It was discovered that OpenJDK did not handle CRLs (Certificate
Revocation Lists) properly. A remote attacker could use this to gain
access to sensitive information. (CVE-2012-1718)

It was discovered that the OpenJDK HotSpot Virtual Machine did not
properly verify the bytecode of the class to be executed. A remote
attacker could create a Java application or applet that used this
to cause a denial of service through crashing the JVM or bypass Java
sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

It was discovered that the OpenJDK XML (Extensible Markup Language)
parser did not properly handle some XML documents. An attacker could
create an XML document that caused a denial of service in a Java
application or applet parsing the document. (CVE-2012-1724)

As part of this update, the IcedTea web browser applet plugin was
updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  openjdk-6-jre                   6b24-1.11.3-1ubuntu0.12.04.1

Ubuntu 11.10:
  icedtea-6-plugin                1.2-2ubuntu0.11.10.1
  openjdk-6-jre                   6b24-1.11.3-1ubuntu0.11.10.1

Ubuntu 11.04:
  icedtea-6-plugin                1.2-2ubuntu0.11.04.1
  openjdk-6-jre                   6b24-1.11.3-1ubuntu0.11.04.1

Ubuntu 10.04 LTS:
  icedtea-6-plugin                1.2-2ubuntu0.10.04.1
  openjdk-6-jre                   6b24-1.11.3-1ubuntu0.10.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1505-1
  CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
  CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724,
  CVE-2012-1725

Package Information:
  https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.12.04.1
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.1
  https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.10.1
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.1
  https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.04.1
  https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.10.04.1
  https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.10.04.1
 
< Prev   Next >
    
Partner

 
Latest Features
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Using the sec-wall Security Proxy
Yesterday's Edition
Reporters sued as 'hackers' for finding a security hole with Google
Watch out for waterhole attacks -- hackers' latest stealth weapon
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2013 Guardian Digital, Inc. All rights reserved.