summaryrefslogtreecommitdiff
blob: 3327e4b5b95f925a1283a1a7cfb40dd7a560cf41 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="201006-18">
  <title>Oracle JRE/JDK: Multiple vulnerabilities</title>
  <synopsis>
    The Oracle JDK and JRE are vulnerable to multiple unspecified
    vulnerabilities.
  </synopsis>
  <product type="ebuild">sun-jre-bin sun-jdk emul-linux-x86-java</product>
  <announced>June 04, 2010</announced>
  <revised>June 04, 2010: 01</revised>
  <bug>306579</bug>
  <bug>314531</bug>
  <access>remote</access>
  <affected>
    <package name="dev-java/sun-jre-bin" auto="yes" arch="*">
      <unaffected range="ge">1.6.0.20</unaffected>
      <vulnerable range="lt">1.6.0.20</vulnerable>
    </package>
    <package name="dev-java/sun-jdk" auto="yes" arch="*">
      <unaffected range="ge">1.6.0.20</unaffected>
      <vulnerable range="lt">1.6.0.20</vulnerable>
    </package>
    <package name="app-emulation/emul-linux-x86-java" auto="yes" arch="*">
      <unaffected range="ge">1.6.0.20</unaffected>
      <vulnerable range="lt">1.6.0.20</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
    the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
    provide the Oracle Java platform (formerly known as Sun Java Platform).
    </p>
  </background>
  <description>
    <p>
    Multiple vulnerabilities have been reported in the Oracle Java
    implementation. Please review the CVE identifiers referenced below and
    the associated Oracle Critical Patch Update Advisory for details.
    </p>
  </description>
  <impact type="normal">
    <p>
    A remote attacker could exploit these vulnerabilities to cause
    unspecified impact, possibly including remote execution of arbitrary
    code.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    All Oracle JRE 1.6.x users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=dev-java/sun-jre-bin-1.6.0.20&quot;</code>
    <p>
    All Oracle JDK 1.6.x users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=dev-java/sun-jdk-1.6.0.20&quot;</code>
    <p>
    All users of the precompiled 32bit Oracle JRE 1.6.x should upgrade to
    the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=app-emulation/emul-linux-x86-java-1.6.0.20&quot;</code>
    <p>
    All Oracle JRE 1.5.x, Oracle JDK 1.5.x, and precompiled 32bit Oracle
    JRE 1.5.x users are strongly advised to unmerge Java 1.5:
    </p>
    <code>
    # emerge --unmerge =app-emulation/emul-linux-x86-java-1.5*
    # emerge --unmerge =dev-java/sun-jre-bin-1.5*
    # emerge --unmerge =dev-java/sun-jdk-1.5*</code>
    <p>
    Gentoo is ceasing support for the 1.5 generation of the Oracle Java
    Platform in accordance with upstream. All 1.5 JRE versions are masked
    and will be removed shortly. All 1.5 JDK versions are marked as
    "build-only" and will be masked for removal shortly. Users are advised
    to change their default user and system Java implementation to an
    unaffected version. For example:
    </p>
    <code>
    # java-config --set-system-vm sun-jdk-1.6</code>
    <p>
    For more information, please consult the Gentoo Linux Java
    documentation.
    </p>
  </resolution>
  <references>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">CVE-2009-3555</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082">CVE-2010-0082</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084">CVE-2010-0084</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085">CVE-2010-0085</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0087">CVE-2010-0087</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088">CVE-2010-0088</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0089">CVE-2010-0089</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0090">CVE-2010-0090</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091">CVE-2010-0091</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092">CVE-2010-0092</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093">CVE-2010-0093</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094">CVE-2010-0094</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095">CVE-2010-0095</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837">CVE-2010-0837</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838">CVE-2010-0838</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0839">CVE-2010-0839</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840">CVE-2010-0840</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0841">CVE-2010-0841</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0842">CVE-2010-0842</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0843">CVE-2010-0843</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0844">CVE-2010-0844</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845">CVE-2010-0845</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0846">CVE-2010-0846</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847">CVE-2010-0847</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848">CVE-2010-0848</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0849">CVE-2010-0849</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0850">CVE-2010-0850</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886">CVE-2010-0886</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0887">CVE-2010-0887</uri>
    <uri link="/doc/en/java.xml#doc_chap4">Gentoo Linux Java documentation</uri>
    <uri link="http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html">Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010</uri>
  </references>
  <metadata tag="requester" timestamp="Fri, 02 Apr 2010 09:43:04 +0000">
    a3li
  </metadata>
  <metadata tag="submitter" timestamp="Fri, 02 Apr 2010 09:59:07 +0000">
    a3li
  </metadata>
  <metadata tag="bugReady" timestamp="Fri, 04 Jun 2010 05:06:52 +0000">
    a3li
  </metadata>
</glsa>