Gentoo: GLSA-202112-09 Important: Various Oracle JRE/JDK Vulnerabilities

June 4, 2010
Several security flaws identified in Oracle's JDK/JRE may permit unauthorized remote code execution. Prompt installation of updates is strongly advised.
The Oracle JDK and JRE are vulnerable to multiple unspecified vulnerabilities.

Summary

Multiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below and the associated Oracle Critical Patch Update Advisory for details.

Resolution

All Oracle JRE 1.6.x users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.20"
All Oracle JDK 1.6.x users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.20"
All users of the precompiled 32bit Oracle JRE 1.6.x should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.20"
All Oracle JRE 1.5.x, Oracle JDK 1.5.x, and precompiled 32bit Oracle JRE 1.5.x users are strongly advised to unmerge Java 1.5:
    # emerge --unmerge =app-emulation/emul-linux-x86-java-1.5*
    # emerge --unmerge =dev-java/sun-jre-bin-1.5*
    # emerge --unmerge =dev-java/sun-jdk-1.5*
Gentoo is ceasing support for the 1.5 generation of the Oracle Java Platform in accordance with upstream. All 1.5 JRE versions are masked and will be removed shortly. All 1.5 JDK versions are marked as "build-only" and will be masked for removal shortly. Users are advised to change their default user and system Java implementation to an unaffected version. For example:
    # java-config --set-system-vm sun-jdk-1.6
For more information, please consult the Gentoo Linux Java documentation.

References

[ 1 ] CVE-2009-3555 https://www.cve.org/CVERecord?id=CVE-2009-3555
[ 2 ] CVE-2010-0082 https://www.cve.org/CVERecord?id=CVE-2010-0082
[ 3 ] CVE-2010-0084 https://www.cve.org/CVERecord?id=CVE-2010-0084
[ 4 ] CVE-2010-0085 https://www.cve.org/CVERecord?id=CVE-2010-0085
[ 5 ] CVE-2010-0087 https://www.cve.org/CVERecord?id=CVE-2010-0087
[ 6 ] CVE-2010-0088 https://www.cve.org/CVERecord?id=CVE-2010-0088
[ 7 ] CVE-2010-0089 https://www.cve.org/CVERecord?id=CVE-2010-0089
[ 8 ] CVE-2010-0090 https://www.cve.org/CVERecord?id=CVE-2010-0090
[ 9 ] CVE-2010-0091 https://www.cve.org/CVERecord?id=CVE-2010-0091
[ 10 ] CVE-2010-0092 https://www.cve.org/CVERecord?id=CVE-2010-0092
[ 11 ] CVE-2010-0093 https://www.cve.org/CVERecord?id=CVE-2010-0093
[ 12 ] CVE-2010-0094 https://www.cve.org/CVERecord?id=CVE-2010-0094
[ 13 ] CVE-2010-0095 https://www.cve.org/CVERecord?id=CV...

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201006-18

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: June 04, 2010
Bugs: #306579, #314531
ID: 201006-18

Synopsis

The Oracle JDK and JRE are vulnerable to multiple unspecified vulnerabilities.

Background

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform).

Affected Packages

-------------------------------------------------------------------
     Package                            /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
  1  dev-java/sun-jre-bin                  < 1.6.0.20     >= 1.6.0.20
  2  dev-java/sun-jdk                      < 1.6.0.20     >= 1.6.0.20
  3  app-emulation/emul-linux-x86-java     < 1.6.0.20     >= 1.6.0.20
-------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
-------------------------------------------------------------------
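
An added example (not part of the GLSA or of Gentoo's tooling) that classifies installed package atoms against the thresholds in the Affected Packages table and flags 1.5.x atoms, which the Resolution section says to unmerge rather than upgrade. The function names and the sample atom list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify installed atoms against this advisory's table
# (vulnerable: < 1.6.0.20, unaffected: >= 1.6.0.20).
FIXED="1.6.0.20"

# version_lt A B: succeeds when dotted numeric version A is strictly older than B.
# Assumption: versions are purely numeric dot-separated components.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # equal versions are not "older"
}

# classify_atom CATEGORY/NAME-VERSION[-rN]
# prints: vulnerable | unaffected | unmerge-1.5 | not-listed
classify_atom() {
    atom=$1
    case $atom in
        dev-java/sun-jre-bin-*)              ver=${atom#dev-java/sun-jre-bin-} ;;
        dev-java/sun-jdk-*)                  ver=${atom#dev-java/sun-jdk-} ;;
        app-emulation/emul-linux-x86-java-*) ver=${atom#app-emulation/emul-linux-x86-java-} ;;
        *) echo "not-listed"; return 0 ;;
    esac
    ver=${ver%-r[0-9]*}   # drop a Gentoo revision suffix such as -r1
    case $ver in
        1.5|1.5.*) echo "unmerge-1.5"; return 0 ;;  # Resolution: remove, do not upgrade
    esac
    if version_lt "$ver" "$FIXED"; then echo "vulnerable"; else echo "unaffected"; fi
}

# Constructed sample of installed atoms, one per line (not from a real host).
SAMPLE='dev-java/sun-jdk-1.6.0.17
dev-java/sun-jre-bin-1.6.0.20-r1
app-emulation/emul-linux-x86-java-1.5.0.22
dev-java/ant-core-1.7.1'

printf '%s\n' "$SAMPLE" | while read -r line; do
    printf '%-45s %s\n' "$line" "$(classify_atom "$line")"
done
```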

Impact

A remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code.

Workaround

There is no known workaround at this time.
