Ubuntu 1505-1: OpenJDK 6 vulnerabilities

    Date: 12 Jul 2012
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    Several security issues were fixed in OpenJDK 6.
    ==========================================================================
    Ubuntu Security Notice USN-1505-1
    July 13, 2012
    
    icedtea-web, openjdk-6 vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 12.04 LTS
    - Ubuntu 11.10
    - Ubuntu 11.04
    - Ubuntu 10.04 LTS
    
    Summary:
    
    Several security issues were fixed in OpenJDK 6.
    
    Software Description:
    - openjdk-6: Open Source Java implementation
    - icedtea-web: A web browser plugin to execute Java applets
    
    Details:
    
    It was discovered that multiple flaws existed in the CORBA (Common
    Object Request Broker Architecture) implementation in OpenJDK. An
    attacker could create a Java application or applet that used these
    flaws to bypass Java sandbox restrictions or modify immutable object
    data. (CVE-2012-1711, CVE-2012-1719)
    
    It was discovered that multiple flaws existed in the OpenJDK font
    manager's layout lookup implementation. An attacker could supply a
    specially crafted font file that could cause a denial of service by
    crashing the JVM (Java Virtual Machine) or possibly execute arbitrary
    code. (CVE-2012-1713)
    
    It was discovered that the SynthLookAndFeel class from Swing in
    OpenJDK did not properly prevent access to certain UI elements
    from outside the current application context. An attacker could
    create a Java application or applet that used this flaw to cause a
    denial of service through crashing the JVM or bypass Java sandbox
    restrictions. (CVE-2012-1716)
    
    It was discovered that OpenJDK runtime library classes could create
    temporary files with insecure permissions. A local attacker could
    use this to gain access to sensitive information. (CVE-2012-1717)
    
    It was discovered that OpenJDK did not handle CRLs (Certificate
    Revocation Lists) properly. A remote attacker could use this to gain
    access to sensitive information. (CVE-2012-1718)
    
    It was discovered that the OpenJDK HotSpot Virtual Machine did not
    properly verify the bytecode of the class to be executed. A remote
    attacker could create a Java application or applet that used this
    to cause a denial of service through crashing the JVM or bypass Java
    sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)
    
    It was discovered that the OpenJDK XML (Extensible Markup Language)
    parser did not properly handle some XML documents. An attacker could
    create an XML document that caused a denial of service in a Java
    application or applet parsing the document. (CVE-2012-1724)
    
    As part of this update, the IcedTea web browser applet plugin was
    updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 12.04 LTS:
      openjdk-6-jre                   6b24-1.11.3-1ubuntu0.12.04.1
    
    Ubuntu 11.10:
      icedtea-6-plugin                1.2-2ubuntu0.11.10.1
      openjdk-6-jre                   6b24-1.11.3-1ubuntu0.11.10.1
    
    Ubuntu 11.04:
      icedtea-6-plugin                1.2-2ubuntu0.11.04.1
      openjdk-6-jre                   6b24-1.11.3-1ubuntu0.11.04.1
    
    Ubuntu 10.04 LTS:
      icedtea-6-plugin                1.2-2ubuntu0.10.04.1
      openjdk-6-jre                   6b24-1.11.3-1ubuntu0.10.04.1
    
    This update uses a new upstream release, which includes additional
    bug fixes. After a standard system update you need to restart any
    running Java applications, and any browser that has the IcedTea
    plugin loaded, so that they pick up the updated libraries; a JVM
    started before the update keeps running the old code until it is
    restarted.
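    The script below is an added example, not part of the Ubuntu notice, that
    turns the two steps above into checks: it compares installed versions of
    openjdk-6-jre and icedtea-6-plugin against the fixed versions listed in
    the table (copied from the notice), and it looks for JVM processes that
    still map a libjvm.so replaced on disk, which the Linux kernel reports
    with a "(deleted)" suffix in /proc/PID/maps. The dpkg-query output and the
    /proc maps excerpt it runs on are constructed samples; on a real Ubuntu
    host you would feed it `dpkg-query -W -f '${Package} ${Version}\n'
    openjdk-6-jre icedtea-6-plugin` and the release from `lsb_release -rs`.
    The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of USN-1505-1): check whether the fixed openjdk-6 /
# icedtea-web packages are installed and whether any running JVM still maps
# a pre-update libjvm.so and therefore needs a restart.
# The fixed-version table is copied from the notice; the dpkg-query output
# and /proc maps content further down are constructed sample data.

# fixed_version <release> <package>: fixed version from the notice's table.
# Prints nothing for combinations the notice does not list.
fixed_version() {
    case "$1/$2" in
        12.04/openjdk-6-jre)    echo 6b24-1.11.3-1ubuntu0.12.04.1 ;;
        11.10/icedtea-6-plugin) echo 1.2-2ubuntu0.11.10.1 ;;
        11.10/openjdk-6-jre)    echo 6b24-1.11.3-1ubuntu0.11.10.1 ;;
        11.04/icedtea-6-plugin) echo 1.2-2ubuntu0.11.04.1 ;;
        11.04/openjdk-6-jre)    echo 6b24-1.11.3-1ubuntu0.11.04.1 ;;
        10.04/icedtea-6-plugin) echo 1.2-2ubuntu0.10.04.1 ;;
        10.04/openjdk-6-jre)    echo 6b24-1.11.3-1ubuntu0.10.04.1 ;;
    esac
}

# version_lt <a> <b>: true if a is older than b. Uses dpkg's comparator when
# present (authoritative for Debian version strings); otherwise falls back
# to GNU sort -V, which orders these version strings the same way.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# package_status <release> <package> <installed-version>
# Prints "vulnerable", "fixed" or "unlisted".
package_status() {
    fixed=$(fixed_version "$1" "$2")
    if [ -z "$fixed" ]; then echo unlisted
    elif version_lt "$3" "$fixed"; then echo vulnerable
    else echo fixed
    fi
}

# jvm_needs_restart <maps-file>: true if a file in /proc/PID/maps format
# references a libjvm.so that was replaced on disk after the process mapped
# it; the kernel marks such mappings "(deleted)".
jvm_needs_restart() {
    grep -q 'libjvm\.so.*(deleted)' "$1"
}

# list_stale_jvms: every running process still mapping a deleted libjvm.so.
# Not invoked in the demo below because it needs a real /proc.
list_stale_jvms() {
    for maps in /proc/[0-9]*/maps; do
        if jvm_needs_restart "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            echo "$pid $(tr '\0' ' ' < "/proc/$pid/cmdline")"
        fi
    done
}

# --- demo on constructed data --------------------------------------------
# Constructed output in the shape of: dpkg-query -W -f '${Package} ${Version}\n'
# for an Ubuntu 11.10 host where only the plugin has been updated.
SAMPLE_DPKG='openjdk-6-jre 6b24-1.11.1-4ubuntu3
icedtea-6-plugin 1.2-2ubuntu0.11.10.1'
echo "$SAMPLE_DPKG" | while read -r pkg ver; do
    echo "11.10 $pkg $ver: $(package_status 11.10 "$pkg" "$ver")"
done

# Constructed /proc/PID/maps excerpt for a JVM started before the update.
SAMPLE_MAPS=$(mktemp)
cat > "$SAMPLE_MAPS" <<'EOF'
7f3c1c000000-7f3c1c021000 rw-p 00000000 00:00 0
7f3c1d5e0000-7f3c1df20000 r-xp 00000000 08:01 393331 /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/server/libjvm.so (deleted)
EOF
if jvm_needs_restart "$SAMPLE_MAPS"; then echo "sample JVM: restart required"; fi
rm -f "$SAMPLE_MAPS"
```

    On a live host, run `list_stale_jvms` as root after `apt-get upgrade` to
    get the PIDs and command lines of JVMs (including browsers that have the
    plugin loaded) that still execute the old code. Note that the notice
    lists no icedtea-6-plugin update for Ubuntu 12.04, so the status function
    reports that package as "unlisted" there rather than guessing.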
    
    References:
      http://www.ubuntu.com/usn/usn-1505-1
      CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
      CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724,
      CVE-2012-1725
    
    Package Information:
      https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.12.04.1
      https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.1
      https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.10.1
      https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.1
      https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.11.04.1
      https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.10.04.1
      https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.3-1ubuntu0.10.04.1
    
    