Oracle JRE/JDK: Multiple vulnerabilities

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 201111-02 / sun-jre-bin sun-jdk emul-linux-x86-java
Release Date	November 05, 2011
Latest Revision	November 05, 2011: 1
Impact	normal
Exploitable	remote

Package	Vulnerable versions	Unaffected versions	Architecture(s)
dev-java/sun-jre-bin	< 1.6.0.29	>= 1.6.0.29*	All supported architectures
app-emulation/emul-linux-x86-java	< 1.6.0.29	>= 1.6.0.29*	All supported architectures
dev-java/sun-jdk	< 1.6.0.29	>= 1.6.0.29*	All supported architectures

Warning: *: Needs to be manually updated

Related bugreports: #340421, #354213, #370559, #387851

Synopsis

Multiple vulnerabilities have been found in the Oracle JRE/JDK, allowing attackers to cause unspecified impact.

2. Impact Information

Background

The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform).

Description

Multiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below and the associated Oracle Critical Patch Update Advisory for details.

Impact

A remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code.

3. Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Oracle JDK 1.6 users should upgrade to the latest version:

Code Listing 3.1: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"

All Oracle JRE 1.6 users should upgrade to the latest version:

Code Listing 3.2: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"

All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to the latest version:

Code Listing 3.3: Resolution

  # emerge --sync
  # emerge --ask --oneshot --verbose
  ">=app-emulation/emul-linux-x86-java-1.6.0.29"

NOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically. This limitation is not present on a non-fetch restricted implementation such as dev-java/icedtea-bin.

4. References

CVE-2010-3541
CVE-2010-3548
CVE-2010-3549
CVE-2010-3550
CVE-2010-3551
CVE-2010-3552
CVE-2010-3553
CVE-2010-3554
CVE-2010-3555
CVE-2010-3556
CVE-2010-3557
CVE-2010-3558
CVE-2010-3559
CVE-2010-3560
CVE-2010-3561
CVE-2010-3562
CVE-2010-3563
CVE-2010-3565
CVE-2010-3566
CVE-2010-3567
CVE-2010-3568
CVE-2010-3569
CVE-2010-3570
CVE-2010-3571
CVE-2010-3572
CVE-2010-3573
CVE-2010-3574
CVE-2010-4422
CVE-2010-4447
CVE-2010-4448
CVE-2010-4450
CVE-2010-4451
CVE-2010-4452
CVE-2010-4454
CVE-2010-4462
CVE-2010-4463
CVE-2010-4465
CVE-2010-4466
CVE-2010-4467
CVE-2010-4468
CVE-2010-4469
CVE-2010-4470
CVE-2010-4471
CVE-2010-4472
CVE-2010-4473
CVE-2010-4474
CVE-2010-4475
CVE-2010-4476
CVE-2011-0802
CVE-2011-0814
CVE-2011-0815
CVE-2011-0862
CVE-2011-0863
CVE-2011-0864
CVE-2011-0865
CVE-2011-0867
CVE-2011-0868
CVE-2011-0869
CVE-2011-0871
CVE-2011-0872
CVE-2011-0873
CVE-2011-3389
CVE-2011-3516
CVE-2011-3521
CVE-2011-3544
CVE-2011-3545
CVE-2011-3546
CVE-2011-3547
CVE-2011-3548
CVE-2011-3549
CVE-2011-3550
CVE-2011-3551
CVE-2011-3552
CVE-2011-3553
CVE-2011-3554
CVE-2011-3555
CVE-2011-3556
CVE-2011-3557
CVE-2011-3558
CVE-2011-3560
CVE-2011-3561

Page updated November 05, 2011

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.