Sun JDK/JRE: Multiple vulnerabilities Multiple vulnerabilities in the Sun JDK and JRE allow for several attacks, including the remote execution of arbitrary code. sun-jre-bin sun-jdk emul-linux-x86-java blackdown-jre blackdown-jdk November 17, 2009 November 17, 2009: 01 182824 231337 250012 263810 280409 291817 remote 1.5.0.22 1.6.0.17 1.6.0.17 1.5.0.22 1.6.0.17 1.6.0.17 1.4.2.03-r14 1.4.2.03-r16 1.5.0.22 1.6.0.17 1.6.0.17

The Sun Java Development Kit (JDK) and the Sun Java Runtime Environment (JRE) provide the Sun Java platform.

Multiple vulnerabilities have been reported in the Sun Java implementation. Please review the CVE identifiers referenced below and the associated Sun Alerts for details.

A remote attacker could entice a user to open a specially crafted JAR archive, applet, or Java Web Start application, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. Furthermore, a remote attacker could cause a Denial of Service affecting multiple services via several vectors, disclose information and memory contents, write or execute local files, conduct session hijacking attacks via GIFAR files, steal cookies, bypass the same-origin policy, load untrusted JAR files, establish network connections to arbitrary hosts and posts via several vectors, modify the list of supported graphics configurations, bypass HMAC-based authentication systems, escalate privileges via several vectors and cause applet code to be executed with older, possibly vulnerable versions of the JRE.

NOTE: Some vulnerabilities require a trusted environment, user interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack.

There is no known workaround at this time.

All Sun JRE 1.5.x users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.5.0.22"

All Sun JRE 1.6.x users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.17"

All Sun JDK 1.5.x users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.5.0.22"

All Sun JDK 1.6.x users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.17"

All users of the precompiled 32bit Sun JRE 1.5.x should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.5.0.22"

All users of the precompiled 32bit Sun JRE 1.6.x should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/emul-linux-x86-java-1.6.0.17"

All Sun JRE 1.4.x, Sun JDK 1.4.x, Blackdown JRE, Blackdown JDK and precompiled 32bit Sun JRE 1.4.x users are strongly advised to unmerge Java 1.4:

# emerge --unmerge =app-emulation/emul-linux-x86-java-1.4* # emerge --unmerge =dev-java/sun-jre-bin-1.4* # emerge --unmerge =dev-java/sun-jdk-1.4* # emerge --unmerge dev-java/blackdown-jdk # emerge --unmerge dev-java/blackdown-jre

Gentoo is ceasing support for the 1.4 generation of the Sun Java Platform in accordance with upstream. All 1.4 JRE and JDK versions are masked and will be removed shortly.

CVE-2008-2086 CVE-2008-3103 CVE-2008-3104 CVE-2008-3105 CVE-2008-3106 CVE-2008-3107 CVE-2008-3108 CVE-2008-3109 CVE-2008-3110 CVE-2008-3111 CVE-2008-3112 CVE-2008-3113 CVE-2008-3114 CVE-2008-3115 CVE-2008-5339 CVE-2008-5340 CVE-2008-5341 CVE-2008-5342 CVE-2008-5343 CVE-2008-5344 CVE-2008-5345 CVE-2008-5346 CVE-2008-5347 CVE-2008-5348 CVE-2008-5349 CVE-2008-5350 CVE-2008-5351 CVE-2008-5352 CVE-2008-5353 CVE-2008-5354 CVE-2008-5355 CVE-2008-5356 CVE-2008-5357 CVE-2008-5358 CVE-2008-5359 CVE-2008-5360 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-2409 CVE-2009-2475 CVE-2009-2476 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2674 CVE-2009-2675 CVE-2009-2676 CVE-2009-2689 CVE-2009-2690 CVE-2009-2716 CVE-2009-2718 CVE-2009-2719 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724 CVE-2009-3728 CVE-2009-3729 CVE-2009-3865 CVE-2009-3866 CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881 CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-3886 a3li a3li