Debian Security Advisory

DSA-2311-1 openjdk-6 -- several vulnerabilities

Date Reported:
27 Sep 2011
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 629852.
In Mitre's CVE dictionary: CVE-2011-0862, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871.
More information:

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java SE platform. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2011-0862

    Integer overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges.

  • CVE-2011-0864

    Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine.

  • CVE-2011-0865

    A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact.

  • CVE-2011-0867

    Untrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.)

  • CVE-2011-0868

    A float-to-long conversion could overflow, allowing untrusted code (including applets) to crash the virtual machine.

  • CVE-2011-0869

    Untrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection.

  • CVE-2011-0871

    Untrusted code (including applets) could elevate its privileges through the Swing MediaTracker code.

In addition, this update removes support for the Zero/Shark and Cacao Hotspot variants from the i386 and amd64 due to stability issues. These Hotspot variants are included in the openjdk-6-jre-zero and icedtea-6-jre-cacao packages, and these packages must be removed during this update.

For the oldstable distribution (lenny), these problems will be fixed in a separate DSA for technical reasons.

For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.9-0.1~squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 6b18-1.8.9-0.1.

We recommend that you upgrade your openjdk-6 packages.