Security Information / 2011 / Security Information -- DSA-2311-1 openjdk-6

Debian Security Advisory

DSA-2311-1 openjdk-6 -- several vulnerabilities

Date Reported:

27 Sep 2011

Affected Packages:

openjdk-6

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 629852.
In Mitre's CVE dictionary: CVE-2011-0862, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871.

More information:

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java SE platform. The Common Vulnerabilities and Exposures project identifies the following problems:

• CVE-2011-0862

  Integer overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges.

• CVE-2011-0864

  Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine.

• CVE-2011-0865

  A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact.

• CVE-2011-0867

  Untrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.)

• CVE-2011-0868

  A float-to-long conversion could overflow, allowing untrusted code (including applets) to crash the virtual machine.

• CVE-2011-0869

  Untrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection.

• CVE-2011-0871

  Untrusted code (including applets) could elevate its privileges through the Swing MediaTracker code.

In addition, this update removes support for the Zero/Shark and Cacao Hotspot variants from the i386 and amd64 due to stability issues. These Hotspot variants are included in the openjdk-6-jre-zero and icedtea-6-jre-cacao packages, and these packages must be removed during this update.

For the oldstable distribution (lenny), these problems will be fixed in a separate DSA for technical reasons.

For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.9-0.1~squeeze1.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 6b18-1.8.9-0.1.

We recommend that you upgrade your openjdk-6 packages.