Debian Security Advisory
DSA-2311-1 openjdk-6 -- several vulnerabilities
- Date Reported:
- 27 Sep 2011
- Affected Packages:
- openjdk-6
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 629852.
In Mitre's CVE dictionary: CVE-2011-0862, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871. - More information:
-
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java SE platform. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2011-0862
Integer overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges.
- CVE-2011-0864
Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine.
- CVE-2011-0865
A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact.
- CVE-2011-0867
Untrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.)
- CVE-2011-0868
A float-to-long conversion could overflow, allowing untrusted code (including applets) to crash the virtual machine.
- CVE-2011-0869
Untrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection.
- CVE-2011-0871
Untrusted code (including applets) could elevate its privileges through the Swing MediaTracker code.
In addition, this update removes support for the Zero/Shark and Cacao Hotspot variants from the i386 and amd64 due to stability issues. These Hotspot variants are included in the openjdk-6-jre-zero and icedtea-6-jre-cacao packages, and these packages must be removed during this update.
For the oldstable distribution (lenny), these problems will be fixed in a separate DSA for technical reasons.
For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.9-0.1~squeeze1.
For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 6b18-1.8.9-0.1.
We recommend that you upgrade your openjdk-6 packages.
- CVE-2011-0862