Security Information / 2012 / Security Information -- DSA-2507-1 openjdk-6

Debian Security Advisory

DSA-2507-1 openjdk-6 -- several vulnerabilities

Date Reported:

04 Jul 2012

Affected Packages:

openjdk-6

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725.

More information:

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform.

• CVE-2012-1711 CVE-2012-1719

  Multiple errors in the CORBA implementation could lead to breakouts of the Java sandbox.

• CVE-2012-1713

  Missing input sanitising in the font manager could lead to the execution of arbitrary code.

• CVE-2012-1716

  The SynthLookAndFeel Swing class could be abused to break out of the Java sandbox.

• CVE-2012-1717

  Several temporary files were created insecurely, resulting in local information disclosure.

• CVE-2012-1718

  Certificate revocation lists were incorrectly implemented.

• CVE-2012-1723 CVE-2012-1725

  Validation errors in the bytecode verifier of the Hotspot VM could lead to breakouts of the Java sandbox.

• CVE-2012-1724

  Missing input sanitising in the XML parser could lead to denial of service through an infinite loop.

For the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.13-0+squeeze2.

For the unstable distribution (sid), this problem has been fixed in version 6b24-1.11.3-1.

We recommend that you upgrade your openjdk-6 packages.