Ubuntu Security Notice – openjdk-6 Vulnerabilities

Sponsored Link
=========================================================
Ubuntu Security Notice USN-859-1 November 13, 2009
openjdk-6 vulnerabilities
CVE-2009-2409, CVE-2009-3728, CVE-2009-3869, CVE-2009-3871,
CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876,
CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881,
CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3885
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.10:

icedtea6-plugin 6b12-0ubuntu6.6
openjdk-6-jre 6b12-0ubuntu6.6

Ubuntu 9.04:

icedtea6-plugin 6b14-1.4.1-0ubuntu12
openjdk-6-jre 6b14-1.4.1-0ubuntu12

Ubuntu 9.10:

icedtea6-plugin 6b16-1.6.1-3ubuntu1
openjdk-6-jre 6b16-1.6.1-3ubuntu1

After a standard system upgrade you need to restart any Java applications to effect the necessary changes.

Details follow:

Dan Kaminsky discovered that SSL certificates signed with MD2 could be spoofed given enough time. As a result, an attacker could potentially
create a malicious trusted certificate to impersonate another site. This update handles this issue by completely disabling MD2 for certificate
validation in OpenJDK. (CVE-2009-2409)

It was discovered that ICC profiles could be identified with “..” pathnames. If a user were tricked into running a specially crafted applet, a remote attacker could gain information about a local system. (CVE-2009-3728)

Peter Vreugdenhil discovered multiple flaws in the processing of graphics in the AWT library. If a user were tricked into running a specially crafted applet, a remote attacker could crash the application or run arbitrary code with user privileges. (CVE-2009-3869, CVE-2009-3871)

Multiple flaws were discovered in JPEG and BMP image handling. If a user were tricked into loading a specially crafted image, a remote attacker could crash the application or run arbitrary code with user privileges.(CVE-2009-3873, CVE-2009-3874, CVE-2009-3885)

Coda Hale discovered that HMAC-based signatures were not correctly validated. Remote attackers could bypass certain forms of authentication,granting unexpected access. (CVE-2009-3875)

Multiple flaws were discovered in ASN.1 parsing. A remote attacker could send a specially crafted HTTP stream that would exhaust system memory and lead to a denial of service. (CVE-2009-3876, CVE-2009-3877)

It was discovered that the graphics configuration subsystem did not correctly handle arrays. If a user were tricked into running a specially crafted applet, a remote attacker could exploit this to crash the application or execute arbitrary code with user privileges. (CVE-2009-3879)

It was discovered that loggers and Swing did not correctly handle certain sensitive objects. If a user were tricked into running a specially crafted applet, private information could be leaked to a remote attacker, leading to a loss of privacy. (CVE-2009-3880, CVE-2009-3882,CVE-2009-3883)

It was discovered that the ClassLoader did not correctly handle certain options. If a user were tricked into running a specially crafted applet, a remote attacker could execute arbitrary code with user privileges. (CVE-2009-3881)

It was discovered that time zone file loading could be used to determine the existence of files on the local system. If a user were tricked into running a specially crafted applet, private information could be leaked to a remote attacker, leading to a loss of privacy. (CVE-2009-3884)

Source

Sponsored Link

Related posts

2 thoughts on “Ubuntu Security Notice – openjdk-6 Vulnerabilities

  1. so how can we fix this issue?

    [Reply]

    admin Reply:

    Run the following commands from terminal

    sudo apt-get update

    sudo apt-get dist-upgrade

    This will effect only if you are using openjdk6

    [Reply]

Leave a comment

Your email address will not be published. Required fields are marked *