Nom du paquet
java-1.6.0-openjdk
Date
2011-03-27
Advisory ID
MDVSA-2011:054
Affected versions
2009.0 x86_64 , MES5 i586 , 2010.0 x86_64 , 2010.1 i586 , 2010.0 i586 , 2009.0 i586 , MES5 x86_64 , 2010.1 x86_64

Problem description

Multiple vulnerabilities has been identified and fixed in
java-1.6.0-openjdk:

The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7,
1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from
the checkPermission method instead of throwing an exception in certain
circumstances, which might allow context-dependent attackers to bypass
the intended security policy by creating instances of ClassLoader
(CVE-2010-4351).

Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect integrity via unknown vectors related to Networking. NOTE: the
previous information was obtained from the February 2011 CPU. Oracle
has not commented on claims from a downstream vendor that this issue
involves DNS cache poisoning by untrusted applets. (CVE-2010-4448)

Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier for
Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux;
and 1.4.2_29 and earlier for Solaris and Linux allows local standalone
applications to affect confidentiality, integrity, and availability via
unknown vectors related to Launcher. NOTE: the previous information was
obtained from the February 2011 CPU. Oracle has not commented on claims
from a downstream vendor that this issue is an untrusted search path
vulnerability involving an empty LD_LIBRARY_PATH environment variable
(CVE-2010-4450).

Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect confidentiality, integrity, and availability via unknown vectors
related to Swing. NOTE: the previous information was obtained from the
February 2011 CPU. Oracle has not commented on claims from a downstream
vendor that this issue is related to the lack of framework support by
AWT event dispatch, and/or clipboard access in Applets. (CVE-2010-4465)

Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect confidentiality, integrity, and availability via unknown vectors
related to HotSpot. NOTE: the previous information was obtained from
the February 2011 CPU. Oracle has not commented on claims from a
downstream vendor that this issue is heap corruption related to the
Verifier and backward jsrs. (CVE-2010-4469)

Unspecified vulnerability in the Java Runtime Environment (JRE) in
Oracle Java SE and Java for Business 6 Update 23, and, and earlier
allows remote attackers to affect availability via unknown vectors
related to JAXP and unspecified APIs. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented on
claims from a downstream vendor that this issue is related to Features
set on SchemaFactory not inherited by Validator. (CVE-2010-4470)

Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
and 5.0 Update 27 and earlier allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality
via unknown vectors related to 2D. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented
on claims from a downstream vendor that this issue is related to the
exposure of system properties via vectors related to Font.createFont
and exception text (CVE-2010-4471).

Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier
allows remote attackers to affect availability, related to
XML Digital Signature and unspecified APIs. NOTE: the previous
information was obtained from the February 2011 CPU. Oracle has
not commented on claims from a downstream vendor that this issue
involves the replacement of the XML DSig Transform or C14N algorithm
implementations. (CVE-2010-4472)

The Double.parseDouble method in Java Runtime Environment (JRE) in
Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0
Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK,
Apache, JBossweb, and other products, allows remote attackers to cause
a denial of service via a crafted string that triggers an infinite
loop of estimations during conversion to a double-precision binary
floating-point number, as demonstrated using 2.2250738585072012e-308
(CVE-2010-4476).

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5
does not properly verify signatures for JAR files that (1) are
partially signed or (2) signed by multiple entities, which allows
remote attackers to trick users into executing code that appears to
come from a trusted source (CVE-2011-0025).

The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in
OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain
privileges via unknown vectors related to multiple signers and the
assignment of an inappropriate security descriptor. (CVE-2011-0706)

Additionally the java-1.5.0-gcj packages were not rebuilt with the
shipped version on GCC for 2009.0 and Enterprise Server 5 which
caused problems while building the java-1.6.0-openjdk updates,
therefore rebuilt java-1.5.0-gcj packages are being provided with
this advisory as well.

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.

Updated packages

2009.0 x86_64

 5728fe31661213beab52fe97f9af91ad  2009.0/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
 bd5a2a20d168ddcebe29bb109fea38c2  2009.0/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
 a37818a53a8dbfa85d82bcf3bf83e08f  2009.0/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
 ed9d1baa365606c512783863da3e0bd8  2009.0/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
 b5e70c75ecc67f8f1f7f22ca55059a8b  2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
 071df613e884a9faf3525661280b19d6  2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
 81b79e0a8ae29c5bcff3fa6872ad52e9  2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
 b5818cbad798514f02ee26c346d1e077  2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
 d80e3970d9279df1f9dddd46bcb01380  2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
 d72298b296819ab6791e28449d3cf475  2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm 
 fc94465e0b7e5fe50095c15726d38699  2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
 79aa73d85fe13e803173a9c520ac1bd8  2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm

MES5 i586

 2bf537286d1406c491061e07a73c96ec  mes5/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
 fb125806cc547d2c69cf13ae67c835d5  mes5/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
 657a9fb9b644be8f8a49442a8210d56a  mes5/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
 fff64cbf465a2a701c248ad5cc4c89c6  mes5/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
 8ba9fe5adad781d341ba764b661c8c92  mes5/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
 75de95d6064fe9d552795deb0768dfca  mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
 9f5ccbfff9afb405baadfc67f8173617  mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
 70de70d7adaccff5397814d31bd51a96  mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
 94b138e8a423f2f8c2ad137577bb4d42  mes5/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
 fd7dc4b050b6e07ea7686a72c2704ccd  mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm 
 2899dfa5a7491a13e85736bf588913d9  mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
 4fc6e8041b5a93a3a71082fb1cbead26  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm

2010.0 x86_64

 11e65a4c18288572327dd4c4f8841f94  2010.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
 58bdac45685c3146adb44cb2c006811f  2010.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
 e9dfc0bd42192c92b2a788809226ff27  2010.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
 afcef69bfa7804c70df2684b2ed19634  2010.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
 64ea6c5ab1b71b8a0f163aa1f7581c69  2010.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
 beb768b3e0714331050baf31a8e88bc9  2010.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm 
 f7cb05087b53d464084c1d9975f914b1  2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm

2010.1 i586

 c2736e4b08921bb5de8dbad3e13bb988  2010.1/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
 884207fa52ea3e168710dfb3988229d5  2010.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
 a0d0a86bbc5dcc9d2eff2dc2e14ae083  2010.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
 dc1dd774b5eb1efb1a785b0ff4bc8f94  2010.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
 41cffbd28ed3d467e465328d8369116a  2010.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
 ae4064b170d4e2fcd0b4949cd53af79e  2010.1/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.i586.rpm 
 f44cc336bcd85dbfd7c589b1b34e1907  2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm

2010.0 i586

 bbe3a5e4538edd269e8e8c846d02ec50  2010.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
 825fa39b02a627993df166acad99e002  2010.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
 b30390e1d4457964f60630c95b36e768  2010.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
 f6123d9a0852fabdf596850979b58e4d  2010.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
 f2ec2f80944f1f401154d2fb2c2ad64d  2010.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
 68ed360de6ee490d80906fd561459faa  2010.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.i586.rpm 
 f7cb05087b53d464084c1d9975f914b1  2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm

2009.0 i586

 cfea90f1f20d28bf5a2f628e0a910eaa  2009.0/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
 d3188bf2f1da126b4d04e920e331d831  2009.0/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
 1b4994018478f335d49531d9d5e60642  2009.0/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
 078af1b826c27ea3c7befc88ace7ebd5  2009.0/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
 d1c6cba2035f8eada4e351310ebf7be2  2009.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
 8b53c26f88092819346654a339b44622  2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
 fc8af257ef8db0d37f3bfff954740c0b  2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
 6cd5f5cdb27e4c8936292aef0aa5010c  2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
 03fdab84535710ac263c08b3870cb062  2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
 0232ce60d1d6e1072e50a13f2b416fcc  2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.i586.rpm 
 fc94465e0b7e5fe50095c15726d38699  2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
 79aa73d85fe13e803173a9c520ac1bd8  2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm

MES5 x86_64

 11c7cdc078dcd9cf30e818f4fb4c4e1f  mes5/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
 6c6185f429a1672255e30cf00c2af065  mes5/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
 f194361aa7a5cfeec17745f0ee158962  mes5/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
 7d2679d156a618d7ba847ba2ebcede4b  mes5/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
 8ae3d0065764f69d1546a61b895a4244  mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
 8ef4ab6f5f8f421c1b36dfae807350a5  mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
 d504a7493fc86d5750c849f738bb6167  mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
 3c044a087cc5225fd9ad138dcea5fa7d  mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
 b89fa5785567340525aa5b57c8b9440c  mes5/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
 3dc504dbf7161b1026bf41298118a819  mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm 
 2899dfa5a7491a13e85736bf588913d9  mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
 4fc6e8041b5a93a3a71082fb1cbead26  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm

2010.1 x86_64

 556d72a8cf60df24274bb49938a2791c  2010.1/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
 e7e183d456383ad562cdb9da84e0f899  2010.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
 035fccb2950b8a87cd4b597c866d5831  2010.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
 a76c326c10b87a62be32100d0eddd75f  2010.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
 09ad2b77e3c48b3e16010c8c93fa8f9b  2010.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
 042beb49ddd872902a8faea3e425b792  2010.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm 
 f44cc336bcd85dbfd7c589b1b34e1907  2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm

References