Your message dated Tue, 26 Jan 2010 19:54:46 +0100
with message-id <[email protected]>
and subject line Re: Bug#560908 closed by Matthias Klose (Re: openjdk-6: deluge of vulnerabilities)
has caused the Debian Bug report #566769,
regarding openjdk-6: security issues published in early 2009
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
566769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566769
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openjdk-6
Version: 6_6b17~pre3-1
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for openjdk-6.  It is very likely that they are all
fixed; however, this needs to be manually verified. Please check and
reply in-line with the fixed package version for each issue. Thank you.

CVE-2009-1093[0]:
| LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java
| Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and
| earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier
| does not close the connection when initialization fails, which allows
| remote attackers to cause a denial of service (LDAP service hang).

CVE-2009-1094[1]:
| Unspecified vulnerability in the LDAP implementation in Java SE
| Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17
| and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and
| earlier; and 1.4.2_19 and earlier allows remote LDAP servers to
| execute arbitrary code via unknown vectors related to serialized data.

CVE-2009-1095[2]:
| Integer overflow in unpack200 in Java SE Development Kit (JDK) and
| Java Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update
| 12 and earlier, allows remote attackers to access files or execute
| arbitrary code via a JAR file with crafted Pack200 headers.

CVE-2009-1096[3]:
| Buffer overflow in unpack200 in Java SE Development Kit (JDK) and Java
| Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12
| and earlier, allows remote attackers to access files or execute
| arbitrary code via a JAR file with crafted Pack200 headers.

CVE-2009-1097[4]:
| Multiple buffer overflows in Java SE Development Kit (JDK) and Java
| Runtime Environment (JRE) 6 Update 12 and earlier allow remote
| attackers to access files or execute arbitrary code via (1) a crafted
| PNG image that triggers an integer overflow during memory allocation
| for display on the splash screen, aka CR 6804996; and (2) a crafted
| GIF image from which unspecified values are used in calculation of
| offsets, leading to object-pointer corruption, aka CR 6804997.

CVE-2009-1098[5]:
| Buffer overflow in Java SE Development Kit (JDK) and Java Runtime
| Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier;
| 1.4.2_19 and earlier; and 1.3.1_24 and earlier allows remote attackers
| to access files or execute arbitrary code via a crafted GIF image, aka
| CR 6804998.

CVE-2009-1099[6]:
| Integer signedness error in Java SE Development Kit (JDK) and Java
| Runtime Environment (JRE) 5.0 Update 17 and earlier, and 6 Update 12
| and earlier, allows remote attackers to access files or execute
| arbitrary code via crafted glyph descriptions in a Type1 font, which
| bypasses a signed comparison and triggers a buffer overflow.

CVE-2009-1101[7]:
| Unspecified vulnerability in the lightweight HTTP server
| implementation in Java SE Development Kit (JDK) and Java Runtime
| Environment (JRE) 6 Update 12 and earlier allows remote attackers to
| cause a denial of service (probably resource consumption) for a JAX-WS
| service endpoint via a connection without any data, which triggers a
| file descriptor "leak."

CVE-2009-1102[8]:
| Unspecified vulnerability in the Virtual Machine in Java SE
| Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12
| and earlier allows remote attackers to access files and execute
| arbitrary code via unknown vectors related to "code generation."

CVE-2009-1103[9]:
| Unspecified vulnerability in the Java Plug-in in Java SE Development
| Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and
| earlier; 6 Update 12 and earlier; 1.4.2_19 and earlier; and 1.3.1_24
| and earlier allows remote attackers to access files and execute
| arbitrary code via unknown vectors related to "deserializing applets,"
| aka CR 6646860.

CVE-2009-1104[10]:
| The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime
| Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier;
| and 1.4.2_19 and earlier does not prevent Javascript that is loaded
| from the localhost from connecting to other ports on the system, which
| allows user-assisted attackers to bypass intended access restrictions
| via LiveConnect, aka CR 6724331.  NOTE: this vulnerability can be
| leveraged with separate cross-site scripting (XSS) vulnerabilities for
| remote attack vectors.

CVE-2009-1105[11]:
| The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime
| Environment (JRE) 6 Update 12, 11, and 10 allows user-assisted remote
| attackers to cause a trusted applet to run in an older JRE version,
| which can be used to exploit vulnerabilities in that older version,
| aka CR 6706490.

CVE-2009-1106[12]:
| The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime
| Environment (JRE) 6 Update 12, 11, and 10 does not properly parse
| crossdomain.xml files, which allows remote attackers to bypass
| intended access restrictions and connect to arbitrary sites via
| unknown vectors, aka CR 6798948.

CVE-2009-1107[13]:
| The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime
| Environment (JRE) 6 Update 12 and earlier, and 5.0 Update 17 and
| earlier, allows remote attackers to trick a user into trusting a
| signed applet via unknown vectors that misrepresent the security
| warning dialog, related to a "Swing JLabel HTML parsing
| vulnerability," aka CR 6782871.

CVE-2009-2675[14]:
| Integer overflow in the unpack200 utility in Sun Java Runtime
| Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE
| 5.0 before Update 20, allows context-dependent attackers to gain
| privileges via unspecified length fields in the header of a
| Pack200-compressed JAR file, which leads to a heap-based buffer
| overflow during decompression.

CVE-2009-2676[15]:
| Unspecified vulnerability in JNLPAppletlauncher in Sun Java SE, and SE
| for Business, in JDK and JRE 6 Update 14 and earlier and JDK and JRE
| 5.0 Update 19 and earlier; and Java SE for Business in SDK and JRE
| 1.4.2_21 and earlier; allows remote attackers to create or modify
| arbitrary files via vectors involving an untrusted Java applet that
| accesses an old version of JNLPAppletLauncher.

CVE-2009-2788[16]:
| Multiple SQL injection vulnerabilities in Mobilelib GOLD 3 allow
| remote attackers to execute arbitrary SQL commands via the (1)
| adminName parameter to cp/auth.php, (2) cid parameter to artcat.php,
| and (3) catid parameter to show.php.

CVE-2009-2789[17]:
| SQL injection vulnerability in the Permis (com_groups) component 1.0
| for Joomla! allows remote attackers to execute arbitrary SQL commands
| via the id parameter in a list action to index.php.  NOTE: the
| provenance of this information is unknown; the details are obtained
| solely from third party information.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
    http://security-tracker.debian.org/tracker/CVE-2009-1093
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
    http://security-tracker.debian.org/tracker/CVE-2009-1094
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095
    http://security-tracker.debian.org/tracker/CVE-2009-1095
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
    http://security-tracker.debian.org/tracker/CVE-2009-1096
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
    http://security-tracker.debian.org/tracker/CVE-2009-1097
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
    http://security-tracker.debian.org/tracker/CVE-2009-1098
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099
    http://security-tracker.debian.org/tracker/CVE-2009-1099
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
    http://security-tracker.debian.org/tracker/CVE-2009-1101
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
    http://security-tracker.debian.org/tracker/CVE-2009-1102
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103
    http://security-tracker.debian.org/tracker/CVE-2009-1103
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104
    http://security-tracker.debian.org/tracker/CVE-2009-1104
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105
    http://security-tracker.debian.org/tracker/CVE-2009-1105
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106
    http://security-tracker.debian.org/tracker/CVE-2009-1106
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107
    http://security-tracker.debian.org/tracker/CVE-2009-1107
[14] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
    http://security-tracker.debian.org/tracker/CVE-2009-2675
[15] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
    http://security-tracker.debian.org/tracker/CVE-2009-2676
[16] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2788
    http://security-tracker.debian.org/tracker/CVE-2009-2788
[17] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2789
    http://security-tracker.debian.org/tracker/CVE-2009-2789
--- End Message ---
--- Begin Message ---
Michael Gilbert wrote:
> On Fri, 18 Dec 2009 10:54:15 +0000, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > which was filed against the openjdk-6 package:
> > 
> > #560908: openjdk-6: deluge of vulnerabilities
> > 
> > It has been closed by Matthias Klose.
> 
> Are you 100% sure that all 28 of these issues are fixed in this
> version?  How did you check this?

The patches are bundled in batches for the respective Sun Java releases
and included in openjdk releases where applicable (some components like
Web Start are not present in OpenJDK). 

There's no particular reason to believe that upstream missed some patches
in this process. You can check them individually and annotate them in the
Debian Security Tracker if you like, but it doesn't warrant RC bugs.

Cheers,
        Moritz


--- End Message ---
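The bug report above asks the maintainer to check each CVE id and reply with the fixed package version, and to record the ids in the changelog entry; the reply points at checking the ids individually. The first half of that check can be automated against debian/changelog. The following is an added example, not code from the bug report, from Debian's own tooling or from the openjdk-6 package: it parses a changelog into entries and reports the oldest entry that mentions each CVE id. The changelog text, maintainer name, dates and versions embedded in it are constructed for illustration. Any id that no entry mentions is exactly the case the report says still needs manual verification.

```python
"""Find the changelog entry that first mentions each CVE id.

Added example for illustration; the changelog below is constructed and its
versions, dates and maintainer are invented, not taken from the real
openjdk-6 package.
"""
import re

# Constructed sample debian/changelog (newest entry first, as the format
# requires). Versions, dates and the maintainer are made up for the example.
SAMPLE_CHANGELOG = """\
openjdk-6 (6b17~pre3-1) unstable; urgency=low

  * New upstream snapshot.
  * Security fixes, including CVE-2009-2675 and CVE-2009-2676.

 -- Example Maintainer <maintainer@example.org>  Mon, 04 Jan 2010 12:00:00 +0100

openjdk-6 (6b16-1) unstable; urgency=low

  * New upstream release.
  * Fixes CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096.
  * Fixes CVE-2009-1099 (Type1 font signedness error).

 -- Example Maintainer <maintainer@example.org>  Tue, 01 Sep 2009 12:00:00 +0200

openjdk-6 (6b14-1) unstable; urgency=low

  * Initial packaging of a new snapshot.

 -- Example Maintainer <maintainer@example.org>  Fri, 01 May 2009 12:00:00 +0200
"""

# A changelog entry starts with "package (version) distribution; ..." in
# column 0; every other line (bullets, blank lines, the " -- " trailer)
# belongs to the entry above it.
ENTRY_HEADER = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9.+-]+) \((?P<ver>[^)]+)\) ")
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changelog(text):
    """Split a debian/changelog into (version, body) tuples, newest first."""
    entries = []
    version, body = None, []
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            if version is not None:
                entries.append((version, "\n".join(body)))
            version, body = m.group("ver"), []
        elif version is not None:
            body.append(line)
    if version is not None:
        entries.append((version, "\n".join(body)))
    return entries


def first_fixed_version(entries, cve):
    """Return the oldest version whose entry mentions cve, or None.

    Entries are newest-first, so walk them in reverse: the first hit is the
    earliest upload that claims the fix, which is the version to report.
    """
    for version, body in reversed(entries):
        if cve in CVE_ID.findall(body):
            return version
    return None


def check_cves(changelog_text, cves):
    """Map each CVE id to the version that first mentions it (None if absent)."""
    entries = parse_changelog(changelog_text)
    return {cve: first_fixed_version(entries, cve) for cve in cves}


def unmentioned(changelog_text, cves):
    """CVE ids no changelog entry mentions: these still need manual checking."""
    return sorted(c for c, v in check_cves(changelog_text, cves).items() if v is None)


if __name__ == "__main__":
    wanted = ["CVE-2009-1093", "CVE-2009-1099", "CVE-2009-1101", "CVE-2009-2675"]
    for cve, ver in check_cves(SAMPLE_CHANGELOG, wanted).items():
        print(f"{cve}: {ver or 'not mentioned in any changelog entry'}")
```

A mention in the changelog is a claim, not proof: the script only tells you which ids the maintainer never recorded, so that those can be checked against upstream patches and annotated in the Security Tracker by hand.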