 
| Subject: | |
| From: | |
| Reply To: | |
| Date: | Wed, 30 Jul 2008 15:25:26 -0500 |
| Content-Type: | text/plain |
| Parts/Attachments: |
|
|
Synopsis: Critical: java (jdk 1.5.0) security update
Issue date: 2008-07-14
CVE Names: CVE-2008-1185 CVE-2008-1186 CVE-2008-1187
CVE-2008-1188 CVE-2008-1189 CVE-2008-1190
CVE-2008-1191 CVE-2008-1192 CVE-2008-1193
CVE-2008-1194 CVE-2008-1195 CVE-2008-1196
CVE-2008-3103 CVE-2008-3104 CVE-2008-3107
CVE-2008-3111 CVE-2008-3112 CVE-2008-3113
CVE-2008-3114
Flaws in the JRE allowed an untrusted application or applet to elevate its
privileges. This could be exploited by a remote attacker to access local
files or execute local applications accessible to the user running the JRE
(CVE-2008-1185, CVE-2008-1186)
A flaw was found in the Java XSLT processing classes. An untrusted
application or applet could cause a denial of service, or execute arbitrary
code with the permissions of the user running the JRE. (CVE-2008-1187)
Several buffer overflow flaws were found in Java Web Start (JWS). An
untrusted JNLP application could access local files or execute local
applications accessible to the user running the JRE.
(CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196)
A flaw was found in the Java Plug-in. A remote attacker could bypass the
same origin policy, executing arbitrary code with the permissions of the
user running the JRE. (CVE-2008-1192)
A flaw was found in the JRE image parsing libraries. An untrusted
application or applet could cause a denial of service, or possible execute
arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1193)
A flaw was found in the JRE color management library. An untrusted
application or applet could trigger a denial of service (JVM crash).
(CVE-2008-1194)
The JRE allowed untrusted JavaScript code to create local network
connections by the use of Java APIs. A remote attacker could use these
flaws to acesss local network services. (CVE-2008-1195)
A vulnerability was found in the Java Management Extensions (JMX)
management agent, when local monitoring is enabled. This allowed remote
attackers to perform illegal operations. (CVE-2008-3103)
Multiple vulnerabilities with unsigned applets were reported. A remote
attacker could misuse an unsigned applet to connect to localhost services
running on the host running the applet. (CVE-2008-3104)
A Java Runtime Environment (JRE) vulnerability could be triggered by an
untrusted application or applet. A remote attacker could grant an untrusted
applet extended privileges such as reading and writing local files, or
executing local programs. (CVE-2008-3107)
Several buffer overflow vulnerabilities in Java Web Start were reported.
These vulnerabilities may allow an untrusted Java Web Start application to
elevate its privileges and thereby grant itself permission to read and/or
write local files, as well as to execute local applications accessible to
the user running the untrusted application. (CVE-2008-3111)
Two file processing vulnerabilities in Java Web Start were found. A remote
attacker, by means of an untrusted Java Web Start application, was able to
create or delete arbitrary files with the permissions of the user running
the untrusted application. (CVE-2008-3112, CVE-2008-3113)
A vulnerability in Java Web Start when processing untrusted applications
was reported. An attacker was able to acquire sensitive information, such
as the cache location. (CVE-2008-3114)
SL 4.x
SRPMS:
java-1.5.0-sun-compat-1.5.0.16-1.1.sl.jpp.src.rpm
i386:
java-1.5.0-sun-compat-1.5.0.16-1.1.sl.jpp.noarch.rpm
jdk-1.5.0_16-fcs.i586.rpm
x86_64:
java-1.5.0-sun-compat-1.5.0.16-1.1.sl.jpp.noarch.rpm
jdk-1.5.0_16-fcs.i586.rpm
SL 5.x
SRPMS:
java-1.5.0-sun-compat-1.5.0.16-1.1.sl5.jpp.src.rpm
i386:
java-1.5.0-sun-compat-1.5.0.16-1.1.sl5.jpp.noarch.rpm
jdk-1.5.0_16-fcs.i586.rpm
x86_64:
java-1.5.0-sun-compat-1.5.0.16-1.1.sl5.jpp.noarch.rpm
jdk-1.5.0_16-fcs.i586.rpm
jdk-1.5.0_16-fcs.x86_64.rpm
-Connie Sieh
-Troy Dawson
|
|
|
