Security vulnerabilities in sun-java6-*

Bug #247380 reported by Mika Wahlroos
Affects | Status | Importance | Assigned to | Milestone
sun-java6 (Ubuntu) | Fix Released | Undecided | Unassigned |
Nominated for Feisty by Mika Wahlroos
Nominated for Gutsy by Mika Wahlroos
Hardy | Fix Released | Undecided | Unassigned |

Bug Description

Binary package hint: sun-java6-jre

Sun Java 6 update 6 (both JRE and JDK, included in multiverse for Ubuntu 8.04 / Hardy Heron) has several known security vulnerabilities, including a vulnerability that may allow applets to remotely read sensitive data if a user enters a malicious web page, considered highly critical by Secunia [1].

Java 6 update 7 from Sun contains fixes for these vulnerabilities [2].

I know that these packages are non-free and not officially supported, but if it's possible for the sun-java6-* package maintainers to prepare and upload an updated package, that would be great since it would greatly improve the security of these packages. They are, although in multiverse, commonly installed on Ubuntu systems. Even a backport would be better than nothing -- update 7 already seems to be in intrepid.

[1] http://secunia.com/advisories/31010
[2] http://java.sun.com/javase/6/webnotes/ReleaseNotes.html#160_07

Mika Wahlroos (mpw) wrote :

Making public since the vulnerabilities have been public at least since the new upstream version anyway.

Matthias Klose (doko) wrote :

fixed in intrepid

Changed in sun-java6:
status: New → Fix Released
status: New → Confirmed
Mika Wahlroos (mpw) wrote :

Fixed in hardy-updates (see #254997). Older releases (gutsy, feisty) are probably still affected, and their sun-java6 versions are a lot older anyway. I don't suppose those are going to get SRUs for Java anymore?

I'm marking this as "fix released" for hardy. I added nominations for the older releases just so that we can keep track of where the vulnerabilities still exist.

Changed in sun-java6:
status: Confirmed → Fix Released
Matthias Klose (doko) wrote : Re: [Bug 247380] Re: Security vulnerabilities in sun-java6-*

Mika Wahlroos wrote:
> I'm marking this as "fix released" for hardy. I added nominations for
> the older releases just so that we can keep track of where the
> vulnerabilities still exist.

sure, please prepare an update (based on the package for hardy).

Mika Wahlroos (mpw) wrote :

I don't currently have any feisty or gutsy systems installed. The nomination of the bug for those releases is based on the (upstream) version numbers of the packages available for them which suggest that the packages are vulnerable.

If I have time to install feisty and gutsy build/test environments, I'll try building a package. I wouldn't count on having the time soon, though. Feisty is nearing end-of-life anyway, but gutsy users might still benefit.

This report contains Public Security information  
Everyone can see this security related information.
