Please make sun-java6 6.22 security release available for karmic, jaunty and hardy

Bug #665684 reported by Wolfgang Pietsch
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
sun-java6 (Ubuntu) | Fix Released | Undecided | Unassigned |
Nominated for Hardy by Wolfgang Pietsch
Nominated for Jaunty by Wolfgang Pietsch
Nominated for Karmic by Wolfgang Pietsch

Bug Description

On Oct. 18th 2010, releases 6.22-0ubuntu1~10.10 and ...10.04 of the sun-java6 package were released to maverick and lucid, but karmic, jaunty and hardy are still on older versions. As 6.22 fixes a lot of CVE security issues, this should be made available to the other supported Ubuntu releases as well.

As jaunty-updates closes very soon, that may be the last update there??

From the lucid package update description...

Changes:
 sun-java6 (6.22-0ubuntu1~10.04) lucid; urgency=low
 .
   * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
     - (CVE-2010-3556): JDK unspecified vulnerability in 2D component
     - (CVE-2010-3562): JDK IndexColorModel double-free
     - (CVE-2010-3565): JDK JPEG writeImage remote code execution
     - (CVE-2010-3566): JDK ICC Profile remote code execution
     - (CVE-2010-3567): Crash in ICU Opentype layout engine due to mismatch in character counts
     - (CVE-2010-3571): JDK unspecified vulnerability in 2D component
     - (CVE-2010-3554): JDK corba reflection vulnerabilities
     - (CVE-2010-3563): JDK unspecified vulnerability in Deployment component
     - (CVE-2010-3568): JDK Deserialization Race condition
     - (CVE-2010-3569): JDK Serialization inconsistencies
     - (CVE-2010-3558): JDK unspecified vulnerability in Java Web Start component
     - (CVE-2010-3552): JDK unspecified vulnerability in New Java Plugin component
     - (CVE-2010-3559): JDK unspecified vulnerability in Sound component
     - (CVE-2010-3572): JDK unspecified vulnerability in Sound component
     - (CVE-2010-3553): UIDefault.ProxyLazyValue has unsafe reflection usage
     - (CVE-2010-3555): JDK unspecified vulnerability in Deployment component
     - (CVE-2010-3550): JDK unspecified vulnerability in Java Web Start component
     - (CVE-2010-3570): JDK unspecified vulnerability in Deployment Toolkit
     - (CVE-2010-3561): Privileged ServerSocket.accept allows receiving connections from any host
     - (CVE-2009-3555): TLS: MITM attacks via session renegotiation
     - (CVE-2010-1321): krb5: null pointer dereference in GSS-API library leads to DoS
     - (CVE-2010-3549): HttpURLConnection chunked encoding issue (Http request splitting)
     - (CVE-2010-3557): JDK Swing mutable static
     - (CVE-2010-3541): limit setting of some request headers in HttpURLConnection
     - (CVE-2010-3573): limit HTTP request cookie headers in HttpURLConnection
     - (CVE-2010-3574): limit use of TRACE method in HttpURLConnection
     - (CVE-2010-3548): JDK DNS server IP address information leak
     - (CVE-2010-3551): NetworkInterface reveals local network address to untrusted code
     - (CVE-2010-3560): JDK unspecified vulnerability in Networking component

Wolfgang Pietsch (wolfgang-pietsch) wrote :

Uploaded as Security Update for Karmic, Jaunty and Hardy on Oct. 25th 2010. Tx! FIX RELEASED.

Changed in sun-java6 (Ubuntu):
status: New → Fix Released