Security Update for Sun Java JRE 6: Update 22

Bug #659937 reported by Tod
This bug affects 6 people
Affects: sun-java6 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

See also #477812 about the general state of affairs about Java in Ubuntu.

Update notes from Oracle:

http://www.oracle.com/technetwork/java/javase/6u22releasenotes-176121.html

PoC from SkyLined (does not affect Ubuntu as is but can be easily fixed):

http://www.exploit-db.com/exploits/15241/

Tags: java
Tod (todb)
visibility: private → public
Mark Foster (fostermarkd) wrote :

This looks pretty urgent/scary/important. Please expedite a fix.
Thanks.

Mark Foster (fostermarkd) wrote :

(Adding advisory information from @RISK: The Consensus Security Vulnerability Alert Vol. 9 No. 42)
(2) HIGH: Oracle Java Multiple Vulnerabilities
Affected:
JDK and JRE 6 Update 21 and earlier for Windows, Solaris, and Linux Java SE
JDK 5.0 Update 25 and earlier for Solaris Java SE
SDK 1.4.2_27 and earlier for Solaris Java SE
JDK and JRE 6 Update 21 and earlier for Windows, Solaris and Linux Java for Business
JDK and JRE 5.0 Update 25 and earlier for Windows, Solaris and Linux Java for Business
SDK and JRE 1.4.2_27 and earlier for Windows, Solaris and Linux Java for Business

Description: Oracle has recently released a critical update addressing
multiple security vulnerabilities. According to Oracle, the patch
addresses 29 vulnerabilities, 28 of which could lead to code execution.
Some of these vulnerabilities exist because of flaws in the low-level
implementation of the Java Runtime Environment (JRE). Although Java is
intended to be type safe, low-level code sometimes writes user-defined
strings to C buffers, giving an attacker the opportunity to overwrite
return addresses and execute code. Vulnerabilities like these allow Java
applets, which start without user interaction when a target navigates
to a malicious site, to execute with the permissions of the Java process
running them. Normally applets run with restricted privileges.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.oracle.com
Oracle Update Advisory - October 2010
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
SecurityFocus Bugtraq IDs
http://www.securityfocus.com/bid/36935
http://www.securityfocus.com/bid/40235
http://www.securityfocus.com/bid/43965
http://www.securityfocus.com/bid/43971
http://www.securityfocus.com/bid/43979
http://www.securityfocus.com/bid/43985
http://www.securityfocus.com/bid/43988
http://www.securityfocus.com/bid/43992
http://www.securityfocus.com/bid/43994
http://www.securityfocus.com/bid/43999
http://www.securityfocus.com/bid/44009
http://www.securityfocus.com/bid/44011
http://www.securityfocus.com/bid/44012
http://www.securityfocus.com/bid/44013
http://www.securityfocus.com/bid/44014
http://www.securityfocus.com/bid/44016
http://www.securityfocus.com/bid/44017
http://www.securityfocus.com/bid/44020
http://www.securityfocus.com/bid/44021
http://www.securityfocus.com/bid/44023
http://www.securityfocus.com/bid/44024
http://www.securityfocus.com/bid/44026
http://www.securityfocus.com/bid/44027
http://www.securityfocus.com/bid/44028
http://www.securityfocus.com/bid/44030
http://www.securityfocus.com/bid/44032
http://www.securityfocus.com/bid/44035
http://www.securityfocus.com/bid/44038
http://www.securityfocus.com/bid/44040
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-10-202/
http://www.zerodayinitiative.com/advisories/ZDI-10-203/
http://www.zerodayinitiative.com/advisories/ZDI-10-204/
http://www.zerodayinitiative.com/advisories/ZDI-10-205/
http://www.zerodayinitiative.com/advisories/ZDI-10-206/
http://www.zerodayinitiative.com/advisories/ZDI-10-207/
...


Jamie Strandboge (jdstrand) wrote :

To canonical-partner-dev: can you subscribe your team to this package? Thanks!

Todd Vierling (duh) wrote :

For the moment, I have made 6.22 versions under the DLJ license for Lucid-Maverick-Natty, plus UNTESTED backports to Hardy-Karmic, in the following PPA:

https://launchpad.net/~duh/+archive/sun-java6

The packaging is based on the DLJ-based packaging in 6.21-1ubuntu1 as published in Maverick, plus a fix for the alternatives priority for ia32-java-6-sun documented in LP: #643658.

I'm using this updated version extensively on my Lucid-based systems without incident. The version numbering used is "6.22-0~duhN" so any updated official versions will properly supersede these.

Sylvestre Ledru (sylvestre) wrote :

For information, I uploaded this new upstream release into Debian.

Pjotr12345 (computertip) wrote :

For people who need a temporary workaround: I've written a how-to for manual installation of 6u22: http://sites.google.com/site/easylinuxtipsproject/java

Easy to undo when the package becomes available in the repos.

Pjotr12345 (computertip)
Changed in sun-java6 (Ubuntu):
status: New → Confirmed
blackest_knight (blackest-knight) wrote :

The official update is now available but thanks for the ppa version.

Tod (todb) wrote :

Confirmed that Update 22 is now in the usual repos.

$ java -version
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)

This bug can be closed.

In the future, Java maintainers, please move a little quicker? Java security bugs are a big deal.

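The @RISK description above explains why JRE 6 Update 22 matters, and Tod's `java -version` output confirms 1.6.0_22 on his system. As an added example (not from the bug report or the sun-java6 package), this POSIX sh check parses that banner line and reports whether an installed JRE 6 is at Update 22 or later; the sample banners it runs on are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or the sun-java6 package: parse the
# first line of `java -version` (e.g. java version "1.6.0_22") and report
# whether a JRE 6 install is at Update 22 or later, the release that carries
# the October 2010 fixes discussed in this thread.

# Print the bare version token from a `java -version` banner line, e.g.
# 'java version "1.6.0_22"' -> 1.6.0_22. Prints nothing if no version is found.
jre_version_string() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*_*[0-9]*\)".*/\1/p'
}

# Exit status 0 if the banner is JRE 6 Update 22 or newer, 1 if it is an older
# or non-6 release (1.5 and 1.4.2 need their own fixed updates per the advisory),
# 2 if no version could be parsed.
jre6_is_patched() {
    v=$(jre_version_string "$1")
    [ -n "$v" ] || return 2
    base=${v%%_*}                      # e.g. 1.6.0
    update=${v#*_}                     # e.g. 22
    [ "$update" = "$v" ] && update=0   # no _NN suffix means update 0
    case "$base" in
        1.6.0) [ "$update" -ge 22 ] ;;
        *)     return 1 ;;
    esac
}

# Constructed sample banners (the first matches Tod's output in this thread).
for banner in 'java version "1.6.0_22"' \
              'java version "1.6.0_21"' \
              'java version "1.5.0_25"'; do
    if jre6_is_patched "$banner"; then
        echo "PATCHED   $banner"
    else
        echo "UNPATCHED $banner"
    fi
done
# On a live system: jre6_is_patched "$(java -version 2>&1 | head -n 1)"
```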
Pjotr12345 (computertip)
Changed in sun-java6 (Ubuntu):
status: Confirmed → Fix Released