Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security vulnerabilities, fixed in Update 29

Bug #881746 reported by Gary Timuss on 2011-10-26
This bug affects 18 people
Affects               Status        Importance  Assigned to  Milestone
Sun Java              Fix Released  Undecided   Unassigned
sun-java6 (CentOS)    Invalid       Medium
sun-java6 (Debian)    Fix Released  Unknown
sun-java6 (Ubuntu)    Won't Fix     Undecided   Unassigned

Bug Description

Release notes from Oracle: http://www.oracle.com/technetwork/java/javase/6u29-relnotes-507960.html

Incorporating Security fixes with impact described in http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

"This Critical Patch Update contains 20 new security fixes for Oracle Java SE. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

Update 29 fixes the following CVEs, all of which affect the current lucid partner package (1.6 Update 26):
CVE-2011-3548
CVE-2011-3521
CVE-2011-3554
CVE-2011-3544
CVE-2011-3545
CVE-2011-3549
CVE-2011-3551
CVE-2011-3550
CVE-2011-3516
CVE-2011-3556
CVE-2011-3557
CVE-2011-3560
CVE-2011-3555
CVE-2011-3546
CVE-2011-3558
CVE-2011-3547
CVE-2011-3389
CVE-2011-3553
CVE-2011-3552
CVE-2011-3561
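As an added example (not part of the bug report or of any Ubuntu or Oracle tooling), here is a small Python check that decides whether a Java 6 runtime sits below the 6u29 level that carries these fixes. It accepts either the banner printed by `java -version` (the JVM writes it to stderr) or a sun-java6 package version string such as the `6.26-1natty1` and `6.26-2` mentioned later in this thread; the sample banners are constructed, and the function names are mine. Note that a Debian revision bump like `-2` leaves the upstream update level untouched, which is exactly why `6.26-2` is still 6u26.

```python
import re
from typing import Optional, Tuple

# First upstream update level of the Java 6 line that ships the fixes listed
# above (from the bug title: "fixed in Update 29").
FIXED_UPDATE = 29

# Banner line of `java -version`, e.g. java version "1.6.0_26"; the "_NN"
# update suffix is optional because a GA release may print none.
JAVA_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# sun-java6 package version, e.g. "6.26-1natty1": <family>.<update>-<debian revision>
DEB_VERSION_RE = re.compile(r'^(\d+)\.(\d+)(?:-(\S+))?$')

# Constructed sample banners (not captured from a real system).
SAMPLE_OLD = 'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)\n'
SAMPLE_NEW = 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)\n'


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from a `java -version` banner, or None."""
    m = JAVA_VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return int(major), int(minor), int(patch), int(update or 0)


def parse_deb_version(pkgver: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a sun-java6 package version, ignoring the
    Debian revision: '6.26-2' and '6.26-1natty1' are both upstream 6u26."""
    m = DEB_VERSION_RE.match(pkgver.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(family: int, update: int) -> bool:
    """True when a Java 6 runtime is older than 6u29. Only the Java 6 line is
    judged here; other families return False rather than a guess."""
    return family == 6 and update < FIXED_UPDATE


def runtime_needs_update(banner: str) -> Optional[bool]:
    """Decide from a `java -version` banner; None if the banner is unparseable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, minor, _patch, update = parsed
    # Pre-Java 9 version strings are "1.<family>.0_<update>".
    family = minor if major == 1 else major
    return is_affected(family, update)


if __name__ == "__main__":
    for label, banner in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, "needs update:", runtime_needs_update(banner))
    for pkgver in ("6.26-1natty1", "6.26-2", "6.29-1"):
        print(pkgver, "affected:", is_affected(*parse_deb_version(pkgver)))
```

On a real host the banner would come from `subprocess.run(["java", "-version"], capture_output=True, text=True).stderr`; the package version from `dpkg-query -W -f='${Version}' sun-java6-jre`.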

Update 29 of Oracle/Sun Java fixes an unspecified vulnerability in the Java Runtime Environment (CVE-2011-3555). Upstream has CVSSv2 scored this issue as: 4.0/AV:N/AC:H/Au:N/C:N/I:P/A:P

This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2011:1384 https://rhn.redhat.com/errata/RHSA-2011-1384.html
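As an added worked example (not part of the bug report), the CVSS v2 base score quoted above, 4.0/AV:N/AC:H/Au:N/C:N/I:P/A:P, can be recomputed from the vector with the CVSS v2 base equation and its published metric weights. The calculator below does that and also checks a "score/vector" string of the form used in this report against the score it states; the function names are mine.

```python
# CVSS v2 base-score calculator (added example). Weights and formula are those
# of the CVSS v2 specification, not anything taken from the bug report.

AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # AccessVector: Local / Adjacent / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # AccessComplexity: High / Medium / Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality/Integrity/Availability impact

BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")

# The vector exactly as it appears in the bug description above.
PAGE_VECTOR = "4.0/AV:N/AC:H/Au:N/C:N/I:P/A:P"


def parse_vector(vector: str) -> dict:
    """Return the six base metrics of a CVSS v2 vector as {metric: value}.

    Accepts 'AV:N/AC:H/...', the parenthesised '(AV:N/...)' form, and the
    'score/AV:N/...' form; anything without a colon (such as the leading
    score) is skipped, and a missing base metric raises ValueError.
    """
    metrics = {}
    for part in vector.strip("() \n").split("/"):
        if ":" in part:
            key, value = part.split(":", 1)
            metrics[key] = value
    for key in BASE_METRICS:
        if key not in metrics:
            raise ValueError(f"missing CVSS v2 base metric {key!r} in {vector!r}")
    return metrics


def subscores(vector: str):
    """Return (impact, exploitability) subscores, unrounded."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    return impact, exploitability


def base_score(vector: str) -> float:
    """CVSS v2 base score rounded to one decimal; 0.0 when there is no impact."""
    impact, exploitability = subscores(vector)
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def verify_scored_vector(scored: str):
    """For a 'score/vector' string, recompute the score and compare to the one stated.

    Returns (stated, computed, matches)."""
    stated, _, vector = scored.partition("/")
    computed = base_score(vector)
    return float(stated), computed, abs(float(stated) - computed) < 0.05


if __name__ == "__main__":
    impact, expl = subscores(PAGE_VECTOR)
    print(f"impact={impact:.3f} exploitability={expl:.3f}")
    print("stated/computed/match:", verify_scored_vector(PAGE_VECTOR))
```

For this vector the impact subscore is about 4.94 (integrity and availability partially affected, confidentiality untouched) and the exploitability subscore about 4.93 (network-reachable, no authentication, but high access complexity), which the base equation combines to 4.0, matching the score upstream published.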

Marc Deslauriers (mdeslaur) wrote :

Since Oracle has discontinued the Developer license of Java, we are no longer permitted to distribute newer versions. We will probably be removing sun-java6 from the partner archive.

http://jdk-distros.java.net/

visibility: private → public
Changed in sun-java6 (Debian):
status: Unknown → Fix Released
summary: - Security Update for Sun Java JRE 6: Update 29
+ Oracle (Sun) Java JRE/JDK 6: Update 26 has critical security
+ vulnerabilities, fixed in Update 29
Changed in sun-java:
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sun-java6 (Ubuntu):
status: New → Confirmed
Pjotr12345 (computertip) wrote :

"Fix released" is inaccurate, imho. A fix can only be one of these two things:

1. A release of 6u29 in a new way that is still allowed by the license, e.g. an installation script that pulls 6u29 directly from the Oracle website (like is being done with Adobe Flash Player);

2. An immediate and complete removal of sun-java6 from the Partner repo, *plus* a warning to all current users to remove 6u26 instantly from their systems (popup dialog from Update Manager?).

Just activated the Partner repos in Natty and I still get Sun Java 6.26-1natty1 listed within Synaptic.

So, if I'm not completely wrong, it is still unstable, even though I do know that Canonical only guarantees security updates for packages that lie within "main". It should not be possible to install known harmful software.

A nice graphic regarding the threat has been issued by ZDNet on Oct. 20th, 2011:

http://www.zdnet.com/blog/security/java-update-plugs-20-critical-security-holes/9670

Debian has removed the packages from 'stable' as an immediate action.

Please help make Ubuntu better.

Ubuntu status is still confirmed. Any news on this security issue yet? Why does Sun Java not get removed from the partner repositories?

To me it would be sad to see Ubuntu 10.04 - 11.04 appear in Secunia's statistics for taking no action.

Oracle Java SE Multiple Vulnerabilities:
http://secunia.com/advisories/46512/ status: highly critical, last updated 27.10.2011

Impact:

Hijacking
Spoofing
Manipulation of data
Exposure of sensitive information
DoS
System access

Marc Deslauriers (mdeslaur) wrote :

We are trying to get permission to distribute a newer version. Once we get an official answer, we'll either update it, or remove it from the archive. Thank you for your patience.

Time has been passing by...

How does Oracle handle this?

http://www.oracle.com/technetwork/java/archive-139210.html

Quote start:
WARNING: These older versions of the JRE and JDK are provided to help developers debug issues in older systems. They are not updated with the latest security patches and are not recommended for use in production.

Quote end.

It could be easy to add this within the package management tools. It's just not fair to Ubuntu users to allow them to install packages with known security issues without the corresponding information.

QM should give a way to deal with this. FYI: can you guess how many installations are made per day that expose private computers to this threat? 30/300/3000? Each day.

Probably it's less work to change the few wiki pages (US, UK, South America, Asia, ...) that still recommend installing Java-sun-6-JRE, and revert them back later on, than to put these files in a dead branch.

Some volunteers could do this in a few hours. A PARTNER is a Partner, with friends it's different.

Even though I might be a nuisance.

Software known for containing highly critical issues should be treated likewise as malicious.

 A PARTNER is a Partner, with friends it's different.

To explain this: Friends hopefully sort out problems. Partners kick ass sometimes, for their own good.

I do not wish to lose faith in Ubuntu itself. Reason enough for me to complain here.

Withdrawing from Launchpad.

Status: fix released?

Thanks for implementation!

Excuses: should read -> Thanks for implementation // Merci bien!

Looks like we have the first person here complaining and asking for help: the (sun-)java browser plugin stopped working after the update in Lucid (Java 6.26-2), at around 20111218-00:48.

Pjotr12345 (computertip) wrote :

The security issues have most definitely *not* been fixed!

6.26-2 is a minor fix, and only repairs a bug in the alternatives system for amd64. It's still 6u26, and it's still insecure. It escapes me, why they took the trouble to release this minor fix, which does nothing about the security issues....

Anyway, a rescue attempt is under way. A programmer in the Dutch Ubuntu community has been working on a script that pulls the most recent Oracle Java (6u30, since this week) from the Oracle website, and installs it. Like the script for Adobe Flash Player. This is still allowed by the Oracle license.

I expect that this programmer will release his script soon; I've tested the prototype, and it works well. His intention is to present it to both Ubuntu and Linux Mint (and maybe also to other distros).

Marc Deslauriers (mdeslaur) wrote :

The 6.26-2 release disables the browser plugin as a first step before removing the packages completely from the archive. See:

https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-December/001528.html

and

https://wiki.ubuntu.com/LucidLynx/ReleaseNotes/Java6Transition

Pjotr12345 (computertip) wrote :

@Marc Deslauriers: apparently I misunderstood the meaning of the 6.26-2 update.... My compliments for your actions. :-)

As to the script that I mentioned in my previous post: when it becomes available, will you want to consider putting it in some repo? For example in Universe? Many people will still want Oracle Java.

Marc Deslauriers (mdeslaur) wrote :

We can at the very least link to the script from one of the java wiki pages. Let me know when it's ready.

Frank de Bruijn (grizzler) wrote :

As far as I'm concerned it's ready.

http://www.duinsoft.nl/packages.php

Pjotr12345 (computertip) wrote :

Great! Thank you, Frank de Bruijn! You've provided a fine example of the power of the community. :-)

This was incorrectly listed in RHSA-2011:1384. According to the Oracle advisory, this only affected JDK and JRE 7.

Pjotr12345 (computertip) wrote :

The English web page for Frank de Bruijn's script is this:
http://www.duinsoft.nl/packages.php?t=en

@Marc Deslauriers: how about adding it to Universe?

J Queiroz (zekkerj) wrote :

Shouldn't Universe be for packages supported by Canonical? I believe that Multiverse would be a better choice.

Changed in sun-java:
importance: Unknown → Undecided
status: Fix Released → New
status: New → Fix Released
Steve Beattie (sbeattie) wrote :

Lucid has reached end of support and sun-java-6 has been pulled from the partner archive. Marking the sun-java-6 task as Won't Fix.

Changed in sun-java6 (Ubuntu):
status: Confirmed → Won't Fix
Changed in sun-java6 (CentOS):
importance: Unknown → Medium
status: Unknown → Invalid