USN-859-1: OpenJDK vulnerabilities

Releases

• Ubuntu 9.10
• Ubuntu 9.04
• Ubuntu 8.10

Packages

• openjdk-6 -

Details

Dan Kaminsky discovered that SSL certificates signed with MD2 could be
spoofed given enough time. As a result, an attacker could potentially
create a malicious trusted certificate to impersonate another site. This
update handles this issue by completely disabling MD2 for certificate
validation in OpenJDK. (CVE-2009-2409)

It was discovered that ICC profiles could be identified with
".." pathnames. If a user were tricked into running a specially
crafted applet, a remote attacker could gain information about a local
system. (CVE-2009-3728)

Peter Vreugdenhil discovered multiple flaws in the processing of graphics
in the AWT library. If a user were tricked into running a specially
crafted applet, a remote attacker could crash the application or run
arbitrary code with user privileges. (CVE-2009-3869, CVE-2009-3871)

Multiple flaws were discovered in JPEG and BMP image handling. If a user
were tricked into loading a specially crafted image, a remote attacker
could crash the application or run arbitrary code with user privileges.
(CVE-2009-3873, CVE-2009-3874, CVE-2009-3885)

Coda Hale discovered that HMAC-based signatures were not correctly
validated. Remote attackers could bypass certain forms of authentication,
granting unexpected access. (CVE-2009-3875)

Multiple flaws were discovered in ASN.1 parsing. A remote attacker
could send a specially crafted HTTP stream that would exhaust system
memory and lead to a denial of service. (CVE-2009-3876, CVE-2009-3877)

It was discovered that the graphics configuration subsystem did
not correctly handle arrays. If a user were tricked into running
a specially crafted applet, a remote attacker could exploit this
to crash the application or execute arbitrary code with user
privileges. (CVE-2009-3879)

It was discovered that loggers and Swing did not correctly handle
certain sensitive objects. If a user were tricked into running a
specially crafted applet, private information could be leaked to a remote
attacker, leading to a loss of privacy. (CVE-2009-3880, CVE-2009-3882,
CVE-2009-3883)

It was discovered that the ClassLoader did not correctly handle certain
options. If a user were tricked into running a specially crafted
applet, a remote attacker could execute arbitrary code with user
privileges. (CVE-2009-3881)

It was discovered that time zone file loading could be used to determine
the existence of files on the local system. If a user were tricked into
running a specially crafted applet, private information could be leaked
to a remote attacker, leading to a loss of privacy. (CVE-2009-3884)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• icedtea6-plugin - 6b16-1.6.1-3ubuntu1
• openjdk-6-jre - 6b16-1.6.1-3ubuntu1

Ubuntu 9.04

• icedtea6-plugin - 6b14-1.4.1-0ubuntu12
• openjdk-6-jre - 6b14-1.4.1-0ubuntu12

Ubuntu 8.10

• icedtea6-plugin - 6b12-0ubuntu6.6
• openjdk-6-jre - 6b12-0ubuntu6.6

After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.

References

• CVE-2009-3728
• CVE-2009-3883
• CVE-2009-3884
• CVE-2009-3877
• CVE-2009-3880
• CVE-2009-3881
• CVE-2009-3879
• CVE-2009-3874
• CVE-2009-3871
• CVE-2009-3873
• CVE-2009-3876
• CVE-2009-3882
• CVE-2009-3885
• CVE-2009-3875
• CVE-2009-3869
• CVE-2009-2409

Related notices

• USN-830-1: openssl, libssl0.9.8
• USN-810-1: nss, libnss3-1d
• USN-809-1: libgnutls13, gnutls26, libgnutls12, libgnutls26, gnutls12, gnutls13