Detections
Analytics
Debian DSA-2311-1 : openjdk-6 - several vulnerabilities
critical Nessus Plugin ID 56307
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java SE platform. The Common Vulnerabilities and Exposures project identifies the following problems :- CVE-2011-0862 Integer overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges.
- CVE-2011-0864 Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine.
- CVE-2011-0865 A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact.
- CVE-2011-0867 Untrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.)
- CVE-2011-0868 A float-to-long conversion could overflow, allowing untrusted code (including applets) to crash the virtual machine.
- CVE-2011-0869 Untrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection.
- CVE-2011-0871 Untrusted code (including applets) could elevate its privileges through the Swing MediaTracker code.
In addition, this update removes support for the Zero/Shark and Cacao Hotspot variants from the i386 and amd64 due to stability issues.
These Hotspot variants are included in the openjdk-6-jre-zero and icedtea-6-jre-cacao packages, and these packages must be removed during this update.
Solution
Upgrade the openjdk-6 packages.For the oldstable distribution (lenny), these problems will be fixed in a separate DSA for technical reasons.
For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.9-0.1~squeeze1.
See Also
https://security-tracker.debian.org/tracker/CVE-2011-0865
https://security-tracker.debian.org/tracker/CVE-2011-0867
https://security-tracker.debian.org/tracker/CVE-2011-0868
https://security-tracker.debian.org/tracker/CVE-2011-0869
https://security-tracker.debian.org/tracker/CVE-2011-0871
https://packages.debian.org/source/squeeze/openjdk-6
https://www.debian.org/security/2011/dsa-2311
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629852
Plugin Details
Severity: Critical
ID: 56307
File Name: debian_DSA-2311.nasl
Version: 1.11
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 9/28/2011
Updated: 1/11/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.0
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:openjdk-6, cpe:/o:debian:debian_linux:6.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 9/27/2011
Reference Information
CVE: CVE-2011-0862, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871
BID: 48137, 48139, 48140, 48142, 48144, 48146, 48147
DSA: 2311