USN-1055-1: OpenJDK vulnerabilities

1 February 2011

openjdk-6, openjdk-6b18 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.10
  • Ubuntu 10.04 LTS
  • Ubuntu 9.10

Summary

Software Description

  • openjdk-6
  • openjdk-6b18

Details

It was discovered that IcedTea for Java did not properly verify signatures when handling multiply signed or partially signed JAR files, allowing an attacker to cause code to execute that appeared to come from a verified source. (CVE-2011-0025)

USN 1052-1 fixed a vulnerability in OpenJDK for Ubuntu 9.10 and Ubuntu 10.04 LTS on all architectures, and Ubuntu 10.10 for all architectures except for the armel (ARM) architecture. This update provides the corresponding update for Ubuntu 10.10 on the armel (ARM) architecture.

Original advisory details:

It was discovered that the JNLP SecurityManager in IcedTea for Java OpenJDK in some instances failed to properly apply the intended scurity policy in its checkPermission method. This could allow an attacker to execute code with privileges that should have been prevented. (CVE-2010-4351)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10
icedtea6-plugin - 6b20-1.9.5-0ubuntu1
Ubuntu 10.04 LTS
icedtea6-plugin - 6b20-1.9.5-0ubuntu1~10.04.1
Ubuntu 9.10
icedtea6-plugin - 6b20-1.9.5-0ubuntu1~9.10.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes.

References