[NaLug] Blackdown-SA-2005-02
acrux
acrux_it at libero.it
Thu 30 Jun 2005 11:29:54 CDT
_______________________________________________________________________________
Blackdown Java-Linux Security Advisory
Advisory number: Blackdown-SA-2005-02
Issue date: 2005, June 14
Synopsis: Java Runtime Environment May Allow Untrusted Applet
to Elevate Privileges
_______________________________________________________________________________
1. Problem
A vulnerability in the Java Runtime Environment may allow an
untrusted applet to elevate its privileges. For example, an applet
may grant itself permissions to read and write local files or
execute local applications that are accessible to the user running
the untrusted applet.
2. Vulnerable Versions
Blackdown J2SE 1.4.2-01 and earlier 1.4 releases. 1.3.1 releases are
not affected.
3. Solution
Upgrade to J2SE v1.4.2-02
4. Location of fixed packages:
Java 2 Runtime Environment v1.4.2-02:
amd64:
ftp://ftp.tux.org/java/JDK-1.4.2/amd64/02/j2re-1.4.2-02-linux-amd64.bin
dc4d79332f7fc5a1a729415584ab0f22
x86:
ftp://ftp.tux.org/java/JDK-1.4.2/i386/02/j2re-1.4.2-02-linux-i586.bin
c209c959ce4ab0188e77d065ec57901a
Java 2 SDK v1.4.2-02
amd64:
ftp://ftp.tux.org/java/JDK-1.4.2/amd64/02/j2sdk-1.4.2-02-linux-amd64.bin
71a00fbf52e39987790c3216a219c281
x86:
ftp://ftp.tux.org/java/JDK-1.4.2/i386/02/j2sdk-1.4.2-02-linux-i586.bin
a65733528562794b7838407084cabd9a
Debian packages are available at ftp://ftp.tux.org/java/debian/
5. References
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
_______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In
particular, it is desired that the cleartext signature shows proof
of the authenticity of the text.
Blackdown Java-Linux makes no warranties of any kind whatsoever
with respect to the information contained in this security
advisory.
--
vesuvio | LinuxMachine 156116
powered by GNU/Linux Crux
# GnuPG/PGP Key_ID: 0x378EECB8
-------------- next part --------------
A non-text attachment was removed....
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Description: not available
URL: /pipermail/nalug_shaney.org/attachments/20050630/23f28c88/attachment.bin