[ubuntu/lucid] sun-java6 6.19-0ubuntu1 (Accepted)

Matthias Klose doko at canonical.com
Wed Mar 31 01:40:25 BST 2010 

sun-java6 (6.19-0ubuntu1) lucid; urgency=low

  * New upstream version.
  * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
    - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299).
    - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors
      if run with -Xcomp (6894807).
    - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability
      (6899653).
    - (CVE-2010-0082): Loader-constraint table allows arrays instead of
      only the base-classes (6626217).
    - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret
      network addresses (6893954) [ZDI-CAN-603].
    - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390).
    - (CVE-2010-0091): Unsigned applet can retrieve the dragged information
      before drop action occurs (6887703).
    - (CVE-2010-0088): Inflater/Deflater clone issues (6745393).
    - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains
      (6633872).
    - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR
      error (6888149).
    - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should
      enforce stricter checks (6893947) [ZDI-CAN-588].
    - (CVE-2010-0093): System.arraycopy unable to reference elements
      beyond Integer.MAX_VALUE bytes (6892265).
    - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation
      Vulnerability (6904691).
    - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823).
    - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability
      (6914866).
    - (CVE-2009-3555): TLS: MITM attacks via session renegotiation.
    - 6639665: ThreadGroup finalizer allows creation of false root
      ThreadGroups.
    - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly.
      encoded CommonName OIDs.
    - 6910590: Application can modify command array in ProcessBuilder.
    - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability.
    - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
    - 6898739: TLS renegotiation issue.

Date: Tue, 30 Mar 2010 23:07:56 +0000
Changed-By: Matthias Klose <doko at canonical.com>
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Signed-By: Matthias Klose <matthias.klose at canonical.com>
https://launchpad.net/ubuntu/lucid/+source/sun-java6/6.19-0ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 30 Mar 2010 23:07:56 +0000
Source: sun-java6
Binary: sun-java6-jre sun-java6-bin sun-java6-plugin ia32-sun-java6-bin ia32-sun-java6-plugin sun-java6-fonts sun-java6-jdk sun-java6-demo sun-java6-source sun-java6-javadb
Architecture: source
Version: 6.19-0ubuntu1
Distribution: lucid
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Matthias Klose <doko at canonical.com>
Description: 
 ia32-sun-java6-bin - Sun Java(TM) Runtime Environment (JRE) 6 (32-bit)
 ia32-sun-java6-plugin - The Java(TM) Plug-in, Java SE 6 (32-bit)
 sun-java6-bin - Sun Java(TM) Runtime Environment (JRE) 6 (architecture dependent
 sun-java6-demo - Sun Java(TM) Development Kit (JDK) 6 demos and examples
 sun-java6-fonts - Lucida TrueType fonts (from the Sun JRE)
 sun-java6-javadb - Java(TM) DB, Sun Microsystems' distribution of Apache Derby
 sun-java6-jdk - Sun Java(TM) Development Kit (JDK) 6
 sun-java6-jre - Sun Java(TM) Runtime Environment (JRE) 6 (architecture independen
 sun-java6-plugin - The Java(TM) Plug-in, Java SE 6
 sun-java6-source - Sun Java(TM) Development Kit (JDK) 6 source files
Changes: 
 sun-java6 (6.19-0ubuntu1) lucid; urgency=low
 .
   * New upstream version.
   * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
     - (CVE-2010-0837): JAR "unpack200" must verify input parameters (6902299).
     - (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors
       if run with -Xcomp (6894807).
     - (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability
       (6899653).
     - (CVE-2010-0082): Loader-constraint table allows arrays instead of
       only the base-classes (6626217).
     - (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret
       network addresses (6893954) [ZDI-CAN-603].
     - (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390).
     - (CVE-2010-0091): Unsigned applet can retrieve the dragged information
       before drop action occurs (6887703).
     - (CVE-2010-0088): Inflater/Deflater clone issues (6745393).
     - (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains
       (6633872).
     - (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR
       error (6888149).
     - (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should
       enforce stricter checks (6893947) [ZDI-CAN-588].
     - (CVE-2010-0093): System.arraycopy unable to reference elements
       beyond Integer.MAX_VALUE bytes (6892265).
     - (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation
       Vulnerability (6904691).
     - (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823).
     - (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability
       (6914866).
     - (CVE-2009-3555): TLS: MITM attacks via session renegotiation.
     - 6639665: ThreadGroup finalizer allows creation of false root
       ThreadGroups.
     - 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly.
       encoded CommonName OIDs.
     - 6910590: Application can modify command array in ProcessBuilder.
     - 6909597: JPEGImageReader stepX Integer Overflow Vulnerability.
     - 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
     - 6898739: TLS renegotiation issue.
Checksums-Sha1: 
 a22e9a0a20458cd0edc36bf355764be87e024619 1626 sun-java6_6.19-0ubuntu1.dsc
 32559c3b5339d1dff20e1c0c985730858e8353e5 167178948 sun-java6_6.19.orig.tar.gz
 4d112c54f37276720211109ed4d3993692285b9a 84864 sun-java6_6.19-0ubuntu1.diff.gz
Checksums-Sha256: 
 04f968ad5b2f375a31e9a19e8e3cc1ffda4c94997c1667a74363e02885f6bad1 1626 sun-java6_6.19-0ubuntu1.dsc
 35e000e7caee8735ef5111ea9408c2890178935879d2d12b5d8920d377f7b075 167178948 sun-java6_6.19.orig.tar.gz
 cf789eb48184bb0620a7eba495971a86fc65ec37dc61b63a987555233daa6d1f 84864 sun-java6_6.19-0ubuntu1.diff.gz
Files: 
 db156b4e40eb998ec8171415e3dc006c 1626 partner/java optional sun-java6_6.19-0ubuntu1.dsc
 aeabf58432479385e09ca43b952f3290 167178948 partner/java optional sun-java6_6.19.orig.tar.gz
 c499fe00c66ff57e45589ad71d453644 84864 partner/java optional sun-java6_6.19-0ubuntu1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuymVoACgkQStlRaw+TLJzNfQCcDVpV53DWqGD9ZhZPx2v/X2ey
GaQAoJ2EQAlzgvg2xuwsDPdfIu4MI7ax
=5VKw
-----END PGP SIGNATURE-----

More information about the Lucid-changes mailing list