ID

VAR-201102-0280

CVE

CVE-2010-4476

TITLE

IBM DB2 vulnerable to denial-of-service (DoS)

DESCRIPTION

The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. plural Oracle Product Java Runtime Environment Components include Java language and APIs There are vulnerabilities that affect availability due to flaws in the handling of.Service disruption by a third party (DoS) An attack may be carried out. IBM Tivoli contains a denial-of-service (DoS) vulnerability. IBM Tivoli contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE). A wide range of products are affected. For more information, refer to the vendor's website.A remote attacker may cause a denial-of-service (DoS). Customers should open a support case to request the following hotfixes. NNMi Version / Operating System Required Patch Hotfix 9.1x HP-UX Patch 4 Hotfix-NNMi-9.1xP4-HP-UX-JDK-20120710.zip 9.1x Linux Patch 4 Hotfix-NNMi-9.1xP4-Linux-JDK-20120523.zip 9.1x Solaris Patch 4 Hotfix-NNMi-9.1xP4-Solaris-JDK-20120523.zip 9.1x Windows Patch 4 Hotfix-NNMi-9.1xP4-Windows-JDK-20120523.zip Note: The hotfix must be installed after the required patch. The hotfix must be reinstalled if the required patch is reinstalled. MANUAL ACTIONS: Yes - Update Install the applicable patch and hotfix. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Summary: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Network Satellite 5.4.1 for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Network Satellite Server 5.4 (RHEL v.5) - i386, s390x, x86_64 3. Description: This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Network Satellite 5.4.1. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3553, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3560, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476) Users of Red Hat Network Satellite 5.4.1 are advised to upgrade to these updated java-1.6.0-ibm packages, which contain the IBM 1.6.0 SR9-FP1 Java release. For this update to take effect, Red Hat Network Satellite must be restarted. Refer to the Solution section for details. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 Run the following command to restart the Red Hat Network Satellite server: # rhn-satellite restart 5. Bugs fixed (http://bugzilla.redhat.com/): 533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation 582466 - CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005) 639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775) 639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710) 639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813) 639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564) 639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023) 639922 - CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489) 639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692) 642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002) 642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017) 642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603) 642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004) 642215 - CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426) 642558 - CVE-2010-3555 JDK unspecified vulnerability in Deployment component 642559 - CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component 642573 - CVE-2010-3560 JDK unspecified vulnerability in Networking component 642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component 642585 - CVE-2010-3571 JDK unspecified vulnerability in 2D component 642589 - CVE-2010-3563 JDK unspecified vulnerability in Deployment component 642593 - CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component 642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component 674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service 675984 - CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662) 676019 - CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453) 676023 - CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922) 677957 - CVE-2010-4475 JDK unspecified vulnerability in Deployment component 677958 - CVE-2010-4473 JDK unspecified vulnerability in Sound component 677959 - CVE-2010-4468 JDK unspecified vulnerability in JDBC component 677960 - CVE-2010-4467 JDK unspecified vulnerability in Deployment component 677961 - CVE-2010-4466 JDK unspecified vulnerability in Deployment component 677963 - CVE-2010-4463 JDK unspecified vulnerability in Deployment component 677966 - CVE-2010-4462 JDK unspecified vulnerability in Sound component 677967 - CVE-2010-4454 JDK unspecified vulnerability in Sound component 677968 - CVE-2010-4452 JDK unspecified vulnerability in Deployment component 677970 - CVE-2010-4447 JDK unspecified vulnerability in Deployment component 677971 - CVE-2010-4422 JDK unspecified vulnerability in Deployment component 6. Package List: Red Hat Network Satellite Server 5.4 (RHEL v.5): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHNSAT/SRPMS/java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.src.rpm i386: java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.i386.rpm s390x: java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.s390x.rpm java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2009-3555.html https://www.redhat.com/security/data/cve/CVE-2010-1321.html https://www.redhat.com/security/data/cve/CVE-2010-3541.html https://www.redhat.com/security/data/cve/CVE-2010-3548.html https://www.redhat.com/security/data/cve/CVE-2010-3549.html https://www.redhat.com/security/data/cve/CVE-2010-3550.html https://www.redhat.com/security/data/cve/CVE-2010-3551.html https://www.redhat.com/security/data/cve/CVE-2010-3553.html https://www.redhat.com/security/data/cve/CVE-2010-3555.html https://www.redhat.com/security/data/cve/CVE-2010-3556.html https://www.redhat.com/security/data/cve/CVE-2010-3557.html https://www.redhat.com/security/data/cve/CVE-2010-3558.html https://www.redhat.com/security/data/cve/CVE-2010-3560.html https://www.redhat.com/security/data/cve/CVE-2010-3562.html https://www.redhat.com/security/data/cve/CVE-2010-3563.html https://www.redhat.com/security/data/cve/CVE-2010-3565.html https://www.redhat.com/security/data/cve/CVE-2010-3566.html https://www.redhat.com/security/data/cve/CVE-2010-3568.html https://www.redhat.com/security/data/cve/CVE-2010-3569.html https://www.redhat.com/security/data/cve/CVE-2010-3571.html https://www.redhat.com/security/data/cve/CVE-2010-3572.html https://www.redhat.com/security/data/cve/CVE-2010-3573.html https://www.redhat.com/security/data/cve/CVE-2010-3574.html https://www.redhat.com/security/data/cve/CVE-2010-4422.html https://www.redhat.com/security/data/cve/CVE-2010-4447.html https://www.redhat.com/security/data/cve/CVE-2010-4448.html https://www.redhat.com/security/data/cve/CVE-2010-4452.html https://www.redhat.com/security/data/cve/CVE-2010-4454.html https://www.redhat.com/security/data/cve/CVE-2010-4462.html https://www.redhat.com/security/data/cve/CVE-2010-4463.html https://www.redhat.com/security/data/cve/CVE-2010-4465.html https://www.redhat.com/security/data/cve/CVE-2010-4466.html https://www.redhat.com/security/data/cve/CVE-2010-4467.html https://www.redhat.com/security/data/cve/CVE-2010-4468.html https://www.redhat.com/security/data/cve/CVE-2010-4471.html https://www.redhat.com/security/data/cve/CVE-2010-4473.html https://www.redhat.com/security/data/cve/CVE-2010-4475.html https://www.redhat.com/security/data/cve/CVE-2010-4476.html https://access.redhat.com/security/updates/classification/#low http://www.ibm.com/developerworks/java/jdk/alerts/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite. The updates are available for download from http://software.hp.com Note: HP-UX Web Server Suite v3.20 contains HP-UX Tomcat-based Servlet Engine v5.5.34.01 Web Server Suite Version Apache Depot name HP-UX Web Server Suite v.3.20 HP-UX B.11.23 HPUXWS22ATW-B320-64.depot HP-UX B.11.23 HPUXWS22ATW-B320-32.depot HP-UX B.11.31 HPUXWS22ATW-B320-64.depot HP-UX B.11.31 HPUXWS22ATW-B320-32.depot MANUAL ACTIONS: Yes - Update Install HP-UX Web Server Suite v3.20 or subsequent. =========================================================== Ubuntu Security Notice USN-1079-1 March 01, 2011 openjdk-6 vulnerabilities CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476, CVE-2011-0706 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 9.10: icedtea6-plugin 6b20-1.9.7-0ubuntu1~9.10.1 openjdk-6-jre 6b20-1.9.7-0ubuntu1~9.10.1 openjdk-6-jre-headless 6b20-1.9.7-0ubuntu1~9.10.1 openjdk-6-jre-lib 6b20-1.9.7-0ubuntu1~9.10.1 Ubuntu 10.04 LTS: icedtea6-plugin 6b20-1.9.7-0ubuntu1~10.04.1 openjdk-6-jre 6b20-1.9.7-0ubuntu1~10.04.1 openjdk-6-jre-headless 6b20-1.9.7-0ubuntu1~10.04.1 openjdk-6-jre-lib 6b20-1.9.7-0ubuntu1~10.04.1 Ubuntu 10.10: icedtea6-plugin 6b20-1.9.7-0ubuntu1 openjdk-6-jre 6b20-1.9.7-0ubuntu1 openjdk-6-jre-headless 6b20-1.9.7-0ubuntu1 openjdk-6-jre-lib 6b20-1.9.7-0ubuntu1 After a standard system update you need to restart any Java services, applications or applets to make all the necessary changes. Details follow: It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448) It was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. (CVE-2010-4450) It was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465) It was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469) It was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470) It was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471) It was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472) Konstantin Prei\xdfer and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476) It was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706) Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~9.10.1.diff.gz Size/MD5: 132023 8f8f9a8e3c033dbb852547dcfaa9213b http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~9.10.1.dsc Size/MD5: 3018 9a6f0f82ce6e6963199fa5f1e0da963a http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7.orig.tar.gz Size/MD5: 73265927 c7367808152f71091603546acca43633 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.7-0ubuntu1~9.10.1_all.deb Size/MD5: 19980542 c56f9b378efdad1e9f0e6612eedb14f7 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.7-0ubuntu1~9.10.1_all.deb Size/MD5: 6168608 3193825377cfc1b486c2ab8ad1995d5a http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.7-0ubuntu1~9.10.1_all.deb Size/MD5: 26867734 4764b5997e7f34e22a0cde19ea31e230 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 433362 194f199c99819e8230676d9f5d370520 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 83644 1850fd6280ba241df9afde6ebe99912f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 119625978 0d16cfb58e678ba32291d17c6d549d9c http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 2364474 d4eaa941ec07ca4514c52c76d05fa25d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 10865094 d7640162bc43f00bbe3f12dc2e49bac7 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 25652090 e8558953483cec1a6ae3dadf60cfb368 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 270614 2fcec193a6f2f8ad0a22463af666be35 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~9.10.1_amd64.deb Size/MD5: 5595434 2c2e3038fe36644ccdb150442f166976 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 418330 b3381b114b8f3d75dcf889b047695a9f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 79216 1fe94a88a1519ed36fc6b02e383e8730 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 173001600 360b4b602a9d47c8849d8ed34f6fbb36 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 2351062 f12b8f456b08e941c8fc72cf175cc6c2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 10860096 f8a4b1b7b634bf676c49d8c10e98e90d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 27503578 b2268b855dd46ab7d09d687018dc1bab http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 255760 eaa165fe5896e278c1556e06b359ba5a http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~9.10.1_i386.deb Size/MD5: 5090354 3200d4375dc339d7bea9bf6891371e8a lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 422460 c1860838f90962bd062bc94e15a54882 http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 81886 fe55f899cbd5229d2a0bc700c5adcbaf http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 173186376 5f012c5e1da278fd45768c0f3d03fdbd http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 2348232 c299fb1a25242f12d5ac6d64bbee37b9 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 10856042 01d04643edafefa871c3097c20620004 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 27546882 cac5bed09db3d8ab61d037bb4f072c9d http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 251964 f6cf95b2324ccdc94c32ca6f028a05c2 http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~9.10.1_lpia.deb Size/MD5: 5080344 e539a9d0ccaed2e5ab986439d5b936d1 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 79628 2d9343fbbfb3354635ff44ad959f675a http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 119246950 959d148ae623498f4771b5a5c047c144 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 2364678 efa3630d68a7dd14a310661f306287ad http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 10861170 3fd7739be63e6a7db17bfa1feb699743 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 27390710 0f1a7e8cd028570183bc794d3829657a http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~9.10.1_sparc.deb Size/MD5: 256834 9e9918705b010beb561d4c3d954ab1c9 Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~10.04.1.diff.gz Size/MD5: 131924 fb001ec87e0d1eede115ebea43284a18 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1~10.04.1.dsc Size/MD5: 3077 83502b062785deb8f22fc8e4041b47f9 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7.orig.tar.gz Size/MD5: 73265927 c7367808152f71091603546acca43633 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.7-0ubuntu1~10.04.1_all.deb Size/MD5: 19980692 4c61d9b4f4083542287ae07afac74ca1 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.7-0ubuntu1~10.04.1_all.deb Size/MD5: 6155846 8dc7a0e065b6fd89eef7a709187ce2de http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.7-0ubuntu1~10.04.1_all.deb Size/MD5: 26867826 304a038eeeae71442b4e501b3e283714 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 434572 e1fc47200cf11b3c81a8e6639c80e382 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 84120 3bcde6d60e334229526d60db1b498938 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 119346732 c7629c22f432fb7fc10231d6897a946d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 2385162 d4353bd1f6c45d0651e603866121664d http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 11089866 0184ade5d87685c2a7307c575a540e9f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 25658636 9c13db46dcb373942672f3967d5548a2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 270708 f6d713158d9932df48164c891d3eb145 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~10.04.1_amd64.deb Size/MD5: 2267148 a44010b2453cce581860e870f32dd087 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 415624 d15cc6c0c52d503c38f98faff1bc30e2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 79614 077be5976430a61454f8523a0c95e9b9 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 172710800 fd4c441fe3d9f0c774cca6a67a895bff http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 2351412 b085460c2ba7349a7958272976655f05 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 10866004 fdd33f76031612cd89241c10985e7f57 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 27524020 34ba802f981629a53afb5873be695257 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 255930 e0399bdfc68f3d5f62a584bb95b48a8d http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~10.04.1_i386.deb Size/MD5: 1950358 a284c70b9f14e1b5c867fd1202d08f4c powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 445820 d6a7b3a6c5f189778835cf34628b7ddd http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 83644 c0257ca2ef07736055eb16433168af41 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 103439294 f09b1899938c0182f7ce902edfaaf317 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 2365544 274fe490551a9b1f401f8fa5553520c8 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 8800212 198652d4cdfdf0c556d2bbb8bef737d8 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 23984718 cdc5f5218f5a52e43e851669c83bc78a http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 275112 d6d1d43bdc1ffc183ff445ab13520d99 http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1~10.04.1_powerpc.deb Size/MD5: 2081124 8331f8dd7984affdf80b6f9d23730092 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 77768 5c106bae12bb4179d85fff87223c99e1 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 119229200 36817084227488a4e1a492f7e31401fc http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 2365852 820fbb1e9582d1d873d91628212b9318 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 10890122 44edcc5ec2865e1ccf83fa6078f2ba41 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 27312064 b14155e1c81c72e8cc417b048e0bd248 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1~10.04.1_sparc.deb Size/MD5: 257342 b32c4d79c2c40d7e4fbb64eaf2526855 Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1.diff.gz Size/MD5: 134634 7aedf5fbd40f1f2130973bfefe27967f http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7-0ubuntu1.dsc Size/MD5: 3004 51ee24f36d60d02346ee005c0aee2088 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b20-1.9.7.orig.tar.gz Size/MD5: 73265927 c7367808152f71091603546acca43633 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b20-1.9.7-0ubuntu1_all.deb Size/MD5: 20562864 46095f1897eea0e6d70423d7a23269c6 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b20-1.9.7-0ubuntu1_all.deb Size/MD5: 6198968 774addae41a72893e60f02650de568b7 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b20-1.9.7-0ubuntu1_all.deb Size/MD5: 26928136 10019899c8fc6063e8b643a3d0829aa7 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 433966 6c101b0579693816e711cdc9d76c3bab http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 83388 359c1e0d27682752a895345af75b47f4 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 119379672 d136a0ab23a9bf7c07b24812599d07bb http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 2380008 37eb9917cd8fcf9f08f7ca77890277e0 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 11087378 a77b777520f47ce4bff9437eb26129ed http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 25646582 1f645f4e5c95b63633baae8f7ab9fda8 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 266940 de3f27cae5f34810e42c470d18fefecc http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1_amd64.deb Size/MD5: 2268542 f23b61fe5f230e554fb41a3ff323672f i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 417050 9c003b4582a4e6b7d97ba8bbb18b80b2 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 78710 771ce5238b907b978b3a7b67230dbca4 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 172785086 09ec100605da4543d8231f4ca6cf4704 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 2356270 4286ca0e879d8f3f5eca9c25cf9164a3 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 11080866 7c7b7961c81029664a5c06f2760574f9 http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 27498842 f697dde85d12ccd09b03278ad1f82d4b http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 251716 d7780c05caa3795f8d85f0377fe8cb33 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1_i386.deb Size/MD5: 1948114 ad3d65cf6efa37624c258e3402403a2e powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea-6-jre-cacao_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 445086 c7b85f64fb0604452ff4cbb93330cc3b http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 82778 a0b66d5cc190a476807f6e62c9a760bb http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 103486780 19b9ec766df638f96405821ca0cf3ee9 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 2363402 8fbddd30efec8ec28b18ebe2d483d657 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 8794584 7c9fc5c447ec6d8c8a8e10ec263c87b0 http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 23970202 11a3b23dc513235f424a2839f36c6dad http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 270480 40f0248590069e6cdc330fe0f7d42abf http://ports.ubuntu.com/pool/universe/o/openjdk-6/openjdk-6-jre-zero_6b20-1.9.7-0ubuntu1_powerpc.deb Size/MD5: 2080594 d3662a60a1d921f02a4594991c54c7e2 . ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. The vulnerability is caused due to an error in the "doubleValue()" method in FloatingDecimal.java when converting "2.2250738585072012e-308" from a string type to a double precision binary floating point and can be exploited to cause an infinite loop. * Sun JDK 5.0 Update 27 and prior. * Sun SDK 1.4.2_29 and prior. SOLUTION: Apply patch via the FPUpdater tool. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c02822093 Version: 1 HPSBOV02634 SSRT100390 rev.1 - HP OpenVMS running Java, Remote Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2011-05-05 Last Updated: 2011-05-05 Potential Security Impact: Remote Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential vulnerability has been identified with HP OpenVMS running Java. The vulnerability could be remotely exploited to create a Denial of Service (DoS). References: CVE-2010-4476 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP OpenVMS running J2SE 1.42 on Alpha platforms: v 1.42-9 and earlier. HP OpenVMS running J2SE 1.42 on I64 platforms: v 1.42-6 and earlier. HP OpenVMS running J2SE 5.0 on Alpha platforms: v 1.50-7 and earlier. HP OpenVMS running J2SE 5.0 on I64 platforms: v 1.50-6 and earlier. HP OpenVMS running Java SE 6 on Alpha and I64 platforms: v 6.0-2 and earlier. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following software tool available to resolve the vulnerability. The FPUpdater tool (Floating Point Updater) must be run to update the Java Development Kit (JDK) and/or the Java Runtime Environment (JRE) for Java v 1.4-x, v 5.0-x, and v 6.0-x. To download the FPUpdater tool, go to http://h18012.www1.hp.com/java/alpha/fpupdater_index.html HISTORY Version:1 (rev.1) - 5 May 2011 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2011 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk3C8qwACgkQ4B86/C0qfVkgSwCdErQezT2ZMSfx61jDn8lgarYF hCgAoMpFi1D/6TkGP5C1KwKiMsbNUM0A =KFeW -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Apache Tomcat Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43198 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43198/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43198 RELEASE DATE: 2011-02-07 DISCUSS ADVISORY: http://secunia.com/advisories/43198/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43198/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43198 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apache Tomcat, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service). 1) An error due to the "ServletContect" attribute improperly being restricted to read-only when running under a SecurityManager can be exploited by a malicious web application to use an arbitrary working directory with read-write privileges. 2) Certain input (e.g. display names) is not properly sanitised in the HTML Manager interface before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 3) An error within the JVM when accessing a page that calls "javax.servlet.ServletRequest.getLocale()" or "javax.servlet.ServletRequest.getLocales()" functions can be exploited to cause the process to hang via a web request containing specially crafted headers (e.g. "Accept-Language"). This vulnerability is reported in versions prior to 5.5.33. SOLUTION: Update to version 5.5.33. PROVIDED AND/OR DISCOVERED BY: 1, 2) Reported by the vendor. 3) Konstantin Preiber ORIGINAL ADVISORY: Apache Tomcat: http://tomcat.apache.org/security-5.html http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0075.html Konstantin Preiber: http://www.exploringbinary.com/why-volatile-fixes-the-2-2250738585072011e-308-bug/comment-page-1/#comment-4645 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The updates are available from: http://www.hp.com/go/java These issues are addressed in the following versions of the HP Java: HP-UX B.11.11 / SDK and JRE v1.4.2.28 or subsequent HP-UX B.11.23 / SDK and JRE v1.4.2.28 or subsequent HP-UX B.11.31 / SDK and JRE v1.4.2.28 or subsequent MANUAL ACTIONS: Yes - Update For Java v1.4.2.27 and earlier, update to Java v1.4.2.28 or subsequent. Such input strings represent valid numbers and can be contained in data supplied by an attacker over the network, leading to a denial-of-service attack. For the oldstable distribution (lenny), this problem will be fixed in version 6b18-1.8.3-2~lenny1. For technical reasons, this update will be released separately. For the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.3-2+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your openjdk-6 packages

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote, local

TYPE

xss

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES