_______________________________________________________________________________

                Blackdown Java-Linux Security Advisory

        Advisory number: Blackdown-SA-2004-01
        Issue date: 2004, November 22
_______________________________________________________________________________


1. Problem

   A vulnerability in the Java Plug-in may allow an untrusted applet
   to escalate its privileges through JavaScript calling into Java
   code. The escalated privileges include reading and writing files
   with the privileges of the user running the applet.

   This issue is described in the following document: CVE CAN-2004-1029
   at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029.


2. Vulnerable Versions

   All Blackdown VMs prior to J2SE v1.4.2-01.


3. Solution

   Upgrade to J2SE v1.4.2-01.


4. Location of fixed packages:

   Java 2 Runtime Environment v1.4.2-01:

        amd64:
                ftp://ftp.tux.org/java/JDK-1.4.2/amd64/01/j2re-1.4.2-01-linux-amd64.bin
                29c1f49b997e5bdf5aac5ebde4d8c59c
        x86:
                ftp://ftp.tux.org/java/JDK-1.4.2/i386/01/j2re-1.4.2-01-linux-i586.bin
                7943dbe0e6449ff9976b5bef9e892af6

   Java 2 SDK v1.4.2-01:

        amd64:
                ftp://ftp.tux.org/java/JDK-1.4.2/amd64/01/j2sdk-1.4.2-01-linux-amd64.bin
                00cb18fe9ea91c536360c70a219b1867
        x86:
                ftp://ftp.tux.org/java/JDK-1.4.2/i386/01/j2sdk-1.4.2-01-linux-i586.bin
                dbb87efd16b8d25cdd3fe6a8782a8e75


5. References

   http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029


_______________________________________________________________________________

   The information in this advisory may be distributed or reproduced,
   provided that the advisory is not modified in any way. In
   particular, it is desired that the cleartext signature shows proof
   of the authenticity of the text.

   Blackdown Java-Linux makes no warranties of any kind whatsoever
   with respect to the information contained in this security
   advisory.
_______________________________________________________________________________


-- 
Juergen Kreileder, Blackdown Java-Linux Team
http://www.blackdown.org/java-linux/java2-status/
