_______________________________________________________________________________
Blackdown Java-Linux Security Advisory

Advisory number: Blackdown-SA-2004-01
Issue date:      2004, November 22
_______________________________________________________________________________

1. Problem

   A vulnerability in the Java Plug-in may allow an untrusted applet to
   escalate privileges, through JavaScript calling into Java code, including
   reading and writing files with the privileges of the user running the
   applet.

   This issue is described in the following document:

   CVE CAN-2004-1029 at
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029.

2. Vulnerable Versions

   All Blackdown VMs previous to J2SE v1.4.2-01.

3. Solution

   Upgrade to J2SE v1.4.2-01

4. Location of fixed packages:

   Java 2 Runtime Environment v1.4.2-01:

   amd64:
     ftp://ftp.tux.org/java/JDK-1.4.2/amd64/01/j2re-1.4.2-01-linux-amd64.bin
     29c1f49b997e5bdf5aac5ebde4d8c59c

   x86:
     ftp://ftp.tux.org/java/JDK-1.4.2/i386/01/j2re-1.4.2-01-linux-i586.bin
     7943dbe0e6449ff9976b5bef9e892af6

   Java 2 SDK v1.4.2-01

   amd64:
     ftp://ftp.tux.org/java/JDK-1.4.2/amd64/01/j2sdk-1.4.2-01-linux-amd64.bin
     00cb18fe9ea91c536360c70a219b1867

   x86:
     ftp://ftp.tux.org/java/JDK-1.4.2/i386/01/j2sdk-1.4.2-01-linux-i586.bin
     dbb87efd16b8d25cdd3fe6a8782a8e75

5. References

   http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1029

_______________________________________________________________________________

The information in this advisory may be distributed or reproduced, provided
that the advisory is not modified in any way. In particular, it is desired
that the cleartext signature shows proof of the authenticity of the text.

Blackdown Java-Linux makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
_______________________________________________________________________________

--
Juergen Kreileder, Blackdown Java-Linux Team
http://www.blackdown.org/java-linux/java2-status/