Ubuntu 9.10 / 10.04 LTS / 10.10 : openjdk-6, openjdk-6b18 vulnerabilities (USN-1055-1)

Ubuntu Security Notice (C) 2011-2014 Canonical, Inc. / NASL script (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

It was discovered that IcedTea for Java did not properly verify
signatures when handling multiply signed or partially signed JAR
files, allowing an attacker to cause code to execute that appeared to
come from a verified source. (CVE-2011-0025)

USN 1052-1 fixed a vulnerability in OpenJDK for Ubuntu 9.10 and Ubuntu
10.04 LTS on all architectures, and Ubuntu 10.10 for all architectures
except for the armel (ARM) architecture. This update provides the
corresponding update for Ubuntu 10.10 on the armel (ARM) architecture.

It was discovered that the JNLP SecurityManager in IcedTea for Java
OpenJDK in some instances failed to properly apply the intended
scurity policy in its checkPermission method. This could allow an
attacker to execute code with privileges that should have been
prevented. (CVE-2010-4351).

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 51848 ()

Bugtraq ID: 45894

CVE ID: CVE-2010-4351
CVE-2011-0025