SuSE 10 Security Update : Sun Java 1.4.2 (ZYPP Patch Number 4533)

High Nessus Plugin ID 29473

Synopsis

The remote SuSE 10 host is missing a security-related patch.

Description

The Sun JAVA JDK 1.4.2 was upgraded to release 16 to fix various bugs, including the following security bugs :

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1

- Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections via a DNS rebinding attack. (CVE-2007-5232)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1

- Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier, on Windows does not properly enfor ce access restrictions for untrusted applications, which allows user-assisted remote attackers to read local files via an untrusted applica tion. (CVE-2007-5236)

- Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka 'two vulnerabilities'.
(CVE-2007-5237)

- Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to obtain sensitive information (the Java Web Start cache location) via an untrusted application, aka 'three vulnerabilities.'. (CVE-2007-5238)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

- Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier does not properly enforce access restrictions for untrusted (1) applications and (2) applets, which allows user-assisted remote attackers to copy or rename arbitrary files when local users perform drag-and-drop operations from the untrusted application or applet window onto certain types of desktop applications.
(CVE-2007-5239)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1

- Visual truncation vulnerability in the Java Runtime Environment in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows remote attackers to circumvent display of the untrusted-code warning banner by creating a window larger than the workstation screen. (CVE-2007-5240)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1

- Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used, allows remote attackers to violate the security model for an applet's outbound connections via a multi-pin DNS rebinding attack in which the applet download relies on DNS resolution on the proxy server, but the applet's socket operations rely on DNS resolution on the local machine, a different issue than CVE-2007-5274. (CVE-2007-5273)

- Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows remote attackers to violate the security model for JavaScript outbound connections via a multi-pin DNS rebinding attack dependent on the LiveConnect API, in which JavaScript download relies on DNS resolution by the browser, but JavaScript socket operations rely on separate DNS resolution by a Java Virtual Machine (JVM), a different issue than CVE-2007-5273. (CVE-2007-5274)

Solution

Apply ZYPP patch number 4533.

See Also

http://support.novell.com/security/cve/CVE-2007-5232.html

http://support.novell.com/security/cve/CVE-2007-5236.html

http://support.novell.com/security/cve/CVE-2007-5237.html

http://support.novell.com/security/cve/CVE-2007-5238.html

http://support.novell.com/security/cve/CVE-2007-5239.html

http://support.novell.com/security/cve/CVE-2007-5240.html

http://support.novell.com/security/cve/CVE-2007-5273.html

http://support.novell.com/security/cve/CVE-2007-5274.html

Plugin Details

Severity: High

ID: 29473

File Name: suse_java-1_4_2-sun-4533.nasl

Version: 1.17

Type: local

Agent: unix

Published: 2007/12/13

Updated: 2019/10/25

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

Vulnerability Information

CPE: cpe:/o:suse:suse_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2007/10/11

Reference Information

CVE: CVE-2007-5232, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239, CVE-2007-5240, CVE-2007-5273, CVE-2007-5274

CWE: 264