Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Java SE platform. The Common Vulnerabilities
and Exposures project identifies the following problems:
- CVE-2011-0862
Integer overflow errors in the JPEG and font parser allow
untrusted code (including applets) to elevate its privileges.
- CVE-2011-0864
Hotspot, the just-in-time compiler in OpenJDK, mishandled
certain byte code instructions, allowing untrusted code
(including applets) to crash the virtual machine.
- CVE-2011-0865
A race condition in signed object deserialization could
allow untrusted code to modify signed content, apparently
leaving its signature intact.
- CVE-2011-0867
Untrusted code (including applets) could access information
about network interfaces which was not intended to be public.
(Note that the interface MAC address is still available to
untrusted code.)
- CVE-2011-0868
A float-to-long conversion could overflow, allowing
untrusted code (including applets) to crash the virtual
machine.
- CVE-2011-0869
Untrusted code (including applets) could intercept HTTP
requests by reconfiguring proxy settings through a SOAP
connection.
- CVE-2011-0871
Untrusted code (including applets) could elevate its
privileges through the Swing MediaTracker code.
In addition, this update removes support for the Zero/Shark and Cacao
Hotspot variants from the i386 and amd64 due to stability issues.
These Hotspot variants are included in the openjdk-6-jre-zero and
icedtea-6-jre-cacao packages, and these packages must be removed
during this update.
For the oldstable distribution (lenny), these problems will be fixed
in a separate DSA for technical reasons.
For the stable distribution (squeeze), these problems have been fixed
in version 6b18-1.8.9-0.1~squeeze1.
For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 6b18-1.8.9-0.1.
We recommend that you upgrade your openjdk-6 packages.