Your message dated Sat, 05 Mar 2011 15:32:58 +0100
with message-id <4d72499a.6060...@ubuntu.com>
and subject line Re: [Openjdk] Bug#612660: openjdk-6: CVE-2010-4476 Trivial DoS when parsing strings into Java Double objects
has caused the Debian Bug report #612660,
regarding openjdk-6: CVE-2010-4476 Trivial DoS when parsing strings into Java Double objects
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
612660: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=612660
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openjdk-6
Version: 6b11-9.1+lenny2
Severity: grave
Tags: security
Justification: trivial denial of service by unauthenticated remote users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for openjdk-6.

CVE-2010-4476[0]: (description from upstream announcement)
| This Security Alert addresses security issue CVE-2010-4476 (Java Runtime
| Environment hangs when converting "2.2250738585072012e-308" to a binary
| floating-point number), which is a vulnerability in the Java Runtime
| Environment component of the Oracle Java SE and Java for Business products.
| This vulnerability allows unauthenticated network attacks ( i.e. it may be
| exploited over a network without the need for a username and password).
| Successful attack of this vulnerability can result in unauthorized ability
| to cause a hang or frequently repeatable crash (complete Denial of Service)
| of the Java Runtime Environment. Java based application and web servers are
| especially at risk from this vulnerability.

In particular, there is a trivial attack involving a crafted HTTP header,
which probably affects many systems.

There is a patch available [1].

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
    http://security-tracker.debian.org/tracker/CVE-2010-4476

[1] http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html


- -- System Information:
Debian Release: 6.0
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJNUu1AAAoJEFOUR53TUkxRcWAP/iMKvgancaw2RdctEZY54qKX
9W7MdhosFyeP4BAwtHUrge1SeRO9FzTitXXuAXEOcYD0nkKKnfN6c8HdqGly2TbJ
CFQXGgExyd3zuaSJwXohW9eFk983qLXokBHU0fMj0zDSIV7m3uqpo+hqQfdbQLyb
NYbDP+rfiCP+G7EisrEJjcqyMAQsxXLHhHlAmZHsgBFFc/3YbG+h/hEmoNzugfvU
ZQ+YE4GxTUBFlH5l+NjKey+r8kGrAg9A9cR2cz4+pKRCG6Li2MJGRewVy0GK92OL
ePjeKAFe0yfHTzFjKZz1FMnCeB+5341C7FpEqGdINNOet5fDjjkGPinXHAm8ysYu
en3GikXBf1xFmLhKOtpM4KgPTx6xt+zPOxY4xmQt+4xXl8WUHE9whsqWmrwtjoyh
8u9x5tXQkIK5hdHH1ZGAUBN9SoaYBc3Ml0H7h5jEilkvovqjZhTbvf8mt+LDAaBL
RUEeg1pH9UybHzpxqCdMmGABZTed+eLDxY+YvYL8IxPxLDlnHkwUPuD59lMU+l/c
OWQyYCETHIrlKVK6rTMkycJbpHryGxWb54XPWJ0oG/egXL1Rujm6njfnwEqXkKMk
y6pmAYjEDxs8VTnkeUjRiEbs9TIOTh/mN2fQ3NsSEYvgAeHnoIDijSo8XC/N5ove
e4zN86De2nUl9G1TPxLX
=SwDF
-----END PGP SIGNATURE-----



--- End Message ---
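The real fix is the FloatingDecimal patch referenced as [1] above, which lands in the updated package. Until that package is deployed, code that hands untrusted decimal strings (for example values taken from HTTP header fields, as the report mentions) to Double.parseDouble can screen them first. The class below is an added example written for this page; it is not code from the bug report, from Debian or from OpenJDK. The class name SafeDouble, the method names and the window bounds LOW/HIGH are assumptions: the window is a deliberately wide margin around Double.MIN_NORMAL, not the exact set of inputs that hang. The screen parses with BigDecimal(String), whose parser does exact decimal arithmetic and never enters the binary-conversion loop that hangs; it compares with compareTo and never calls BigDecimal.doubleValue(), because in JDK 6 that method delegates to Double.parseDouble(toString()) and would reintroduce the hang.

```java
import java.math.BigDecimal;

/**
 * Screen for CVE-2010-4476 poison inputs before calling Double.parseDouble.
 * Added example, not Debian's, OpenJDK's or the bug reporter's code.
 * ASSUMPTION: [LOW, HIGH] is a deliberately wide safety window around
 * Double.MIN_NORMAL, not the exact set of decimal values that hang.
 */
public final class SafeDouble {

    // Largest subnormal double:    2.2250738585072009e-308
    // Double.MIN_NORMAL (2^-1022): 2.2250738585072014e-308
    // The input from the advisory, 2.2250738585072012e-308, lies between them.
    private static final BigDecimal LOW  = new BigDecimal("2.2250738585072008e-308");
    private static final BigDecimal HIGH = new BigDecimal("2.2250738585072015e-308");

    private SafeDouble() {}

    /**
     * True if Double.parseDouble(s) would see a value inside the danger window.
     * BigDecimal(String) is exact decimal parsing with no binary conversion, so
     * it is safe to call on the poison strings. Never call v.doubleValue() here:
     * in JDK 6 it delegates to Double.parseDouble(v.toString()).
     */
    public static boolean isPoison(String s) {
        if (s == null) {
            return false;                       // parseDouble throws NPE itself
        }
        String t = s.trim();                    // parseDouble trims as well
        // parseDouble accepts a trailing type suffix ("...e-308d", "...e-308F");
        // BigDecimal does not, so strip it or the poison slips through the screen.
        if (!t.isEmpty()) {
            char last = t.charAt(t.length() - 1);
            if (last == 'd' || last == 'D' || last == 'f' || last == 'F') {
                t = t.substring(0, t.length() - 1);
            }
        }
        BigDecimal v;
        try {
            v = new BigDecimal(t).abs();        // the sign is irrelevant to the hang
        } catch (NumberFormatException e) {
            // NaN, Infinity, hex floats ("0x1p-1022") and garbage are not decimal
            // literals and are not screened here (assumption: the hex-float path
            // does not use the looping algorithm); parseDouble handles or rejects them.
            return false;
        }
        return v.compareTo(LOW) >= 0 && v.compareTo(HIGH) <= 0;
    }

    /** Drop-in replacement for Double.parseDouble on untrusted input. */
    public static double parse(String s) {
        if (isPoison(s)) {
            throw new NumberFormatException(
                "rejected: value near Double.MIN_NORMAL (CVE-2010-4476)");
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary value, the value from the advisory,
        // a rescaled spelling of the same value, the type-suffix variant and a
        // negative neighbour. Only the first one reaches Double.parseDouble.
        String[] inputs = {
            "1.5",
            "2.2250738585072012e-308",
            "0.00022250738585072012e-304",
            "2.2250738585072012E-308D",
            "-2.2250738585072011e-308",
        };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + parse(in));
            } catch (NumberFormatException e) {
                System.out.println(in + " -> " + e.getMessage());
            }
        }
    }
}
```

Compile and run it with `javac SafeDouble.java && java SafeDouble`; on an unpatched 6b11 runtime the four poison spellings are rejected by the screen before Double.parseDouble can hang, and on a patched runtime the behaviour is the same, so the screen can stay in place until the package update is everywhere. The trailing-suffix and rescaled-exponent cases are the reason the check compares the parsed value rather than matching the literal digits "2.2250738585072012e-308".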
--- Begin Message ---
Version: 6b18-1.8.7-2

Fixed in 6b18-1.8.7-2.

On 09.02.2011 20:38, Jonathan Wiltshire wrote:
> Package: openjdk-6
> Version: 6b11-9.1+lenny2
> Severity: grave
> Tags: security
> Justification: trivial denial of service by unauthenticated remote users


--- End Message ---
