Date: Thu, 30 Aug 2012 09:03:22 +0000 (UTC) From: Eygene Ryabinkin <rea@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r303364 - head/security/vuxml Message-ID: <201208300903.q7U93MRp011807@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rea Date: Thu Aug 30 09:03:22 2012 New Revision: 303364 URL: http://svn.freebsd.org/changeset/ports/303364 Log: VuXML: document CVE-2012-4681, security manager bypass in Java 7.x Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Aug 30 08:57:33 2012 (r303363) +++ head/security/vuxml/vuln.xml Thu Aug 30 09:03:22 2012 (r303364) @@ -51,6 +51,55 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="16846d1e-f1de-11e1-8bd8-0022156e8794"> + <topic>Java 1.7 -- security manager bypass</topic> + <affects> + <package> + <name>openjdk</name> + <range><ge>7.0</ge><lt>7.6.24_1</lt></range> + </package> + <package> + <name>linux-sun-jdk</name> + <range><ge>7.0</ge></range> + </package> + <package> + <name>linux-sun-jre</name> + <range><ge>7.0</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>US-CERT reports:</p> + <blockquote cite="http://www.kb.cert.org/vuls/id/636312">; + <p>Oracle Java Runtime Environment (JRE) 1.7 contains a + vulnerability that may allow an applet to call + setSecurityManager in a way that allows setting of arbitrary + permissions.</p> + <p>By leveraging the public, privileged getField() function, + an untrusted Java applet can escalate its privileges by + calling the setSecurityManager() function to allow full + privileges, without requiring code signing.</p> + <p>This vulnerability is being actively exploited in the + wild, and exploit code is publicly available.</p> + </blockquote> + <p>This exploit does not only affect Java applets, but every + piece of software that relies on the Java Security Manager for + sandboxing executable code is affected: malicious code can + totally disable Security Manager.</p> + </body> + </description> + <references> + <cvename>CVE-2012-4681</cvename> + <certvu>636312</certvu> + <url>http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html</url>; + <url>http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html</url>; + </references> + <dates> + <discovery>2012-08-27</discovery> + <entry>2012-08-30</entry> + </dates> + </vuln> + <vuln vid="18ce9a90-f269-11e1-be53-080027ef73ec"> <topic>fetchmail -- chosen plaintext attack against SSL CBC initialization vectors</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201208300903.q7U93MRp011807>