Sun Security Blog
Sun recently announced two new security response enhancements for Java SE. They include our plans for the synchronized release of Java SE security fixes, and advance customer notification of security updates. These new features are designed to complement Sun's existing Sun Alert notifications, as well as the built-in Java Auto Update tool for Microsoft Windows users. Details are available here.
The following is our first advance notification of security updates for Java SE. In the week of October 1, 2007, Sun will be releasing security updates with JDK and JRE 6 Update 3, JDK and JRE 5.0 Update 13, and SDK and JRE 1.4.2_16. This will be followed by the release of SDK and JRE 1.3.1_21 in the second week of October 2007. This is Sun's first step towards the simultaneous release of security fixes across all supported Java SE release families. Sun expects to fully synchronize the release of security fixes across all supported releases, including J2SE 1.3.1, in 2008. Note that J2SE 1.3.1 has completed the Sun "End of Life" (EOL) process and is only supported for the Solaris Operating Environment and for customers on Sun's Vintage Support Offering.
26 Sep 2007
Sun Alert 103084 A Security Vulnerability in the Handling of Thread Contexts in the Solaris Kernel May Allow a Denial of Service (DoS)
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
A security vulnerability related to a race condition during the handling of thread contexts in the Solaris kernel may allow a local unprivileged user to panic the system and thereby cause a Denial of Service (DoS) condition.
Avoidance: Patch
State: Resolved
First released: 26-Sep-2007
24 Sep 2007
Sun Alert 102866 Security Vulnerability in the IP Implementation for Solaris 8 and 9 May Allow a Denial of Service
Product: Solaris 9 Operating System, Solaris 8 Operating System
A security vulnerability in the Solaris 8 and 9 IP implementation may allow a remote unprivileged user to degrade the performance of a networked Solaris system by sending specially crafted IP packets. This could result in a mild Denial of Service (DoS) against network services provided by the system and/or local services, due to increased CPU usage.
Avoidance: Patch
State: Resolved
First released: 12-Apr-2007
14 Sep 2007
Sun Alert 102927 Security Vulnerabilities in the SOCKS Module of Sun Java System Web Proxy Server 4.0
Product: Sun Java System Web Proxy Server 4.0
Two buffer overflows have been found in the SOCKS module of Sun Java System Web Proxy Server 4.0 which may allow a local or remote unprivileged user the ability to execute arbitrary code with the privileges of the SOCKS server or cause a Denial of Service (DoS) to the SOCKS server. The SOCKS server normally runs with root privileges. One of the vulnerabilities (BugID 6537736) requires authentication before it can be exploited; however, the default configuration is for no authentication to be required to access the SOCKS server. Sun acknowledges with thanks iDefense (http://www.idefense.com) for bringing these issues to our attention. These issues are also described in the following document: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=536
Avoidance: Upgrade
State: Resolved
First released: 25-May-2007
The removal of the Solaris Data Encryption Kit has been quite a difficult and long process for us, so we are taking a different approach for Solaris 10 and for OpenSolaris. Valerie Bubb has info on how it has been done for Solaris 10 and is also currently running the code review for the OpenSolaris variant, which is the full fix for this.
- Darren
04 Sep 2007
Sun Alert 102945 Security Vulnerabilities in the Network Security Services (NSS) Library May Affect Sun Java System Application Server, Web Server and Web Proxy Server
Product: Sun Java System Application Server Platform Edition 8.1 2005Q1, Sun Java System Web Server 7.0, Sun Java System Web Proxy Server 4.0, Sun Java System Web Server 6.1, Sun Java System Application Server Enterprise Edition 8.1 2005Q1
Sun Java System Application Server, Web Server and Proxy Server make use of the Network Security Services (NSS) library and are impacted by a number of security vulnerabilities related to the SSL2 implementation in that library if SSL2 is enabled in these servers. These vulnerabilities may allow remote users to cause the server to exit unexpectedly, causing a denial of service (DoS) to the application, or to execute arbitrary code. These issues are also described in the following documents:
Other Sun products make use of the NSS library. For information regarding the impact to other products, please see Sun Alert 102856 at:
Avoidance: Patch, Workaround
State: Resolved
First released: 11-Jun-2007
04 Sep 2007
Sun Alert 102874 A Security Vulnerability in Sun Cluster Software May Lead to Data Corruption and "send_mondo" Panics
Product: Sun Cluster 3.1, Solaris Cluster 3.2
A privileged user on a Sun Cluster node which is a current cluster member may be able to corrupt in-memory data structures of a sibling cluster node. This can lead to a system panic and/or data corruption on the sibling node, which can affect application throughput or the availability of data or applications to end users, depending on how the Sun Cluster is configured, and is thus a type of Denial of Service (DoS).
Avoidance: Patch
State: Resolved
First released: 24-Apr-2007
04 Sep 2007
Sun Alert 103018 Security Vulnerability in Solaris 10 BIND: Susceptible to Cache Poisoning Attack
Product: Solaris 10 Operating System
Remote unprivileged users may cause named(1M) to ultimately return incorrect addresses for Internet hosts, thereby redirecting end users to unintended hosts and/or services. This issue is also referenced in the following documents:
Avoidance: Patch
State: Resolved
First released: 25-Jul-2007