diff options
| author | Eygene Ryabinkin <rea@FreeBSD.org> | 2012-08-30 09:03:22 +0000 |
|---|---|---|
| committer | Eygene Ryabinkin <rea@FreeBSD.org> | 2012-08-30 09:03:22 +0000 |
| commit | 5a241795eb755cb7d2979d3d3fd85aec900f95b6 (patch) | |
| tree | c4f5918ef503be41490985024b1db91d04b83803 | |
| parent | a5f1be5349893cf278b8205c5c5371b41b82c148 (diff) | |
| download | ports-5a241795eb755cb7d2979d3d3fd85aec900f95b6.tar.gz ports-5a241795eb755cb7d2979d3d3fd85aec900f95b6.zip | |
Notes
| -rw-r--r-- | security/vuxml/vuln.xml | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 4e17c2977341..5b2a0fad0c1e 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,55 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="16846d1e-f1de-11e1-8bd8-0022156e8794"> + <topic>Java 1.7 -- security manager bypass</topic> + <affects> + <package> + <name>openjdk</name> + <range><ge>7.0</ge><lt>7.6.24_1</lt></range> + </package> + <package> + <name>linux-sun-jdk</name> + <range><ge>7.0</ge></range> + </package> + <package> + <name>linux-sun-jre</name> + <range><ge>7.0</ge></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>US-CERT reports:</p> + <blockquote cite="http://www.kb.cert.org/vuls/id/636312"> + <p>Oracle Java Runtime Environment (JRE) 1.7 contains a + vulnerability that may allow an applet to call + setSecurityManager in a way that allows setting of arbitrary + permissions.</p> + <p>By leveraging the public, privileged getField() function, + an untrusted Java applet can escalate its privileges by + calling the setSecurityManager() function to allow full + privileges, without requiring code signing.</p> + <p>This vulnerability is being actively exploited in the + wild, and exploit code is publicly available.</p> + </blockquote> + <p>This exploit does not only affect Java applets, but every + piece of software that relies on the Java Security Manager for + sandboxing executable code is affected: malicious code can + totally disable Security Manager.</p> + </body> + </description> + <references> + <cvename>CVE-2012-4681</cvename> + <certvu>636312</certvu> + <url>http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html</url> + <url>http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html</url> + </references> + <dates> + <discovery>2012-08-27</discovery> + <entry>2012-08-30</entry> + </dates> + </vuln> + <vuln vid="18ce9a90-f269-11e1-be53-080027ef73ec"> <topic>fetchmail -- chosen plaintext attack against SSL CBC initialization vectors</topic> <affects> |