Java 1.5.0_08 security problem

Bug #80569 reported by Piero Ottuzzi
Affects | Status | Importance | Assigned to | Milestone
sun-java5 (Ubuntu) | Fix Released | Undecided | Unassigned |
Dapper | Fix Released | High | Matthias Klose |
Edgy | Won't Fix | Undecided | Unassigned |
Feisty | Won't Fix | Undecided | Unassigned |

Bug Description

Hi there,

the Ubuntu 6.10 bundled JRE/JDK (java -version shows 1.5.0_08) suffers from a security problem (mostly classified as CRITICAL) handling GIF images as you can see in [1], [2], [3], [4], [5].
Please update to the latest JRE/JDK 1.5 (version 1.5.0_10).

Thanks
Bye
Piero

[1] http://www.zerodayinitiative.com/advisories/ZDI-07-005.html
[2] http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
[3] http://www.frsirt.com/english/advisories/2007/0211
[4] http://secunia.com/advisories/23757/

Matthias Klose (doko) wrote :

fixed in gutsy

Changed in sun-java5:
status: New → Fix Released
assignee: nobody → doko
importance: Undecided → High
status: New → In Progress
Matthias Klose (doko) wrote :

People do want to see an update of the sun-java5 packages for dapper, however
due to the nature of binary-only packages we don't know much about the update
and where it belongs:

 - it fixes security issues, so it should probably be a candidate for -security

 - it fixes other bugs, so it is not appropriate for -security, but maybe
   should go to -proposed and then to -updates.

 - it introduces new features, so it should go to -backports, but there it's
   not picked up by many people.

Proposing this now for -updates, agreed with the sru team and the security team.

The list of all changes can be found at http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Matthias Klose (doko) wrote :

test packages from http://people.ubuntu.com/~doko/tmp/sun-java5/
were tested by tmarble and tspindler (please confirm).

Piero Ottuzzi (ottuzzi) wrote :

Hi there,

Java was a binary package, so we cannot know for sure what they change between one version and another but, in the interest of SUN and the Java platform, minor versions are always binary compatible.
It's usually safe to upgrade from 1.5.0_08 to whatever else 1.5.0_xx and the same applies for 1.4.0, 1.4.1, 1.4.2 and 1.6.0.
I also know that these packages live in Universe and support is limited but, especially for applets, this is a vital component for system security: I would suggest an upgrade of the packages for both Edgy and Feisty.

Many thanks for your attention
Bye
Piero

Torsten Spindler (tspindler) wrote : Re: [Bug 80569] Re: Java 1.5.0_08 security problem

> test packages from http://people.ubuntu.com/~doko/tmp/sun-java5/
> were tested by tmarble and tspindler (please confirm).

Test confirmed.

Martin Pitt (pitti) wrote :

Accepted into dapper-proposed, please give some testing feedback once they are built. Thanks a lot, Matthias!

Changed in sun-java5:
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Copied to dapper-updates.

Changed in sun-java5:
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Unsubscribing ubuntu-sru. If it is desired to get this fixed in edgy and feisty, please sub motu-sru.

Changed in sun-java5:
status: New → Won't Fix
status: New → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
