ID: DSA-2161 | Type: debian | Reporter: Debian | Modified: 2011-02-13T00:00:00
Description
It was discovered that the floating point parser in OpenJDK, an implementation of the Java platform, can enter an infinite loop when processing certain input strings. Such input strings represent valid numbers and can be contained in data supplied by an attacker over the network, leading to a denial-of-service attack.
For the oldstable distribution (lenny), this problem will be fixed in version 6b18-1.8.3-2~lenny1. For technical reasons, this update will be released separately.
For the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.3-2+squeeze1.
For the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon.
We recommend that you upgrade your openjdk-6 packages.
{"modified": "2011-02-13T00:00:00", "id": "DSA-2161", "edition": 1, "title": "openjdk-6 -- denial of service", "viewCount": 0, "objectVersion": "1.2", "description": "It was discovered that the floating point parser in OpenJDK, an implementation of the Java platform, can enter an infinite loop when processing certain input strings. Such input strings represent valid numbers and can be contained in data supplied by an attacker over the network, leading to a denial-of-service attack.\n\nFor the oldstable distribution (lenny), this problem will be fixed in version 6b18-1.8.3-2~lenny1. For technical reasons, this update will be released separately.\n\nFor the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.3-2+squeeze1.\n\nFor the testing distribution (wheezy) and the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your openjdk-6 packages.", "type": "debian", "lastseen": "2016-09-02T18:22:06", "affectedPackage": [{"packageVersion": "6b18-1.8.3-2~lenny1", "packageFilename": "openjdk-6_6b18-1.8.3-2~lenny1_all.deb", "OS": "Debian GNU/Linux", "arch": "all", "OSVersion": "5", "operator": "lt", "packageName": "openjdk-6"}], "history": [], "href": "http://www.debian.org/security/dsa-2161", "hash": "8176467f3a11fb8f1ef97de4db43763532efccbd998f5ed93c6413700df96c3e", "published": "2011-02-13T00:00:00", "reporter": "Debian", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "references": [], "bulletinFamily": "unix", "cvelist": ["CVE-2010-4476"], "enchantments": {"vulnersScore": 8.3}}
{"result": {"cve": [{"id": "CVE-2010-4476", "type": "cve", "title": "CVE-2010-4476", "description": "The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.", "published": "2011-02-17T14:00:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-12-22T12:41:50"}], "f5": [{"id": "SOL12826", "type": "f5", "title": "SOL12826 - Java Runtime Environment (JRE) vulnerability: CVE-2010-4476", "description": "* These F5 product versions use the affected Java function to manage traffic in the Configuration utility. However, the system filters the input value to the function so the value falls within an expected range before the system passes data to the function. 
These expected ranges of data do not include data that can trigger this JRE vulnerability, so the system can safely use this function, and these F5 product versions are not vulnerable.\n\nA JRE vulnerability could allow a remote attacker to cause a denial-of-service (DoS) by using a crafted string that triggers an infinite loop.\n\nNone of the F5 product versions listed in this article, including those marked with an asterisk (*), use Java for production traffic packet processing and, therefore, are not vulnerable to this issue for production traffic.\n\n**Information about this advisory is available at the following location:**\n\n[Common Vulnerabilities and Exposures (CVE-2010-4476)](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476>)\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.\n", "published": "2011-05-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/12000/800/sol12826.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2016-09-26T17:23:27"}, {"id": "F5:K12826", "type": "f5", "title": "Java Runtime Environment (JRE) vulnerability: CVE-2010-4476", "description": "", "published": "2011-05-09T21:09:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K12826", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-06-08T00:16:13"}], "openvas": [{"id": "OPENVAS:881243", "type": "openvas", "title": "CentOS Update for tomcat5 CESA-2011:0336 centos5 x86_64", "description": "Check for the Version of tomcat5", "published": "2012-07-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881243", "cvelist": ["CVE-2010-4476"], "lastseen": "2018-01-02T10:56:37"}, {"id": "OPENVAS:68995", "type": 
"openvas", "title": "Debian Security Advisory DSA 2161-1 (openjdk-6)", "description": "The remote host is missing an update to openjdk-6\nannounced via advisory DSA 2161-1.", "published": "2011-03-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=68995", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-07-24T12:55:57"}, {"id": "OPENVAS:1361412562310870390", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2011:0214-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-02-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870390", "cvelist": ["CVE-2010-4476"], "lastseen": "2018-04-09T11:36:44"}, {"id": "OPENVAS:1361412562310122221", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2011-0336", "description": "Oracle Linux Local Security Checks ELSA-2011-0336", "published": "2015-10-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122221", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-07-24T12:53:38"}, {"id": "OPENVAS:870408", "type": "openvas", "title": "RedHat Update for tomcat5 RHSA-2011:0336-01", "description": "Check for the Version of tomcat5", "published": "2011-03-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870408", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-07-27T10:55:00"}, {"id": "OPENVAS:1361412562310881305", "type": "openvas", "title": "CentOS Update for java CESA-2011:0214 centos5 x86_64", "description": "Check for the Version of java", "published": "2012-07-30T00:00:00", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881305", "cvelist": ["CVE-2010-4476"], "lastseen": "2018-04-06T11:17:09"}, {"id": "OPENVAS:1361412562310881243", "type": "openvas", "title": "CentOS Update for tomcat5 CESA-2011:0336 centos5 x86_64", "description": "Check for the Version of tomcat5", "published": "2012-07-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881243", "cvelist": ["CVE-2010-4476"], "lastseen": "2018-04-06T11:16:56"}, {"id": "OPENVAS:1361412562310880535", "type": "openvas", "title": "CentOS Update for tomcat5 CESA-2011:0336 centos5 i386", "description": "Check for the Version of tomcat5", "published": "2011-08-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880535", "cvelist": ["CVE-2010-4476"], "lastseen": "2018-04-09T11:36:05"}, {"id": "OPENVAS:870390", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2011:0214-01", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-02-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870390", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-07-27T10:55:16"}, {"id": "OPENVAS:1361412562310122245", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2011-0214", "description": "Oracle Linux Local Security Checks ELSA-2011-0214", "published": "2015-10-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122245", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-07-24T12:52:23"}], "jvn": [{"id": "JVN:97334690", "type": "jvn", "title": "JVN#97334690: IBM 
Lotus vulnerable to denial-of-service (DoS)", "description": "\n ## Description\n\nIBM Lotus product line contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE).\n\n ## Impact\n\nA remote attacker may cause a denial-of-service (DoS). \n\n\n ## Solution\n\n**Apply a patch** \nApply the appropriate patch according to the information provided by the developer. \n\n\n ## Products Affected\n\n * Lotus Web Content Management 7.0, 6.1\n * Workplace Web Content Management 6.0\n * Lotus Quickr for WebSphere Portal 8.5, 8.1, 8.0\n * Lotus ActiveInsight 6.1, 6.0\n * Lotus Workforce Management 6.1\n * WebSphere Dashboard Framework 6.1, 6.0\n * WebSphere Portlet Factory 7.0, 6.1\n * IBM Mashup Center 3.0, 2.0, 1.1, 1.0\n * Lotus Mashups 3.0, 2.0, 1.1, 1.0\n * IBM Forms 4.0, 3.5\n * Lotus Connections 3.0, 2.5, 2.0, 1.0\n * Lotus Sametime Standard 8.5\n * Lotus Sametime Unified Telephony 8.5.1, 8.0\n * Lotus Expeditor 6.2\n * Lotus Sametime Advanced 8.0\nRefer to information provided by the developer for the affected OS versions of each product. \n\n", "published": "2011-03-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://jvn.jp/en/jp/JVN97334690/index.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-03-23T17:09:40"}, {"id": "JVN:26301278", "type": "jvn", "title": "JVN#26301278: IBM WebSphere Application Server vulnerable to denial-of-service (DoS)", "description": "\n ## Description\n\nIBM WebSphere Application Server contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE).\n\n ## Impact\n\nA remote attacker may cause a denial-of-service (DoS). \n\n\n ## Solution\n\n**Apply a patch** \nApply the appropriate patch according to the [information](<http://www.ibm.com/support/docview.wss?uid=swg21462019>) provided by the developer. 
\n\n\n ## Products Affected\n\n * IBM WebSphere Application Server from V6.0 to V6.0.2.43\n * IBM WebSphere Application Server from V6.1 to V6.1.0.35\n * IBM WebSphere Application Server from V7.0 to V7.0.0.13 \nAccording to the developer: \n_ \n\" For other IBM software products that contain an affected version of WAS, require an update. Specifically, WebSphere Process Server (WPS), WebSphere Enterprise Service Bus (WESB), WebSphere Virtual Enterprise (WVE), WebSphere Commerce and others are applicable. Also, IBM HTTP Server is not affected by this vulnerability.\"_ \n\n", "published": "2011-03-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://jvn.jp/en/jp/JVN26301278/index.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-03-23T17:09:40"}, {"id": "JVN:81294135", "type": "jvn", "title": "JVN#81294135: IBM Tivoli vulnerable to denial-of-service (DoS)", "description": "\n ## Description\n\nIBM Tivoli contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE). \n\n\n ## Impact\n\nA remote attacker may cause a denial-of-service (DoS).\n\n ## Solution\n\n**Apply a patch** \nApply the appropriate patch according to the information provided by the developer. \n\n\n ## Products Affected\n\nA wide range of products are affected. For more information, refer to the vendor's website. \n\n", "published": "2011-03-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://jvn.jp/en/jp/JVN81294135/index.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-03-23T17:09:40"}, {"id": "JVN:16308183", "type": "jvn", "title": "JVN#16308183: IBM DB2 vulnerable to denial-of-service (DoS)", "description": "\n ## Description\n\nIBM DB2 contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE). 
\n\n\n ## Impact\n\nAn attacker that can create or execute stored procedures may cause a denial-of-service (DoS). \n\n\n ## Solution\n\n******Apply a patch** \nApply the appropriate patch according to the [information](<http://www.ibm.com/support/docview.wss?uid=swg21468291>) provided by the developer. \n\n\n ## Products Affected\n\n * DB2 for Linux, UNIX, and Windows Version 9.7 FP0 to FP3a\n * DB2 for Linux, UNIX, and Windows Version 9.5 FP0 to FP7\n * DB2 for Linux, UNIX, and Windows Version 9.1 FP0 to FP10\n", "published": "2011-03-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://jvn.jp/en/jp/JVN16308183/index.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-03-23T17:09:40"}], "nessus": [{"id": "REDHAT-RHSA-2011-0292.NASL", "type": "nessus", "title": "RHEL 4 / 5 : java-1.4.2-ibm (RHSA-2011:0292)", "description": "Updated java-1.4.2-ibm packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe IBM 1.4.2 SR13-FP8 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java based applications to hang, for example, if they parsed Double values in a specially crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP8 Java release. 
All running instances of IBM Java must be restarted for this update to take effect.", "published": "2011-02-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52065", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:41:53"}, {"id": "FEDORA_2011-1263.NASL", "type": "nessus", "title": "Fedora 14 : java-1.6.0-openjdk-1.6.0.0-52.1.9.6.fc14 (2011-1263)", "description": "- Security updates\n\n - S4421494, CVE-2010-4476: infinite loop while parsing double literal.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-02-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=51961", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:41:53"}, {"id": "SL_20110210_JAVA_1_6_0_OPENJDK_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL6.x i386/x86_64", "description": "A denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java-based applications to hang, for instance if they parse Double values in a specially crafted HTTP request. 
(CVE-2010-4476)\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60953", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:38:08"}, {"id": "ORACLELINUX_ELSA-2011-0336.NASL", "type": "nessus", "title": "Oracle Linux 5 : tomcat5 (ELSA-2011-0336)", "description": "From Red Hat Security Advisory 2011:0336 :\n\nUpdated tomcat5 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nA denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Tomcat to hang via a specially crafted HTTP request.\n(CVE-2010-4476)\n\nUsers of Tomcat should upgrade to these updated packages, which contain a backported patch to correct this issue. 
Tomcat must be restarted for this update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68225", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:37:55"}, {"id": "SUSE_JAVA-1_6_0-IBM-7369.NASL", "type": "nessus", "title": "SuSE 10 Security Update : java-1_6_0-ibm, java-1_6_0-ibm-32bit, java-1_6_0-ibm-64bit, java-1_6_0-ibm-alsa, java-1_6_0-ibm-alsa-32bit, java-1_6_0-ibm-demo, java-1_6_0-ibm-devel, java-1_6_0-ibm-devel-32bit, java-1_6_0-ibm-fonts, java-1_6_0-ibm-jdbc, java-1_6_0-ibm-jdbc-32bit, java-1_6_0-ibm-jdbc-64bit, java-1_6_0-ibm-plugin, java-1_6_0-ibm-plugin-32bit, java-1_6_0-ibm-src (ZYPP Patch Number 7369)", "description": "IBM Java 6 SR9 FP1 was updated to fix a critical security bug in float number handling :\n\n - The Java Runtime Environment hangs forever when converting '2.2250738585072012e-308' to a binary floating-point number. (CVE-2010-4476)", "published": "2011-03-22T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52752", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:33:39"}, {"id": "REDHAT-RHSA-2011-0290.NASL", "type": "nessus", "title": "RHEL 4 / 5 / 6 : java-1.6.0-ibm (RHSA-2011:0290)", "description": "Updated java-1.6.0-ibm packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java based applications to hang, for example, if they parsed Double values in a specially crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR9 Java release. All running instances of IBM Java must be restarted for the update to take effect.", "published": "2011-02-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52063", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:42:03"}, {"id": "CENTOS_RHSA-2011-0214.NASL", "type": "nessus", "title": "CentOS 5 : java-1.6.0-openjdk (CESA-2011:0214)", "description": "Updated java-1.6.0-openjdk packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java-based applications to hang, for instance if they parse Double values in a specially crafted HTTP request. 
(CVE-2010-4476)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve this issue. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2011-04-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=53419", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:40:48"}, {"id": "REDHAT-RHSA-2011-0291.NASL", "type": "nessus", "title": "RHEL 4 / 5 / 6 : java-1.5.0-ibm (RHSA-2011:0291)", "description": "Updated java-1.5.0-ibm packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java based applications to hang, for example, if they parsed Double values in a specially crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR12-FP3 Java release. 
All running instances of IBM Java must be restarted for this update to take effect.", "published": "2011-02-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=52064", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:39:45"}, {"id": "DEBIAN_DSA-2161.NASL", "type": "nessus", "title": "Debian DSA-2161-1 : openjdk-6 - denial of service", "description": "It was discovered that the floating point parser in OpenJDK, an implementation of the Java platform, can enter an infinite loop when processing certain input strings. Such input strings represent valid numbers and can be contained in data supplied by an attacker over the network, leading to a denial-of-service attack.", "published": "2011-02-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=51977", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:36:08"}, {"id": "REDHAT-RHSA-2011-0214.NASL", "type": "nessus", "title": "RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2011:0214)", "description": "Updated java-1.6.0-openjdk packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were converted to Double objects. A remote attacker could use this flaw to cause Java-based applications to hang, for instance if they parse Double values in a specially crafted HTTP request. 
(CVE-2010-4476)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve this issue. All running instances of OpenJDK Java must be restarted for the update to take effect.", "published": "2011-02-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=51952", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-29T13:36:53"}], "redhat": [{"id": "RHSA-2011:0299", "type": "redhat", "title": "(RHSA-2011:0299) Moderate: java-1.4.2-ibm-sap security update", "description": "The IBM 1.4.2 SR13-FP8 Java release includes the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJava based applications to hang, for example, if they parsed Double values\nin a specially-crafted HTTP request. (CVE-2010-4476)\n\nNote: The java-1.4.2-ibm packages were renamed to java-1.4.2-ibm-sap to\ncorrect a naming overlap; however, java-1.4.2-ibm-sap does not\nautomatically obsolete the previous java-1.4.2-ibm packages for Red Hat\nEnterprise Linux 4 and 5 for SAP. Refer to the RHBA-2010:0491 and\nRHBA-2010:0530 advisories, listed in the References, for further\ninformation.\n\nAll users of java-1.4.2-ibm-sap for Red Hat Enterprise Linux 4, 5 and 6 for\nSAP are advised to upgrade to these updated packages, which contain the IBM\n1.4.2 SR13-FP8 Java release. 
All running instances of IBM Java must be\nrestarted for this update to take effect.\n", "published": "2011-02-23T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0299", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-09-09T07:20:38"}, {"id": "RHSA-2011:0211", "type": "redhat", "title": "(RHSA-2011:0211) Important: jbossweb security update", "description": "JBoss Web Server is a web container based on Apache Tomcat. It provides a\nsingle deployment platform for the JavaServer Pages (JSP) and Java Servlet\ntechnologies.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJBoss Web Server to hang via a specially-crafted HTTP request.\n(CVE-2010-4476)\n\nUsers of JBoss Web Server should upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The JBoss server process\nmust be restarted for this update to take effect.\n", "published": "2011-02-10T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0211", "cvelist": ["CVE-2010-4476"], "lastseen": "2016-09-04T11:17:46"}, {"id": "RHSA-2011:0214", "type": "redhat", "title": "(RHSA-2011:0214) Moderate: java-1.6.0-openjdk security update", "description": "These packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJava-based applications to hang, for instance if they parse Double values\nin a specially-crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve this issue. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "published": "2011-02-10T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0214", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-12-25T20:05:49"}, {"id": "RHSA-2011:0336", "type": "redhat", "title": "(RHSA-2011:0336) Important: tomcat5 security update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nTomcat to hang via a specially-crafted HTTP request. (CVE-2010-4476)\n\nUsers of Tomcat should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. Tomcat must be restarted for this\nupdate to take effect.\n", "published": "2011-03-09T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0336", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-09-09T07:20:23"}, {"id": "RHSA-2011:0290", "type": "redhat", "title": "(RHSA-2011:0290) Moderate: java-1.6.0-ibm security update", "description": "The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and\nthe IBM Java 2 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJava based applications to hang, for example, if they parsed Double values\nin a specially-crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM 1.6.0 SR9 Java release. 
All running instances\nof IBM Java must be restarted for the update to take effect.\n", "published": "2011-02-22T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0290", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-09-09T07:20:01"}, {"id": "RHSA-2011:0349", "type": "redhat", "title": "(RHSA-2011:0349) Important: tomcat5 security update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nTomcat to hang via a specially-crafted HTTP request. (CVE-2010-4476)\n\nUsers of Tomcat should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. Tomcat must be restarted for this\nupdate to take effect.\n", "published": "2011-03-10T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0349", "cvelist": ["CVE-2010-4476"], "lastseen": "2016-09-04T11:17:38"}, {"id": "RHSA-2011:0210", "type": "redhat", "title": "(RHSA-2011:0210) Important: jbossweb security update", "description": "JBoss Web Server is the web container, based on Apache Tomcat, in JBoss\nEnterprise Application Platform. It provides a single deployment platform\nfor the JavaServer Pages (JSP) and Java Servlet technologies.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJBoss Web Server to hang via a specially-crafted HTTP request.\n(CVE-2010-4476)\n\nUsers of JBoss Web Server should upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
The JBoss server process\nmust be restarted for this update to take effect.\n", "published": "2011-02-10T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0210", "cvelist": ["CVE-2010-4476"], "lastseen": "2016-09-04T11:17:45"}, {"id": "RHSA-2011:0292", "type": "redhat", "title": "(RHSA-2011:0292) Moderate: java-1.4.2-ibm security update", "description": "The IBM 1.4.2 SR13-FP8 Java release includes the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJava based applications to hang, for example, if they parsed Double values\nin a specially-crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.4.2-ibm are advised to upgrade to these updated\npackages, which contain the IBM 1.4.2 SR13-FP8 Java release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2011-02-22T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0292", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-09-09T07:20:15"}, {"id": "RHSA-2011:0291", "type": "redhat", "title": "(RHSA-2011:0291) Moderate: java-1.5.0-ibm security update", "description": "The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and\nthe IBM Java 2 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJava based applications to hang, for example, if they parsed Double values\nin a specially-crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM 1.5.0 SR12-FP3 Java release. 
All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "published": "2011-02-22T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0291", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-09-09T07:19:36"}, {"id": "RHSA-2011:0348", "type": "redhat", "title": "(RHSA-2011:0348) Important: tomcat6 security update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nTomcat to hang via a specially-crafted HTTP request. (CVE-2010-4476)\n\nA flaw was found in the Tomcat NIO (Non-Blocking I/O) connector. A remote\nattacker could use this flaw to cause a denial of service (out-of-memory\ncondition) via a specially-crafted request containing a large NIO buffer\nsize request value. (CVE-2011-0534)\n\nUsers of Tomcat should upgrade to these updated packages, which contain\nbackported patches to correct these issues. 
Tomcat must be restarted for\nthis update to take effect.\n", "published": "2011-03-10T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:0348", "cvelist": ["CVE-2011-0534", "CVE-2010-4476"], "lastseen": "2016-09-04T11:17:47"}], "seebug": [{"id": "SSV:20439", "type": "seebug", "title": "IBM WebSphere Application Server\u672a\u9a8c\u8bc1\u8bbf\u95ee\u6f0f\u6d1e", "description": "CVE ID: CVE-2010-4476\r\n\r\nIBM WebSphere Application Server (WAS)\u662f\u7531IBM\u9075\u7167\u5f00\u653e\u6807\u51c6\uff0c\u4f8b\u5982Java EE, XML \u8fd8\u6709Web Services\uff0c\u5f00\u53d1\u5e76\u53d1\u884c\u7684\u4e00\u79cd\u5e94\u7528\u670d\u52a1\u5668\u3002\u4e0e\u5176\u517c\u5bb9\u7684Web\u670d\u52a1\u5668\u5305\u62ec\uff1aApache HTTP Server\uff0cNetscape Enterprise Server\uff0cMicrosoft Internet Information Services (IIS)\u4ee5\u53caIBM HTTP Server\u3002\r\n\r\n\u8fd0\u884cz/OS\u7684IBM WAS\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u6388\u6743\u7528\u6237\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u8bbf\u95eeWebSphere\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\n\u5728WebSphere\u7528Local OS\u7528\u6237\u6ce8\u518c\u8868\u914d\u7f6e\u6216\u7528RACF\u9002\u914d\u5668\u914d\u7f6eFederated Repository\u65f6\u4f1a\u51fa\u73b0\u6b64\u95ee\u9898\u3002Local OS\u7528\u6237\u6ce8\u518c\u8868\u548c\u4f7f\u7528RACF\u9002\u914d\u5668\u7684Federated Repository\u4f7f\u7528SAF\u5b9e\u73b0\uff0c\u610f\u5473\u7740RACF\u4f7f\u7528\u548c\u76f8\u5bf9\u4ea7\u54c1\u7684\u4f7f\u7528\u90fd\u53d7\u5230\u5f71\u54cd\u3002\n\nIBM Websphere Application Server\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nIBM\r\n---\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.ers.ibm.com/", "published": "2011-04-02T00:00:00", "cvss": {"score": 5.0, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-20439", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-11-19T18:06:06"}], "oraclelinux": [{"id": "ELSA-2011-0214", "type": "oraclelinux", "title": "java-1.6.0-openjdk security update", "description": "[1.6.0.0-1.36.b17]\r\n- removed plugin. How it comes in?!\r\n- Resolves: rhbz#676295\r\n \n[1.6.0.0-1.33.b17]\r\n- bumped release number, it was accidentaly reduced, and now lower version then last one was released.\r\n- Resolves: rhbz#676295\r\n \n[1.6.0.0-1.22.b17]\r\n- Updated to 1.7.9 tarball\r\n- removed patch6, fixed upstrream\r\n- Resolves: rhbz#676295", "published": "2011-02-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-0214.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2016-09-04T11:16:10"}, {"id": "ELSA-2011-0336", "type": "oraclelinux", "title": "tomcat5 security update", "description": "[0:5.5.23-0jpp.17]\n- Resolves: rhbz 674599 JDK Double.parseDouble DoS", "published": "2011-03-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-0336.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2016-09-04T11:16:21"}, {"id": "ELSA-2011-0335", "type": "oraclelinux", "title": "tomcat6 security and bug fix update", "description": "[0:6.0.24-24]\n- Resolves: rhbz#674601\n- Removed wildcard in main %files that caused duplicate ownership\n- of log4j.properties\n[0:6.0.24-23]\n- Resolves: rhbz#674601\n- Reverse - tomcat user requires login shell\n- Reverse - rhbz 611244 tomcat-juli missing symlink\n- PM/QE decision to include only the security fixes. 
The rhbzs\n- will be taken care of during the rebase to 6.0.33.\n- Did not Reverse - rhbz 676922 - additionally instancs of tomcat are broken\n- Too many users depend upon it.\n[0:6.0.24-22]\n- Resolves - tomcat user requires login shell\n[0:6.0.24-21]\n- Resolves: 676922 - additionally created instances of tomcat\n- are broken\n[0:6.0.24-20]\n- Resolves: rbz# 676922\n- Resolves: init script LSB compliance\n- Resolves: multiple instances of tomcat.\n- Resolves: tomcat-juli missing symlink\n[0:6.0.24-18]\n- Resolves directory permission problems\n[0:6.0.24-17]\n- Resolves: CVE-2011-0534 rhbz#674601\n[0:6.0.24-16]\n- Resolves rhbz#674601 JDK Double.parseDouble DoS", "published": "2011-03-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-0335.html", "cvelist": ["CVE-2011-0534", "CVE-2010-4476"], "lastseen": "2016-09-04T11:16:13"}, {"id": "ELSA-2011-0791", "type": "oraclelinux", "title": "tomcat6 security and bug fix update", "description": "[6.0.24-33]\n- resolves: rhbz 695284 - multiple instances logging fiasco\n[6.0.24-32]\n- Resolves: rhbz 698624 - inet4address can't be cast to String\n[6.0.24-31]\n- Resolves: rhbz 656403 - cve-2010-4172 jsp syntax error\n[6.0.24-30]\n- Resolves: rhbz#697504 initscript logging location\n[6.0.24-29]\n- Resolves: rhbz#656403, rhbz#675926, rhbz#676011\n- CVE-2010-4172, CVE-2010-3718, CVE-2011-0013, CVE-2010-4476,\n- CVE-2011-0534\n[6.0.24-28]\n- Resovles rhbz#695284 - wrapper logs to different locations\n- CVE-2010-4172, CVE-2011-0013, CVE-2010-3718 commented out \n- until needed.\n[6.0.24-27]\n- naming-factory-dbcp missing fix in tomcat6.conf\n- Add Obsoletes for log4j\n[6.0.24-26]\n- Add log4j to package lib. 
Corrected typo in log4 Provides\n- epock versus epoch\n[6.0.24-25]\n- Installed permissions do not allow tomcat to start\n- incrementing NVR so yum won't get confused with the zstream", "published": "2011-05-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-0791.html", "cvelist": ["CVE-2010-4172", "CVE-2011-0013", "CVE-2011-0534", "CVE-2010-4476", "CVE-2010-3718"], "lastseen": "2016-09-04T11:16:56"}], "centos": [{"id": "CESA-2011:0336", "type": "centos", "title": "tomcat5 security update", "description": "**CentOS Errata and Security Advisory** CESA-2011:0336\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nTomcat to hang via a specially-crafted HTTP request. (CVE-2010-4476)\n\nUsers of Tomcat should upgrade to these updated packages, which contain a\nbackported patch to correct this issue. 
Tomcat must be restarted for this\nupdate to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-April/017319.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-April/017320.html\n\n**Affected packages:**\ntomcat5\ntomcat5-admin-webapps\ntomcat5-common-lib\ntomcat5-jasper\ntomcat5-jasper-javadoc\ntomcat5-jsp-2.0-api\ntomcat5-jsp-2.0-api-javadoc\ntomcat5-server-lib\ntomcat5-servlet-2.4-api\ntomcat5-servlet-2.4-api-javadoc\ntomcat5-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-0336.html", "published": "2011-04-14T10:58:50", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-April/017319.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-03T18:25:34"}, {"id": "CESA-2011:0214", "type": "centos", "title": "java security update", "description": "**CentOS Errata and Security Advisory** CESA-2011:0214\n\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJava-based applications to hang, for instance if they parse Double values\nin a specially-crafted HTTP request. (CVE-2010-4476)\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve this issue. 
All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2011-April/017311.html\nhttp://lists.centos.org/pipermail/centos-announce/2011-April/017312.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2011-0214.html", "published": "2011-04-14T10:31:40", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2011-April/017311.html", "cvelist": ["CVE-2010-4476"], "lastseen": "2017-10-03T18:24:30"}], "exploitdb": [{"id": "EDB-ID:35304", "type": "exploitdb", "title": "Oracle Java Floating-Point Value Denial of Service Vulnerability", "description": "Oracle Java Floating-Point Value Denial of Service Vulnerability. CVE-2010-4476. Dos exploits for multiple platform", "published": "2011-02-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/35304/", "cvelist": ["CVE-2010-4476"], "lastseen": "2016-02-04T01:02:07"}], "ubuntu": [{"id": "USN-1079-3", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel (ARM) architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS. This update fixes vulnerabilities in OpenJDK 6 for armel (ARM) architectures for Ubuntu 10.10.\n\nOriginal advisory details:\n\nIt was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. 
A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. 
(CVE-2011-0706)", "published": "2011-03-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1079-3/", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-03-29T18:19:10"}, {"id": "USN-1079-1", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "It was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. 
(CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. (CVE-2011-0706)", "published": "2011-03-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1079-1/", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-03-29T18:18:40"}, {"id": "USN-1079-2", "type": "ubuntu", "title": "OpenJDK 6 vulnerabilities", "description": "USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel (ARM) architectures. This update provides the corresponding updates for OpenJDK 6 for use with the armel (ARM) architectures.\n\nIn order to build the armel (ARM) OpenJDK 6 update for Ubuntu 10.04 LTS, it was necessary to rebuild binutils and gcj-4.4 from Ubuntu 10.04 LTS updates.\n\nOriginal advisory details:\n\nIt was discovered that untrusted Java applets could create domain name resolution cache entries, allowing an attacker to manipulate name resolution within the JVM. (CVE-2010-4448)\n\nIt was discovered that the Java launcher did not did not properly setup the LD_LIBRARY_PATH environment variable. A local attacker could exploit this to execute arbitrary code as the user invoking the program. (CVE-2010-4450)\n\nIt was discovered that within the Swing library, forged timer events could allow bypass of SecurityManager checks. This could allow an attacker to access restricted resources. (CVE-2010-4465)\n\nIt was discovered that certain bytecode combinations confused memory management within the HotSpot JVM. 
This could allow an attacker to cause a denial of service through an application crash or possibly inject code. (CVE-2010-4469)\n\nIt was discovered that the way JAXP components were handled allowed them to be manipulated by untrusted applets. An attacker could use this to bypass XML processing restrictions and elevate privileges. (CVE-2010-4470)\n\nIt was discovered that the Java2D subcomponent, when processing broken CFF fonts could leak system properties. (CVE-2010-4471)\n\nIt was discovered that a flaw in the XML Digital Signature component could allow an attacker to cause untrusted code to replace the XML Digital Signature Transform or C14N algorithm implementations. (CVE-2010-4472)\n\nKonstantin Preisser and others discovered that specific double literals were improperly handled, allowing a remote attacker to cause a denial of service. (CVE-2010-4476)\n\nIt was discovered that the JNLPClassLoader class when handling multiple signatures allowed remote attackers to gain privileges due to the assignment of an inappropriate security descriptor. 
(CVE-2011-0706)", "published": "2011-03-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/1079-2/", "cvelist": ["CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4470", "CVE-2011-0706"], "lastseen": "2018-03-29T18:18:13"}], "suse": [{"id": "SUSE-SU-2011:0823-1", "type": "suse", "title": "Security update for IBM Java 1.4.2 (important)", "description": "IBM Java 1.4.2 SR13 for SAP fixes various bugs and the\n following security issues:\n\n * CVE-2010-4447\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447</a>\n >\n * CVE-2010-4448\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448</a>\n >\n * CVE-2010-4454\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454</a>\n >\n * CVE-2010-4462\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462</a>\n >\n * CVE-2010-4465\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465</a>\n >\n * CVE-2010-4466\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466</a>\n >\n * CVE-2010-4473\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473</a>\n >\n * CVE-2010-4475\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475</a>\n >\n * CVE-2010-4476\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476</a>\n >\n * CVE-2011-0311\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0311\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0311</a>\n >\n\n", "published": "2011-07-22T05:08:11", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00010.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4473", "CVE-2010-4476", "CVE-2010-4447", "CVE-2010-4466", "CVE-2011-0311"], "lastseen": "2016-09-04T12:14:44"}, {"id": "SUSE-SA:2011:024", "type": "suse", "title": "remote code execution in java-1_4_2-ibm", "description": "IBM Java 1.4.2 was updated to SR 13 Fix Pack 9, fixing bugs and security issues.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2011-05-13T13:10:27", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00004.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4473", "CVE-2010-4476", "CVE-2010-4447", "CVE-2010-4466", "CVE-2011-0311"], "lastseen": "2016-09-04T11:27:16"}, {"id": "SUSE-SA:2011:010", "type": "suse", "title": "remote code execution in java-1_6_0-sun", "description": "Sun Java 1.6 was updated to Update 24 fixing various bugs and security issues.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2011-02-22T14:41:11", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00005.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4468", "CVE-2010-4452", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4451", "CVE-2010-4422", "CVE-2010-4469", "CVE-2010-4450", "CVE-2010-4463", "CVE-2010-4473", "CVE-2010-4474", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-4447", "CVE-2010-4470", "CVE-2010-4467", "CVE-2010-4466"], "lastseen": "2016-09-04T11:41:42"}, {"id": "SUSE-SA:2011:014", "type": "suse", "title": "remote code execution in java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm", "description": "IBM Java 6 was updated to SR9 FP1 was updated to fix a critical security bug in float number handling and also contains other security bugfixes.\n#### Solution\nThere is no known workaround, please install the update packages.", "published": "2011-03-22T13:32:34", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2011-03/msg00003.html", "cvelist": ["CVE-2010-4475", "CVE-2010-4468", "CVE-2010-3557", "CVE-2010-3553", "CVE-2010-4452", "CVE-2010-4462", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-4454", "CVE-2010-4422", "CVE-2010-4463", "CVE-2010-3574", "CVE-2010-4473", "CVE-2010-3571", "CVE-2010-4476", "CVE-2010-4471", "CVE-2010-1321", "CVE-2010-4447", "CVE-2010-4467", "CVE-2010-4466"], "lastseen": "2016-09-04T12:32:47"}], "vmware": [{"id": "VMSA-2011-0013", "type": "vmware", "title": "VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX", "description": "a. ESX third party update for Service Console openssl RPM \nThe Service Console openssl RPM is updated to openssl-0.9.8e.12.el5_5.7 resolving two security issues. 
\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-7270 and CVE-2010-4180 to these issues. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "published": "2011-10-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2011-0013.html", "cvelist": ["CVE-2010-3562", "CVE-2010-4475", "CVE-2011-0865", "CVE-2010-2054", "CVE-2010-4468", "CVE-2010-3557", "CVE-2010-3563", "CVE-2010-3551", "CVE-2011-0802", "CVE-2010-3552", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-4452", "CVE-2010-4462", "CVE-2010-3566", "CVE-2010-4448", "CVE-2010-4465", "CVE-2010-3565", "CVE-2010-4180", "CVE-2010-4454", "CVE-2010-3572", "CVE-2010-4451", "CVE-2010-4422", "CVE-2010-4469", "CVE-2011-0002", "CVE-2010-4450", "CVE-2010-4463", "CVE-2010-3574", "CVE-2010-4473", "CVE-2010-4474", "CVE-2010-3541", "CVE-2011-0873", "CVE-2010-3571", "CVE-2010-3173", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-3560", "CVE-2010-3559", "CVE-2008-7270", "CVE-2011-0815", "CVE-2010-1321", "CVE-2010-3556", "CVE-2011-0867", "CVE-2010-3561", "CVE-2010-4447", "CVE-2010-3549", "CVE-2010-3554", "CVE-2010-3170", "CVE-2010-4470", "CVE-2010-3555", "CVE-2011-0864", "CVE-2010-3570", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-3548", "CVE-2010-4467", "CVE-2010-3568", "CVE-2011-0862", "CVE-2010-3558", "CVE-2010-4466", "CVE-2010-3569", "CVE-2011-0871", "CVE-2011-0814"], "lastseen": "2016-09-04T11:19:38"}], "oracle": [{"id": "ORACLE:CPUAPR2011-301950", "type": "oracle", "title": "cpuapr2011", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. 
Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 73 new security fixes across all product families listed below.\n", "published": "2011-04-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2011-0799", "CVE-2011-0412", "CVE-2011-0801", "CVE-2011-0808", "CVE-2011-0859", "CVE-2011-0856", "CVE-2011-0793", "CVE-2011-0791", "CVE-2010-4468", "CVE-2010-3450", "CVE-2011-0837", "CVE-2011-0787", "CVE-2011-0821", "CVE-2011-0812", "CVE-2011-0827", "CVE-2011-0805", "CVE-2011-0846", "CVE-2011-0824", "CVE-2011-0807", "CVE-2010-4452", "CVE-2011-0810", "CVE-2011-0790", "CVE-2010-4462", "CVE-2011-0851", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0803", "CVE-2011-0798", "CVE-2010-3689", "CVE-2011-0820", "CVE-2010-4454", "CVE-2011-0806", "CVE-2010-4253", "CVE-2011-0809", "CVE-2011-0789", "CVE-2011-0841", "CVE-2011-0861", "CVE-2010-3451", "CVE-2011-0795", "CVE-2010-4450", "CVE-2011-0834", "CVE-2011-0825", "CVE-2011-0823", "CVE-2011-0850", "CVE-2010-4473", "CVE-2011-0860", "CVE-2011-0828", "CVE-2011-0858", "CVE-2011-0847", "CVE-2009-3555", "CVE-2010-3454", "CVE-2010-4476", "CVE-2010-4472", "CVE-2011-0843", "CVE-2010-4471", "CVE-2011-0849", "CVE-2011-0800", "CVE-2011-0826", "CVE-2011-0840", "CVE-2011-0857", "CVE-2011-0792", "CVE-2011-0818", "CVE-2010-4643", "CVE-2011-0853", "CVE-2011-0794", "CVE-2010-3453", "CVE-2011-0836", "CVE-2011-0839", "CVE-2010-4470", "CVE-2011-0796", "CVE-2011-0833", "CVE-2011-0813", "CVE-2011-0804", "CVE-2011-0819", "CVE-2011-0844", "CVE-2011-0829", 
"CVE-2011-0855", "CVE-2011-0797", "CVE-2011-0411", "CVE-2011-0785", "CVE-2010-3452", "CVE-2011-0854"], "lastseen": "2018-04-18T20:24:09"}], "gentoo": [{"id": "GLSA-201111-02", "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "description": "### Background\n\nThe Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE) provide the Oracle Java platform (formerly known as Sun Java Platform). \n\n### Description\n\nMultiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below and the associated Oracle Critical Patch Update Advisory for details. \n\n### Impact\n\nA remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Oracle JDK 1.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/sun-jdk-1.6.0.29\"\n \n\nAll Oracle JRE 1.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/sun-jre-bin-1.6.0.29\"\n \n\nAll users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/emul-linux-x86-java-1.6.0.29\"\n \n\nNOTE: As Oracle has revoked the DLJ license for its Java implementation, the packages can no longer be updated automatically. 
This limitation is not present on a non-fetch restricted implementation such as dev-java/icedtea-bin.", "published": "2011-11-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201111-02", "cvelist": ["CVE-2010-3562", "CVE-2010-4475", "CVE-2011-0865", "CVE-2011-3557", "CVE-2010-4468", "CVE-2010-3557", "CVE-2011-3551", "CVE-2010-3563", "CVE-2011-3549", "CVE-2010-3551", "CVE-2011-0802", "CVE-2011-0868", "CVE-2010-3552", "CVE-2010-3553", "CVE-2010-3550", "CVE-2010-4452", "CVE-2011-3561", "CVE-2010-4462", "CVE-2010-3566", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0869", "CVE-2010-3565", "CVE-2011-0863", "CVE-2010-4454", "CVE-2010-3572", "CVE-2010-4451", "CVE-2011-3548", "CVE-2010-4422", "CVE-2011-3547", "CVE-2010-4469", "CVE-2011-3521", "CVE-2011-3389", "CVE-2010-4450", "CVE-2010-4463", "CVE-2010-3574", "CVE-2011-3544", "CVE-2011-3553", "CVE-2010-4473", "CVE-2010-4474", "CVE-2011-3516", "CVE-2010-3541", "CVE-2011-3558", "CVE-2011-0873", "CVE-2010-3571", "CVE-2011-3555", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2010-3560", "CVE-2010-3559", "CVE-2011-0815", "CVE-2011-3546", "CVE-2010-3556", "CVE-2011-3554", "CVE-2011-0867", "CVE-2010-3561", "CVE-2010-4447", "CVE-2010-3549", "CVE-2011-3556", "CVE-2010-3554", "CVE-2010-4470", "CVE-2011-3560", "CVE-2010-3555", "CVE-2011-0864", "CVE-2010-3570", "CVE-2011-3545", "CVE-2011-3552", "CVE-2010-3567", "CVE-2010-3573", "CVE-2010-3548", "CVE-2011-3550", "CVE-2010-4467", "CVE-2010-3568", "CVE-2011-0862", "CVE-2010-3558", "CVE-2010-4466", "CVE-2010-3569", "CVE-2011-0871", "CVE-2011-0814", "CVE-2011-0872"], "lastseen": "2016-09-06T19:47:03"}, {"id": "GLSA-201406-32", "type": "gentoo", "title": "IcedTea JDK: Multiple vulnerabilities", "description": "### Background\n\nIcedTea is a distribution of the Java OpenJDK source code built with free build tools. 
\n\n### Description\n\nMultiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll IcedTea JDK users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.3\"", "published": "2014-06-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201406-32", "cvelist": ["CVE-2012-5089", "CVE-2013-0426", "CVE-2013-2431", "CVE-2010-3562", "CVE-2013-2420", "CVE-2011-0865", "CVE-2013-2384", "CVE-2013-2415", "CVE-2012-1711", "CVE-2014-2397", "CVE-2013-1571", "CVE-2013-5782", "CVE-2011-3557", "CVE-2013-2417", "CVE-2013-1500", "CVE-2013-2448", "CVE-2010-3557", "CVE-2011-3551", "CVE-2013-4002", "CVE-2013-0401", "CVE-2012-5074", "CVE-2012-5073", "CVE-2013-0427", "CVE-2012-1725", "CVE-2013-2424", "CVE-2014-0457", "CVE-2013-5850", "CVE-2013-2407", "CVE-2013-5778", "CVE-2013-1478", "CVE-2013-2456", "CVE-2010-3551", "CVE-2011-0868", "CVE-2013-0428", "CVE-2014-0446", "CVE-2013-2436", "CVE-2013-2454", "CVE-2013-2470", "CVE-2013-1485", "CVE-2013-0169", "CVE-2010-3553", "CVE-2012-1719", "CVE-2014-1876", "CVE-2014-0458", "CVE-2013-0429", "CVE-2014-2427", "CVE-2011-3563", "CVE-2013-1475", "CVE-2013-2421", "CVE-2013-1518", "CVE-2013-0435", "CVE-2012-5087", "CVE-2013-0809", "CVE-2013-0442", "CVE-2010-3566", "CVE-2013-2452", "CVE-2013-2451", "CVE-2013-5842", "CVE-2010-4448", "CVE-2013-0431", "CVE-2010-4465", "CVE-2012-5085", "CVE-2012-4540", "CVE-2011-0869", "CVE-2010-3565", "CVE-2012-5076", "CVE-2013-5830", "CVE-2013-2473", 
"CVE-2013-6954", "CVE-2012-4416", "CVE-2012-5075", "CVE-2014-0453", "CVE-2013-1488", "CVE-2012-0424", "CVE-2013-0434", "CVE-2013-5784", "CVE-2013-5809", "CVE-2013-5802", "CVE-2013-5851", "CVE-2011-3548", "CVE-2012-5081", "CVE-2011-3547", "CVE-2013-5817", "CVE-2010-4469", "CVE-2012-0503", "CVE-2011-3521", "CVE-2013-0443", "CVE-2011-5035", "CVE-2013-2419", "CVE-2014-0461", "CVE-2012-1723", "CVE-2013-2463", "CVE-2011-3571", "CVE-2010-3860", "CVE-2011-3389", "CVE-2013-2469", "CVE-2014-0459", "CVE-2014-0456", "CVE-2010-4450", "CVE-2012-1726", "CVE-2013-2465", "CVE-2013-1537", "CVE-2014-0429", "CVE-2013-5806", "CVE-2010-3574", "CVE-2011-3544", "CVE-2013-5805", "CVE-2011-3553", "CVE-2013-0444", "CVE-2012-0506", "CVE-2013-0433", "CVE-2013-1480", "CVE-2013-5825", "CVE-2012-1717", "CVE-2013-2423", "CVE-2010-3541", "CVE-2013-5823", "CVE-2011-3558", "CVE-2014-2403", "CVE-2012-1713", "CVE-2013-2461", "CVE-2012-1716", "CVE-2009-3555", "CVE-2013-2429", "CVE-2013-5849", "CVE-2014-2412", "CVE-2010-2548", "CVE-2012-5086", "CVE-2013-2471", "CVE-2012-0497", "CVE-2012-5077", "CVE-2013-1486", "CVE-2013-1476", "CVE-2010-4476", "CVE-2010-4472", "CVE-2013-5780", "CVE-2010-4471", "CVE-2014-2421", "CVE-2012-5069", "CVE-2012-3216", "CVE-2014-0460", "CVE-2011-0870", "CVE-2011-0815", "CVE-2013-0432", "CVE-2012-0505", "CVE-2012-5084", "CVE-2012-1718", "CVE-2010-2783", "CVE-2013-2458", "CVE-2011-3554", "CVE-2013-0424", "CVE-2013-2459", "CVE-2013-0450", "CVE-2012-5071", "CVE-2013-5814", "CVE-2010-3561", "CVE-2011-0025", "CVE-2012-0501", "CVE-2010-3564", "CVE-2013-0440", "CVE-2013-2443", "CVE-2010-3549", "CVE-2012-3422", "CVE-2013-2446", "CVE-2011-3556", "CVE-2012-0547", "CVE-2013-5829", "CVE-2010-3554", "CVE-2013-5803", "CVE-2012-5072", "CVE-2013-2450", "CVE-2013-2472", "CVE-2014-2423", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-3560", "CVE-2013-1493", "CVE-2013-2444", "CVE-2013-2447", "CVE-2013-2457", "CVE-2010-4351", "CVE-2011-0864", "CVE-2013-2453", "CVE-2013-1557", "CVE-2013-2426", 
"CVE-2013-2455", "CVE-2013-2422", "CVE-2013-2383", "CVE-2013-0425", "CVE-2013-1484", "CVE-2011-3552", "CVE-2013-5774", "CVE-2012-1724", "CVE-2010-3567", "CVE-2010-3573", "CVE-2013-6629", "CVE-2012-5068", "CVE-2013-3829", "CVE-2013-0441", "CVE-2010-3548", "CVE-2011-0706", "CVE-2012-5979", "CVE-2012-0502", "CVE-2013-5783", "CVE-2010-4467", "CVE-2012-3423", "CVE-2013-5800", "CVE-2013-5820", "CVE-2013-5790", "CVE-2014-2398", "CVE-2010-3568", "CVE-2014-0451", "CVE-2013-1569", "CVE-2013-2412", "CVE-2014-0452", "CVE-2011-0862", "CVE-2013-2445", "CVE-2013-2430", "CVE-2013-2460", "CVE-2013-5840", "CVE-2014-2414", "CVE-2010-3569", "CVE-2011-0871", "CVE-2013-2449", "CVE-2011-0872", "CVE-2012-5070", "CVE-2013-5797", "CVE-2013-5804", "CVE-2013-5772"], "lastseen": "2016-09-06T19:46:20"}]}}