java-1_4_2-sun-jdbc: JDBC/ODBC bridge driver for java-1.4.2-sun ---------------------------------------------------------------------- Datei: java-1_4_2-sun-jdbc-1.4.2.16-0.1.i586.rpm Patchrpm: java-1_4_2-sun-jdbc-1.4.2.16-0.1.i586.patch.rpm Version: 1.4.2.16-0.1 Größe: 22 kB Patchgröße: 22 kB Datum: Don 11 Okt 2007 12:36:37 CEST Source: java-1_4_2-sun-1.4.2.16-0.1.src.rpm Security: Ja ---------------------------------------------------------------------- Beschreibung: Das Sun JAVA JDK 1.4.2 wurde auf Release 16 gebracht, die unter anderem folgende Sicherheitsprobleme behebt, aufgelistet in englisch: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1 CVE-2007-5232: Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections via a DNS rebinding attack. http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1 CVE-2007-5236: Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier, on Windows does not properly enfor ce access restrictions for untrusted applications, which allows user-assisted remote attackers to read local files via an untrusted applica tion. CVE-2007-5237: Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka "two vulnerabilities". CVE-2007-5238: Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to obtain sensitive information (the Java Web Start cache location) via an untrusted application, aka "three vulnerabilities." http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1 CVE-2007-5239: Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier does not properly enforce access restrictions for untrusted (1) applications and (2) applets, which allows user-assisted remote attackers to copy or rename arbitrary files when local users perform drag-and-drop operations from the untrusted application or applet window onto certain types of desktop applications. http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1 CVE-2007-5240: Visual truncation vulnerability in the Java Runtime Environment in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows remote attackers to circumvent display of the untrusted-code warning banner by creating a window larger than the workstation screen. http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1 CVE-2007-5273: Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used, allows remote attackers to violate the security model for an applet's outbound connections via a multi-pin DNS rebinding attack in which the applet download relies on DNS resolution on the proxy server, but the applet's socket operations rely on DNS resolution on the local machine, a different issue than CVE-2007-5274. CVE-2007-5274: Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows remote attackers to violate the security model for JavaScript outbound connections via a multi-pin DNS rebinding attack dependent on the LiveConnect API, in which JavaScript download relies on DNS resolution by the browser, but JavaScript socket operations rely on separate DNS resolution by a Java Virtual Machine (JVM), a different issue than CVE-2007-5273.