Summary
Ubuntu Update for Linux kernel vulnerabilities USN-1010-1
Solution
Please Install the Updated Packages.
Insight
Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session. USN-923-1 disabled SSL/TLS renegotiation by default
this update implements
the TLS Renegotiation Indication Extension as defined in RFC 5746, and thus supports secure renegotiation between updated clients and servers. (CVE-2009-3555)
It was discovered that the HttpURLConnection class did not validate request headers set by java applets, which could allow an attacker to trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3541)
It was discovered that JNDI could leak information that would allow an attacker to to access information about otherwise-protected internal network names. (CVE-2010-3548)
It was discovered that HttpURLConnection improperly handled the "
chunked"
transfer encoding method, which could allow attackers to conduct HTTP response splitting attacks. (CVE-2010-3549)
It was discovered that the NetworkInterface class improperly checked the network "
connect"
permissions for local network
addresses. This could allow an attacker to read local network addresses. (CVE-2010-3551)
It was discovered that UIDefault.ProxyLazyValue had unsafe reflection usage, allowing an attacker to create objects. (CVE-2010-3553)
It was discovered that multiple flaws in the CORBA reflection implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects. (CVE-2010-3554)
It was discovered that unspecified flaws in the Swing library could allow untrusted applications to modify the behavior and state of certain JDK classes. (CVE-2010-3557)
It was discovered that the privileged accept method of the ServerSocket class in the CORBA implementation allowed it to receive connections from any host, instead of just the host of the current connection.
An attacker could use this flaw to bypass restrictions defined by network permissions. (CVE-2010-3561)
It was discovered that there exists a double free in java's indexColorModel that could allow an attacker to cause an applet or application to crash, or possibly execute arbitrary code with the privilege of the user running the java applet or application. (CVE-2010-3562)
It was discovered that the Kerberos implementation improperly checked AP-REQ requests ...
Description truncated, for more information please check the Reference URL
Affected
openjdk-6, openjdk-6b18 vulnerabilities on Ubuntu 8.04 LTS , Ubuntu 9.10 ,
Ubuntu 10.04 LTS
References
Updated on 2015-03-25
Severity
Classification
-
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities