Security Alert For CVE-2010-4476 Released

The official Java 6 binaries update 24 are available from Oracle. Oracle claims that CVE-2010-4476 is fixed in it.
I guess it is time for Ubuntu to create packages from it ASAP.

http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html

Sorry for the bad assigned. I uploaded in Natty (I did that in Debian yesterday). I don't know if you want to upload in maverick or not ?!

Well it is needed for Maverick and Lucid as well.
Affects Karmic, Hardy and even Dapper which are supported but not from partner repository.

CVE-2010-4476 is about a bug whereby inputting "2.2250738585072014e-308" or variations of it [1] to the java.lang.Double.parseDouble(String) method causes it to enter an infinite loop; control is not returned to the calling thread.

This bug can be used to cause remote unauthenticated denial of service on long-running servers by way of CPU time exhaustion and/or causing all threads of an application server's thread pool to enter infinite loops and becoming unable to service requests.

As Doki explained in comment #3, Ubuntu Lucid and Maverick are affected by the vulnerability caused by this bug. I also added Affects: openjdk-6, since the current version in Lucid (6b20-1.9.5-0ubuntu1~10.04.1) is affected.

Oracle has released a fix for this bug in the OpenJDK codebase [2].

[1] http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ (HTML)
[2] http://hg.openjdk.java.net/jdk7/tl/jdk/rev/82c8c54ac1d5 (patch)

Grrrrr, I am bored by the bloody permissions (I wished Ubuntu implemented dynamic "per package upload" for DD...)
"The signer of this package has no upload rights to this distribution's primary archive. Did you mean to upload to a PPA?"

Using sun-java6_6.24-1.dsc from:
http://ftp.de.debian.org/debian/pool/non-free/s/sun-java6/
will do it.

@Sylvestre Ledru
sun-java6 is in the partner repository since Lucid, so only a few individuals can actually upload it.

Thanks Sylvestre, I'll see about getting you upload rights for sun-java6 in Partner; I'm just not sure we have such fine grained control there or not. In the meantime, I will grab your package and test it on Lucid+ tomorrow and push it to Jamie S. for review. The work is much appreciated!

Brian, the hardy and karmic packages need to be backported to a non-source format v3 package as this was only first supported in Lucid: https://bugs.launchpad.net/launchpad/+bug/293106/comments/9

Lucid and Maverick now have packages in partner.

Hardy and Karmic updates are building in the security PPA.

Brian, will you be providing an update for natty in partner?

Partner for Natty is empty now, (we don't do migrations there until Beta 1)
but yes, I'll make sure the newer version is copied over at that time.

On Wed, Feb 23, 2011 at 1:35 PM, Jamie Strandboge <email address hidden> wrote:

> Brian, will you be providing an update for natty in partner?
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/716689
>
> Title:
> Security Alert For CVE-2010-4476 Released
>

This bug was fixed in the package sun-java6 - 6.24-1build0.9.10.1

---------------
sun-java6 (6.24-1build0.9.10.1) karmic-security; urgency=low

  * Fake sync from Debian (LP: #716689)
  * Removed debian/source dir reverting back to 1.0 packaging format as
    3.0 (quilt) isn't available prior to Lucid
 -- Brian Thomason <email address hidden> Mon, 21 Feb 2011 15:42:33 -0500

This bug was fixed in the package sun-java6 - 6.24-1build0.8.04.1

---------------
sun-java6 (6.24-1build0.8.04.1) hardy-security; urgency=low

  * Fake sync from Debian (LP: #716689)
  * Removed debian/source dir reverting back to 1.0 packaging format as
    3.0 (quilt) isn't available prior to Lucid
 -- Brian Thomason <email address hidden> Mon, 21 Feb 2011 15:42:33 -0500

For openjdk-6, USN 1079-1 was published: http://www.ubuntu.com/usn/usn-1079-1

According to the changelog of the version of sun-java6 in Natty:
 * https://launchpad.net/ubuntu/+source/sun-java6/6.24-1build0.10.10.1

This bug should be fix-released for Natty. Updating accordingly.

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures'

Please feel free to report any other bugs you may find.