APPLE-SA-2010-10-20-2 Java for Mac OS X 10.5 Update 8
Posted on 20 October 2010
Apple Security-announce

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2010-10-20-2 Java for Mac OS X 10.5 Update 8

Java for Mac OS X 10.5 Update 8 is now available and addresses the
following:

Java
CVE-ID: CVE-2009-3555, CVE-2010-1321
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in Java 1.6.0_20
Description: Multiple vulnerabilities exist in Java 1.6.0_20, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_22.
Further information is available via the Java website at
http://java.sun.com/javase/6/webnotes/ReleaseNotes.html

Java
CVE-ID: CVE-2009-3555, CVE-2010-1321
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in Java 1.5.0_24
Description: Multiple vulnerabilities exist in Java 1.5.0_24, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.5.0_26.
Further information is available via the Java website at
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Java
CVE-ID: CVE-2010-1826
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: A local user may be able to execute arbitrary code with the
privileges of another user who runs a Java application
Description: A command injection issue exists in updateSharingD's
handling of Mach RPC messages. A local user may be able to execute
arbitrary code with the privileges of another user who runs a Java
application. This issue is addressed by implementing a per-user Java
shared archive. This issue only affects the Mac OS X implementation
of Java. Credit to Dino Dai Zovi for reporting this issue.

Java
CVE-ID: CVE-2010-1827
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Visiting a web page containing a maliciously crafted Java
applet tag may lead to an unexpected application termination or
arbitrary code execution with the privileges of the current user
Description: A memory corruption issue exists in Java's handling of
applet window bounds. Visiting a web page containing a maliciously
crafted Java applet tag may lead to an unexpected application
termination or arbitrary code execution with the privileges of the
current user. This issue is addressed through improved validation of
window bounds. This issue only affects the Mac OS X implementation of
Java.

Java for Mac OS X 10.5 Update 8 may be obtained from the Software
Update pane in System Preferences, or Apple's Software Downloads
web site: http://www.apple.com/support/downloads/

The download file is named: JavaForMacOSX10.5Update8.dmg
Its SHA-1 digest is: 19058d949c9cd4a09e932a5ede4186686632fc4b

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/