SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Java Runtime Environment (JRE) Vendors:   Sun
(Apple Issues Fix for OS X) Oracle Java Runtime Environment (JRE) Lets Remote Users Decrypt SSL/TLS Traffic
SecurityTracker Alert ID:  1026296
SecurityTracker URL:  http://securitytracker.com/id/1026296
CVE Reference:   CVE-2011-3389   (Links to External Site)
Date:  Nov 9 2011
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): JDK and JRE 7; JDK and JRE 6 Update 27 and prior; JDK and JRE 5.0 Update 31 and prior; SDK and JRE 1.4.2_33 and prior
Description:   A vulnerability was reported in Java Runtime Environment (JRE). A remote user can decrypt SSL/TLS sessions in certain cases.

A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.

Thai Duong and Juliano Rizzo reported this vulnerability.
Impact:   A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.
Solution:   Apple has issued a fix (Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: be0ac75b8bac967f1d39a94ebf9482a61fb7d70b

For Mac OS X v10.7 systems
The download file is named: JavaForMacOSX10.7.dmg
Its SHA-1 digest is: 7768e6aeb5adaa638c74d4c04150517ed99fed20

The Apple advisory is available at:

http://support.apple.com/kb/HT5045
Vendor URL:  www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html (Links to External Site)
Cause:   Access control error
Underlying OS:   UNIX (OS X)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 19 2011 Oracle Java Runtime Environment (JRE) Lets Remote Users Decrypt SSL/TLS Traffic


 Source Message Contents
Date:  Wed, 09 Nov 2011 01:37:04 +0000
Subject:  http://support.apple.com/kb/HT5045


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2011-11-08-1 Java for Mac OS X 10.7 Update 1 and Java for Mac
OS X 10.6 Update 6

Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6
are now available and address the following:

Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
Mac OS X v10.7.2, Mac OS X Server v10.7.2
Impact: Multiple vulnerabilities in Java 1.6.0_26
Description: Multiple vulnerabilities exist in Java 1.6.0_26, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_29.
Further information is available via the Java website at
http://java.sun.com/javase/6/webnotes/ReleaseNotes.html
CVE-ID
CVE-2011-3389
CVE-2011-3521
CVE-2011-3544
CVE-2011-3545
CVE-2011-3546
CVE-2011-3547
CVE-2011-3548
CVE-2011-3549
CVE-2011-3551
CVE-2011-3552
CVE-2011-3553
CVE-2011-3554
CVE-2011-3556
CVE-2011-3557
CVE-2011-3558
CVE-2011-3560
CVE-2011-3561

Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6
may be obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: be0ac75b8bac967f1d39a94ebf9482a61fb7d70b

For Mac OS X v10.7 systems
The download file is named: JavaForMacOSX10.7.dmg
Its SHA-1 digest is: 7768e6aeb5adaa638c74d4c04150517ed99fed20

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iQEcBAEBAgAGBQJOuZNKAAoJEGnF2JsdZQeece8H/1I98YQ1LF4iDD442zB+WjZP
2Vxd3euXYwySD6qDCYNLJ0hUKu90c/4nr5d5rRH3xYdBzAHuZG39m069lpN1UZIW
t5ube+j9zjiejnXlPbAgq+vIAg22nu0EdxhOOZZeQOoEYqyoKhXNCt3fR+tzo3o4
mN/LWMO1NwrM0sGDPuUGs2TWdPZbC4QJJz4Z4S+FsTlujYh9MRd3dyxLBIg7BKCL
wgnFdpFW8bPmVdiTj91pC0Gb3XtolQxexXGHsdI15KeFMbQ06nKV/AyvxMF8O5jS
D089GEHE52NAQCZ0YJ6TJsisrGqTZZ77js55cPU259FogxEKKBuwfdFbn4qVeD8=
=4KBF
-----END PGP SIGNATURE-----


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC