Bug 533205 (CVE-2009-3864)

Summary: CVE-2009-3864 java-1.5.0-sun, java-1.6.0-sun: Updates availability notification system failure (6869694)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bressers, langel, mschoene, rcvalle, security-response-team, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-04-09 20:56:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2009-11-05 16:13:22 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3864 to
the following vulnerability:

The Java Update functionality in Java Runtime Environment (JRE) in Sun
Java SE in JDK and JRE 5.0 before Update 22 and JDK and JRE 6 before
Update 17, when a non-English version of Windows is used, does not
retrieve available new JRE versions, which allows remote attackers to
leverage vulnerabilities in older releases of this software, aka Bug
Id 6869694. 

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3864 
http://java.sun.com/javase/6/webnotes/6u17.html 
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1 
http://www.securityfocus.com/bid/36881 
http://secunia.com/advisories/37231 
http://www.vupen.com/english/advisories/2009/3131
Comment 1 Jan Lieskovsky 2009-11-05 16:38:28 UTC 
This issue does not affect the versions of the java-1.5.0-sun package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue does not affect the versions of the java-1.6.0-sun package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This flaw only affects the JDK when running on the Windows platform.