Bug 711687 (CVE-2011-0786, CVE-2011-0788, CVE-2011-0817, CVE-2011-0866)

Summary: CVE-2011-0786 CVE-2011-0788 CVE-2011-0817 CVE-2011-0866 Oracle JDK: unspecified vulnerabilities fixed in 6u26 (Deployment, JRE)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: ahughes, aph, dbhole, jvanek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-08 07:33:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2011-06-08 07:33:29 UTC 
Update 26 of Oracle/Sun Java fixes multiple unspecified vulnerabilities in the Deployment and JRE components.  Upstream has CVSSv2 scored these issues as:

CVE-2011-0786 Deployment 7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C
CVE-2011-0788 Deployment 7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C
CVE-2011-0817 Deployment 10/AV:N/AC:L/Au:N/C:C/I:C/A:C
CVE-2011-0866 JRE 7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C

http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

Upstream advisory lists these issues as only affecting JRE/JDK versions running on Windows platform.  Versions for Linux should not be affected.
Comment 1 Tomas Hoger 2011-06-09 07:43:44 UTC 
ZDI has published an advisory for CVE-2011-0817:

Oracle Java IE Browser Plugin Corrupted Window Procedure Hook Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-182/