The post on http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ describes a (on first sight) trivial DoS when parsing strings into Java Double objects. However that code could likely occur in serialization routines, http header parsing and impair server availability. Runtime (java app hang): class runhang { public static void main(String[] args) { System.out.println("Test:"); double d = Double.parseDouble("2.2250738585072012e-308"); System.out.println("Value: " + d); } } DevTime (javac hang): class compilehang { public static void main(String[] args) { double d = 2.2250738585072012e-308; System.out.println("Value: " + d); } }
There is no bug in ecj. Running the native gcj version works fine. $ ecj CompileHang.java $ gij CompileHang Value: 2.225073858507201E-308 It's only broken when running on the broken JDK libraries.
Patch is now pubic: http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html
Assuming the discussion goes well, can you make sure this gets into the IcedTea6 branches (1.7, 1.8, 1.9) prior to the SSR on the 15th of February to ensure a timely release? Thanks.
Note that the work-around I commented has a typo it should be: +++ RewriteEngine On RewriteCond %{HTTP:Accept-Language} [0-9]{4,} RewriteRule .+ - [G] +++
The work-around is in Tomcat 6.0.32 and 7.0.8 and will be in 5.5.33, and has been worked around in the following commits: http://svn.apache.org/viewvc?rev=1066244&view=rev 7.0.x http://svn.apache.org/viewvc?rev=1066315&view=rev 6.0.x http://svn.apache.org/viewvc?rev=1066318&view=rev 5.5.x
*** Bug 675347 has been marked as a duplicate of this bug. ***
Oracle have fixed it: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
Would this be addressed for the java-1.6.0-sun in the supplementary-repo too? And when does 1.6.0_23 get released?
This issue has been addressed in following products: JBEAP 4.3.0 for RHEL 4 JBEAP 4.3.0 for RHEL 5 JBEAP 4.2.0 for RHEL 4 JBEAP 4.2.0 for RHEL 5 JBEAP 5 for RHEL 4 JBEAP 5 for RHEL 5 Via RHSA-2011:0210 https://rhn.redhat.com/errata/RHSA-2011-0210.html
This issue has been addressed in following products: JBEWP 5 for RHEL 4 JBEWP 5 for RHEL 5 Via RHSA-2011:0211 https://rhn.redhat.com/errata/RHSA-2011-0211.html
This issue has been addressed in following products: JBEAP 4.2.0 JBEAP 4.3.0 JBEAP 5 Via RHSA-2011:0212 https://rhn.redhat.com/errata/RHSA-2011-0212.html
This issue has been addressed in following products: JBEWP 5 Via RHSA-2011:0213 https://rhn.redhat.com/errata/RHSA-2011-0213.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2011:0214 https://rhn.redhat.com/errata/RHSA-2011-0214.html
(In reply to comment #32) > Would this be addressed for the java-1.6.0-sun in the supplementary-repo too? > And when does 1.6.0_23 get released? I am also interested in this info, as well when will the 1.6.0_24 update be released? This update will also fix the parseDouble bug and be released shortly by Oracle.
Oracle announced [1] that CVE-2010-4476 in Sun JDK will be fixed with next Critical Patch Update, scheduled for release on Feb 15th [2]. JDK 6u24 will then be made available in Red Hat Enterprise Linux 4 Extras and 5 and 6 Supplementary shortly after this release. [1] http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html [2] http://www.oracle.com/technetwork/topics/security/alerts-086861.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Extras for RHEL 4 Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Extras for RHEL 4 Via RHSA-2011:0292 https://rhn.redhat.com/errata/RHSA-2011-0292.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Extras for RHEL 4 Via RHSA-2011:0291 https://rhn.redhat.com/errata/RHSA-2011-0291.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Extras for RHEL 4 Via RHSA-2011:0290 https://rhn.redhat.com/errata/RHSA-2011-0290.html
This issue has been addressed in following products: RHEL 4 for SAP RHEL 5 for SAP RHEL 6 for SAP Via RHSA-2011:0299 https://rhn.redhat.com/errata/RHSA-2011-0299.html
This issue has been addressed in following products: JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 Via RHSA-2011:0333 https://rhn.redhat.com/errata/RHSA-2011-0333.html
This issue has been addressed in following products: JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 Via RHSA-2011:0334 https://rhn.redhat.com/errata/RHSA-2011-0334.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0335 https://rhn.redhat.com/errata/RHSA-2011-0335.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2011:0336 https://rhn.redhat.com/errata/RHSA-2011-0336.html
This issue has been addressed in following products: JBEWS 1.0 for RHEL 4 JBEWS 1.0 for RHEL 5 Via RHSA-2011:0348 https://rhn.redhat.com/errata/RHSA-2011-0348.html
This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 4 Via RHSA-2011:0349 https://rhn.redhat.com/errata/RHSA-2011-0349.html
This issue has been addressed in following products: JBoss Enterprise Web Server 1.0 Via RHSA-2011:0350 https://rhn.redhat.com/errata/RHSA-2011-0350.html
https://www.redhat.com/security/data/cve/CVE-2010-4476.html
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2011:0880 https://rhn.redhat.com/errata/RHSA-2011-0880.html