Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux Pro for Mac OS X Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repository (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 11 Sep 2012 11:11:28 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Florian Weimer <fweimer@...hat.com>,
        Oracle Security Team <secalert_us@...cle.com>
Subject: Re: CVE Request (minor) -- JVM: heap memory disclosure
 (possibly various JDKs)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/11/2012 03:18 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> an information disclosure flaw was found in the way certain Java
> Virtual Machines (JVM) used to initialize integer arrays (they have
> had nonzero elements right after the allocation in certain
> circumstances). An attacker could use this flaw to obtain
> potentially sensitive information.
> 
> References (including the reproducer, workaround and further
> details): [1]
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7196857 [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=856124
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 
> P.S.:  Issue brought to us by Florian Weimer, Red Hat Product
> Security Team (for case someone is tracking the initial reporter)
> 
> P.S#2: Oracle Security Team Cc-ed on this request too (to clarify 
> if CVE id has been assigned to this already or not).
> 

Please use CVE-2012-4416 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQT3DAAAoJEBYNRVNeJnmT6EoP/iTl5HN/lsfqOi83/7UiYXVA
MJyovSVnwWZ0Aqp0Ezw7AJei+VS0koiZAPy54I0ht4idSW2HDOFxH6mAbwAX2i7E
pr3SZecVLb+V9OQs09hShV8eik4lQ+YuHVo/Ag3Q29QSBbncHH1WxbwQhcdttoW3
W3Flwp7+z3cLhINHV1nMEufjwwgATBkM92h6/rM9wTZBDpW7yfE5mFWMUgL7fhxd
9B4H4NJqiARKJ4Tuk6I9UOTNtQxG4Gvrb/3nWY6vWVJjU7N7ti4pHUa6pEMnM35T
K6SYVQEeBgyLC5qxPQtbvYhjn8iT6NXkdtrDGlYXTeDBTqWJb5Mr6QnM4dbYZFfx
y5dFJWyHhxKuvNMQU3Xi5/ht3ta7gGHtWpAPz6LB0l6MXR35Pdiuhf5ZzEWvLCkl
jmtCK6WRcmcks6Bkseff/XDpdh7Fd9Pcot2XYOBxs4FkjV+Krqrmkf0DFemaxxO+
QEX1tRJlZY+2iwmlhfAoc3Msnid0yS4pMcDOvWwhwjkxeZ0BIkn8Vjvo+BaZt3uG
aQnr8GyveaXaF7xWwMmjUuoyo3WbeOlPo2C+go3MyUZbCLJsuRislJtPF4gDLrcr
NvzlKPZuZ5DBNKUD2eRhPMM4r8tBQ0Dn5jcsR8cFsx0D7h8u19lgUsREJP8sqPxF
aABJ8sMvexuvy7D0rrm9
=NGRD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ