CVE-2008-3440

Publication date 1 August 2008

Last updated 24 July 2024

Ubuntu priority

Description

Sun Java 1.6.0_03 and earlier versions, and possibly later versions, does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openjdk-6	8.10 intrepid	Not affected
	8.04 LTS hardy	Not affected
	7.10 gutsy	Not in release
	7.04 feisty	Not in release
	6.06 LTS dapper	Not in release
sun-java5	8.10 intrepid	Not affected
	8.04 LTS hardy	Not affected
	7.10 gutsy	Not affected
	7.04 feisty	Ignored end of life, was needed
	6.06 LTS dapper	Ignored end of life, was needed
sun-java6	8.10 intrepid	Not affected
	8.04 LTS hardy	Not affected
	7.10 gutsy	Not affected
	7.04 feisty	Ignored end of life, was needed
	6.06 LTS dapper	Not in release

Notes

mdeslaur

AFAICT, sun-java5, sun-java6 and openjdk-6 don't do auto-updates Debian marked this CVE as Windows-only (java updater for Windows)

References

Other references

https://www.cve.org/CVERecord?id=CVE-2008-3440