On Mon, Mar 10, 2008 at 2:56 PM, Andrew Haley <aph@xxxxxxxxxx> wrote: > Given thaht we don't know what vulnerabilities were described in the > notification, the answer must be no. Unless someone on this list > has some idea what vulnerabilities you're talking about... Copying from the US-CERT notice: Overview Sun has released alerts to address multiple vulnerabilities affecting the Sun Java Runtime Environment. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code. I. Description The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Sun has released updates to the Java Runtime Environment software to address multiple vulnerabilities. Further details about these vulnerabilities are available in the US-CERT Vulnerability Notes Database. Sun released the following alerts to address these issues: * 233321 Two Security Vulnerabilities in the Java Runtime Environment Virtual Machine * 233322 Security Vulnerability in the Java Runtime Environment With the Processing of XSLT Transformations * 233323 Multiple Security Vulnerabilities in Java Web Start May Allow an Untrusted Application to Elevate Privileges * 233324 A Security Vulnerability in the Java Plug-in May Allow an Untrusted Applet to Elevate Privileges * 233325 Vulnerabilties in the Java Runtime Environment image Parsing Library * 233326 Security Vulnerability in the Java Runtime Environment May Allow Untrusted JavaScript Code to Elevate Privileges Through Java APIs * 233327 Buffer Overflow Vulnerability in Java Web Start May Allow an Untrusted Application to Elevate its Privileges II. Impact The impacts of these vulnerabilities vary. The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code. -- mike