PublicDate: 2008-08-01 14:41:00 UTC
Candidate: CVE-2008-3440
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3440
Description:
 Sun Java 1.6.0_03 and earlier versions, and possibly later versions, does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.
Ubuntu-Description:
Notes:
 mdeslaur> AFAICT, sun-java5, sun-java6 and openjdk-6 don't do auto-updates
 mdeslaur> Debian marked this CVE as Windows-only (java updater for Windows)
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_sun-java6:
upstream_sun-java6: needs-triage
dapper_sun-java6: DNE
feisty_sun-java6: needed (reached end-of-life)
gutsy_sun-java6: not-affected (6-03-0ubuntu2)
hardy_sun-java6: not-affected (6-06-0ubuntu1)
intrepid_sun-java6: not-affected (6-10-0ubuntu2)
devel_sun-java6: not-affected (6-11-0ubuntu1)

Patches_sun-java5:
upstream_sun-java5: needs-triage
dapper_sun-java5: needed
feisty_sun-java5: needed (reached end-of-life)
gutsy_sun-java5: not-affected (1.5.0-13-0ubuntu1)
hardy_sun-java5: not-affected (1.5.0-15-0ubuntu1)
intrepid_sun-java5: not-affected (1.5.0-16-3)
devel_sun-java5: not-affected (1.5.0-17-0ubuntu1)

Patches_openjdk-6:
upstream_openjdk-6: needs-triage
dapper_openjdk-6: DNE
feisty_openjdk-6: DNE
gutsy_openjdk-6: DNE
hardy_openjdk-6: not-affected (6b09-0ubuntu2)
intrepid_openjdk-6: not-affected (6b12-0ubuntu6)
devel_openjdk-6: not-affected (6b14-0ubuntu3)