[Thermostat-announce] [SECURITY UPDATE] Thermostat 1.0.6 update released!

Jon VanAlten jvanalte at redhat.com
Tue Dec 16 20:08:46 UTC 2014


Hi all,

Despite "retiring" the 1.0 branch, we've decided to put out one more
release, because we've had to fix a vulnerability affecting 1.0.4 (and
earlier) users.

We highly recommend that all users of earlier versions update to this
release.  It contains no incompatible changes from any of the 1.0-series
releases.

The vulnerability is effectively a privilege escalation issue.  It does
require user access to the machine running the Thermostat agent; it is
not exploitable remotely.  From the CVE:

"It was discovered that, in certain configurations, the Thermostat agent
disclosed JMX management URLs of all local Java virtual machines to any local
user. A local, unprivileged user could use this flaw to escalate their
privileges on the system."

It may take some time to be published, but more information should
appear soon at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8120

This release can be downloaded from:

http://icedtea.classpath.org/download/thermostat/thermostat-1.0.6.tar.gz
http://icedtea.classpath.org/download/thermostat/thermostat-1.0.6.tar.gz.md5

Special thanks to Elliott Baron for discovering, and fixing, this issue.

Please see below for project information.  If you have tried out Thermostat
and have constructive feedback for us, if you are a Java developer and have
specific use cases not handled yet by Thermostat, or if you would like to
contribute to the core of Thermostat or by trying out our plugin API, we
would especially like to hear from you via mailing list or IRC.

URL:           http://icedtea.classpath.org/thermostat
Mailing list:  http://icedtea.classpath.org/mailman/listinfo/thermostat
Repository:    http://icedtea.classpath.org/hg/thermostat
IRC:           #thermostat on irc.freenode.com
