Alerts This Week
Warning Icon 1 681
Alerts This Week
Warning Icon 1 681

Red Hat 5: RHSA-2012:1222-01 Important: OpenJDK Security Update

Calendar Sep 03, 2012 User Avatar LinuxSecurity Advisories
3 - 6 min read
Redhat Large Esm H500
Topics%20covered

Topics Covered

security advisory security issue Red Hat update DoS important java
Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-openjdk security update
Advisory ID:       RHSA-2012:1222-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2012:1222.html
Issue date:        2012-09-03
CVE Names:         CVE-2012-0547 CVE-2012-1682 
====================================================================
1. Summary:

Updated java-1.6.0-openjdk packages that fix two security issues are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

It was discovered that the Beans component in OpenJDK did not perform
permission checks properly. An untrusted Java application or applet could
use this flaw to use classes from restricted packages, allowing it to
bypass Java sandbox restrictions. (CVE-2012-1682)

A hardening fix was applied to the AWT component in OpenJDK, removing
functionality from the restricted SunToolkit class that was used in
combination with other flaws to bypass Java sandbox restrictions.
(CVE-2012-0547)

This erratum also upgrades the OpenJDK package to IcedTea6 1.10.9. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

846709 - Kerberos auth failing to work in openjdk due to two upstream bugs
853097 - CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)
853228 - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:

i386:
java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:

i386:
java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://access.redhat.com/security/cve/CVE-2012-0547
https://access.redhat.com/security/cve/CVE-2012-1682
https://access.redhat.com/security/updates/classification/#important
https://www.oracle.com/security-alerts/alert-cve-2012-4681.html

8. Contact:

The Red Hat security contact is .  More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFQRKx0XlSAg2UNWIIRAvYLAKDDSO9dy44uzKkJIqo3l4S1J0T6lgCdHkqG
XqkxJT8OdIpLqE4b/b5pAGg=96Z2
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.
https://

Red Hat 5: RHSA-2012:1222-01 Important: OpenJDK Security Update

red hat
Calendar Grey September 3, 2012
Dist Redhat Esm H88
Essential upgrade for java-1.6.0-openjdk in Red Hat, resolving significant security vulnerabilities linked to CVE identifiers.
Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258

Summary

These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.
It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions. (CVE-2012-1682)
A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions. (CVE-2012-0547)
This erratum also upgrades the OpenJDK package to IcedTea6 1.10.9. Refer to the NEWS file, linked to in the References, for further information.
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

Topics%20covered

Topics Covered

security advisory security issue Red Hat update DoS important java

References

https://access.redhat.com/security/cve/CVE-2012-0547 https://access.redhat.com/security/cve/CVE-2012-1682 https://access.redhat.com/security/updates/classification/#important https://www.oracle.com/security-alerts/alert-cve-2012-4681.html

Package List

Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
i386: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
x86_64: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
i386: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.28.1.10.9.el5_8.i386.rpm
x86_64: java-1.6.0-openjdk-1.6.0.0-1.28.1.10.9.el5_8.x86_64.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2012:1222-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2012:1222.html
Issue date: 2012-09-03

Topic

Updated java-1.6.0-openjdk packages that fix two security issues are nowavailable for Red Hat Enterprise Linux 5.The Red Hat Security Response Team has rated this update as havingimportant security impact. Common Vulnerability Scoring System (CVSS) basescores, which give detailed severity ratings, are available for eachvulnerability from the CVE links in the References section.

Topics%20covered

Topics Covered

security advisory security issue Red Hat update DoS important java

Relevant Releases Architectures

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

Bugs Fixed

846709 - Kerberos auth failing to work in openjdk due to two upstream bugs

853097 - CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)

853228 - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here