Red Hat Satellite 5.8: RHSA-2018:2713-01 Moderate: IBM Java Security Issues

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-ibm security update
Advisory ID:       RHSA-2018:2713-01
Product:           Red Hat Satellite
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2713
Issue date:        2018-09-17
CVE Names:         CVE-2016-0705 CVE-2017-3732 CVE-2017-3736 
                   CVE-2018-1517 CVE-2018-1656 CVE-2018-2940 
                   CVE-2018-2952 CVE-2018-2973 CVE-2018-12539 
====================================================================
1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 5.8 (RHEL v.6) - s390x, x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP20.

Security Fix(es):

* IBM JDK: privilege escalation via insufficiently restricted access to
Attach API (CVE-2018-12539)

* openssl: BN_mod_exp may produce incorrect results on x86_64
(CVE-2017-3732)

* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

* IBM JDK: DoS in the java.math component (CVE-2018-1517)

* IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
(CVE-2018-1656)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (Libraries) (CVE-2018-2940)

* OpenJDK: insufficient index validation in PatternSyntaxException
getMessage() (Concurrency, 8199547) (CVE-2018-2952)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (JSSE) (CVE-2018-2973)

* OpenSSL: Double-free in DSA code (CVE-2016-0705)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the OpenSSL project for reporting
CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the
original reporter of CVE-2016-0705.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For this update to take effect, Red Hat Satellite must be restarted
("/usr/sbin/rhn-satellite restart"). All running instances of IBM Java must
be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code
1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64
1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE)
1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries)
1618767 - CVE-2018-12539 IBM JDK: privilege escalation via insufficiently restricted access to Attach API
1618869 - CVE-2018-1656 IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
1618871 - CVE-2018-1517 IBM JDK: DoS in the java.math component

6. Package List:

Red Hat Satellite 5.8 (RHEL v.6):

s390x:
java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm

x86_64:
java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2016-0705
https://access.redhat.com/security/cve/CVE-2017-3732
https://access.redhat.com/security/cve/CVE-2017-3736
https://access.redhat.com/security/cve/CVE-2018-1517
https://access.redhat.com/security/cve/CVE-2018-1656
https://access.redhat.com/security/cve/CVE-2018-2940
https://access.redhat.com/security/cve/CVE-2018-2952
https://access.redhat.com/security/cve/CVE-2018-2973
https://access.redhat.com/security/cve/CVE-2018-12539
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW5/AHdzjgjWX9erEAQg+hw//WsJgqQK6ShvKh5dX3ZPyw3BHMfK4arEn
2jBp1g/+/V/JW3aBb2DJ77NXT4gMGKk5ZdiAon1rkopTAylhrdRfYGHCV5MXNPvC
3KkhP14cjT7nus7j9AGpVmskw4RuqZgTiKvzf2bei9aMUXL/HAW8neh/nKXANDnS
WRWkGiGa1cqVdyrJLEqLMcU0JJJO3ogqTwkuH+PpdeQA51EBTA5ABv6h3ENzg62c
zHXPVZJonThECAVTuUNFutLNcM6fwIXHbnfgfHE3iPz8bZC3GF2xkcgcjJ+1twZI
MYJmZDfFjp1nRWXAuS+uyuVXVkgVhaIwhzog52A7mMzV+xVz/eCoaeUkP3bYmAKl
V/EpN8zhtCoUHYooUyOZ5OcKF6HqWLXqDnH4TEweNgJtBHRfr4jJCnmeD/w7Zj0Y
BVmmRZpF+8HrUO0CfF8iDYTwmB/0vnL1n4gnffZhKI9BRa5nV7ywfOXynRhvHIzz
lXuyxsQs4FAeJd3REqDixtptt68Zq4IL0m69q+i78/4MrNz7PpD7E5P5/Kn8UOls
wUAO8g2gHo1YORiBtsoggYrM2ida+k0lDYhxoPJkovD4YDjZIhIHqW7JsDZEKSeZ
OBRnahsduks5GtZ27xYd0sTsHHHXr5LCYSJQr7UXGIJg3DnzfzNOTPwCGgDSu8Hl
y4syJsg6LbE=Ter6
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.

Red Hat Satellite 5.8: RHSA-2018:2713-01 Moderate: IBM Java Security Issues

red hat

September 17, 2018

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For this update to take effect, Red Hat Satellite must be restarted ("/usr/sbin/rhn-satellite restart"). All running instances of IBM Java must be restarted for this update to take effect.

Summary

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR5-FP20.
Security Fix(es):
* IBM JDK: privilege escalation via insufficiently restricted access to Attach API (CVE-2018-12539)
* openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* IBM JDK: DoS in the java.math component (CVE-2018-1517)
* IBM JDK: path traversal flaw in the Diagnostic Tooling Framework (CVE-2018-1656)
* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940)
* OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952)
* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973)
* OpenSSL: Double-free in DSA code (CVE-2016-0705)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.

Topics Covered

security advisory security issue moderate threat Java update IBM Java Red Hat Satellite

References

https://access.redhat.com/security/cve/CVE-2016-0705 https://access.redhat.com/security/cve/CVE-2017-3732 https://access.redhat.com/security/cve/CVE-2017-3736 https://access.redhat.com/security/cve/CVE-2018-1517 https://access.redhat.com/security/cve/CVE-2018-1656 https://access.redhat.com/security/cve/CVE-2018-2940 https://access.redhat.com/security/cve/CVE-2018-2952 https://access.redhat.com/security/cve/CVE-2018-2973 https://access.redhat.com/security/cve/CVE-2018-12539 https://access.redhat.com/security/updates/classification#moderate

Package List

Red Hat Satellite 5.8 (RHEL v.6):
s390x: java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm
x86_64: java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

Advisory ID: RHSA-2018:2713-01

Product: Red Hat Satellite

Advisory URL: https://access.redhat.com/errata/RHSA-2018:2713

Issue date: 2018-09-17

Topic

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics Covered

security advisory security issue moderate threat Java update IBM Java Red Hat Satellite

Relevant Releases Architectures

Red Hat Satellite 5.8 (RHEL v.6) - s390x, x86_64

Bugs Fixed

1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code

1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64

1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64

1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)

1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE)

1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries)

1618767 - CVE-2018-12539 IBM JDK: privilege escalation via insufficiently restricted access to Attach API

1618869 - CVE-2018-1656 IBM JDK: path traversal flaw in the Diagnostic Tooling Framework

1618871 - CVE-2018-1517 IBM JDK: DoS in the java.math component

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Red Hat Satellite 5.8: RHSA-2018:2713-01 Moderate: IBM Java Security Issues

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Red Hat Satellite 5.8: RHSA-2018:2713-01 Moderate: IBM Java Security Issues

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Red Hat Satellite 5.8: RHSA-2018:2713-01 Moderate: IBM Java Security Issues

Topics Covered

Search Advisories & Updates

Recent Searches

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Red Hat Satellite 5.8: RHSA-2018:2713-01 Moderate: IBM Java Security Issues

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!