SciLinux: CVE-2009-2409 Critical: java (jdk 1.6.0) SL4.x,
Summary
Date: Mon, 16 Nov 2009 15:29:16 -0600Reply-To: Troy DawsonSender: Security Errata for Scientific Linux From: Troy Dawson Subject: Security ERRATA Critical: java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov" Synopsis: Critical: java (jdk 1.6.0) security updateIssue date: 2009-11-09CVE Names: CVE-2009-2409 CVE-2009-3728 CVE-2009-3729 CVE-2009-3865 CVE-2009-3866 CVE-2009-3867 CVE-2009-3868 CVE-2009-3869 CVE-2009-3871 CVE-2009-3872 CVE-2009-3873 CVE-2009-3874 CVE-2009-3875 CVE-2009-3876 CVE-2009-3877 CVE-2009-3879 CVE-2009-3880 CVE-2009-3881 CVE-2009-3882 CVE-2009-3883 CVE-2009-3884 CVE-2009-3886CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968)CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357)CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358)CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643)CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533)CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650)CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026,6657138)CVE-2009-3880 OpenJDK UI logging information leakage(6664512)CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057)CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265)CVE-2009-3729 JRE TrueType font parsing crash (6815780)CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969)CVE-2009-3886 JRE REGRESSION:have problem to run JNLP app and applets with signed Jar files (6870531)CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752)CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start Installer (6872824)CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303)CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due improper color profiles parsing (6862970)This update fixes several vulnerabilities in the Sun Java 6 RuntimeEnvironment and the Sun Java 6 Software Development Kit. Thesevulnerabilities are summarized on the "Advance notification of SecurityUpdates for Java SE" page from Sun Microsystems, listed in the References section. (CVE-2009-2409, CVE-2009-3728, CVE-2009-3729, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,CVE-2009-3883, CVE-2009-3884, CVE-2009-3886)All running instances of Sun Java must be restarted for the update to take effect.SL 4.x SRPMS:java-1.6.0-sun-compat-1.6.0.17-1.sl4.jpp.src.rpm i386:java-1.6.0-sun-compat-1.6.0.17-1.sl4.jpp.i586.rpmjdk-1.6.0_17-fcs.i586.rpm x86_64:java-1.6.0-sun-compat-1.6.0.17-1.sl4.jpp.i586.rpmjdk-1.6.0_17-fcs.i586.rpmSL 5.x SRPMS:java-1.6.0-sun-compat-1.6.0.17-3.sl5.jpp.src.rpm i386:java-1.6.0-sun-compat-1.6.0.17-3.sl5.jpp.i586.rpmjdk-1.6.0_17-fcs.i586.rpm x86_64:-Connie Sieh-Troy Dawson