Date:         Mon, 12 Apr 2010 16:18:58 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Critical: java (jdk 1.6.0) on SL4.x,
              SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Critical: java (jdk 1.6.0) security update
Issue date:	2010-03-31
CVE Names:	CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
                   CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
                   CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
                   CVE-2010-0092 CVE-2010-0093 CVE-2010-0094
                   CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
                   CVE-2010-0839 CVE-2010-0840 CVE-2010-0841
                   CVE-2010-0842 CVE-2010-0843 CVE-2010-0844
                   CVE-2010-0845 CVE-2010-0846 CVE-2010-0847
                   CVE-2010-0848 CVE-2010-0849


CVE-2009-3555 TLS: MITM attacks via session renegotiation
CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of 
only the base-classes (6626217)
CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. 
(6633872)
CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged 
information before drop action occurs(6887703)
CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR 
error (6888149)
CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements 
beyond Integer.MAX_VALUE bytes (6892265)
CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects 
should enforce stricter checks (6893947)
CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly 
interpret network addresses (6893954)
CVE-2010-0845 OpenJDK  No ClassCastException for HashAttributeSet 
constructors if run with -Xcomp (6894807)
CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability 
(6899653)
CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege 
Escalation Vulnerability (6904691)
CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow 
Vulnerability (6909597)
CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability 
(6914866)
CVE-2010-0846 JDK unspecified vulnerability in ImageIO component
CVE-2010-0849 JDK unspecified vulnerability in Java2D component
CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component
CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple 
unspecified vulnerabilities
CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component
CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component

This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. Further
information about these flaws can be found on the "Oracle Java SE and 
Java for Business Critical Patch Update Advisory" page, listed in the
References section. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084,
CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, 
CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, 
CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, 
CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, 
CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846,
CVE-2010-0847, CVE-2010-0848, CVE-2010-0849)

For the CVE-2009-3555 issue, this update disables renegotiation in the 
Java Secure Socket Extension (JSSE) component. Unsafe renegotiation can 
be re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property.

All running instances of Sun Java must be restarted for the update to 
take effect.

SL 4.x

      SRPMS:
java-1.6.0-sun-compat-1.6.0.19-1.sl4.jpp.src.rpm
      i386:
java-1.6.0-sun-compat-1.6.0.19-1.sl4.jpp.i586.rpm
jdk-1.6.0_19-fcs.i586.rpm
      x86_64:
java-1.6.0-sun-compat-1.6.0.19-1.sl4.jpp.i586.rpm
jdk-1.6.0_19-fcs.i586.rpm

SL 5.x

      SRPMS:
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.src.rpm
      i386:
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.i586.rpm
jdk-1.6.0_19-fcs.i586.rpm
      x86_64:
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.i586.rpm
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.x86_64.rpm
jdk-1.6.0_19-fcs.i586.rpm
jdk-1.6.0_19-fcs.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2009-3555 Critical: java (jdk 1.6.0) SL4.x,

Critical: java (jdk 1.6.0) security update

Summary

CVE-2010-0095 CVE-2010-0837 CVE-2010-0838CVE-2010-0839 CVE-2010-0840 CVE-2010-0841CVE-2010-0842 CVE-2010-0843 CVE-2010-0844CVE-2010-0845 CVE-2010-0846 CVE-2010-0847CVE-2010-0848 CVE-2010-0849CVE-2009-3555 TLS: MITM attacks via session renegotiationCVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead ofonly the base-classes (6626217)CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains.(6633872)CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)CVE-2010-0091 OpenJDK Unsigned applet can retrieve the draggedinformation before drop action occurs(6887703)CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERRerror (6888149)CVE-2010-0093 OpenJDK System.arraycopy unable to reference elementsbeyond Integer.MAX_VALUE bytes (6892265)CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objectsshould enforce stricter checks (6893947)CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectlyinterpret network addresses (6893954)CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSetconstructors if run with -Xcomp (6894807)CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability(6899653)CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining PrivilegeEscalation Vulnerability (6904691)CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer OverflowVulnerability (6909597)CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability(6914866)CVE-2010-0846 JDK unspecified vulnerability in ImageIO componentCVE-2010-0849 JDK unspecified vulnerability in Java2D componentCVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin componentCVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multipleunspecified vulnerabilitiesCVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin componentCVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin componentThis update fixes several vulnerabilities in the Sun Java 6 RuntimeEnvironment and the Sun Java 6 Software Development Kit. Furtherinformation about these flaws can be found on the "Oracle Java SE andJava for Business Critical Patch Update Advisory" page, listed in theReferences section. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084,CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089,CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093,CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838,CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842,CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846,CVE-2010-0847, CVE-2010-0848, CVE-2010-0849)For the CVE-2009-3555 issue, this update disables renegotiation in theJava Secure Socket Extension (JSSE) component. Unsafe renegotiation canbe re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property.All running instances of Sun Java must be restarted for the update totake effect.



Security Fixes

Severity
Issued Date: : 2010-03-31
CVE Names: CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
CVE-2010-0092 CVE-2010-0093 CVE-2010-0094

Related News

19.Laptop Bed Esm H320
2 - 3 min read
The release of Google Chrome 124 addresses four vulnerabilities, including a critical security flaw that can enable attackers to execute arbitrary
23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved