What Are You Looking For?

Sign Up
Date:         Mon, 12 Apr 2010 16:18:58 -0500
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Critical: java (jdk 1.6.0) on SL4.x,
              SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Critical: java (jdk 1.6.0) security update
Issue date:	2010-03-31
CVE Names:	CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
                   CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
                   CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
                   CVE-2010-0092 CVE-2010-0093 CVE-2010-0094
                   CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
                   CVE-2010-0839 CVE-2010-0840 CVE-2010-0841
                   CVE-2010-0842 CVE-2010-0843 CVE-2010-0844
                   CVE-2010-0845 CVE-2010-0846 CVE-2010-0847
                   CVE-2010-0848 CVE-2010-0849


CVE-2009-3555 TLS: MITM attacks via session renegotiation
CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of 
only the base-classes (6626217)
CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. 
(6633872)
CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged 
information before drop action occurs(6887703)
CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR 
error (6888149)
CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements 
beyond Integer.MAX_VALUE bytes (6892265)
CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects 
should enforce stricter checks (6893947)
CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly 
interpret network addresses (6893954)
CVE-2010-0845 OpenJDK  No ClassCastException for HashAttributeSet 
constructors if run with -Xcomp (6894807)
CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability 
(6899653)
CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege 
Escalation Vulnerability (6904691)
CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow 
Vulnerability (6909597)
CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability 
(6914866)
CVE-2010-0846 JDK unspecified vulnerability in ImageIO component
CVE-2010-0849 JDK unspecified vulnerability in Java2D component
CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component
CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple 
unspecified vulnerabilities
CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component
CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component

This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. Further
information about these flaws can be found on the "Oracle Java SE and 
Java for Business Critical Patch Update Advisory" page, listed in the
References section. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084,
CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, 
CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, 
CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, 
CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, 
CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846,
CVE-2010-0847, CVE-2010-0848, CVE-2010-0849)

For the CVE-2009-3555 issue, this update disables renegotiation in the 
Java Secure Socket Extension (JSSE) component. Unsafe renegotiation can 
be re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property.

All running instances of Sun Java must be restarted for the update to 
take effect.

SL 4.x

      SRPMS:
java-1.6.0-sun-compat-1.6.0.19-1.sl4.jpp.src.rpm
      i386:
java-1.6.0-sun-compat-1.6.0.19-1.sl4.jpp.i586.rpm
jdk-1.6.0_19-fcs.i586.rpm
      x86_64:
java-1.6.0-sun-compat-1.6.0.19-1.sl4.jpp.i586.rpm
jdk-1.6.0_19-fcs.i586.rpm

SL 5.x

      SRPMS:
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.src.rpm
      i386:
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.i586.rpm
jdk-1.6.0_19-fcs.i586.rpm
      x86_64:
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.i586.rpm
java-1.6.0-sun-compat-1.6.0.19-1.sl5.jpp.x86_64.rpm
jdk-1.6.0_19-fcs.i586.rpm
jdk-1.6.0_19-fcs.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2009-3555 Critical: java (jdk 1.6.0) SL4.x,

Critical: java (jdk 1.6.0) security update

Summary

CVE-2010-0095 CVE-2010-0837 CVE-2010-0838CVE-2010-0839 CVE-2010-0840 CVE-2010-0841CVE-2010-0842 CVE-2010-0843 CVE-2010-0844CVE-2010-0845 CVE-2010-0846 CVE-2010-0847CVE-2010-0848 CVE-2010-0849CVE-2009-3555 TLS: MITM attacks via session renegotiationCVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead ofonly the base-classes (6626217)CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains.(6633872)CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)CVE-2010-0091 OpenJDK Unsigned applet can retrieve the draggedinformation before drop action occurs(6887703)CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERRerror (6888149)CVE-2010-0093 OpenJDK System.arraycopy unable to reference elementsbeyond Integer.MAX_VALUE bytes (6892265)CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objectsshould enforce stricter checks (6893947)CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectlyinterpret network addresses (6893954)CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSetconstructors if run with -Xcomp (6894807)CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability(6899653)CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining PrivilegeEscalation Vulnerability (6904691)CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer OverflowVulnerability (6909597)CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability(6914866)CVE-2010-0846 JDK unspecified vulnerability in ImageIO componentCVE-2010-0849 JDK unspecified vulnerability in Java2D componentCVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin componentCVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multipleunspecified vulnerabilitiesCVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin componentCVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin componentThis update fixes several vulnerabilities in the Sun Java 6 RuntimeEnvironment and the Sun Java 6 Software Development Kit. Furtherinformation about these flaws can be found on the "Oracle Java SE andJava for Business Critical Patch Update Advisory" page, listed in theReferences section. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084,CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089,CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093,CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838,CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842,CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846,CVE-2010-0847, CVE-2010-0848, CVE-2010-0849)For the CVE-2009-3555 issue, this update disables renegotiation in theJava Secure Socket Extension (JSSE) component. Unsafe renegotiation canbe re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property.All running instances of Sun Java must be restarted for the update totake effect.



Security Fixes

Severity
Issued Date: : 2010-03-31
CVE Names: CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
CVE-2010-0092 CVE-2010-0093 CVE-2010-0094

Related News

Nitrux 3.2.0 Linux Distro Released with Enhanced Security and New Features

Nov 28, 2023

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 25, 2023

LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

Nov 25, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024

About Us

Powered By

Footer Logo