SciLinux: CVE-2009-3555 Critical: java (jdk 1.6.0) SL4.x,
Summary
CVE-2010-0095 CVE-2010-0837 CVE-2010-0838 CVE-2010-0839 CVE-2010-0840 CVE-2010-0841 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 CVE-2010-0845 CVE-2010-0846 CVE-2010-0847 CVE-2010-0848 CVE-2010-0849

CVE-2009-3555 TLS: MITM attacks via session renegotiation
CVE-2010-0082 OpenJDK Loader-constraint table allows arrays instead of only the base-classes (6626217)
CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
CVE-2010-0093 OpenJDK System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
CVE-2010-0845 OpenJDK No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597)
CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
CVE-2010-0847 OpenJDK ImagingLib arbitrary code execution vulnerability (6914866)
CVE-2010-0846 JDK unspecified vulnerability in ImageIO component
CVE-2010-0849 JDK unspecified vulnerability in Java2D component
CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component
CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities
CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component
CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component

This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the "Oracle Java SE and Java for Business Critical Patch Update Advisory" page, listed in the References section. (CVE-2009-3555, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849)

For the CVE-2009-3555 issue, this update disables renegotiation in the Java Secure Socket Extension (JSSE) component. Unsafe renegotiation can be re-enabled using the sun.security.ssl.allowUnsafeRenegotiation property.

All running instances of Sun Java must be restarted for the update to take effect.
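
An added example, not part of the original advisory or of any vendor tooling: POSIX shell functions that flag running JVMs started with sun.security.ssl.allowUnsafeRenegotiation set to true, either on the command line or through the JAVA_TOOL_OPTIONS environment variable. The function names and the /proc-based approach are assumptions for a Linux host.

```sh
#!/bin/sh
# Added example (hypothetical helper names): audit JVM start-up options for
# the property that re-enables unsafe TLS renegotiation (CVE-2009-3555).
PROP='sun.security.ssl.allowUnsafeRenegotiation'

# Reads one JVM argument per line on stdin. Prints "unsafe" if any line sets
# the property to true (any letter case), otherwise "ok". Any occurrence is
# flagged, which is deliberately conservative for an audit.
check_args() {
    result=ok
    while IFS= read -r arg || [ -n "$arg" ]; do
        case "$arg" in
            "-D$PROP="*)
                value=$(printf '%s' "${arg#*=}" | tr '[:upper:]' '[:lower:]')
                if [ "$value" = true ]; then result=unsafe; fi
                ;;
        esac
    done
    echo "$result"
}

# Checks one process directory (e.g. /proc/1234): the NUL-separated command
# line, plus options injected through JAVA_TOOL_OPTIONS in the environment.
# Unreadable files (other users' processes) are skipped silently.
check_proc_dir() {
    {
        tr '\0' '\n' < "$1/cmdline"
        tr '\0' '\n' < "$1/environ" |
            sed -n 's/^JAVA_TOOL_OPTIONS=//p' | tr ' ' '\n'
    } 2>/dev/null | check_args
}

# Walks /proc and reports every process that re-enables unsafe renegotiation.
scan_running_jvms() {
    for dir in /proc/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        if [ "$(check_proc_dir "$dir")" = unsafe ]; then
            echo "PID ${dir#/proc/}: unsafe renegotiation re-enabled"
        fi
    done
}
```

Run `scan_running_jvms` as root so that every process's environment is readable. The check covers start-up options only; a property set from application code at run time is not visible in /proc.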