Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 516
Alerts This Week
Warning Icon 1 516

Critical Security Alert: CVE-2011-5035 for Scientific Linux Java 1.6.0

Scientific Large Esm H446
Critical: java-1.6.0-openjdk security update
Date: Wed, 15 Feb 2012 08:20:51 -0600
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Organization: Fermilab
Subject: Informative Announcement for SL4.x Less Than 2 weeks End Of Life
 Notice
MIME-Version: 1.0

In accordance with our Upstream Vendor's Errata Support Policy, the
regular life-cycle of Scientific Linux 4 will end in February 2012.

After this date, The Upstream Vendor will discontinue the regular update
services. We must follow them in this matter. Therefore, new bug fix,
enhancement, and security errata updates will no longer be available for
Scientific Linux 4 after the End of Life date. They will not be
providing updates and so we cannot provide them.

Anyone still running production workloads on Scientific Linux 4 are
advised to begin upgrading to Scientific Linux 5 or 6. Upstream
recommends a reinstall and not an upgrade. Please be advised that we
also believe that a clean reinstall is the preferred method for moving
from Scientific Linux 4 to a newer version.

We will continue to provide updates as they become available to us for
Scientific Linux 4 for the remaining few weeks.

Again, this is a reminder of the coming end of life for Scientific
Linux 4 at the end of February 2012.

- Scientific Linux Development Team
Date: Wed, 15 Feb 2012 09:16:46 -0600
Reply-To: This email address is being protected from spambots. You need JavaScript enabled to view it.
Sender: Security Errata for Scientific Linux
 
From: This email address is being protected from spambots. You need JavaScript enabled to view it.
Subject: Security ERRATA Critical: java-1.6.0-openjdk on SL6.x i386/x86_64
Comments: To: This email address is being protected from spambots. You need JavaScript enabled to view it.

Synopsis: Critical: java-1.6.0-openjdk security update
Issue Date: 2012-02-14
CVE Numbers: CVE-2011-5035
 CVE-2012-0501
 CVE-2012-0503
 CVE-2011-3571
 CVE-2011-3563
 CVE-2012-0502
 CVE-2012-0505
 CVE-2012-0506
 CVE-2012-0497

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

It was discovered that Java2D did not properly check graphics rendering
objects before passing them to the native renderer. Malicious input, or an
untrusted Java application or applet could use this flaw to crash the Java
Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497)

It was discovered that the exception thrown on deserialization failure did
not always contain a proper identification of the cause of the failure. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions. (CVE-2012-0505)

The AtomicReferenceArray class implementation did not properly check if
the array was of the expected Object[] type. A malicious Java application
or applet could use this flaw to bypass Java sandbox restrictions.
(CVE-2011-3571)

It was discovered that the use of TimeZone.setDefault() was not restricted
by the SecurityManager, allowing an untrusted Java application or applet to
set a new default time zone, and hence bypass Java sandbox restrictions.
(CVE-2012-0503)

The HttpServer class did not limit the number of headers read from HTTP
requests. A remote attacker could use this flaw to make an application
using HttpServer use an excessive amount of CPU time via a
specially-crafted request. This update introduces a header count limit
controlled using the sun.net.httpserver.maxReqHeaders property. The default
value is 200. (CVE-2011-5035)

The Java Sound component did not properly check buffer boundaries.
Malicious input, or an untrusted Java application or applet could use this
flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion
of its memory. (CVE-2011-3563)

A flaw was found in the AWT KeyboardFocusManager that could allow an
untrusted Java application or applet to acquire keyboard focus and possibly
steal sensitive information. (CVE-2012-0502)

It was discovered that the CORBA (Common Object Request Broker
Architecture) implementation in Java did not properly protect repository
identifiers on certain CORBA objects. This could have been used to modify
immutable object data. (CVE-2012-0506)

An off-by-one flaw, causing a stack overflow, was found in the unpacker for
ZIP files. A specially-crafted ZIP archive could cause the Java Virtual
Machine (JVM) to crash when opened. (CVE-2012-0501)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

SL6:
 i386
 java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm
 java-1.6.0-openjdk-debuginfo-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm
 java-1.6.0-openjdk-demo-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm
 java-1.6.0-openjdk-devel-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm
 java-1.6.0-openjdk-javadoc-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm
 java-1.6.0-openjdk-src-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm
 x86_64
 java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm
 java-1.6.0-openjdk-debuginfo-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm
 java-1.6.0-openjdk-demo-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm
 java-1.6.0-openjdk-devel-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm
 java-1.6.0-openjdk-javadoc-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm
 java-1.6.0-openjdk-src-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm

- Scientific Linux Development Team