Explore top 10 tips to secure your open-source projects now. Read More
×
Date: Wed, 15 Feb 2012 08:20:51 -0600 Reply-To: Pat RieheckySender: Security Errata for Scientific Linux From: Pat Riehecky Organization: Fermilab Subject: Informative Announcement for SL4.x Less Than 2 weeks End Of Life Notice MIME-Version: 1.0 In accordance with our Upstream Vendor's Errata Support Policy, the regular life-cycle of Scientific Linux 4 will end in February 2012. After this date, The Upstream Vendor will discontinue the regular update services. We must follow them in this matter. Therefore, new bug fix, enhancement, and security errata updates will no longer be available for Scientific Linux 4 after the End of Life date. They will not be providing updates and so we cannot provide them. Anyone still running production workloads on Scientific Linux 4 are advised to begin upgrading to Scientific Linux 5 or 6. Upstream recommends a reinstall and not an upgrade. Please be advised that we also believe that a clean reinstall is the preferred method for moving from Scientific Linux 4 to a newer version. We will continue to provide updates as they become available to us for Scientific Linux 4 for the remaining few weeks. Again, this is a reminder of the coming end of life for Scientific Linux 4 at the end of February 2012. - Scientific Linux Development Team Date: Wed, 15 Feb 2012 09:16:46 -0600 Reply-To: This email address is being protected from spambots. You need JavaScript enabled to view it. Sender: Security Errata for Scientific LinuxFrom: This email address is being protected from spambots. You need JavaScript enabled to view it. Subject: Security ERRATA Critical: java-1.6.0-openjdk on SL6.x i386/x86_64 Comments: To:This email address is being protected from spambots. You need JavaScript enabled to view it. Synopsis: Critical: java-1.6.0-openjdk security update Issue Date: 2012-02-14 CVE Numbers: CVE-2011-5035 CVE-2012-0501 CVE-2012-0503 CVE-2011-3571 CVE-2011-3563 CVE-2012-0502 CVE-2012-0505 CVE-2012-0506 CVE-2012-0497 These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. SL6: i386 java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-1.43.1.10.6.el6_2.i686.rpm x86_64 java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.43.1.10.6.el6_2.x86_64.rpm - Scientific Linux Development Team