Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 528
Alerts This Week
Warning Icon 1 528

SciLinux: Important Update for java-1.6.0-openjdk SL5.x i386/x86_64

Scientific Large Esm H446
Important: java-1.6.0-openjdk security update
Date: Tue, 28 Feb 2012 10:33:32 -0600
Reply-To: This email address is being protected from spambots. You need JavaScript enabled to view it.
Sender: Security Errata for Scientific Linux
 
From: This email address is being protected from spambots. You need JavaScript enabled to view it.
Subject: Security ERRATA Important: java-1.6.0-openjdk on SL5.x i386/x86_64
Comments: To: This email address is being protected from spambots. You need JavaScript enabled to view it.

Synopsis: Important: java-1.6.0-openjdk security update
Issue Date: 2012-02-21
CVE Numbers: CVE-2011-5035
 CVE-2012-0501
 CVE-2012-0503
 CVE-2011-3571
 CVE-2011-3563
 CVE-2012-0502
 CVE-2012-0505
 CVE-2012-0506
 CVE-2012-0497

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

It was discovered that Java2D did not properly check graphics rendering
objects before passing them to the native renderer. Malicious input, or an
untrusted Java application or applet could use this flaw to crash the Java
Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497)

It was discovered that the exception thrown on deserialization failure did
not always contain a proper identification of the cause of the failure. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions. (CVE-2012-0505)

The AtomicReferenceArray class implementation did not properly check if
the array was of the expected Object[] type. A malicious Java application
or applet could use this flaw to bypass Java sandbox restrictions.
(CVE-2011-3571)

It was discovered that the use of TimeZone.setDefault() was not restricted
by the SecurityManager, allowing an untrusted Java application or applet to
set a new default time zone, and hence bypass Java sandbox restrictions.
(CVE-2012-0503)

The HttpServer class did not limit the number of headers read from HTTP
requests. A remote attacker could use this flaw to make an application
using HttpServer use an excessive amount of CPU time via a
specially-crafted request. This update introduces a header count limit
controlled using the sun.net.httpserver.maxReqHeaders property. The default
value is 200. (CVE-2011-5035)

The Java Sound component did not properly check buffer boundaries.
Malicious input, or an untrusted Java application or applet could use this
flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion
of its memory. (CVE-2011-3563)

A flaw was found in the AWT KeyboardFocusManager that could allow an
untrusted Java application or applet to acquire keyboard focus and possibly
steal sensitive information. (CVE-2012-0502)

It was discovered that the CORBA (Common Object Request Broker
Architecture) implementation in Java did not properly protect repository
identifiers on certain CORBA objects. This could have been used to modify
immutable object data. (CVE-2012-0506)

An off-by-one flaw, causing a stack overflow, was found in the unpacker for
ZIP files. A specially-crafted ZIP archive could cause the Java Virtual
Machine (JVM) to crash when opened. (CVE-2012-0501)

This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

SL5:
 i386
 java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
 java-1.6.0-openjdk-debuginfo-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
 java-1.6.0-openjdk-demo-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
 java-1.6.0-openjdk-devel-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
 java-1.6.0-openjdk-javadoc-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
 java-1.6.0-openjdk-src-1.6.0.0-1.25.1.10.6.el5_8.i386.rpm
 x86_64
 java-1.6.0-openjdk-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
 java-1.6.0-openjdk-debuginfo-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
 java-1.6.0-openjdk-demo-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
 java-1.6.0-openjdk-devel-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
 java-1.6.0-openjdk-javadoc-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm
 java-1.6.0-openjdk-src-1.6.0.0-1.25.1.10.6.el5_8.x86_64.rpm

- Scientific Linux Development Team