
Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories


Red Hat Enterprise Linux 8: RHSA-2020-4305-01 Java 11 OpenJDK Security Fix

Red Hat Security Advisory

Synopsis: Moderate: java-11-openjdk security and bug fix update
Advisory ID: RHSA-2020:4305-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4305
Issue date: 2020-10-22
CVE Names: CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792 CVE-2020-14796 CVE-2020-14797 CVE-2020-14803

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990) (CVE-2020-14781)
* OpenJDK: Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995) (CVE-2020-14782)
* OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114) (CVE-2020-14792)
* OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685) (CVE-2020-14797)
* OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136) (CVE-2020-14803)
* OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862) (CVE-2020-14779)
* OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* "java-11-openjdk-headless" scriptlet failed during RHEL7 > RHEL8 upgrade transaction (BZ#1871709)
* java-11-openjdk property java.vendor is "N/A" (BZ#1873390)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1871709 - "java-11-openjdk-headless" scriptlet failed during RHEL7 > RHEL8 upgrade transaction [rhel-8.2.0.z]
1873390 - java-11-openjdk property java.vendor is "N/A" [rhel-8.2.0.z]
1889271 - CVE-2020-14779 OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862)
1889274 - CVE-2020-14781 OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990)
1889280 - CVE-2020-14792 OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114)
1889290 - CVE-2020-14782 OpenJDK: Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995)
1889697 - CVE-2020-14796 OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680)
1889717 - CVE-2020-14797 OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)
1889895 - CVE-2020-14803 OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
java-11-openjdk-11.0.9.11-0.el8_2.src.rpm

aarch64:
java-11-openjdk-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-debuginfo-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-debugsource-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-demo-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-devel-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-headless-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-javadoc-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-javadoc-zip-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-jmods-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-src-11.0.9.11-0.el8_2.aarch64.rpm
java-11-openjdk-static-libs-11.0.9.11-0.el8_2.aarch64.rpm

ppc64le:
java-11-openjdk-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-debugsource-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-demo-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-devel-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-headless-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-javadoc-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-jmods-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-src-11.0.9.11-0.el8_2.ppc64le.rpm
java-11-openjdk-static-libs-11.0.9.11-0.el8_2.ppc64le.rpm

s390x:
java-11-openjdk-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-debuginfo-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-debugsource-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-demo-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-devel-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-headless-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-javadoc-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-jmods-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-src-11.0.9.11-0.el8_2.s390x.rpm
java-11-openjdk-static-libs-11.0.9.11-0.el8_2.s390x.rpm

x86_64:
java-11-openjdk-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-debuginfo-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-debugsource-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-demo-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-devel-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-headless-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-javadoc-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-jmods-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-src-11.0.9.11-0.el8_2.x86_64.rpm
java-11-openjdk-static-libs-11.0.9.11-0.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2020-14779
https://access.redhat.com/security/cve/CVE-2020-14781
https://access.redhat.com/security/cve/CVE-2020-14782
https://access.redhat.com/security/cve/CVE-2020-14792
https://access.redhat.com/security/cve/CVE-2020-14796
https://access.redhat.com/security/cve/CVE-2020-14797
https://access.redhat.com/security/cve/CVE-2020-14803
https://access.redhat.com/security/updates/classification#moderate

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2020 Red Hat, Inc.

Java 11 OpenJDK security patches affect Red Hat Enterprise Linux 8, introducing essential bug resolutions and moderate risk vulnerabilities.

Java OpenJDK, Red Hat Enterprise Linux, Security Update, Bug Fixes.

LinuxSecurity.com Team

Oct 22, 2020 Red Hat

Update SUSE-SU-2020:1572-1 for java-11-openjdk in SUSE Linux 12-SP5

SUSE Security Update: Security update for java-11-openjdk

Announcement ID: SUSE-SU-2020:1572-1
Rating: moderate
References: #1167462 #1169511
Cross-References: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 CVE-2020-2830
Affected Products: SUSE Linux Enterprise Server 12-SP5

An update that fixes 13 vulnerabilities is now available.

Description:

This update for java-11-openjdk fixes the following issues:

Java was updated to jdk-11.0.7+10 (April 2020 CPU, bsc#1169511).

Security issues fixed:

- CVE-2020-2754: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2755: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2756: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).
- CVE-2020-2757: Fixed an object deserialization issue that could have resulted in denial of service via crafted serialized input (bsc#1169511).
- CVE-2020-2767: Fixed an incorrect handling of certificate messages during TLS handshakes (bsc#1169511).
- CVE-2020-2773: Fixed the incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() (bsc#1169511).
- CVE-2020-2778: Fixed the incorrect handling of SSLParameters in setAlgorithmConstraints(), which could have been abused to override the defined systems security policy and lead to the use of weak crypto algorithms (bsc#1169511).
- CVE-2020-2781: Fixed the incorrect re-use of single null TLS sessions (bsc#1169511).
- CVE-2020-2800: Fixed an HTTP header injection issue caused by mishandling of CR/LF in header values (bsc#1169511).
- CVE-2020-2803: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2805: Fixed a boundary check and type check issue that could have led to a sandbox bypass (bsc#1169511).
- CVE-2020-2816: Fixed an incorrect handling of application data packets during TLS handshakes (bsc#1169511).
- CVE-2020-2830: Fixed an incorrect handling of regular expressions that could have resulted in denial of service (bsc#1169511).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 12-SP5:

  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-1572=1

Package List:

- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

  java-11-openjdk-11.0.7.0-3.9.2
  java-11-openjdk-debuginfo-11.0.7.0-3.9.2
  java-11-openjdk-debugsource-11.0.7.0-3.9.2
  java-11-openjdk-demo-11.0.7.0-3.9.2
  java-11-openjdk-devel-11.0.7.0-3.9.2
  java-11-openjdk-headless-11.0.7.0-3.9.2

References:

https://www.suse.com/security/cve/CVE-2020-2754.html
https://www.suse.com/security/cve/CVE-2020-2755.html
https://www.suse.com/security/cve/CVE-2020-2756.html
https://www.suse.com/security/cve/CVE-2020-2757.html
https://www.suse.com/security/cve/CVE-2020-2767.html
https://www.suse.com/security/cve/CVE-2020-2773.html
https://www.suse.com/security/cve/CVE-2020-2778.html
https://www.suse.com/security/cve/CVE-2020-2781.html
https://www.suse.com/security/cve/CVE-2020-2800.html
https://www.suse.com/security/cve/CVE-2020-2803.html
https://www.suse.com/security/cve/CVE-2020-2805.html
https://www.suse.com/security/cve/CVE-2020-2816.html
https://www.suse.com/security/cve/CVE-2020-2830.html
https://bugzilla.suse.com/1167462
https://bugzilla.suse.com/1169511

Red Hat Security Advisory: python-3.9 addresses several vulnerabilities, including potential remote exploits and enhances overall system protection.

SUSE Security Update, Java OpenJDK, Vulnerability Fix, Server Security.

LinuxSecurity.com Team

Jun 09, 2020 SuSE

Red Hat Enterprise Linux 7 Security Advisory: RHSA-2020:0541-01 Important

Red Hat Security Advisory

Synopsis: Important: java-1.7.0-openjdk security update
Advisory ID: RHSA-2020:0541-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0541
Issue date: 2020-02-18
CVE Names: CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659

1. Summary:

An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951) (CVE-2020-2601)
* OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422) (CVE-2020-2604)
* OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352) (CVE-2020-2590)
* OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization issues (Networking, 8228548) (CVE-2020-2593)
* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)
* OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909) (CVE-2020-2583)
* OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795) (CVE-2020-2659)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1790444 - CVE-2020-2583 OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909)
1790556 - CVE-2020-2590 OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352)
1790570 - CVE-2020-2601 OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951)
1790884 - CVE-2020-2593 OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization issues (Networking, 8228548)
1790944 - CVE-2020-2604 OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
1791284 - CVE-2020-2659 OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.el7_7.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.el7_7.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.src.rpm

ppc64:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm
java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm
java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm

ppc64le:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm
java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm
java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm

s390x:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.s390x.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.s390x.rpm
java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.s390x.rpm
java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.s390x.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.el7_7.noarch.rpm

ppc64:
java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm
java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm
java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.ppc64.rpm

ppc64le:
java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm
java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm
java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.ppc64le.rpm

s390x:
java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.s390x.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.s390x.rpm
java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.s390x.rpm
java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.s390x.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.el7_7.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.el7_7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-2583
https://access.redhat.com/security/cve/CVE-2020-2590
https://access.redhat.com/security/cve/CVE-2020-2593
https://access.redhat.com/security/cve/CVE-2020-2601
https://access.redhat.com/security/cve/CVE-2020-2604
https://access.redhat.com/security/cve/CVE-2020-2654
https://access.redhat.com/security/cve/CVE-2020-2659
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

Critical security enhancement for java-1.7.0-openjdk in CentOS 7, tackling various vulnerabilities.

Java Update, Red Hat Security, OpenJDK Patch.

Severity: Important.

LinuxSecurity.com Team

Feb 18, 2020 Important Red Hat

SUSE: 2018:3064-1 Important: Java-1_8_0-Openjdk Network Access Issues

An update that fixes 5 vulnerabilities is now available. . SUSE Security Update: Security update for java-1_8_0-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:3064-1 Rating: important References: #1101644 #1101645 #1101651 #1101656 #1106812 Cross-References: CVE-2018-2938 CVE-2018-2940 CVE-2018-2952 CVE-2018-2973 CVE-2018-3639 Affected Products: SUSE OpenStack Cloud 7 SUSE Linux Enterprise Server for SAP 12-SP2 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP2-LTSS SUSE Linux Enterprise Server 12-SP1-LTSS SUSE Linux Enterprise Desktop 12-SP3 SUSE Enterprise Storage 4 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: This update for java-1_8_0-openjdk to the jdk8u181 (icedtea 3.9.0) release fixes the following issues: These security issues were fixed: - CVE-2018-2938: Difficult to exploit vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE (bsc#1101644). - CVE-2018-2940: Vulnerability in subcomponent: Libraries. Easily exploitable vulnerability allowed unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1101645) - CVE-2018-2952: Vulnerability in subcomponent: Concurrency. Difficult to exploit vulnerability allowed unauthenticatedattacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. 
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1101651) - CVE-2018-2973: Vulnerability in subcomponent: JSSE. Difficult to exploit vulnerability allowed unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1101656) These non-security issues were fixed: - Improve desktop file usage - Better Internet address support - speculative traps break when classes are redefined - sun/security/pkcs11/ec/ReadCertificates.java fails intermittently - Clean up code that saves the previous versions of redefined classes - Prevent SIGSEGV in ReceiverTypeData::clean_weak_klass_links - RedefineClasses() tests fail assert(((Metadata*)obj)-> is_valid()) failed: obj is valid - NMT is not enabled if NMT option is specified after class path specifiers - EndEntityChecker should not process custom extensions after PKIX validation - SupportedDSAParamGen.java failed with timeout - Montgomery multiply intrinsic should use correct name - When determining the ciphersuite lists, there is no debug output for disabled suites. 
- sun/security/mscapi/SignedObjectChain.java fails on Windows - On Windows Swing changes keyboard layout on a window activation - IfNode::range_check_trap_proj() should handler dying subgraph with single if proj - Even better Internet address support - Newlines in JAXB string values of SOAP-requests are escaped to " " - TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException - Unable to use JDWP API in JDK 8 to debug JDK 9 VM - Hotspot crashon Cassandra 3.11.1 startup with libnuma 2.0.3 - Performance drop with Java JDK 1.8.0_162-b32 - Upgrade time-zone data to tzdata2018d - Fix potential crash in BufImg_SetupICM - JDK 8u181 l10n resource file update - Remove debug print statements from RMI fix - (tz) Upgrade time-zone data to tzdata2018e - ObjectInputStream filterCheck method throws NullPointerException - adjust reflective access checks Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: - SUSE OpenStack Cloud 7: zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2168=1 - SUSE Linux Enterprise Server for SAP 12-SP2: zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2168=1 - SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-2168=1 - SUSE Linux Enterprise Server 12-SP2-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2168=1 - SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-2168=1 - SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-2168=1 - SUSE Enterprise Storage 4: zypper in -t patch SUSE-Storage-4-2018-2168=1 Package List: - SUSE OpenStack Cloud 7 (s390x x86_64): java-1_8_0-openjdk-1.8.0.181-27.26.2 java-1_8_0-openjdk-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-debugsource-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.181-27.26.2 - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64): java-1_8_0-openjdk-1.8.0.181-27.26.2 java-1_8_0-openjdk-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-debugsource-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.181-27.26.2 - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.181-27.26.2 java-1_8_0-openjdk-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-debugsource-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.181-27.26.2 
java-1_8_0-openjdk-devel-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.181-27.26.2 - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.181-27.26.2 java-1_8_0-openjdk-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-debugsource-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.181-27.26.2 - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64): java-1_8_0-openjdk-1.8.0.181-27.26.2 java-1_8_0-openjdk-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-debugsource-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.181-27.26.2 - SUSE LinuxEnterprise Desktop 12-SP3 (x86_64): java-1_8_0-openjdk-1.8.0.181-27.26.2 java-1_8_0-openjdk-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-debugsource-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.181-27.26.2 - SUSE Enterprise Storage 4 (x86_64): java-1_8_0-openjdk-1.8.0.181-27.26.2 java-1_8_0-openjdk-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-debugsource-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-1.8.0.181-27.26.2 java-1_8_0-openjdk-demo-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-1.8.0.181-27.26.2 java-1_8_0-openjdk-devel-debuginfo-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-1.8.0.181-27.26.2 java-1_8_0-openjdk-headless-debuginfo-1.8.0.181-27.26.2 References: https://www.suse.com/security/cve/CVE-2018-2938.html https://www.suse.com/security/cve/CVE-2018-2940.html 
https://www.suse.com/security/cve/CVE-2018-2952.html https://www.suse.com/security/cve/CVE-2018-2973.html https://www.suse.com/security/cve/CVE-2018-3639.html https://bugzilla.suse.com/1101644 https://bugzilla.suse.com/1101645 https://bugzilla.suse.com/1101651 https://bugzilla.suse.com/1101656 https://bugzilla.suse.com/1106812 _______________________________________________ sle-security-updates mailing list http://lists.suse.com/mailman/listinfo/sle-security-updates Oracle Security Bulletin for java-11-openjdk resolves severe vulnerabilities. Prompt updates are advised. SUSE Security Update, Java OpenJDK Security, Important Fixes for SUSE, Network Security Framework. Severity: Important. LinuxSecurity.com Team

Oct 08, 2018 Important SuSE

CentOS 7: CESA-2018-1191 Important Update for Java OpenJDK Security

Upstream details at: https://access.redhat.com/errata/RHSA-2018:1191. CentOS Errata and Security Advisory 2018:1191 Critical Upstream details at: https://access.redhat.com/errata/RHSA-2018:1191 The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) -- Johnny Hughes CentOS Project { https://www.centos.org/ } irc: hughesjr Twitter: @JohnnyCentOS _______________________________________________ CentOS-announce mailing list Important CentOS 7 notice regarding OpenJDK Java. Addresses vulnerabilities. Further information in upstream resource. CentOS Security Advisory, Java OpenJDK Update, Critical Security Fix, Red Hat Errata, CentOS Errata. Severity: Important. LinuxSecurity.com Team

May 30, 2018 Important CentOS

Red Hat Enterprise Linux 6 RHSA-2013:0957-01 Critical: Java Update

Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-openjdk security update Advisory ID: RHSA-2013:0957-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2013:0957.html Issue date: 2013-06-19 CVE Names: CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 CVE-2013-2447 CVE-2013-2448 CVE-2013-2449 CVE-2013-2450 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2458 CVE-2013-2459 CVE-2013-2460 CVE-2013-2461 CVE-2013-2463 CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 CVE-2013-2472 CVE-2013-2473 ==================================================================== 1. Summary: Updated java-1.7.0-openjdk packages that fix various security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux Workstation (v. 
6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64 3. Description: These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469) Integer overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application. (CVE-2013-2459) Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458, CVE-2013-2457, CVE-2013-2453, CVE-2013-2460) Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information. (CVE-2013-2456, CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446) It was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine. (CVE-2013-2445) It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service. 
(CVE-2013-2444, CVE-2013-2450) It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service. (CVE-2013-2407, CVE-2013-2461) It was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information. (CVE-2013-2412) It was discovered that GnomeFileTypeDetector did not check for read permissions when accessing files. An untrusted Java application or applet could possibly use this flaw to disclose potentially sensitive information. (CVE-2013-2449) It was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation. (CVE-2013-1571) It was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment. (CVE-2013-1500) Red Hat would like to thank Tim Brown for reporting CVE-2013-1500, and US-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the original reporter of CVE-2013-1571. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. After installing this update, users of icedtea-web must install RHBA-2013:0959 for icedtea-web to continue functioning. 
This erratum also upgrades the OpenJDK package to IcedTea7 2.3.10. Refer to the NEWS file, linked to in the References, for further information. 4. Solution: All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 973474 - CVE-2013-1571 OpenJDK: Frame injection in generated HTML (Javadoc, 8012375) 975099 - CVE-2013-2470 OpenJDK: ImagingLib byte lookup processing (2D, 8011243) 975102 - CVE-2013-2471 OpenJDK: Incorrect IntegerComponentRaster size checks (2D, 8011248) 975107 - CVE-2013-2472 OpenJDK: Incorrect ShortBandedRaster size checks (2D, 8011253) 975110 - CVE-2013-2473 OpenJDK: Incorrect ByteBandedRaster size checks (2D, 8011257) 975115 - CVE-2013-2463 OpenJDK: Incorrect image attribute verification (2D, 8012438) 975118 - CVE-2013-2465 OpenJDK: Incorrect image channel verification (2D, 8012597) 975120 - CVE-2013-2469 OpenJDK: Incorrect image layout verification (2D, 8012601) 975121 - CVE-2013-2459 OpenJDK: Various AWT integer overflow checks (AWT, 8009071) 975122 - CVE-2013-2460 OpenJDK: tracing insufficient access checks (Serviceability, 8010209) 975124 - CVE-2013-2445 OpenJDK: Better handling of memory allocation errors (Hotspot, 7158805) 975125 - CVE-2013-2448 OpenJDK: Better access restrictions (Sound, 8006328) 975126 - CVE-2013-2461 OpenJDK: Missing check for valid DOMCanonicalizationMethod canonicalization algorithm (Libraries, 8014281) 975127 - CVE-2013-2407 OpenJDK: Integrate Apache Santuario, rework class loader (Libraries, 6741606, 8008744) 975129 - CVE-2013-2454 OpenJDK: SerialJavaObject 
package restriction (JDBC, 8009554) 975130 - CVE-2013-2458 OpenJDK: Method handles (Libraries, 8009424) 975131 - CVE-2013-2444 OpenJDK: Resource denial of service (AWT, 8001038) 975132 - CVE-2013-2446 OpenJDK: output stream access restrictions (CORBA, 8000642) 975133 - CVE-2013-2457 OpenJDK: Proper class checking (JMX, 8008120) 975134 - CVE-2013-2453 OpenJDK: MBeanServer Introspector package access (JMX, 8008124) 975137 - CVE-2013-2443 OpenJDK: AccessControlContext check order issue (Libraries, 8001330) 975138 - CVE-2013-2452 OpenJDK: Unique VMIDs (Libraries, 8001033) 975139 - CVE-2013-2455 OpenJDK: getEnclosing* checks (Libraries, 8007812) 975140 - CVE-2013-2447 OpenJDK: Prevent revealing the local address (Networking, 8001318) 975141 - CVE-2013-2450 OpenJDK: ObjectStreamClass circular reference denial of service (Serialization, 8000638) 975142 - CVE-2013-2456 OpenJDK: ObjectOutputStream access checks (Serialization, 8008132) 975144 - CVE-2013-2412 OpenJDK: JConsole SSL support (Serviceability, 8003703) 975145 - CVE-2013-2449 OpenJDK: GnomeFileTypeDetector path access check (Libraries, 8004288) 975148 - CVE-2013-1500 OpenJDK: Insecure shared memory permissions (2D, 8001034) 6. Package List: Red Hat Enterprise Linux Desktop (v. 
6): Source: i386: java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v.6): Source: i386: java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: x86_64: java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: noarch: java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: i386: java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm Red Hat Enterprise Linux Server Optional (v.6): Source: i386: java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: i386: java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4.i686.rpm x86_64: java-1.7.0-openjdk-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: i386: java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4.i686.rpm java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4.i686.rpm noarch: java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.el6_4.noarch.rpm x86_64: java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. 
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2013-1500 https://access.redhat.com/security/cve/CVE-2013-1571 https://access.redhat.com/security/cve/CVE-2013-2407 https://access.redhat.com/security/cve/CVE-2013-2412 https://access.redhat.com/security/cve/CVE-2013-2443 https://access.redhat.com/security/cve/CVE-2013-2444 https://access.redhat.com/security/cve/CVE-2013-2445 https://access.redhat.com/security/cve/CVE-2013-2446 https://access.redhat.com/security/cve/CVE-2013-2447 https://access.redhat.com/security/cve/CVE-2013-2448 https://access.redhat.com/security/cve/CVE-2013-2449 https://access.redhat.com/security/cve/CVE-2013-2450 https://access.redhat.com/security/cve/CVE-2013-2452 https://access.redhat.com/security/cve/CVE-2013-2453 https://access.redhat.com/security/cve/CVE-2013-2454 https://access.redhat.com/security/cve/CVE-2013-2455 https://access.redhat.com/security/cve/CVE-2013-2456 https://access.redhat.com/security/cve/CVE-2013-2457 https://access.redhat.com/security/cve/CVE-2013-2458 https://access.redhat.com/security/cve/CVE-2013-2459 https://access.redhat.com/security/cve/CVE-2013-2460 https://access.redhat.com/security/cve/CVE-2013-2461 https://access.redhat.com/security/cve/CVE-2013-2463 https://access.redhat.com/security/cve/CVE-2013-2465 https://access.redhat.com/security/cve/CVE-2013-2469 https://access.redhat.com/security/cve/CVE-2013-2470 https://access.redhat.com/security/cve/CVE-2013-2471 https://access.redhat.com/security/cve/CVE-2013-2472 https://access.redhat.com/security/cve/CVE-2013-2473 https://access.redhat.com/security/updates/classification#critical https://access.redhat.com/errata/RHBA-2013:0959.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2013 Red Hat, Inc. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRwkhZXlSAg2UNWIIRAq8SAJ9tsW9PY39Aa6lmSLhOhlUi8hrnugCePCKO NAdLLpJKlVulPXKONu/CudU=+H1U -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list Oracle releases patch for java-8-oracle addressing vulnerabilities. Immediate installation advised for enhanced security. Java Update, OpenJDK Fixes, Critical Vulnerability, Security Patches. Severity: Critical. LinuxSecurity.com Team

Jun 20, 2013 Critical Red Hat

Red Hat Enterprise Linux 5 RHSA-2013-0604 Important: Java Memory Corruption

Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Important: java-1.6.0-openjdk security update Advisory ID: RHSA-2013:0604-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2013:0604.html Issue date: 2013-03-06 CVE Names: CVE-2013-0809 CVE-2013-1493 ==================================================================== 1. Summary: Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. An integer overflow flaw was found in the way the 2D component handled certain sample model instances. A specially-crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges. (CVE-2013-0809) It was discovered that the 2D component did not properly reject certain malformed images. Specially-crafted raster parameters could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges. 
(CVE-2013-1493) This erratum also upgrades the OpenJDK package to IcedTea6 1.11.9. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 917550 - CVE-2013-0809 OpenJDK: Specially crafted sample model integer overflow (2D, 8007014) 917553 - CVE-2013-1493 OpenJDK: CMM malformed raster memory corruption (2D, 8007675) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: i386: java-1.6.0-openjdk-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm Red Hat Enterprise Linux (v. 
5 server): Source: i386: java-1.6.0-openjdk-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm java-1.6.0-openjdk-src-1.6.0.0-1.36.1.11.9.el5_9.i386.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.36.1.11.9.el5_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2013-0809 https://access.redhat.com/security/cve/CVE-2013-1493 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRN6JQXlSAg2UNWIIRAh1JAJ9jMbVbTHdTk7Ox8UAnI1ZFUg+HlwCeKNEn 4HS3k9OpFQuYKlK8UXlnuRI=uZF+ -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list Critical update for java-1.6.0-openjdk released for Red Hat Enterprise Linux, fixing key vulnerabilities. Java Security, Red Hat Updates, OpenJDK Issues, Memory Corruption, Security Fixes. Severity: Important. LinuxSecurity.com Team

Mar 06, 2013 Important Red Hat

Red Hat Enterprise Linux 6: RHSA-2013:0245-01 Critical Java OpenJDK Alert

Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.6.0-openjdk security update Advisory ID: RHSA-2013:0245-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2013:0245.html Issue date: 2013-02-08 CVE Names: CVE-2013-0424 CVE-2013-0425 CVE-2013-0426 CVE-2013-0427 CVE-2013-0428 CVE-2013-0429 CVE-2013-0432 CVE-2013-0433 CVE-2013-0434 CVE-2013-0435 CVE-2013-0440 CVE-2013-0441 CVE-2013-0442 CVE-2013-0443 CVE-2013-0445 CVE-2013-0450 CVE-2013-1475 CVE-2013-1476 CVE-2013-1478 CVE-2013-1480 ==================================================================== 1. Summary: Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. 
Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475, CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428) Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges. (CVE-2013-1478, CVE-2013-1480) A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432) The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted. (CVE-2013-0435) Multiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-0427, CVE-2013-0433, CVE-2013-0434) It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424) It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake. 
(CVE-2013-0440) It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack. (CVE-2013-0443) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This erratum also upgrades the OpenJDK package to IcedTea6 1.11.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. 
Bugs fixed (http://bugzilla.redhat.com/): 859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393) 860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50) 906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318) 906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068) 906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972) 906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977) 906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057) 906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325) 906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537) 907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29) 907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access permission checks (AWT, 7186952) 907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392) 907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509) 907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528) 907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235) 907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941) 907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071) 907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631) 907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066) 907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694) 6. Package List: Red Hat Enterprise Linux Desktop (v. 
6): Source: i386: java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node (v.6): Source: x86_64: java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm Red Hat Enterprise Linux Server (v. 
6): Source: i386: java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation (v.6): Source: i386: java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 
6): Source: i386: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm x86_64: java-1.6.0-openjdk-debuginfo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7.References: https://access.redhat.com/security/cve/CVE-2013-0424 https://access.redhat.com/security/cve/CVE-2013-0425 https://access.redhat.com/security/cve/CVE-2013-0426 https://access.redhat.com/security/cve/CVE-2013-0427 https://access.redhat.com/security/cve/CVE-2013-0428 https://access.redhat.com/security/cve/CVE-2013-0429 https://access.redhat.com/security/cve/CVE-2013-0432 https://access.redhat.com/security/cve/CVE-2013-0433 https://access.redhat.com/security/cve/CVE-2013-0434 https://access.redhat.com/security/cve/CVE-2013-0435 https://access.redhat.com/security/cve/CVE-2013-0440 https://access.redhat.com/security/cve/CVE-2013-0441 https://access.redhat.com/security/cve/CVE-2013-0442 https://access.redhat.com/security/cve/CVE-2013-0443 https://access.redhat.com/security/cve/CVE-2013-0445 https://access.redhat.com/security/cve/CVE-2013-0450 https://access.redhat.com/security/cve/CVE-2013-1475 https://access.redhat.com/security/cve/CVE-2013-1476 https://access.redhat.com/security/cve/CVE-2013-1478 https://access.redhat.com/security/cve/CVE-2013-1480 https://access.redhat.com/security/updates/classification#critical 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2013 Red Hat, Inc. . Urgent release for java-1.6.0-openjdk resolves critical vulnerabilities in Red Hat environments. Key update information available now.. 
Red Hat, OpenJDK, Critical Update, Java Security, Java Development. Severity: Critical. LinuxSecurity.com Team

Feb 08, 2013 Critical Red Hat