UNSUBSCRIBE



Den 2017-12-06 15:56 skrev "Pat Riehecky" <[log in to unmask]> följande:



    Synopsis:          Important: java-1.7.0-openjdk security and bug fix update

    Advisory ID:       SLSA-2017:3392-1

    Issue Date:        2017-12-06

    CVE Numbers:       CVE-2017-10193

                       CVE-2017-10198

                       CVE-2017-10285

                       CVE-2017-10346

                       CVE-2017-10388

                       CVE-2017-10274

                       CVE-2017-10349

                       CVE-2017-10357

                       CVE-2017-10348

                       CVE-2017-10347

                       CVE-2017-10350

                       CVE-2017-10281

                       CVE-2017-10295

                       CVE-2017-10345

                       CVE-2017-10355

                       CVE-2017-10356

    --

    

    Security Fix(es):

    

    * Multiple flaws were discovered in the RMI and Hotspot components in

    OpenJDK. An untrusted Java application or applet could use these flaws to

    completely bypass Java sandbox restrictions. (CVE-2017-10285,

    CVE-2017-10346)

    

    * It was discovered that the Kerberos client implementation in the

    Libraries component of OpenJDK used the sname field from the plain text

    part rather than encrypted part of the KDC reply message. A man-in-the-

    middle attacker could possibly use this flaw to impersonate Kerberos

    services to Java applications acting as Kerberos clients. (CVE-2017-10388)

    

    * It was discovered that the Security component of OpenJDK generated weak

    password-based encryption keys used to protect private keys stored in key

    stores. This made it easier to perform password guessing attacks to

    decrypt stored keys if an attacker could gain access to a key store.

    (CVE-2017-10356)

    

    * Multiple flaws were found in the Smart Card IO and Security components

    in OpenJDK. An untrusted Java application or applet could use these flaws

    to bypass certain Java sandbox restrictions. (CVE-2017-10274,

    CVE-2017-10193)

    

    * It was found that the FtpClient implementation in the Networking

    component of OpenJDK did not set connect and read timeouts by default. A

    malicious FTP server or a man-in-the-middle attacker could use this flaw

    to block execution of a Java application connecting to an FTP server.

    (CVE-2017-10355)

    

    * It was found that the HttpURLConnection and HttpsURLConnection classes

    in the Networking component of OpenJDK failed to check for newline

    characters embedded in URLs. An attacker able to make a Java application

    perform an HTTP request using an attacker provided URL could possibly

    inject additional headers into the request. (CVE-2017-10295)

    

    * It was discovered that the Security component of OpenJDK could fail to

    properly enforce restrictions defined for processing of X.509 certificate

    chains. A remote attacker could possibly use this flaw to make Java accept

    certificate using one of the disabled algorithms. (CVE-2017-10198)

    

    * It was discovered that multiple classes in the JAXP, Serialization,

    Libraries, and JAX-WS components of OpenJDK did not limit the amount of

    memory allocated when creating object instances from the serialized form.

    A specially-crafted input could cause a Java application to use an

    excessive amount of memory when deserialized. (CVE-2017-10349,

    CVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345,

    CVE-2017-10348, CVE-2017-10350)

    

    Bug Fix(es):

    

    * Previously, OpenJDK could not handle situations when the kernel blocked

    on a read even when polling the socket indicated that a read is possible.

    As a consequence, OpenJDK could hang indefinitely. With this update,

    OpenJDK polls with a timeout and performs a non-blocking read on success,

    and it no longer hangs in these situations.

    --

    

    SL6

      x86_64

        java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el6_9.x86_64.rpm

        java-1.7.0-openjdk-debuginfo-1.7.0.161-2.6.12.0.el6_9.x86_64.rpm

        java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.el6_9.x86_64.rpm

        java-1.7.0-openjdk-demo-1.7.0.161-2.6.12.0.el6_9.x86_64.rpm

        java-1.7.0-openjdk-src-1.7.0.161-2.6.12.0.el6_9.x86_64.rpm

      i386

        java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el6_9.i686.rpm

        java-1.7.0-openjdk-debuginfo-1.7.0.161-2.6.12.0.el6_9.i686.rpm

        java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.el6_9.i686.rpm

        java-1.7.0-openjdk-demo-1.7.0.161-2.6.12.0.el6_9.i686.rpm

        java-1.7.0-openjdk-src-1.7.0.161-2.6.12.0.el6_9.i686.rpm

      noarch

        java-1.7.0-openjdk-javadoc-1.7.0.161-2.6.12.0.el6_9.noarch.rpm

    SL7

      x86_64

        java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el7_4.x86_64.rpm

        java-1.7.0-openjdk-debuginfo-1.7.0.161-2.6.12.0.el7_4.x86_64.rpm

        java-1.7.0-openjdk-headless-1.7.0.161-2.6.12.0.el7_4.x86_64.rpm

        java-1.7.0-openjdk-accessibility-1.7.0.161-2.6.12.0.el7_4.x86_64.rpm

        java-1.7.0-openjdk-demo-1.7.0.161-2.6.12.0.el7_4.x86_64.rpm

        java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.el7_4.x86_64.rpm

        java-1.7.0-openjdk-src-1.7.0.161-2.6.12.0.el7_4.x86_64.rpm

        java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el6_9.src.rpm

        java-1.7.0-openjdk-1.7.0.161-2.6.12.0.el7_4.src.rpm

      noarch

        java-1.7.0-openjdk-javadoc-1.7.0.161-2.6.12.0.el7_4.noarch.rpm

    

    - Scientific Linux Development Team