LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

November 2009

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA November 2009

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Important: java-1.6.0-openjdk on SL5.x i386/x86_64
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Mon, 16 Nov 2009 15:28:52 -0600
Content-Type:	text/plain
Parts/Attachments:	text/plain (108 lines)

Synopsis:	Important: java-1.6.0-openjdk security update
Issue date:	2009-11-16
CVE Names:	CVE-2009-2409 CVE-2009-3728 CVE-2009-3869
                    CVE-2009-3871 CVE-2009-3873 CVE-2009-3874
                    CVE-2009-3875 CVE-2009-3876 CVE-2009-3877
                    CVE-2009-3879 CVE-2009-3880 CVE-2009-3881
                    CVE-2009-3882 CVE-2009-3883 CVE-2009-3884

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968)
CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack
vulnerabilities  (6863503)
CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service
(6864911) CVE-2009-3877
CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357)
CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358)
CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow  (6874643)
CVE-2009-3728 OpenJDK ICC_Profile file existence detection information
leak (6631533)
CVE-2009-3881 OpenJDK resurrected classloaders can still have children
(6636650)
CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable
variables (6657026,6657138)
CVE-2009-3880 OpenJDK UI logging information leakage(6664512)
CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057)
CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265)

An integer overflow flaw and buffer overflow flaws were found in the way
the JRE processed image files. An untrusted applet or application could
use these flaws to extend its privileges, allowing it to read and write
local files, as well as to execute local applications with the
privileges of the user running the applet or application.
(CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874)

An information leak was found in the JRE. An untrusted applet or
application could use this flaw to extend its privileges, allowing it to
read and write local files, as well as to execute local applications
with the privileges of the user running the applet or application.
(CVE-2009-3881)

It was discovered that the JRE still accepts certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by the JRE. With
this update, the JRE disables the use of the MD2 algorithm inside
signatures by default. (CVE-2009-2409)

A timing attack flaw was found in the way the JRE processed HMAC
digests. This flaw could aid an attacker using forged digital signatures
to bypass authentication checks. (CVE-2009-3875)

Two denial of service flaws were found in the JRE. These could be
exploited in server-side application scenarios that process DER-encoded
(Distinguished Encoding Rules) data. (CVE-2009-3876, CVE-2009-3877)

An information leak was found in the way the JRE handled color profiles.
An attacker could use this flaw to discover the existence of files
outside of the color profiles directory. (CVE-2009-3728)

A flaw in the JRE with passing arrays to the X11GraphicsDevice API was
found. An untrusted applet or application could use this flaw to access
and modify the list of supported graphics configurations. This flaw
could also lead to sensitive information being leaked to unprivileged
code. (CVE-2009-3879)

It was discovered that the JRE passed entire objects to the logging API.
This could lead to sensitive information being leaked to either
untrusted or lower-privileged code from an attacker-controlled applet
which has access to the logging API and is therefore able to manipulate
(read and/or call) the passed objects. (CVE-2009-3880)

Potential information leaks were found in various mutable static
variables. These could be exploited in application scenarios that
execute untrusted scripting code. (CVE-2009-3882, CVE-2009-3883)

An information leak was found in the way the TimeZone.getTimeZone method
was handled. This method could load time zone files that are outside of
the [JRE_HOME]/lib/zi/ directory, allowing a remote attacker to probe
the local file system. (CVE-2009-3884)

Note: The flaws concerning applets in this advisory, CVE-2009-3869,
CVE-2009-3871, CVE-2009-3873, CVE-2009-3874, CVE-2009-3879,
CVE-2009-3880, CVE-2009-3881 and CVE-2009-3884, can only be triggered in
java-1.6.0-openjdk by calling the "appletviewer" application.

All running instances of OpenJDK Java must be restarted for the update
to take effect.

SL 5.x

      SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.7.b09.el5.src.rpm
      i386:
java-1.6.0-openjdk-1.6.0.0-1.7.b09.el5.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.7.b09.el5.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.7.b09.el5.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.7.b09.el5.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.7.b09.el5.i386.rpm
      x86_64:
java-1.6.0-openjdk-1.6.0.0-1.7.b09.el5.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.7.b09.el5.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.7.b09.el5.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.7.b09.el5.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.7.b09.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV