SCIENTIFIC-LINUX-ERRATA Archives

November 2009

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Security ERRATA Critical: java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Mon, 16 Nov 2009 15:29:16 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (78 lines) 
Synopsis:	Critical: java (jdk 1.6.0) security update
Issue date:	2009-11-09
CVE Names:	CVE-2009-2409 CVE-2009-3728 CVE-2009-3729
                   CVE-2009-3865 CVE-2009-3866 CVE-2009-3867
                   CVE-2009-3868 CVE-2009-3869 CVE-2009-3871
                   CVE-2009-3872 CVE-2009-3873 CVE-2009-3874
                   CVE-2009-3875 CVE-2009-3876 CVE-2009-3877
                   CVE-2009-3879 CVE-2009-3880 CVE-2009-3881
                   CVE-2009-3882 CVE-2009-3883 CVE-2009-3884
                   CVE-2009-3886

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968)
CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack 
vulnerabilities  (6863503)
CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service 
(6864911) CVE-2009-3877
CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357)
CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358)
CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow  (6874643)
CVE-2009-3728 OpenJDK ICC_Profile file existence detection information 
leak (6631533)
CVE-2009-3881 OpenJDK resurrected classloaders can still have children 
(6636650)
CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable 
variables (6657026,6657138)
CVE-2009-3880 OpenJDK UI logging information leakage(6664512)
CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057)
CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265)
CVE-2009-3729 JRE TrueType font parsing crash (6815780)
CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969)
CVE-2009-3886 JRE REGRESSION:have problem to run JNLP app and applets 
with signed Jar files (6870531)
CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752)
CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start 
Installer  (6872824)
CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer 
overflow via a long file: URL argument (6854303)
CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via 
crafted image file due improper color profiles parsing (6862970)

This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. These
vulnerabilities are summarized on the "Advance notification of Security
Updates for Java SE" page from Sun Microsystems, listed in the 
References section. (CVE-2009-2409, CVE-2009-3728, CVE-2009-3729, 
CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, 
CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, 
CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, 
CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,
CVE-2009-3883, CVE-2009-3884, CVE-2009-3886)

All running instances of Sun Java must be restarted for the update to 
take effect.

SL 4.x

      SRPMS:
java-1.6.0-sun-compat-1.6.0.17-1.sl4.jpp.src.rpm
      i386:
java-1.6.0-sun-compat-1.6.0.17-1.sl4.jpp.i586.rpm
jdk-1.6.0_17-fcs.i586.rpm
      x86_64:
java-1.6.0-sun-compat-1.6.0.17-1.sl4.jpp.i586.rpm
jdk-1.6.0_17-fcs.i586.rpm

SL 5.x

      SRPMS:
java-1.6.0-sun-compat-1.6.0.17-3.sl5.jpp.src.rpm
      i386:
java-1.6.0-sun-compat-1.6.0.17-3.sl5.jpp.i586.rpm
jdk-1.6.0_17-fcs.i586.rpm
      x86_64:

-Connie Sieh
-Troy Dawson

ATOM RSS1 RSS2