LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

March 2011

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA March 2011

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Security ERRATA Important: java-1.6.0-openjdk on SL6.x i386/x86_64
From:	Troy Dawson <[log in to unmask]>
Reply To:	Troy Dawson <[log in to unmask]>
Date:	Thu, 3 Mar 2011 14:58:01 -0600
Content-Type:	text/plain
Parts/Attachments:	text/plain (63 lines)

Synopsis:	Important: java-1.6.0-openjdk security update
Issue date:	2011-02-17
CVE Names:	CVE-2010-4448 CVE-2010-4450 CVE-2010-4465
                   CVE-2010-4469 CVE-2010-4470 CVE-2010-4472

A flaw was found in the Swing library. Forged TimerEvents could be used 
to bypass SecurityManager checks, allowing access to otherwise blocked 
files and directories. (CVE-2010-4465)

A flaw was found in the HotSpot component in OpenJDK. Certain bytecode
instructions confused the memory management within the Java Virtual 
Machine (JVM), which could lead to heap corruption. (CVE-2010-4469)

A flaw was found in the way JAXP (Java API for XML Processing) 
components were handled, allowing them to be manipulated by untrusted 
applets. This could be used to elevate privileges and bypass secure XML 
processing restrictions. (CVE-2010-4470)

It was found that untrusted applets could create and place cache entries 
in the name resolution cache. This could allow an attacker targeted 
manipulation over name resolution until the OpenJDK VM is restarted. 
(CVE-2010-4448)

It was found that the Java launcher provided by OpenJDK did not check 
the LD_LIBRARY_PATH environment variable for insecure empty path 
elements. A local attacker able to trick a user into running the Java 
launcher while working from an attacker-writable directory could use 
this flaw to load an untrusted library, subverting the Java security 
model. (CVE-2010-4450)

A flaw was found in the XML Digital Signature component in OpenJDK.
Untrusted code could use this flaw to replace the Java Runtime 
Environment (JRE) XML Digital Signature Transform or C14N algorithm 
implementations to intercept digital signature operations. (CVE-2010-4472)

Note: All of the above flaws can only be remotely triggered in OpenJDK 
by calling the "appletviewer" application.

This update also provides one defense in depth patch. (BZ#676019)

All running instances of OpenJDK Java must be restarted for the update 
to take effect.

SL 6.x

      SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.39.b17.el6_0.src.rpm
      i386:
java-1.6.0-openjdk-1.6.0.0-1.39.b17.el6_0.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.39.b17.el6_0.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.39.b17.el6_0.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.39.b17.el6_0.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.39.b17.el6_0.i686.rpm
      x86_64:
java-1.6.0-openjdk-1.6.0.0-1.39.b17.el6_0.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.39.b17.el6_0.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.39.b17.el6_0.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.39.b17.el6_0.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.39.b17.el6_0.x86_64.rpm

-Connie Sieh
-Troy Dawson

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV