LISTSERV - SCIENTIFIC-LINUX-ERRATA Archives

SCIENTIFIC-LINUX-ERRATA Archives

July 2017

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-ERRATA Home
	SCIENTIFIC-LINUX-ERRATA July 2017

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives
Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]
Subject:	Security ERRATA Critical: java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64
From:	Pat Riehecky <[log in to unmask]>
Reply To:	[log in to unmask]
Date:	Thu, 20 Jul 2017 20:01:56 -0000
Content-Type:	text/plain
Parts/Attachments:	text/plain (147 lines)
Synopsis:          Critical: java-1.8.0-openjdk security update

Advisory ID:       SLSA-2017:1789-1

Issue Date:        2017-07-20

CVE Numbers:       CVE-2017-10107

                   CVE-2017-10089

                   CVE-2017-10090

                   CVE-2017-10087

                   CVE-2017-10110

                   CVE-2017-10111

                   CVE-2017-10101

                   CVE-2017-10096

                   CVE-2017-10074

                   CVE-2017-10067

                   CVE-2017-10109

                   CVE-2017-10081

                   CVE-2017-10193

                   CVE-2017-10116

                   CVE-2017-10115

                   CVE-2017-10135

                   CVE-2017-10108

                   CVE-2017-10053

                   CVE-2017-10078

                   CVE-2017-10198

                   CVE-2017-10102

--



Security Fix(es):



* It was discovered that the DCG implementation in the RMI component of

OpenJDK failed to correctly handle references. A remote attacker could

possibly use this flaw to execute arbitrary code with the privileges of

RMI registry or a Java RMI application. (CVE-2017-10102)



* Multiple flaws were discovered in the RMI, JAXP, ImageIO, Libraries,

AWT, Hotspot, and Security components in OpenJDK. An untrusted Java

application or applet could use these flaws to completely bypass Java

sandbox restrictions. (CVE-2017-10107, CVE-2017-10096, CVE-2017-10101,

CVE-2017-10089, CVE-2017-10090, CVE-2017-10087, CVE-2017-10111,

CVE-2017-10110, CVE-2017-10074, CVE-2017-10067)



* It was discovered that the LDAPCertStore class in the Security component

of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted

LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP

servers. (CVE-2017-10116)



* It was discovered that the Nashorn JavaScript engine in the Scripting

component of OpenJDK could allow scripts to access Java APIs even when

access to Java APIs was disabled. An untrusted JavaScript executed by

Nashorn could use this flaw to bypass intended restrictions.

(CVE-2017-10078)



* It was discovered that the Security component of OpenJDK could fail to

properly enforce restrictions defined for processing of X.509 certificate

chains. A remote attacker could possibly use this flaw to make Java accept

certificate using one of the disabled algorithms. (CVE-2017-10198)



* A covert timing channel flaw was found in the DSA implementation in the

JCE component of OpenJDK. A remote attacker able to make a Java

application generate DSA signatures on demand could possibly use this flaw

to extract certain information about the used key via a timing side

channel. (CVE-2017-10115)



* A covert timing channel flaw was found in the PKCS#8 implementation in

the JCE component of OpenJDK. A remote attacker able to make a Java

application repeatedly compare PKCS#8 key against an attacker controlled

value could possibly use this flaw to determine the key via a timing side

channel. (CVE-2017-10135)



* It was discovered that the BasicAttribute and CodeSource classes in

OpenJDK did not limit the amount of memory allocated when creating object

instances from a serialized form. A specially crafted serialized input

stream could cause Java to consume an excessive amount of memory.

(CVE-2017-10108, CVE-2017-10109)



* Multiple flaws were found in the Hotspot and Security components in

OpenJDK. An untrusted Java application or applet could use these flaws to

bypass certain Java sandbox restrictions. (CVE-2017-10081, CVE-2017-10193)



* It was discovered that the JPEGImageReader implementation in the 2D

component of OpenJDK would, in certain cases, read all image data even if

it was not used later. A specially crafted image could cause a Java

application to temporarily use an excessive amount of CPU and memory.

(CVE-2017-10053)



Note: If the web browser plug-in provided by the icedtea-web package was

installed, the issues exposed via Java applets could have been exploited

without user interaction if a user visited a malicious website.

--



SL6

  x86_64

    java-1.8.0-openjdk-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-debuginfo-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-headless-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-debug-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-demo-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-demo-debug-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-devel-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-devel-debug-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-headless-debug-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-src-1.8.0.141-2.b16.el6_9.x86_64.rpm

    java-1.8.0-openjdk-src-debug-1.8.0.141-2.b16.el6_9.x86_64.rpm

  i386

    java-1.8.0-openjdk-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-debuginfo-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-headless-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-debug-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-demo-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-demo-debug-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-devel-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-devel-debug-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-headless-debug-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-src-1.8.0.141-2.b16.el6_9.i686.rpm

    java-1.8.0-openjdk-src-debug-1.8.0.141-2.b16.el6_9.i686.rpm

  noarch

    java-1.8.0-openjdk-javadoc-1.8.0.141-2.b16.el6_9.noarch.rpm

    java-1.8.0-openjdk-javadoc-debug-1.8.0.141-2.b16.el6_9.noarch.rpm

SL7

  x86_64

    java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.i686.rpm

    java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-debuginfo-1.8.0.141-1.b16.el7_3.i686.rpm

    java-1.8.0-openjdk-debuginfo-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-headless-1.8.0.141-1.b16.el7_3.i686.rpm

    java-1.8.0-openjdk-headless-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-accessibility-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-accessibility-debug-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-debug-1.8.0.141-1.b16.el7_3.i686.rpm

    java-1.8.0-openjdk-debug-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-demo-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-demo-debug-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-devel-1.8.0.141-1.b16.el7_3.i686.rpm

    java-1.8.0-openjdk-devel-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-devel-debug-1.8.0.141-1.b16.el7_3.i686.rpm

    java-1.8.0-openjdk-devel-debug-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-headless-debug-1.8.0.141-1.b16.el7_3.i686.rpm

    java-1.8.0-openjdk-headless-debug-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-src-1.8.0.141-1.b16.el7_3.x86_64.rpm

    java-1.8.0-openjdk-src-debug-1.8.0.141-1.b16.el7_3.x86_64.rpm

  noarch

    java-1.8.0-openjdk-javadoc-1.8.0.141-1.b16.el7_3.noarch.rpm

    java-1.8.0-openjdk-javadoc-debug-1.8.0.141-1.b16.el7_3.noarch.rpm

    java-1.8.0-openjdk-javadoc-zip-1.8.0.141-1.b16.el7_3.noarch.rpm

    java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.141-1.b16.el7_3.noarch.rpm



- Scientific Linux Development Team
ATOM RSS1 RSS2
LISTSERV.FNAL.GOV