Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: <riehecky-13hema8v3vg <at> public.gmane.org>
Subject: Security ERRATA Critical: java-1.6.0-openjdk on SL6.x i386/x86_64
Newsgroups: gmane.linux.scientific.errata
Date: Wednesday 13th June 2012 17:07:19 UTC (over 4 years ago)
Synopsis:    Critical: java-1.6.0-openjdk security update
Issue Date:  2012-06-13
CVE Numbers: CVE-2012-1711
             CVE-2012-1717
             CVE-2012-1716
             CVE-2012-1713
             CVE-2012-1719
             CVE-2012-1718
             CVE-2012-1723
             CVE-2012-1724
             CVE-2012-1725


These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

Multiple flaws were discovered in the CORBA (Common Object Request Broker
Architecture) implementation in Java. A malicious Java application or
applet could use these flaws to bypass Java sandbox restrictions or modify
immutable object data. (CVE-2012-1711, CVE-2012-1719)

It was discovered that the SynthLookAndFeel class from Swing did not
properly prevent access to certain UI elements from outside the current
application context. A malicious Java application or applet could use this
flaw to crash the Java Virtual Machine, or bypass Java sandbox
restrictions. (CVE-2012-1716)

Multiple flaws were discovered in the font manager's layout lookup
implementation. A specially-crafted font file could cause the Java Virtual
Machine to crash or, possibly, execute arbitrary code with the privileges
of the user running the virtual machine. (CVE-2012-1713)

Multiple flaws were found in the way the Java HotSpot Virtual Machine
verified the bytecode of the class file to be executed. A specially-crafted
Java application or applet could use these flaws to crash the Java Virtual
Machine, or bypass Java sandbox restrictions. (CVE-2012-1723,
CVE-2012-1725)

It was discovered that the Java XML parser did not properly handle certain
XML documents. An attacker able to make a Java application parse a
specially-crafted XML file could use this flaw to make the XML parser enter
an infinite loop. (CVE-2012-1724)

It was discovered that the Java security classes did not properly handle
Certificate Revocation Lists (CRL). CRL containing entries with duplicate
certificate serial numbers could have been ignored. (CVE-2012-1718)

It was discovered that various classes of the Java Runtime library could
create temporary files with insecure permissions. A local attacker could
use this flaw to gain access to the content of such temporary files.
(CVE-2012-1717)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

This erratum also upgrades the OpenJDK package to IcedTea6 1.11.3.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

SL6:
  i386
     java-1.6.0-openjdk-1.6.0.0-1.48.1.11.3.el6_2.i686.rpm
     java-1.6.0-openjdk-debuginfo-1.6.0.0-1.48.1.11.3.el6_2.i686.rpm
     java-1.6.0-openjdk-demo-1.6.0.0-1.48.1.11.3.el6_2.i686.rpm
     java-1.6.0-openjdk-devel-1.6.0.0-1.48.1.11.3.el6_2.i686.rpm
     java-1.6.0-openjdk-javadoc-1.6.0.0-1.48.1.11.3.el6_2.i686.rpm
     java-1.6.0-openjdk-src-1.6.0.0-1.48.1.11.3.el6_2.i686.rpm
  x86_64
     java-1.6.0-openjdk-1.6.0.0-1.48.1.11.3.el6_2.x86_64.rpm
     java-1.6.0-openjdk-debuginfo-1.6.0.0-1.48.1.11.3.el6_2.x86_64.rpm
     java-1.6.0-openjdk-demo-1.6.0.0-1.48.1.11.3.el6_2.x86_64.rpm
     java-1.6.0-openjdk-devel-1.6.0.0-1.48.1.11.3.el6_2.x86_64.rpm
     java-1.6.0-openjdk-javadoc-1.6.0.0-1.48.1.11.3.el6_2.x86_64.rpm
     java-1.6.0-openjdk-src-1.6.0.0-1.48.1.11.3.el6_2.x86_64.rpm

- Scientific Linux Development Team
 
CD: 3ms