Multiple Vulnerabilities in OpenJDK

Apple Security Advisory 2013-04-16-2

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

APPLE-SA-2013-04-16-2 Java for OS X 2013-003 and
Mac OS X v10.6 Update 15

Java for OS X 2013-003 and Mac OS X v10.6 Update 15 are now available
and address the following:

Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java 1.6.0_43
Description: Multiple vulnerabilities existed in Java 1.6.0_43, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues were addressed by updating to Java version 1.6.0_45.
Further information is available via the Java website at http://www.o
racle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1491
CVE-2013-1537
CVE-2013-1540
CVE-2013-1557
CVE-2013-1558
CVE-2013-1563
CVE-2013-1569
CVE-2013-2383
CVE-2013-2384
CVE-2013-2394
CVE-2013-2417
CVE-2013-2419
CVE-2013-2420
CVE-2013-2422
CVE-2013-2424
CVE-2013-2429
CVE-2013-2430
CVE-2013-2432
CVE-2013-2435
CVE-2013-2437
CVE-2013-2440

Java for OS X 2013-003 and Mac OS X v10.6 Update 15
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update15.dmg
Its SHA-1 digest is: 56a950f7a89f2a1c39de01b2b1998986f132be57

For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-003.dmg
Its SHA-1 digest is: 3393ff8642b6e29cacaf10fbb04f76e657cc313a

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

—–BEGIN PGP SIGNATURE—–
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools – http://gpgtools.org

iQIcBAEBAgAGBQJRbatSAAoJEPefwLHPlZEwsl4P/ixeRjTgN3MFTNK4VTobV93j
zbj99S53RY0R7vOd7lZe6QMnLjvAEC+wF5BEsWcLbI/+L1ewufE62TeC3K0v7QH6
GExzGa41GCfICF3cUSQNopXy3KvskLACpOmK3LKxUUtP2NL7+As3HpXyaU3pPvxk
EQE/Af9p4IzPECvZzBe8KfJuQWeUWYiQhN+nH6ei4E2FS6vXaUlTpOn6sUVyeDfR
JX3NFmbXuJB0RKQcKicGSx8x1lZTRFSVPbb6HPfcvHHnfUe2WqqA6SwUZavrtY6C
jiSqAB5Vog8oTP4XZhgrxPlqohZqnYJ7Fnimrk+LeiPrJ2Is3W6TM9kEhU6vfgCm
xIDC0GuZRToiWDzUQskeNitUDLGYz+32a/4ZyFLGtHZdiGhOgiuqGuYPnCdRvhGt
9kMgcOC5f/C1uBNAw8pCDfsqm00dmA6IV1QRHZLGKQhUsiu3PbhftB0EiUiEwlcX
la5Xvp+3AkupO8Gc0JOnAvVgYy7s6IupHUzwsMD3vDEzaF1lrQ6+z6tjhibhc+mb
y0VycheIUSUyNuLt6js06wyhK8VW5vkNFG+Ogj1xm/3Y2sSJQfxGsOMqRwrkBN7p
EEKV7Nck9G/qsuKBzEZJ3CFDkF6RJezoYN8v3QG+sZLEt4WFVkmtG86NgEVPu6gp
tyT4/+vnaqKDRbcwCKXy
=bvDt
—–END PGP SIGNATURE—–

Mandriva Linux Security Advisory 2013-145

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:145
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : java-1.6.0-openjdk
Date : April 19, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple security issues were identified and fixed in OpenJDK
(icedtea6):

Multiple flaws were discovered in the font layout engine in the 2D
component. An untrusted Java application or applet could possibly
use these flaws to trigger Java Virtual Machine memory corruption
(CVE-2013-1569, CVE-2013-2383, CVE-2013-2384).

Multiple improper permission check issues were discovered in the Beans,
Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions (CVE-2013-2422, CVE-2013-1518, CVE-2013-1557).

The previous default value of the java.rmi.server.useCodebaseOnly
property permitted the RMI implementation to automatically load
classes from remotely specified locations. An attacker able to
connect to an application using RMI could use this flaw to make
the application execute arbitrary code (CVE-2013-1537). Note: The
fix for CVE-2013-1537 changes the default value of the property to
true, restricting class loading to the local CLASSPATH and locations
specified in the java.rmi.server.codebase property. Refer to Red Hat
Bugzilla bug 952387 for additional details.

The 2D component did not properly process certain images. An untrusted
Java application or applet could possibly use this flaw to trigger
Java Virtual Machine memory corruption (CVE-2013-2420).

It was discovered that the Hotspot component did not properly handle
certain intrinsic frames, and did not correctly perform access
checks and MethodHandle lookups. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions
(CVE-2013-2431, CVE-2013-2421).

It was discovered that JPEGImageReader and JPEGImageWriter in the
ImageIO component did not protect against modification of their state
while performing certain native code operations. An untrusted Java
application or applet could possibly use these flaws to trigger Java
Virtual Machine memory corruption (CVE-2013-2429, CVE-2013-2430).

The JDBC driver manager could incorrectly call the toString() method
in JDBC drivers, and the ConcurrentHashMap class could incorrectly
call the defaultReadObject() method. An untrusted Java application
or applet could possibly use these flaws to bypass Java sandbox
restrictions (CVE-2013-1488, CVE-2013-2426).

The sun.awt.datatransfer.ClassLoaderObjectInputStream class may
incorrectly invoke the system class loader. An untrusted Java
application or applet could possibly use this flaw to bypass certain
Java sandbox restrictions (CVE-2013-0401).

Flaws were discovered in the Network component's InetAddress
serialization, and the 2D component's font handling. An untrusted
Java application or applet could possibly use these flaws to crash
the Java Virtual Machine (CVE-2013-2417, CVE-2013-2419).

The MBeanInstantiator class implementation in the OpenJDK JMX component
did not properly check class access before creating new instances. An
untrusted Java application or applet could use this flaw to create
instances of non-public classes (CVE-2013-2424).

It was discovered that JAX-WS could possibly create temporary files
with insecure permissions. A local attacker could use this flaw
to access temporary files created by an application using JAX-WS
(CVE-2013-2415).

The updated packages provides icedtea6-1.11.10 which is not vulnerable
to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2431
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/02…
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-19…
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124
https://bugzilla.redhat.com/show_bug.cgi?id=952387
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
28320f10570a50ac08575480ee249aed mes5/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.5mdvmes5.2.i586.rpm
5a6bf000d48cb35a304f9ec7d4f83d6c mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.5mdvmes5.2.i586.rpm
966a2d2681441d30ec9d86f3d93c5a32 mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.5mdvmes5.2.i586.rpm
280aee290b6d68ab5e994f8a25a50ad9 mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.5mdvmes5.2.i586.rpm
6893259a988e94df07274bf728cc7675 mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-35.b24.5mdvmes5.2.i586.rpm
f3d20af548c84815b6c1636273293273 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.5mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
0b253fd82c86e16848eff6d5f9591ce6 mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-35.b24.5mdvmes5.2.x86_64.rpm
08d1a5099ab26a89b1dae8008e0d98e6 mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.5mdvmes5.2.x86_64.rpm
c0433e439964af42aa82371901aa07bc mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.5mdvmes5.2.x86_64.rpm
5e77c039c2d64220d1cf3fce44c86f24 mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.5mdvmes5.2.x86_64.rpm
4dd6c3dbabf6d29cf3ce751bda74f483 mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-35.b24.5mdvmes5.2.x86_64.rpm
f3d20af548c84815b6c1636273293273 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.5mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRcSLkmqjQ0CJFipgRAsEgAJ4gHSUUcP7uDS3JIxzQZxnCLwXe1QCfTQXq
o4NG1rmFdAUfR4q/O/aHdtM=
=EXuM
—–END PGP SIGNATURE—–

Mandriva Linux Security Advisory 2013-161

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:161
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : java-1.7.0-openjdk
Date : May 6, 2013
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the font layout engine in the 2D
component. An untrusted Java application or applet could possibly
use these flaws to trigger Java Virtual Machine memory corruption
(CVE-2013-1569, CVE-2013-2383, CVE-2013-2384).

Multiple improper permission check issues were discovered in the
Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted
Java application or applet could use these flaws to bypass Java
sandbox restrictions (CVE-2013-1558, CVE-2013-2422, CVE-2013-2436,
CVE-2013-1518, CVE-2013-1557).

The previous default value of the java.rmi.server.useCodebaseOnly
property permitted the RMI implementation to automatically load
classes from remotely specified locations. An attacker able to
connect to an application using RMI could use this flaw to make
the application execute arbitrary code (CVE-2013-1537). Note: The
fix for CVE-2013-1537 changes the default value of the property to
true, restricting class loading to the local CLASSPATH and locations
specified in the java.rmi.server.codebase property. Refer to Red Hat
Bugzilla bug 952387 for additional details.

The 2D component did not properly process certain images. An untrusted
Java application or applet could possibly use this flaw to trigger
Java Virtual Machine memory corruption (CVE-2013-2420).

It was discovered that the Hotspot component did not properly handle
certain intrinsic frames, and did not correctly perform access checks
and MethodHandle lookups. An untrusted Java application or applet could
use these flaws to bypass Java sandbox restrictions (CVE-2013-2431,
CVE-2013-2421, CVE-2013-2423).

It was discovered that JPEGImageReader and JPEGImageWriter in the
ImageIO component did not protect against modification of their state
while performing certain native code operations. An untrusted Java
application or applet could possibly use these flaws to trigger Java
Virtual Machine memory corruption (CVE-2013-2429, CVE-2013-2430).

The JDBC driver manager could incorrectly call the toString() method
in JDBC drivers, and the ConcurrentHashMap class could incorrectly
call the defaultReadObject() method. An untrusted Java application
or applet could possibly use these flaws to bypass Java sandbox
restrictions (CVE-2013-1488, CVE-2013-2426).

The sun.awt.datatransfer.ClassLoaderObjectInputStream class may
incorrectly invoke the system class loader. An untrusted Java
application or applet could possibly use this flaw to bypass certain
Java sandbox restrictions (CVE-2013-0401).

Flaws were discovered in the Network component's InetAddress
serialization, and the 2D component's font handling. An untrusted
Java application or applet could possibly use these flaws to crash
the Java Virtual Machine (CVE-2013-2417, CVE-2013-2419).

The MBeanInstantiator class implementation in the OpenJDK JMX component
did not properly check class access before creating new instances. An
untrusted Java application or applet could use this flaw to create
instances of non-public classes (CVE-2013-2424).

It was discovered that JAX-WS could possibly create temporary files
with insecure permissions. A local attacker could use this flaw
to access temporary files created by an application using JAX-WS
(CVE-2013-2415).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2436
https://rhn.redhat.com/errata/RHSA-2013-0751.html
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-…
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-19…
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
6d2559024b3f128a1e249352b4708eec mbs1/x86_64/java-1.7.0-openjdk-1.7.0.6-2.3.9.1.mbs1.x86_64.rpm
408ae2314f82ec9f19ccf13c8f36cf2c mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.6-2.3.9.1.mbs1.x86_64.rpm
95b5a72d4ac49e4964ec5c885cb9f427 mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.6-2.3.9.1.mbs1.x86_64.rpm
0c54ac1a98c05b45f4073ccd2f273de1 mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.9.1.mbs1.noarch.rpm
7f30c4a0622d114fb767cff8d95d5281 mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.6-2.3.9.1.mbs1.x86_64.rpm
43d39710e5383647bbcf7e4e49336184 mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.6-2.3.9.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRh65bmqjQ0CJFipgRAqwjAJwJ3EJeMQD/k2+PhJKSlr4iSF87LACgkgaV
khdurS1ieNR2RbbbTeL+aP8=
=qNFz
—–END PGP SIGNATURE—–

Red Hat Security Advisory 2013-0751-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.7.0-openjdk security update
Advisory ID: RHSA-2013:0751-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0751.html
Issue date: 2013-04-17
CVE Names: CVE-2013-0401 CVE-2013-1488 CVE-2013-1518
CVE-2013-1537 CVE-2013-1557 CVE-2013-1558
CVE-2013-1569 CVE-2013-2383 CVE-2013-2384
CVE-2013-2415 CVE-2013-2417 CVE-2013-2419
CVE-2013-2420 CVE-2013-2421 CVE-2013-2422
CVE-2013-2423 CVE-2013-2424 CVE-2013-2426
CVE-2013-2429 CVE-2013-2430 CVE-2013-2431
CVE-2013-2436
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix various security issues are
now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) – i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) – i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) – x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) – noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) – i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) – i386, noarch, x86_64
Red Hat Enterprise Linux Workstation (v. 6) – i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) – i386, noarch, x86_64

3. Description:

These packages provide the OpenJDK 7 Java Runtime Environment and the
OpenJDK 7 Software Development Kit.

Multiple flaws were discovered in the font layout engine in the 2D
component. An untrusted Java application or applet could possibly use these
flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-1569,
CVE-2013-2383, CVE-2013-2384)

Multiple improper permission check issues were discovered in the Beans,
Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2013-1558, CVE-2013-2422, CVE-2013-2436, CVE-2013-1518,
CVE-2013-1557)

The previous default value of the java.rmi.server.useCodebaseOnly property
permitted the RMI implementation to automatically load classes from
remotely specified locations. An attacker able to connect to an application
using RMI could use this flaw to make the application execute arbitrary
code. (CVE-2013-1537)

Note: The fix for CVE-2013-1537 changes the default value of the property
to true, restricting class loading to the local CLASSPATH and locations
specified in the java.rmi.server.codebase property. Refer to Red Hat
Bugzilla bug 952387 for additional details.

The 2D component did not properly process certain images. An untrusted Java
application or applet could possibly use this flaw to trigger Java Virtual
Machine memory corruption. (CVE-2013-2420)

It was discovered that the Hotspot component did not properly handle
certain intrinsic frames, and did not correctly perform access checks and
MethodHandle lookups. An untrusted Java application or applet could
use these flaws to bypass Java sandbox restrictions. (CVE-2013-2431,
CVE-2013-2421, CVE-2013-2423)

It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO
component did not protect against modification of their state while
performing certain native code operations. An untrusted Java application or
applet could possibly use these flaws to trigger Java Virtual Machine
memory corruption. (CVE-2013-2429, CVE-2013-2430)

The JDBC driver manager could incorrectly call the toString() method in
JDBC drivers, and the ConcurrentHashMap class could incorrectly call the
defaultReadObject() method. An untrusted Java application or applet could
possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2013-1488, CVE-2013-2426)

The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly
invoke the system class loader. An untrusted Java application or applet
could possibly use this flaw to bypass certain Java sandbox restrictions.
(CVE-2013-0401)

Flaws were discovered in the Network component's InetAddress serialization,
and the 2D component's font handling. An untrusted Java application or
applet could possibly use these flaws to crash the Java Virtual Machine.
(CVE-2013-2417, CVE-2013-2419)

The MBeanInstantiator class implementation in the OpenJDK JMX component did
not properly check class access before creating new instances. An untrusted
Java application or applet could use this flaw to create instances of
non-public classes. (CVE-2013-2424)

It was discovered that JAX-WS could possibly create temporary files with
insecure permissions. A local attacker could use this flaw to access
temporary files created by an application using JAX-WS. (CVE-2013-2415)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.9. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

920245 – CVE-2013-0401 OpenJDK: unspecified sandbox bypass (CanSecWest 2013, AWT)
920247 – CVE-2013-1488 OpenJDK: unspecified sanbox bypass (CanSecWest 2013, Libraries)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952389 – CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542)
952398 – CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952550 – CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952640 – CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
952642 – CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952645 – CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability (Hotspot, 8004336)
952646 – CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP, 6657673)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952649 – CVE-2013-2421 OpenJDK: Hotspot MethodHandle lookup error (Hotspot, 8009699)
952653 – CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
952656 – CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D, 8004986)
952709 – CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D, 8004987)
952711 – CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D, 8004994)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el6_4.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el6_4.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el6_4.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el6_4.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el6_4.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el6_4.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el6_4.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el6_4.src.rpm

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el6_4.i686.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el6_4.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el6_4.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-1488.html
https://www.redhat.com/security/data/cve/CVE-2013-1518.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1558.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2415.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2421.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2423.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2426.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2431.html
https://www.redhat.com/security/data/cve/CVE-2013-2436.html
https://access.redhat.com/security/updates/classification/#critical
http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2…

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRbvIqXlSAg2UNWIIRAlJMAKCVluLVfsLBqDgkr0bQ5726zrS77gCfSYDg
pRdwVdpsYUlytlzUe+jFDfI=
=1mI7
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2013-0752-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-1.7.0-openjdk security update
Advisory ID: RHSA-2013:0752-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0752.html
Issue date: 2013-04-17
CVE Names: CVE-2013-0401 CVE-2013-1488 CVE-2013-1518
CVE-2013-1537 CVE-2013-1557 CVE-2013-1558
CVE-2013-1569 CVE-2013-2383 CVE-2013-2384
CVE-2013-2415 CVE-2013-2417 CVE-2013-2419
CVE-2013-2420 CVE-2013-2421 CVE-2013-2422
CVE-2013-2423 CVE-2013-2424 CVE-2013-2426
CVE-2013-2429 CVE-2013-2430 CVE-2013-2431
CVE-2013-2436
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix various security issues are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) – i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) – i386, x86_64

3. Description:

These packages provide the OpenJDK 7 Java Runtime Environment and the
OpenJDK 7 Software Development Kit.

Multiple flaws were discovered in the font layout engine in the 2D
component. An untrusted Java application or applet could possibly use these
flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-1569,
CVE-2013-2383, CVE-2013-2384)

Multiple improper permission check issues were discovered in the Beans,
Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2013-1558, CVE-2013-2422, CVE-2013-2436, CVE-2013-1518,
CVE-2013-1557)

The previous default value of the java.rmi.server.useCodebaseOnly property
permitted the RMI implementation to automatically load classes from
remotely specified locations. An attacker able to connect to an application
using RMI could use this flaw to make the application execute arbitrary
code. (CVE-2013-1537)

Note: The fix for CVE-2013-1537 changes the default value of the property
to true, restricting class loading to the local CLASSPATH and locations
specified in the java.rmi.server.codebase property. Refer to Red Hat
Bugzilla bug 952387 for additional details.

The 2D component did not properly process certain images. An untrusted Java
application or applet could possibly use this flaw to trigger Java Virtual
Machine memory corruption. (CVE-2013-2420)

It was discovered that the Hotspot component did not properly handle
certain intrinsic frames, and did not correctly perform access checks and
MethodHandle lookups. An untrusted Java application or applet could
use these flaws to bypass Java sandbox restrictions. (CVE-2013-2431,
CVE-2013-2421, CVE-2013-2423)

It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO
component did not protect against modification of their state while
performing certain native code operations. An untrusted Java application or
applet could possibly use these flaws to trigger Java Virtual Machine
memory corruption. (CVE-2013-2429, CVE-2013-2430)

The JDBC driver manager could incorrectly call the toString() method in
JDBC drivers, and the ConcurrentHashMap class could incorrectly call the
defaultReadObject() method. An untrusted Java application or applet could
possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2013-1488, CVE-2013-2426)

The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly
invoke the system class loader. An untrusted Java application or applet
could possibly use this flaw to bypass certain Java sandbox restrictions.
(CVE-2013-0401)

Flaws were discovered in the Network component's InetAddress serialization,
and the 2D component's font handling. An untrusted Java application or
applet could possibly use these flaws to crash the Java Virtual Machine.
(CVE-2013-2417, CVE-2013-2419)

The MBeanInstantiator class implementation in the OpenJDK JMX component did
not properly check class access before creating new instances. An untrusted
Java application or applet could use this flaw to create instances of
non-public classes. (CVE-2013-2424)

It was discovered that JAX-WS could possibly create temporary files with
insecure permissions. A local attacker could use this flaw to access
temporary files created by an application using JAX-WS. (CVE-2013-2415)

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.9. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

920245 – CVE-2013-0401 OpenJDK: unspecified sandbox bypass (CanSecWest 2013, AWT)
920247 – CVE-2013-1488 OpenJDK: unspecified sanbox bypass (CanSecWest 2013, Libraries)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952389 – CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542)
952398 – CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952550 – CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952640 – CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
952642 – CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952645 – CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability (Hotspot, 8004336)
952646 – CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP, 6657673)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952649 – CVE-2013-2421 OpenJDK: Hotspot MethodHandle lookup error (Hotspot, 8009699)
952653 – CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
952656 – CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D, 8004986)
952709 – CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D, 8004987)
952711 – CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D, 8004994)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el5_9.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el5_9.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el5_9.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el5_9.i386.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el5_9.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.el5_9.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-1488.html
https://www.redhat.com/security/data/cve/CVE-2013-1518.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1558.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2415.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2421.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2423.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2426.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2431.html
https://www.redhat.com/security/data/cve/CVE-2013-2436.html
https://access.redhat.com/security/updates/classification/#important
http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2…

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRbvJKXlSAg2UNWIIRAqUrAJ9Z/4p4Hfhem2IW/HyrENsM6alnkACeJrNj
u7V5CaCh5MYZ84AllqEIm+E=
=pvGZ
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2013-0757-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.7.0-oracle security update
Advisory ID: RHSA-2013:0757-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0757.html
Issue date: 2013-04-18
CVE Names: CVE-2013-0401 CVE-2013-0402 CVE-2013-1488
CVE-2013-1491 CVE-2013-1518 CVE-2013-1537
CVE-2013-1540 CVE-2013-1557 CVE-2013-1558
CVE-2013-1561 CVE-2013-1563 CVE-2013-1564
CVE-2013-1569 CVE-2013-2383 CVE-2013-2384
CVE-2013-2394 CVE-2013-2414 CVE-2013-2415
CVE-2013-2416 CVE-2013-2417 CVE-2013-2418
CVE-2013-2419 CVE-2013-2420 CVE-2013-2421
CVE-2013-2422 CVE-2013-2423 CVE-2013-2424
CVE-2013-2425 CVE-2013-2426 CVE-2013-2427
CVE-2013-2428 CVE-2013-2429 CVE-2013-2430
CVE-2013-2431 CVE-2013-2432 CVE-2013-2433
CVE-2013-2434 CVE-2013-2435 CVE-2013-2436
CVE-2013-2438 CVE-2013-2439 CVE-2013-2440
=====================================================================

1. Summary:

Updated java-1.7.0-oracle packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) – i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) – i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) – x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) – i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) – i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) – i386, x86_64

3. Description:

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518,
CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561,
CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417,
CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,
CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427,
CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432,
CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438,
CVE-2013-2439, CVE-2013-2440)

All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 21 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

920245 – CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, 8009305, AWT)
920246 – CVE-2013-0402 Oracle JDK: unspecified JavaFX buffer overflow leading to JVM compromise (CanSecWest 2013, JavaFX)
920247 – CVE-2013-1488 OpenJDK: unspecified sanbox bypass (CanSecWest 2013, Libraries)
920248 – CVE-2013-1491 Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952389 – CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542)
952398 – CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952550 – CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952640 – CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
952642 – CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952645 – CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability (Hotspot, 8004336)
952646 – CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP, 6657673)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952649 – CVE-2013-2421 OpenJDK: Hotspot MethodHandle lookup error (Hotspot, 8009699)
952653 – CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
952656 – CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D, 8004986)
952709 – CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D, 8004987)
952711 – CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D, 8004994)
953135 – Oracle JDK: multiple unspecified JavaFX vulnerabilities fixed in 7u21 (JavaFX)
953166 – CVE-2013-1540 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953172 – CVE-2013-1563 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
953265 – CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953266 – CVE-2013-2416 Oracle JDK: unspecified vulnerability fixed in 7u21 (Deployment)
953267 – CVE-2013-2418 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953268 – CVE-2013-2425 Oracle JDK: unspecified vulnerability fixed in 7u21 (Install)
953269 – CVE-2013-2432 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953270 – CVE-2013-2433 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953272 – CVE-2013-2434 Oracle JDK: unspecified vulnerability fixed in 7u21 (2D)
953273 – CVE-2013-2435 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953274 – CVE-2013-2439 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
953275 – CVE-2013-2440 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el5.i386.rpm

x86_64:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el5.i386.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el5.i386.rpm

x86_64:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el5.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el6.i686.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.21-1jpp.1.el6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.21-1jpp.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-0402.html
https://www.redhat.com/security/data/cve/CVE-2013-1488.html
https://www.redhat.com/security/data/cve/CVE-2013-1491.html
https://www.redhat.com/security/data/cve/CVE-2013-1518.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1540.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1558.html
https://www.redhat.com/security/data/cve/CVE-2013-1561.html
https://www.redhat.com/security/data/cve/CVE-2013-1563.html
https://www.redhat.com/security/data/cve/CVE-2013-1564.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2394.html
https://www.redhat.com/security/data/cve/CVE-2013-2414.html
https://www.redhat.com/security/data/cve/CVE-2013-2415.html
https://www.redhat.com/security/data/cve/CVE-2013-2416.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2418.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2421.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2423.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2425.html
https://www.redhat.com/security/data/cve/CVE-2013-2426.html
https://www.redhat.com/security/data/cve/CVE-2013-2427.html
https://www.redhat.com/security/data/cve/CVE-2013-2428.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2431.html
https://www.redhat.com/security/data/cve/CVE-2013-2432.html
https://www.redhat.com/security/data/cve/CVE-2013-2433.html
https://www.redhat.com/security/data/cve/CVE-2013-2434.html
https://www.redhat.com/security/data/cve/CVE-2013-2435.html
https://www.redhat.com/security/data/cve/CVE-2013-2436.html
https://www.redhat.com/security/data/cve/CVE-2013-2438.html
https://www.redhat.com/security/data/cve/CVE-2013-2439.html
https://www.redhat.com/security/data/cve/CVE-2013-2440.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-19…

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRcDsoXlSAg2UNWIIRAnQRAJkBOGnz8TW8LPB1Ur1msZYNqpYTowCfaOUs
Up+dHVsSUEZZ+ySDcLQZIyU=
=yeWV
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2013-0758-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.6.0-sun security update
Advisory ID: RHSA-2013:0758-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0758.html
Issue date: 2013-04-18
CVE Names: CVE-2013-0401 CVE-2013-1491 CVE-2013-1518
CVE-2013-1537 CVE-2013-1540 CVE-2013-1557
CVE-2013-1558 CVE-2013-1563 CVE-2013-1569
CVE-2013-2383 CVE-2013-2384 CVE-2013-2394
CVE-2013-2417 CVE-2013-2418 CVE-2013-2419
CVE-2013-2420 CVE-2013-2422 CVE-2013-2424
CVE-2013-2429 CVE-2013-2430 CVE-2013-2432
CVE-2013-2433 CVE-2013-2435 CVE-2013-2439
CVE-2013-2440
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) – i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) – i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) – x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) – i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) – i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) – i386, x86_64

3. Description:

Oracle Java SE version 6 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2013-0401, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540,
CVE-2013-1557, CVE-2013-1558, CVE-2013-1563, CVE-2013-1569, CVE-2013-2383,
CVE-2013-2384, CVE-2013-2394, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,
CVE-2013-2420, CVE-2013-2422, CVE-2013-2424, CVE-2013-2429, CVE-2013-2430,
CVE-2013-2432, CVE-2013-2433, CVE-2013-2435, CVE-2013-2439, CVE-2013-2440)

All users of java-1.6.0-sun are advised to upgrade to these updated
packages, which provide Oracle Java 6 Update 45. All running instances of
Oracle Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

920245 – CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, 8009305, AWT)
920248 – CVE-2013-1491 Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952640 – CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
952642 – CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952646 – CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP, 6657673)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952656 – CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D, 8004986)
952709 – CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D, 8004987)
952711 – CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D, 8004994)
953166 – CVE-2013-1540 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953172 – CVE-2013-1563 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
953265 – CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953267 – CVE-2013-2418 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953269 – CVE-2013-2432 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953270 – CVE-2013-2433 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953273 – CVE-2013-2435 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953274 – CVE-2013-2439 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
953275 – CVE-2013-2440 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.6.0-sun-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el5_9.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.6.0-sun-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el5_9.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.i686.rpm
java-1.6.0-sun-devel-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.45-1jpp.1.el6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.45-1jpp.1.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-1491.html
https://www.redhat.com/security/data/cve/CVE-2013-1518.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1540.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1558.html
https://www.redhat.com/security/data/cve/CVE-2013-1563.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2394.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2418.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2432.html
https://www.redhat.com/security/data/cve/CVE-2013-2433.html
https://www.redhat.com/security/data/cve/CVE-2013-2435.html
https://www.redhat.com/security/data/cve/CVE-2013-2439.html
https://www.redhat.com/security/data/cve/CVE-2013-2440.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-19…

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRcDtYXlSAg2UNWIIRAi6SAKCE8fK+5ki0I8TyQ9lgQ7FZVO7EqACfekSb
IU1EEBegCPo3G1aTi2Aprl4=
=rLik
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2013-0770-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-1.6.0-openjdk security update
Advisory ID: RHSA-2013:0770-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0770.html
Issue date: 2013-04-24
CVE Names: CVE-2013-0401 CVE-2013-1488 CVE-2013-1518
CVE-2013-1537 CVE-2013-1557 CVE-2013-1558
CVE-2013-1569 CVE-2013-2383 CVE-2013-2384
CVE-2013-2415 CVE-2013-2417 CVE-2013-2419
CVE-2013-2420 CVE-2013-2421 CVE-2013-2422
CVE-2013-2424 CVE-2013-2426 CVE-2013-2429
CVE-2013-2430 CVE-2013-2431
=====================================================================

1. Summary:

Updated java-1.6.0-openjdk packages that fix various security issues are
now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) – i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) – i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) – i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) – i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) – x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) – x86_64
Red Hat Enterprise Linux Server (v. 6) – i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) – i386, x86_64
Red Hat Enterprise Linux Workstation (v. 6) – i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) – i386, x86_64

3. Description:

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

Multiple flaws were discovered in the font layout engine in the 2D
component. An untrusted Java application or applet could possibly use these
flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-1569,
CVE-2013-2383, CVE-2013-2384)

Multiple improper permission check issues were discovered in the Beans,
Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2013-1558, CVE-2013-2422, CVE-2013-1518, CVE-2013-1557)

The previous default value of the java.rmi.server.useCodebaseOnly property
permitted the RMI implementation to automatically load classes from
remotely specified locations. An attacker able to connect to an application
using RMI could use this flaw to make the application execute arbitrary
code. (CVE-2013-1537)

Note: The fix for CVE-2013-1537 changes the default value of the property
to true, restricting class loading to the local CLASSPATH and locations
specified in the java.rmi.server.codebase property. Refer to Red Hat
Bugzilla bug 952387 for additional details.

The 2D component did not properly process certain images. An untrusted Java
application or applet could possibly use this flaw to trigger Java Virtual
Machine memory corruption. (CVE-2013-2420)

It was discovered that the Hotspot component did not properly handle
certain intrinsic frames, and did not correctly perform MethodHandle
lookups. An untrusted Java application or applet could use these flaws to
bypass Java sandbox restrictions. (CVE-2013-2431, CVE-2013-2421)

It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO
component did not protect against modification of their state while
performing certain native code operations. An untrusted Java application or
applet could possibly use these flaws to trigger Java Virtual Machine
memory corruption. (CVE-2013-2429, CVE-2013-2430)

The JDBC driver manager could incorrectly call the toString() method in
JDBC drivers, and the ConcurrentHashMap class could incorrectly call the
defaultReadObject() method. An untrusted Java application or applet could
possibly use these flaws to bypass Java sandbox restrictions.
(CVE-2013-1488, CVE-2013-2426)

The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly
invoke the system class loader. An untrusted Java application or applet
could possibly use this flaw to bypass certain Java sandbox restrictions.
(CVE-2013-0401)

Flaws were discovered in the Network component's InetAddress serialization,
and the 2D component's font handling. An untrusted Java application or
applet could possibly use these flaws to crash the Java Virtual Machine.
(CVE-2013-2417, CVE-2013-2419)

The MBeanInstantiator class implementation in the OpenJDK JMX component did
not properly check class access before creating new instances. An untrusted
Java application or applet could use this flaw to create instances of
non-public classes. (CVE-2013-2424)

It was discovered that JAX-WS could possibly create temporary files with
insecure permissions. A local attacker could use this flaw to access
temporary files created by an application using JAX-WS. (CVE-2013-2415)

This erratum also upgrades the OpenJDK package to IcedTea6 1.11.10. Refer
to the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

920245 – CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)
920247 – CVE-2013-1488 OpenJDK: JDBC driver manager improper toString calls (CanSecWest 2013, Libraries, 8009814)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952389 – CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952640 – CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
952642 – CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952645 – CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability (Hotspot, 8004336)
952646 – CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP, 6657673)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952649 – CVE-2013-2421 OpenJDK: Hotspot MethodHandle lookup error (Hotspot, 8009699)
952653 – CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
952656 – CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D, 8004986)
952709 – CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D, 8004987)
952711 – CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D, 8004994)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.11.11.el5_9.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.40.1.11.11.el5_9.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.11.11.el5_9.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.40.1.11.11.el5_9.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.6.0-openjdk-1.6.0.0-1.61.1.11.11.el6_4.src.rpm

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.61.1.11.11.el6_4.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.61.1.11.11.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-1488.html
https://www.redhat.com/security/data/cve/CVE-2013-1518.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1558.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2415.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2421.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2426.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2431.html
https://access.redhat.com/security/updates/classification/#important
http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6…

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFReB4YXlSAg2UNWIIRApIkAJ9/Kk9e0UPaBMyunYAZ5ZL0yGNPZQCdFwLB
R1NB2qcpqvapX4RyyM2OH0E=
=rAdI
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2013-0822-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.7.0-ibm security update
Advisory ID: RHSA-2013:0822-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0822.html
Issue date: 2013-05-14
CVE Names: CVE-2013-0169 CVE-2013-0401 CVE-2013-1488
CVE-2013-1491 CVE-2013-1537 CVE-2013-1540
CVE-2013-1557 CVE-2013-1558 CVE-2013-1563
CVE-2013-1569 CVE-2013-2383 CVE-2013-2384
CVE-2013-2394 CVE-2013-2415 CVE-2013-2416
CVE-2013-2417 CVE-2013-2418 CVE-2013-2419
CVE-2013-2420 CVE-2013-2422 CVE-2013-2423
CVE-2013-2424 CVE-2013-2426 CVE-2013-2429
CVE-2013-2430 CVE-2013-2432 CVE-2013-2433
CVE-2013-2434 CVE-2013-2435 CVE-2013-2436
CVE-2013-2438 CVE-2013-2440
=====================================================================

1. Summary:

Updated java-1.7.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) – i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) – i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) – x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) – i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) – i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) – i386, x86_64

3. Description:

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts page,
listed in the References section. (CVE-2013-0169, CVE-2013-0401,
CVE-2013-1488, CVE-2013-1491, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,
CVE-2013-1558, CVE-2013-1563, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2394, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418,
CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424,
CVE-2013-2426, CVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433,
CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2440)

All users of java-1.7.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7 SR4-FP2 release. All running
instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

907589 – CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
920245 – CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)
920247 – CVE-2013-1488 OpenJDK: JDBC driver manager improper toString calls (CanSecWest 2013, Libraries, 8009814)
920248 – CVE-2013-1491 Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952389 – CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542)
952398 – CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952550 – CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952640 – CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
952642 – CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952653 – CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
952656 – CVE-2013-2419 ICU: Layout Engine font processing errors (JDK 2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004986)
952709 – CVE-2013-2384 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004987)
952711 – CVE-2013-1569 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004994)
953135 – Oracle JDK: multiple unspecified JavaFX vulnerabilities fixed in 7u21 (JavaFX)
953166 – CVE-2013-1540 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953172 – CVE-2013-1563 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
953265 – CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953266 – CVE-2013-2416 Oracle JDK: unspecified vulnerability fixed in 7u21 (Deployment)
953267 – CVE-2013-2418 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953269 – CVE-2013-2432 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953270 – CVE-2013-2433 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953272 – CVE-2013-2434 Oracle JDK: unspecified vulnerability fixed in 7u21 (2D)
953273 – CVE-2013-2435 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953275 – CVE-2013-2440 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.i386.rpm

x86_64:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.i386.rpm

ppc:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.ppc.rpm
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.ppc.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.ppc.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.ppc.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.ppc64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el5_9.ppc.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.ppc.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.ppc64.rpm

s390x:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.s390.rpm
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.s390.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.s390.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.s390.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.s390x.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.s390.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.s390x.rpm

x86_64:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.i686.rpm

x86_64:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.i686.rpm

ppc64:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.ppc64.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.ppc64.rpm

s390x:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.s390x.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.s390x.rpm

x86_64:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.i686.rpm

x86_64:
java-1.7.0-ibm-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.2-1jpp.1.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0169.html
https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-1488.html
https://www.redhat.com/security/data/cve/CVE-2013-1491.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1540.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1558.html
https://www.redhat.com/security/data/cve/CVE-2013-1563.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2394.html
https://www.redhat.com/security/data/cve/CVE-2013-2415.html
https://www.redhat.com/security/data/cve/CVE-2013-2416.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2418.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2423.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2426.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2432.html
https://www.redhat.com/security/data/cve/CVE-2013-2433.html
https://www.redhat.com/security/data/cve/CVE-2013-2434.html
https://www.redhat.com/security/data/cve/CVE-2013-2435.html
https://www.redhat.com/security/data/cve/CVE-2013-2436.html
https://www.redhat.com/security/data/cve/CVE-2013-2438.html
https://www.redhat.com/security/data/cve/CVE-2013-2440.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRkprMXlSAg2UNWIIRAqgdAKCSdl42n6XyuwcAUxg7lyOyDurFbQCfbwGr
X3eGP6WGu+vsuYBC7HgXi6g=
=jTHe
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2013-0823-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Critical: java-1.6.0-ibm security update
Advisory ID: RHSA-2013:0823-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0823.html
Issue date: 2013-05-14
CVE Names: CVE-2013-0169 CVE-2013-0401 CVE-2013-1491
CVE-2013-1537 CVE-2013-1540 CVE-2013-1557
CVE-2013-1563 CVE-2013-1569 CVE-2013-2383
CVE-2013-2384 CVE-2013-2394 CVE-2013-2417
CVE-2013-2418 CVE-2013-2419 CVE-2013-2420
CVE-2013-2422 CVE-2013-2424 CVE-2013-2429
CVE-2013-2430 CVE-2013-2432 CVE-2013-2433
CVE-2013-2435 CVE-2013-2440
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) – i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) – i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) – x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) – i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) – i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) – i386, x86_64

3. Description:

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts page,
listed in the References section. (CVE-2013-0169, CVE-2013-0401,
CVE-2013-1491, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1563,
CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2417,
CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2424,
CVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433, CVE-2013-2435,
CVE-2013-2440)

All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR13-FP2 release. All running
instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

907589 – CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
920245 – CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)
920248 – CVE-2013-1491 Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952642 – CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952656 – CVE-2013-2419 ICU: Layout Engine font processing errors (JDK 2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004986)
952709 – CVE-2013-2384 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004987)
952711 – CVE-2013-1569 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004994)
953166 – CVE-2013-1540 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953172 – CVE-2013-1563 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
953265 – CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953267 – CVE-2013-2418 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953269 – CVE-2013-2432 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953270 – CVE-2013-2433 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953273 – CVE-2013-2435 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953275 – CVE-2013-2440 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.ppc.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.s390.rpm
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.2-1jpp.1.el5_9.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.s390.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.s390.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.s390x.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.s390.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.i686.rpm

ppc64:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.ppc64.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.s390.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.2-1jpp.1.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0169.html
https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-1491.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1540.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1563.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2394.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2418.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2432.html
https://www.redhat.com/security/data/cve/CVE-2013-2433.html
https://www.redhat.com/security/data/cve/CVE-2013-2435.html
https://www.redhat.com/security/data/cve/CVE-2013-2440.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRkpsAXlSAg2UNWIIRArHgAJ99lN3GBaglvj3QTq7laft1RtttvQCgglIn
I8ZMWd5AhLgB1TqY/4MQYM0=
=wmpI
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2013-0855-01

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: java-1.5.0-ibm security update
Advisory ID: RHSA-2013:0855-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0855.html
Issue date: 2013-05-22
CVE Names: CVE-2013-0169 CVE-2013-0401 CVE-2013-1491
CVE-2013-1537 CVE-2013-1557 CVE-2013-1569
CVE-2013-2383 CVE-2013-2384 CVE-2013-2394
CVE-2013-2417 CVE-2013-2419 CVE-2013-2420
CVE-2013-2424 CVE-2013-2429 CVE-2013-2430
CVE-2013-2432
=====================================================================

1. Summary:

Updated java-1.5.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) – i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) – i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) – x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) – i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) – i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) – i386, x86_64

3. Description:

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM Security alerts page,
listed in the References section. (CVE-2013-0169, CVE-2013-0401,
CVE-2013-1491, CVE-2013-1537, CVE-2013-1557, CVE-2013-1569, CVE-2013-2383,
CVE-2013-2384, CVE-2013-2394, CVE-2013-2417, CVE-2013-2419, CVE-2013-2420,
CVE-2013-2424, CVE-2013-2429, CVE-2013-2430, CVE-2013-2432)

All users of java-1.5.0-ibm are advised to upgrade to these updated
packages, containing the IBM J2SE 5.0 SR16-FP2 release. All running
instances of IBM Java must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

907589 – CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
920245 – CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)
920248 – CVE-2013-1491 Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
952387 – CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952509 – CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 – CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 – CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952638 – CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952648 – CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952656 – CVE-2013-2419 ICU: Layout Engine font processing errors (JDK 2D, 8001031)
952657 – CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 – CVE-2013-2383 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004986)
952709 – CVE-2013-2384 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004987)
952711 – CVE-2013-1569 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004994)
953265 – CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953269 – CVE-2013-2432 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.ppc64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.s390.rpm
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.s390x.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.2-1jpp.1.el5_9.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.s390.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el5_9.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el5_9.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.i686.rpm

ppc64:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.ppc64.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el6_4.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el6_4.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el6_4.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.2-1jpp.1.el6_4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2013-0169.html
https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-1491.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2394.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2432.html
https://access.redhat.com/security/updates/classification/#important
https://www.ibm.com/developerworks/java/jdk/alerts/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2013 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFRnRf4XlSAg2UNWIIRAkgXAKC3XOHpMMmH1iqHxKGhYqT7F0cSDACeKj2k
Hr051ACk3XscdPny5y5+vec=
=yQq5
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Ubuntu Security Notice USN-1806-1

==========================================================================
Ubuntu Security Notice USN-1806-1
April 23, 2013

openjdk-7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10

Summary:

Several security issues were fixed in OpenJDK 7.

Software Description:
- openjdk-7: Open Source Java implementation

Details:

Ben Murphy discovered a vulnerability in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit this
to execute arbitrary code. (CVE-2013-0401)

James Forshaw discovered a vulnerability in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit this to execute arbitrary code. (CVE-2013-1488)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1569,
CVE-2013-2383, CVE-2013-2384, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,
CVE-2013-2426, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2436)

Two vulnerabilities were discovered in the OpenJDK JRE related to
confidentiality. An attacker could exploit these to expose sensitive data
over the network. (CVE-2013-2415, CVE-2013-2424)

Two vulnerabilities were discovered in the OpenJDK JRE related to
availability. An attacker could exploit these to cause a denial of service.
(CVE-2013-2417, CVE-2013-2419)

A vulnerability was discovered in the OpenJDK JRE related to data
integrity. (CVE-2013-2423)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
icedtea-7-jre-jamvm 7u21-2.3.9-0ubuntu0.12.10.1
openjdk-7-jre 7u21-2.3.9-0ubuntu0.12.10.1
openjdk-7-jre-headless 7u21-2.3.9-0ubuntu0.12.10.1
openjdk-7-jre-lib 7u21-2.3.9-0ubuntu0.12.10.1
openjdk-7-jre-zero 7u21-2.3.9-0ubuntu0.12.10.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1806-1
CVE-2013-0401, CVE-2013-1488, CVE-2013-1518, CVE-2013-1537,
CVE-2013-1557, CVE-2013-1558, CVE-2013-1569, CVE-2013-2383,
CVE-2013-2384, CVE-2013-2415, CVE-2013-2417, CVE-2013-2419,
CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423,
CVE-2013-2424, CVE-2013-2426, CVE-2013-2429, CVE-2013-2430,
CVE-2013-2431, CVE-2013-2436

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-7/7u21-2.3.9-0ubuntu0….

Ubuntu Security Notice USN-1819-1

==========================================================================Ubuntu Security Notice USN-1819-1
May 07, 2013

openjdk-6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in OpenJDK 6.

Software Description:
- openjdk-6: Open Source Java implementation

Details:

Ben Murphy discovered a vulnerability in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit this
to execute arbitrary code. (CVE-2013-0401)

James Forshaw discovered a vulnerability in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit this to execute arbitrary code. (CVE-2013-1488)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1558,
CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2420, CVE-2013-2421,
CVE-2013-2422, CVE-2013-2426, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,
CVE-2013-2436)

Two vulnerabilities were discovered in the OpenJDK JRE related to
confidentiality. An attacker could exploit these to expose sensitive data
over the network. (CVE-2013-2415, CVE-2013-2424)

Two vulnerabilities were discovered in the OpenJDK JRE related to
availability. An attacker could exploit these to cause a denial of service.
(CVE-2013-2417, CVE-2013-2419)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.5-0ubuntu0.12.04.1
icedtea-6-jre-jamvm 6b27-1.12.5-0ubuntu0.12.04.1
openjdk-6-jre 6b27-1.12.5-0ubuntu0.12.04.1
openjdk-6-jre-headless 6b27-1.12.5-0ubuntu0.12.04.1
openjdk-6-jre-lib 6b27-1.12.5-0ubuntu0.12.04.1
openjdk-6-jre-zero 6b27-1.12.5-0ubuntu0.12.04.1

Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.5-0ubuntu0.11.10.1
icedtea-6-jre-jamvm 6b27-1.12.5-0ubuntu0.11.10.1
openjdk-6-jre 6b27-1.12.5-0ubuntu0.11.10.1
openjdk-6-jre-headless 6b27-1.12.5-0ubuntu0.11.10.1
openjdk-6-jre-lib 6b27-1.12.5-0ubuntu0.11.10.1
openjdk-6-jre-zero 6b27-1.12.5-0ubuntu0.11.10.1

Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.5-0ubuntu0.10.04.1
openjdk-6-jre 6b27-1.12.5-0ubuntu0.10.04.1
openjdk-6-jre-headless 6b27-1.12.5-0ubuntu0.10.04.1
openjdk-6-jre-lib 6b27-1.12.5-0ubuntu0.10.04.1
openjdk-6-jre-zero 6b27-1.12.5-0ubuntu0.10.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1819-1
CVE-2013-0401, CVE-2013-1488, CVE-2013-1518, CVE-2013-1537,
CVE-2013-1557, CVE-2013-1558, CVE-2013-1569, CVE-2013-2383,
CVE-2013-2384, CVE-2013-2415, CVE-2013-2417, CVE-2013-2419,
CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2424,
CVE-2013-2426, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431

Package Information:

https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.5-0ubuntu0…

https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.5-0ubuntu0…

https://launchpad.net/ubuntu/+source/openjdk-6/6b27-1.12.5-0ubuntu0…