ID

VAR-201110-0395

CVE

CVE-2011-3548

TITLE

Oracle ‘ Java Runtime Environment ’ Component security vulnerability

DESCRIPTION

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT. Oracle Java SE is prone to a remote vulnerability in Java Runtime Environment. The vulnerability can be exploited over multiple protocols. This issue affects the 'AWT' sub-component. This vulnerability affects the following supported versions: JDK and JRE 7, 6 Update 27, 5.0 Update 31, 1.4.2_33. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Hitachi Cosminexus Products Java Multiple Vulnerabilities SECUNIA ADVISORY ID: SA46694 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46694/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46694 RELEASE DATE: 2011-11-08 DISCUSS ADVISORY: http://secunia.com/advisories/46694/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46694/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46694 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Hitachi has acknowledged multiple vulnerabilities in Hitachi Cosminexus products, which can be exploited by malicious users to disclose certain information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. The vulnerabilities are caused due to vulnerabilities in the bundled version of Cosminexus Developer's Kit for Java. For more information: SA46512 Please see the vendor's advisory for a list of affected products. Please see the vendor's advisory for details. ORIGINAL ADVISORY: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-024/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.6.0-ibm security update Advisory ID: RHSA-2012:0034-01 Product: Red Hat Enterprise Linux Extras Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0034.html Issue date: 2012-01-18 CVE Names: CVE-2011-3389 CVE-2011-3516 CVE-2011-3521 CVE-2011-3544 CVE-2011-3545 CVE-2011-3546 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3550 CVE-2011-3551 CVE-2011-3552 CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557 CVE-2011-3560 CVE-2011-3561 ===================================================================== 1. Summary: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560, CVE-2011-3561) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java 6 SR10 release. All running instances of IBM Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 737506 - CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) 745379 - CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936) 745387 - CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600) 745391 - CVE-2011-3551 OpenJDK: Java2D TransformHelper integer overflow (2D, 7023640) 745397 - CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417) 745399 - CVE-2011-3544 OpenJDK: missing SecurityManager checks in scripting engine (Scripting, 7046823) 745442 - CVE-2011-3521 OpenJDK: IIOP deserialization code execution (Deserialization, 7055902) 745447 - CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857) 745459 - CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466) 745464 - CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012) 745473 - CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773) 745476 - CVE-2011-3553 OpenJDK: JAX-WS stack-traces information leak (JAX-WS, 7046794) 747191 - CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound) 747198 - CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing) 747200 - CVE-2011-3550 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (AWT) 747203 - CVE-2011-3516 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) 747205 - CVE-2011-3546 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) 747208 - CVE-2011-3561 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment) 6. Package List: Red Hat Enterprise Linux AS version 4 Extras: i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.i386.rpm ppc: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.ppc.rpm java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.ppc64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.ppc.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.ppc.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.ppc.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.ppc.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.ppc64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.ppc.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.ppc.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.ppc64.rpm s390: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.s390.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.s390.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.s390.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.s390.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.s390.rpm s390x: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.s390x.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.s390x.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.s390x.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.x86_64.rpm Red Hat Desktop version 4 Extras: i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.i386.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.i386.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.i386.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el4.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.i386.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.i386.rpm ppc: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.ppc64.rpm java-1.6.0-ibm-accessibility-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.ppc64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.ppc.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.s390.rpm java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.s390x.rpm java-1.6.0-ibm-accessibility-1.6.0.10.0-1jpp.2.el5.s390x.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.s390.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.s390x.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.s390.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.s390.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.s390x.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.s390.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el5.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el5.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.i686.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.i686.rpm ppc64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.ppc64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.ppc.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.ppc64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.s390x.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.s390x.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.s390.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.s390x.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.i686.rpm x86_64: java-1.6.0-ibm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.i686.rpm java-1.6.0-ibm-devel-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.10.0-1jpp.2.el6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.10.0-1jpp.2.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-3389.html https://www.redhat.com/security/data/cve/CVE-2011-3516.html https://www.redhat.com/security/data/cve/CVE-2011-3521.html https://www.redhat.com/security/data/cve/CVE-2011-3544.html https://www.redhat.com/security/data/cve/CVE-2011-3545.html https://www.redhat.com/security/data/cve/CVE-2011-3546.html https://www.redhat.com/security/data/cve/CVE-2011-3547.html https://www.redhat.com/security/data/cve/CVE-2011-3548.html https://www.redhat.com/security/data/cve/CVE-2011-3549.html https://www.redhat.com/security/data/cve/CVE-2011-3550.html https://www.redhat.com/security/data/cve/CVE-2011-3551.html https://www.redhat.com/security/data/cve/CVE-2011-3552.html https://www.redhat.com/security/data/cve/CVE-2011-3553.html https://www.redhat.com/security/data/cve/CVE-2011-3554.html https://www.redhat.com/security/data/cve/CVE-2011-3556.html https://www.redhat.com/security/data/cve/CVE-2011-3557.html https://www.redhat.com/security/data/cve/CVE-2011-3560.html https://www.redhat.com/security/data/cve/CVE-2011-3561.html https://access.redhat.com/security/updates/classification/#critical http://www.ibm.com/developerworks/java/jdk/alerts/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPFx2vXlSAg2UNWIIRAhTiAKC/De/npwAlSJPQ/Grh51Bmxq3M5ACgvw8T hoc/VGW50B8EPSdZ48jR034= =nw0v -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. CVE-2011-3547 The skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code. CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges. CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information. CVE-2011-3560 The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions. For the stable distribution (squeeze), this problem has been fixed in version 6b18-1.8.10-0+squeeze1. For the testing distribution (wheezy) and the unstable distribution (sid), this problem has been fixed in version 6b23~pre11-1. ========================================================================== Ubuntu Security Notice USN-1263-1 November 16, 2011 icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: Multiple OpenJDK 6 and IcedTea-Web vulnerabilities have been fixed. Software Description: - icedtea-web: A web browser plugin to execute Java applets - openjdk-6: Open Source Java implementation - openjdk-6b18: Open Source Java implementation Details: Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377) Juliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm block-wise as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389) It was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521) It was discovered that the Java scripting engine did not perform SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544) It was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. (CVE-2011-3547) It was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548) It was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551) It was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet exhaust the number of available UDP sockets to cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552) It was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553) It was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554) It was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557) It was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558) It was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: icedtea-6-jre-cacao 6b23~pre11-0ubuntu1.11.10 icedtea-6-jre-jamvm 6b23~pre11-0ubuntu1.11.10 icedtea-netx 1.1.3-1ubuntu1.1 icedtea-plugin 1.1.3-1ubuntu1.1 openjdk-6-jre 6b23~pre11-0ubuntu1.11.10 openjdk-6-jre-headless 6b23~pre11-0ubuntu1.11.10 openjdk-6-jre-lib 6b23~pre11-0ubuntu1.11.10 openjdk-6-jre-zero 6b23~pre11-0ubuntu1.11.10 Ubuntu 11.04: icedtea-6-jre-cacao 6b22-1.10.4-0ubuntu1~11.04.1 icedtea-6-jre-jamvm 6b22-1.10.4-0ubuntu1~11.04.1 icedtea-netx 1.1.1-0ubuntu1~11.04.2 icedtea-plugin 1.1.1-0ubuntu1~11.04.2 openjdk-6-jre 6b22-1.10.4-0ubuntu1~11.04.1 openjdk-6-jre-headless 6b22-1.10.4-0ubuntu1~11.04.1 openjdk-6-jre-lib 6b22-1.10.4-0ubuntu1~11.04.1 openjdk-6-jre-zero 6b22-1.10.4-0ubuntu1~11.04.1 Ubuntu 10.10: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-demo 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jdk 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.10.2 Ubuntu 10.04 LTS: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.04.2 icedtea6-plugin 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-demo 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.04.2 After a standard system update you need to restart any Java applications or applets to make all the necessary changes. IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D (CVE-2011-3551). IcedTea6 prior to 1.10.4 allows remote attackers to affect integrity via unknown vectors related to Networking (CVE-2011-3552). IcedTea6 prior to 1.10.4 allows remote authenticated users to affect confidentiality, related to JAXWS (CVE-2011-3553). A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection (CVE-2011-3389). Note: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag -Djsse.enableCBCProtection=false to the java command. IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability, related to RMI (CVE-2011-3556). IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability, related to RMI (CVE-2011-3557). A malicious applet could use this flaw to bypass SOP protection and open connections to any sub-domain of the second-level domain of the applet&#039;s origin, as well as any sub-domain of the domain that is the suffix of the origin second-level domain. For example, IcedTea-Web plugin allowed applet from some.host.example.com to connect to other.host.example.com, www.example.com, and example.com, as well as www.ample.com or ample.com. (CVE-2011-3377). The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOvSWxmqjQ0CJFipgRAnk1AKDUddZYCqwkfhoUpLxEL0BT3mDf0ACfbuTI aaF2JGTyfceBABs92un/yVA= =yPsD -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-11-08-1 Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6 Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6 are now available and address the following: Java Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, Mac OS X v10.7.2, Mac OS X Server v10.7.2 Impact: Multiple vulnerabilities in Java 1.6.0_26 Description: Multiple vulnerabilities exist in Java 1.6.0_26, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. These issues are addressed by updating to Java version 1.6.0_29. Further information is available via the Java website at http://java.sun.com/javase/6/webnotes/ReleaseNotes.html CVE-ID CVE-2011-3389 CVE-2011-3521 CVE-2011-3544 CVE-2011-3545 CVE-2011-3546 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3551 CVE-2011-3552 CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557 CVE-2011-3558 CVE-2011-3560 CVE-2011-3561 Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.6 systems The download file is named: JavaForMacOSX10.6.dmg Its SHA-1 digest is: be0ac75b8bac967f1d39a94ebf9482a61fb7d70b For Mac OS X v10.7 systems The download file is named: JavaForMacOSX10.7.dmg Its SHA-1 digest is: 7768e6aeb5adaa638c74d4c04150517ed99fed20 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJOuZNKAAoJEGnF2JsdZQeece8H/1I98YQ1LF4iDD442zB+WjZP 2Vxd3euXYwySD6qDCYNLJ0hUKu90c/4nr5d5rRH3xYdBzAHuZG39m069lpN1UZIW t5ube+j9zjiejnXlPbAgq+vIAg22nu0EdxhOOZZeQOoEYqyoKhXNCt3fR+tzo3o4 mN/LWMO1NwrM0sGDPuUGs2TWdPZbC4QJJz4Z4S+FsTlujYh9MRd3dyxLBIg7BKCL wgnFdpFW8bPmVdiTj91pC0Gb3XtolQxexXGHsdI15KeFMbQ06nKV/AyvxMF8O5jS D089GEHE52NAQCZ0YJ6TJsisrGqTZZ77js55cPU259FogxEKKBuwfdFbn4qVeD8= =4KBF -----END PGP SIGNATURE-----

AFFECTED PRODUCTS