ID

VAR-201306-0258

CVE

CVE-2013-2444

TITLE

Oracle Java SE JRE Unknown security vulnerability

DESCRIPTION

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not "properly manage and restrict certain resources related to the processing of fonts," possibly involving temporary files. Oracle Java SE is prone to a remote vulnerability in Java Runtime Environment. The vulnerability can be exploited over multiple protocols. This issue affects the 'CORBA' sub-component. This vulnerability affects the following supported versions: 7 Update 21 , 6 Update 45 , 5.0 Update 45. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption (CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469). Integer overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application (CVE-2013-2459). Multiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2013-2448, CVE-2013-2457, CVE-2013-2453). Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information (CVE-2013-2456, CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446). It was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine (CVE-2013-2445). It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service (CVE-2013-2444, CVE-2013-2450). It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service (CVE-2013-2407, CVE-2013-2461). It was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information (CVE-2013-2412). It was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation (CVE-2013-1571). It was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment (CVE-2013-1500). It was discovered that the Networking component did not properly enforce exclusive port binding. A local attacker could exploit this flaw to bind to ports intended to be exclusively bound (CVE-2013-2451). This updates IcedTea6 to version 1.11.12, which fixes these issues, as well as several other bugs. Additionally, this OpenJDK update causes icedtea-web, the Java browser plugin, to crash, so icedtea-web has been patched to fix this. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451 https://rhn.redhat.com/errata/RHSA-2013-1014.html _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 3ae552d38d7cd10be746e4703279f789 mes5/i586/icedtea-web-1.3.2-0.4mdvmes5.2.i586.rpm cb106d5fa87dcb272347ccc6ff4c1c24 mes5/i586/icedtea-web-javadoc-1.3.2-0.4mdvmes5.2.i586.rpm 2ae9cb967329a454731c3c5c50118fb5 mes5/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm 05afab461704f00714707dd22f4811be mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm dc372b36845109db264de4d33301d9e5 mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm 55cdf45405844e373f60c3bcac1c3fbc mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm 48653ecc4f9b945fafbf43e972465a18 mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm 6652ab0958ffe2b11b061f8281c3e5a7 mes5/SRPMS/icedtea-web-1.3.2-0.4mdvmes5.2.src.rpm 977e2c2d131ba350b6dd15cfd1bbf14c mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 6ffbc522ac4a2db8212ac963de525576 mes5/x86_64/icedtea-web-1.3.2-0.4mdvmes5.2.x86_64.rpm 2bc2c2b9ce03a4785ef061ca66156aaa mes5/x86_64/icedtea-web-javadoc-1.3.2-0.4mdvmes5.2.x86_64.rpm 841d31717e695fd649290fd561400a4d mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm 51bd267b7c1b2efe641e080deb68fe96 mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm 68fb561cd1b10758db8d9d6aa7d24487 mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm 775811371aca053a714df2d570c19720 mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm 7ce118640d8e59d659b020febe513427 mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm 6652ab0958ffe2b11b061f8281c3e5a7 mes5/SRPMS/icedtea-web-1.3.2-0.4mdvmes5.2.src.rpm 977e2c2d131ba350b6dd15cfd1bbf14c mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFR47+cmqjQ0CJFipgRAmnTAJ4lalit4V4VWsSE6KHeem9qtHb+9gCgmJ/U GUelRnMi6Rq7d9NhnTCwrlg= =rErU -----END PGP SIGNATURE----- . For the stable distribution (wheezy), these problems have been fixed in version 7u25-2.3.10-1~deb7u1. In addition icedtea-web needed to be updated to 1.4-3~deb7u1. For the unstable distribution (sid), these problems have been fixed in version 7u25-2.3.10-1. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-06-18-1 Java for OS X 2013-004 and Mac OS X v10.6 Update 16 Java for OS X 2013-004 and Mac OS X v10.6 Update 16 is now available and addresses the following: Java Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later Impact: Multiple vulnerabilities in Java 1.6.0_45 Description: 8011782 Multiple vulnerabilities existed in Java 1.6.0_45, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Further information is available via the Java website at ht tp://www.oracle.com/technetwork/java/javase/releasenotes-136954.html CVE-ID CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 CVE-2013-2437 CVE-2013-2442 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 CVE-2013-2447 CVE-2013-2448 CVE-2013-2450 CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2459 CVE-2013-2461 CVE-2013-2463 CVE-2013-2464 CVE-2013-2465 CVE-2013-2466 CVE-2013-2468 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 CVE-2013-2472 CVE-2013-2473 CVE-2013-3743 CVE_2013-2445 Java for OS X 2013-004 and Mac OS X v10.6 Update 16 may be obtained from the Software Update pane in System Preferences, Mac App Store, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.6 systems The download file is named: JavaForMacOSX10.6.Update16.dmg Its SHA-1 digest is: a6b5a9caa3c0d9acf743da8e4c0e5cfe4e471b01 For OS X Lion and Mountain Lion systems The download file is named: JavaForOSX2013-004.dmg Its SHA-1 digest is: 153c3f74d5285d10008fce2004d904da8d2ffdff Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRwL5AAAoJEPefwLHPlZEwju0QALM1IST/ATt2xR1L0AQcaZRX eiM07MlvAlE9Jv45xqKLUezRU8XQT6+glN51/hBhpyCa8MJIzPiSnnOIAW+vbA5o RjXQTGPGT1IPSfEk7OWS++566riMLmTOvg45Qn0E/ibOqJHpfrR4wzQX5jpv7lzH EbdKxn+KWfHCF2y/2LCFifDHUBPCjUlbWTRznDCYVHsFbtDiP/vAZiSXsNJtLTXK UOD/eGbel2PEqWOOsUNIrzwvztRB+LsYT4xKQQnsEKJqoyMch/UgB1Uo2jgEPn0U YP3WZbjbDV+UcM+yMoCV/qDFhbJ+qBxTbuwYOHuSDpgqJ7vF8s0cdUUb6U7QLW4/ 3ykC7vOUS/JqYkiqwUxuKVpzSUYXrlez36sQuwCR9AOGCJ/0/MwM8QPavFAdGisP 36ZavJ4k2Dp2CfVmWjexpWY7XN9M36Lh57XChxQk9TcbjUJRrqNadlPyzaja3G9a 95Dq1N1dYfLuFm4MtyeDA0xQl8m8ljnSxH3TQoDcTwvvWGIGdG7EEVpdQqM/MTWY CY2EqMkY3Gouet+QvECYwxOz+g0hcaJd973kSM+5AJ7tVfod93NDW3P13k2cfdTC uo9IgGkhuNY40NuLpJLtTwlHcTCwBtKPt0BLwXugZdoDrgz1j8Q+fLuASSTkUQxl 3t9MUCG40o5ZQFyWqV1+ =zFXN -----END PGP SIGNATURE----- . ============================================================================ Ubuntu Security Notice USN-1907-1 July 16, 2013 openjdk-7 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.04 - Ubuntu 12.10 Summary: Several security issues were fixed in OpenJDK 7. (CVE-2013-1500, CVE-2013-2454, CVE-2013-2458) A vulnerability was discovered in the OpenJDK Javadoc related to data integrity. (CVE-2013-1571) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and availability. (CVE-2013-2412, CVE-2013-2443, CVE-2013-2446, CVE-2013-2447, CVE-2013-2449, CVE-2013-2452, CVE-2013-2456) Several vulnerabilities were discovered in the OpenJDK JRE related to availability. (CVE-2013-2448, CVE-2013-2451, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473) Several vulnerabilities were discovered in the OpenJDK JRE related to data integrity. (CVE-2013-2453, CVE-2013-2455, CVE-2013-2457) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.04: icedtea-7-jre-jamvm 7u25-2.3.10-1ubuntu0.13.04.2 openjdk-7-doc 7u25-2.3.10-1ubuntu0.13.04.2 openjdk-7-jre 7u25-2.3.10-1ubuntu0.13.04.2 openjdk-7-jre-headless 7u25-2.3.10-1ubuntu0.13.04.2 openjdk-7-jre-lib 7u25-2.3.10-1ubuntu0.13.04.2 openjdk-7-jre-zero 7u25-2.3.10-1ubuntu0.13.04.2 Ubuntu 12.10: icedtea-7-jre-cacao 7u25-2.3.10-1ubuntu0.12.10.2 icedtea-7-jre-jamvm 7u25-2.3.10-1ubuntu0.12.10.2 openjdk-7-doc 7u25-2.3.10-1ubuntu0.12.10.2 openjdk-7-jre 7u25-2.3.10-1ubuntu0.12.10.2 openjdk-7-jre-headless 7u25-2.3.10-1ubuntu0.12.10.2 openjdk-7-jre-lib 7u25-2.3.10-1ubuntu0.12.10.2 openjdk-7-jre-zero 7u25-2.3.10-1ubuntu0.12.10.2 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c03874547 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03874547 Version: 1 HPSBUX02908 rev.1 - HP-UX Running Java6, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2013-07-31 Last Updated: 2013-07-31 Potential Security Impact: Remote unauthorized access, disclosure of information, and other vulnerabilities Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.19 and earlier. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-1500 (AV:L/AC:L/Au:N/C:P/I:P/A:N) 3.6 CVE-2013-1571 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2013-2407 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4 CVE-2013-2412 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2013-2433 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2013-2437 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2013-2442 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2013-2444 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2013-2445 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2013-2446 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2013-2447 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2013-2448 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6 CVE-2013-2450 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2013-2451 (AV:L/AC:H/Au:N/C:P/I:P/A:P) 3.7 CVE-2013-2452 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2013-2453 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2013-2454 (AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8 CVE-2013-2455 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2013-2456 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2013-2457 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2013-2459 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2461 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2013-2463 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2464 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2465 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2466 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2468 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2469 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2470 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2471 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2472 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-2473 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2013-3743 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following Java version upgrade to resolve these vulnerabilities. The upgrade is available from the following location http://www.hp.com/java OS Version Release Version HP-UX B.11.11, B.11.23, B.11.31 JDK and JRE v6.0.20 or subsequent MANUAL ACTIONS: Yes - Update For Java v6.0 update to Java v6.0.20 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 HP-UX B.11.23 =========== Jdk60.JDK60-COM Jdk60.JDK60-PA20 Jdk60.JDK60-PA20W Jre60.JRE60-COM Jre60.JRE60-COM-DOC Jre60.JRE60-PA20 Jre60.JRE60-PA20-HS Jre60.JRE60-PA20W Jre60.JRE60-PA20W-HS Jdk60.JDK60-IPF32 Jdk60.JDK60-IPF64 Jre60.JRE60-COM Jre60.JRE60-IPF32 Jre60.JRE60-IPF32-HS Jre60.JRE60-IPF64 Jre60.JRE60-IPF64-HS action: install revision 1.6.0.20.00 or subsequent HP-UX B.11.23 HP-UX B.11.31 =========== Jdk60.JDK60-COM Jdk60.JDK60-IPF32 Jdk60.JDK60-IPF64 Jre60.JRE60-IPF32 Jre60.JRE60-IPF32-HS Jre60.JRE60-IPF64 Jre60.JRE60-IPF64-HS Jre60.JRE60-COM Jre60.JRE60-IPF32 Jre60.JRE60-IPF32-HS Jre60.JRE60-IPF64 Jre60.JRE60-IPF64-HS action: install revision 1.6.0.20.00 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 31 July 2013 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2013 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.6.0-ibm security update Advisory ID: RHSA-2013:1059-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1059.html Issue date: 2013-07-15 CVE Names: CVE-2013-1500 CVE-2013-1571 CVE-2013-2407 CVE-2013-2412 CVE-2013-2437 CVE-2013-2442 CVE-2013-2443 CVE-2013-2444 CVE-2013-2446 CVE-2013-2447 CVE-2013-2448 CVE-2013-2450 CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2459 CVE-2013-2463 CVE-2013-2464 CVE-2013-2465 CVE-2013-2466 CVE-2013-2468 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 CVE-2013-2472 CVE-2013-2473 CVE-2013-3743 ===================================================================== 1. Summary: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743) Red Hat would like to thank Tim Brown for reporting CVE-2013-1500, and US-CERT for reporting CVE-2013-1571. US-CERT acknowledges Oracle as the original reporter of CVE-2013-1571. All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR14 release. All running instances of IBM Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 973474 - CVE-2013-1571 OpenJDK: Frame injection in generated HTML (Javadoc, 8012375) 975099 - CVE-2013-2470 OpenJDK: ImagingLib byte lookup processing (2D, 8011243) 975102 - CVE-2013-2471 OpenJDK: Incorrect IntegerComponentRaster size checks (2D, 8011248) 975107 - CVE-2013-2472 OpenJDK: Incorrect ShortBandedRaster size checks (2D, 8011253) 975110 - CVE-2013-2473 OpenJDK: Incorrect ByteBandedRaster size checks (2D, 8011257) 975115 - CVE-2013-2463 OpenJDK: Incorrect image attribute verification (2D, 8012438) 975118 - CVE-2013-2465 OpenJDK: Incorrect image channel verification (2D, 8012597) 975120 - CVE-2013-2469 OpenJDK: Incorrect image layout verification (2D, 8012601) 975121 - CVE-2013-2459 OpenJDK: Various AWT integer overflow checks (AWT, 8009071) 975125 - CVE-2013-2448 OpenJDK: Better access restrictions (Sound, 8006328) 975127 - CVE-2013-2407 OpenJDK: Integrate Apache Santuario, rework class loader (Libraries, 6741606, 8008744) 975129 - CVE-2013-2454 OpenJDK: SerialJavaObject package restriction (JDBC, 8009554) 975131 - CVE-2013-2444 OpenJDK: Resource denial of service (AWT, 8001038) 975132 - CVE-2013-2446 OpenJDK: output stream access restrictions (CORBA, 8000642) 975133 - CVE-2013-2457 OpenJDK: Proper class checking (JMX, 8008120) 975134 - CVE-2013-2453 OpenJDK: MBeanServer Introspector package access (JMX, 8008124) 975137 - CVE-2013-2443 OpenJDK: AccessControlContext check order issue (Libraries, 8001330) 975138 - CVE-2013-2452 OpenJDK: Unique VMIDs (Libraries, 8001033) 975139 - CVE-2013-2455 OpenJDK: getEnclosing* checks (Libraries, 8007812) 975140 - CVE-2013-2447 OpenJDK: Prevent revealing the local address (Networking, 8001318) 975141 - CVE-2013-2450 OpenJDK: ObjectStreamClass circular reference denial of service (Serialization, 8000638) 975142 - CVE-2013-2456 OpenJDK: ObjectOutputStream access checks (Serialization, 8008132) 975144 - CVE-2013-2412 OpenJDK: JConsole SSL support (Serviceability, 8003703) 975146 - CVE-2013-2451 OpenJDK: exclusive port binding (Networking, 7170730) 975148 - CVE-2013-1500 OpenJDK: Insecure shared memory permissions (2D, 8001034) 975757 - CVE-2013-2464 Oracle JDK: unspecified vulnerability fixed in 7u25 (2D) 975761 - CVE-2013-2468 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment) 975764 - CVE-2013-2466 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment) 975767 - CVE-2013-3743 Oracle JDK: unspecified vulnerability fixed in 6u51 and 5u51 (AWT) 975770 - CVE-2013-2442 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment) 975773 - CVE-2013-2437 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.i386.rpm x86_64: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.i386.rpm ppc: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.ppc64.rpm java-1.6.0-ibm-accessibility-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.ppc64.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.ppc.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.s390.rpm java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm java-1.6.0-ibm-accessibility-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.s390.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.s390.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.s390.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.s390.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.i386.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.i686.rpm x86_64: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.i686.rpm ppc64: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.ppc64.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.ppc.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.ppc64.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.s390.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.i686.rpm x86_64: java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.i686.rpm java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm java-1.6.0-ibm-src-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-1500.html https://www.redhat.com/security/data/cve/CVE-2013-1571.html https://www.redhat.com/security/data/cve/CVE-2013-2407.html https://www.redhat.com/security/data/cve/CVE-2013-2412.html https://www.redhat.com/security/data/cve/CVE-2013-2437.html https://www.redhat.com/security/data/cve/CVE-2013-2442.html https://www.redhat.com/security/data/cve/CVE-2013-2443.html https://www.redhat.com/security/data/cve/CVE-2013-2444.html https://www.redhat.com/security/data/cve/CVE-2013-2446.html https://www.redhat.com/security/data/cve/CVE-2013-2447.html https://www.redhat.com/security/data/cve/CVE-2013-2448.html https://www.redhat.com/security/data/cve/CVE-2013-2450.html https://www.redhat.com/security/data/cve/CVE-2013-2451.html https://www.redhat.com/security/data/cve/CVE-2013-2452.html https://www.redhat.com/security/data/cve/CVE-2013-2453.html https://www.redhat.com/security/data/cve/CVE-2013-2454.html https://www.redhat.com/security/data/cve/CVE-2013-2455.html https://www.redhat.com/security/data/cve/CVE-2013-2456.html https://www.redhat.com/security/data/cve/CVE-2013-2457.html https://www.redhat.com/security/data/cve/CVE-2013-2459.html https://www.redhat.com/security/data/cve/CVE-2013-2463.html https://www.redhat.com/security/data/cve/CVE-2013-2464.html https://www.redhat.com/security/data/cve/CVE-2013-2465.html https://www.redhat.com/security/data/cve/CVE-2013-2466.html https://www.redhat.com/security/data/cve/CVE-2013-2468.html https://www.redhat.com/security/data/cve/CVE-2013-2469.html https://www.redhat.com/security/data/cve/CVE-2013-2470.html https://www.redhat.com/security/data/cve/CVE-2013-2471.html https://www.redhat.com/security/data/cve/CVE-2013-2472.html https://www.redhat.com/security/data/cve/CVE-2013-2473.html https://www.redhat.com/security/data/cve/CVE-2013-3743.html https://access.redhat.com/security/updates/classification/#critical https://www.ibm.com/developerworks/java/jdk/alerts/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFR5F7SXlSAg2UNWIIRAoLZAJ0VjJsfypi7E/eTRM17TcAUxLApcgCeOawz KToQFuV/rQGbw/9j9N5it68= =y+B0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS