[RHSA-2017:0061-01] Important: java-1.6.0-openjdk security update
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Important: java-1.6.0-openjdk security update

Advisory ID: RHSA-2017:0061-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0061.html

Issue date: 2017-01-12

CVE Names: CVE-2016-5542 CVE-2016-5554 CVE-2016-5573

CVE-2016-5582 CVE-2016-5597

=====================================================================

 

1. Summary:

 

An update for java-1.6.0-openjdk is now available for Red Hat Enterprise
Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64

Red Hat Enterprise Linux Client (v. 7) - x86_64

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, x86_64

Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

 

3. Description:

 

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.

 

Security Fix(es):

 

* It was discovered that the Hotspot component of OpenJDK did not properly
check the arguments of the System.arraycopy() function in certain cases. An
untrusted Java application or applet could use this flaw to corrupt the
virtual machine's memory and completely bypass Java sandbox restrictions.
(CVE-2016-5582)

 

* It was discovered that the Hotspot component of OpenJDK did not properly
check received Java Debug Wire Protocol (JDWP) packets. An attacker could
possibly use this flaw to send debugging commands to a Java program running
with debugging enabled if they could make the victim's browser send HTTP
requests to the JDWP port of the debugged application. (CVE-2016-5573)
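The JDWP flaw is only reachable on a JVM that is actually listening for debugger connections, so the first check on a host is which JVMs carry a JDWP agent and which interface it is bound to. The Python audit below is an added example, not part of the Red Hat advisory. The command lines it scans are constructed samples (on a real host, feed it the output of `ps -eo args`), and it encodes the JDK 6/7/8 behaviour that `address=<port>` with no host part listens on every interface (JDK 9 and later default to localhost). IPv6 literals without brackets in the address are not handled.

```python
"""Audit JVM command lines for JDWP listeners reachable from the network.

Added example, not part of the Red Hat advisory. The command lines below
are constructed samples; on a real host read them from `ps -eo args` or
/proc/<pid>/cmdline.
"""
import re

# Matches -agentlib:jdwp=... and the older -Xrunjdwp:... spelling.
JDWP_OPT = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")

def parse_jdwp_options(cmdline):
    """Return the key=value options of the JDWP agent, or None if no agent."""
    m = JDWP_OPT.search(cmdline)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def jdwp_exposure(cmdline):
    """Classify one JVM command line.

    Returns one of:
      none      - no JDWP agent
      client    - agent connects out (server=n); nothing listens
      localhost - listens, but bound to a loopback address
      network   - listens on a specific non-loopback address
      any       - listens on all interfaces (address=<port> with no host,
                  the JDK 6/7/8 behaviour; JDK 9+ defaults to localhost)
    """
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return "none"
    if opts.get("server", "n") != "y":
        return "client"
    if opts.get("transport", "dt_socket") != "dt_socket":
        return "localhost"   # dt_shmem is machine-local by construction
    address = opts.get("address", "")
    host, sep, _port = address.rpartition(":")
    if not sep:
        return "any"         # bare port: pre-JDK 9 binds every interface
    if host in ("localhost", "127.0.0.1", "[::1]"):
        return "localhost"
    if host in ("", "0.0.0.0", "*", "[::]"):
        return "any"
    return "network"

# Constructed sample process list (not real data).
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -Xrunjdwp:transport=dt_socket,server=y,address=0.0.0.0:8000 -jar legacy.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=n,address=devbox:5005 -jar app.jar",
    "java -Xmx2g -jar app.jar",
]

def audit(cmdlines):
    """Return the (cmdline, classification) pairs that need attention."""
    findings = []
    for cmdline in cmdlines:
        exposure = jdwp_exposure(cmdline)
        if exposure in ("any", "network"):
            findings.append((cmdline, exposure))
    return findings

if __name__ == "__main__":
    for cmdline, exposure in audit(SAMPLE_CMDLINES):
        print(f"[{exposure}] {cmdline}")
```

A JVM classified as `any` or `network` is the case the advisory describes: a browser on the same network segment can be made to send HTTP requests to that port. Rebinding the agent to `address=127.0.0.1:<port>` (or removing it from production command lines) closes the path independently of the JDK fix.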

 

* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification. This
flaw could allow an attacker to modify the content of a Jar file that was
signed with a weak signing key or hash algorithm. (CVE-2016-5542)

 

Note: After this update, the MD2 hash algorithm and RSA keys with fewer than
1024 bits are no longer allowed to be used for Jar integrity verification
by default. The MD5 hash algorithm is expected to be disabled by default in
future updates. A newly introduced security property,
jdk.jar.disabledAlgorithms, can be used to control the set of disabled
algorithms.
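The jdk.jar.disabledAlgorithms property uses the same constraint syntax as jdk.certpath.disabledAlgorithms: a comma-separated list of algorithm names, each optionally qualified with `keySize <op> <bits>`. The Python evaluator below is an added example, not OpenJDK's implementation. It models that syntax and the decomposition of composite signature names (so an entry `MD2` also catches `MD2withRSA`) in simplified form, and the signer records it checks are constructed rather than read from a real JAR's META-INF. It evaluates the default policy after this update next to a policy that already disables MD5, which the note says is expected to follow.

```python
"""Evaluate a jdk.jar.disabledAlgorithms-style policy against JAR signers.

Added example, not Red Hat's or OpenJDK's code. It models the constraint
syntax in simplified form: each comma-separated entry is an algorithm name,
optionally followed by `keySize <op> <bits>`. The signer records are
constructed; a real tool would read them from META-INF/*.SF and the
signature block file.
"""
import operator
import re

DEFAULT_POLICY = "MD2, RSA keySize < 1024"        # default after this update
HARDENED_POLICY = "MD2, MD5, RSA keySize < 1024"  # also refuses MD5-based signers

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
_CONSTRAINT = re.compile(
    r"^\s*(?P<alg>[A-Za-z0-9_\-]+)\s*"
    r"(?:keySize\s*(?P<op><=|>=|==|!=|<|>)\s*(?P<bits>\d+))?\s*$",
    re.IGNORECASE)

def parse_policy(value):
    """Parse the property value into (ALG, op, bits) tuples.

    op and bits are None when the entry disables the algorithm outright.
    """
    rules = []
    for entry in value.split(","):
        if not entry.strip():
            continue
        m = _CONSTRAINT.match(entry)
        if not m:
            raise ValueError(f"unparseable constraint: {entry!r}")
        bits = int(m.group("bits")) if m.group("bits") else None
        rules.append((m.group("alg").upper(), m.group("op"), bits))
    return rules

def decompose(algorithm):
    """Names a rule may match for one algorithm string.

    'SHA1withRSA' -> {'SHA1WITHRSA', 'SHA1', 'RSA', 'SHA-1'}. Simplified
    model of the JDK's algorithm decomposition (assumption).
    """
    upper = algorithm.upper()
    parts = {upper}
    parts.update(p for p in re.split(r"WITH|AND", upper) if p)
    aliases = {"SHA1": "SHA-1", "SHA-1": "SHA1", "SHA256": "SHA-256", "SHA-256": "SHA256"}
    for p in list(parts):
        if p in aliases:
            parts.add(aliases[p])
    return parts

def signer_rejected(rules, digest_alg, sig_alg, key_alg, key_bits):
    """Return the first rule that disables this signer, or None if allowed."""
    named = decompose(digest_alg) | decompose(sig_alg) | {key_alg.upper()}
    for alg, op, bits in rules:
        if alg not in named:
            continue
        if op is None:
            return (alg, op, bits)               # algorithm disabled outright
        if alg == key_alg.upper() and _OPS[op](key_bits, bits):
            return (alg, op, bits)               # key-size constraint hit
    return None

# Constructed signer records: (label, .SF digest, signature alg, key alg, key bits)
SAMPLE_SIGNERS = [
    ("good",     "SHA-256", "SHA256withRSA", "RSA", 2048),
    ("weak-key", "SHA-1",   "SHA1withRSA",   "RSA", 512),
    ("md2",      "MD2",     "MD2withRSA",    "RSA", 2048),
    ("md5",      "MD5",     "MD5withRSA",    "RSA", 2048),
]

def verify_jar_signers(policy, signers):
    """Map each signer label to the rule that rejects it (None = accepted)."""
    rules = parse_policy(policy)
    return {label: signer_rejected(rules, *rest) for label, *rest in signers}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, verify_jar_signers(policy, SAMPLE_SIGNERS))
```

The point the two runs make: a JAR signed with MD5withRSA and a 2048-bit key still verifies under the post-update default, so a site that wants the stricter behaviour now sets jdk.jar.disabledAlgorithms in java.security rather than waiting for the later default change.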

 

* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this flaw
to bypass certain Java sandbox restrictions. (CVE-2016-5554)

 

* A flaw was found in the way the Networking component of OpenJDK handled
HTTP proxy authentication. A Java application could possibly expose HTTPS
server authentication credentials via a plain text network connection to an
HTTP proxy if the proxy asked for authentication. (CVE-2016-5597)

 

Note: After this update, Basic HTTP proxy authentication can no longer be
used when tunneling an HTTPS connection through an HTTP proxy. The newly
introduced system properties jdk.http.auth.proxying.disabledSchemes and
jdk.http.auth.tunneling.disabledSchemes can be used to control which
authentication schemes can be requested by an HTTP proxy when proxying HTTP
and HTTPS connections respectively.
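The exchange behind that note, as an added example that is not OpenJDK's code: the client sends CONNECT, the proxy answers 407 with a Basic challenge, and the only safe answer while a tunnel is being set up is to stop, because a Proxy-Authorization header would cross the wire in clear text before any TLS exists. The two scheme sets mirror the proxying and tunneling disabledSchemes properties; the proxy, target host and credentials are constructed for the demo, and the exchange runs over a local socket pair so it works offline.

```python
"""Proxy 407 handling for tunnelled (CONNECT) versus plain proxied requests.

Added example, not OpenJDK's implementation. It models the rule this
advisory introduces: a Basic challenge is answered for plain HTTP proxying
but refused when a CONNECT tunnel is being set up. The proxy, target and
credentials are constructed.
"""
import base64
import socket
import threading

PROXYING_DISABLED = set()          # jdk.http.auth.proxying.disabledSchemes (empty)
TUNNELING_DISABLED = {"Basic"}     # jdk.http.auth.tunneling.disabledSchemes=Basic

def parse_response(text):
    """Return (status code, schemes offered in Proxy-Authenticate headers)."""
    if not text:
        return 0, []
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.split():
            schemes.append(value.split()[0])
    return status, schemes

def pick_scheme(schemes, tunneling):
    """First offered scheme not disabled for this mode, or None."""
    disabled = {s.lower() for s in (TUNNELING_DISABLED if tunneling else PROXYING_DISABLED)}
    for scheme in schemes:
        if scheme.lower() not in disabled:
            return scheme
    return None

def basic_header(user, password):
    """The Basic answer as it appears on the wire: base64 is not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"

def proxied_request(sock, target, creds, tunneling):
    """Send the request; answer a 407 only with a scheme the policy allows.

    Returns (outcome, offered_schemes); outcome is 'established',
    'refused' (every offered scheme is disabled for this mode) or 'failed'.
    """
    request_line = f"CONNECT {target} HTTP/1.1" if tunneling else f"GET http://{target}/ HTTP/1.1"
    sock.sendall(f"{request_line}\r\nHost: {target}\r\n\r\n".encode())
    status, schemes = parse_response(sock.recv(4096).decode())
    if status == 200:
        return "established", schemes
    if status != 407:
        return "failed", schemes
    scheme = pick_scheme(schemes, tunneling)
    if scheme is None:
        return "refused", schemes          # never send creds in clear text
    if scheme.lower() != "basic":
        return "failed", schemes           # only Basic is modelled here
    user, password = creds
    retry = f"{request_line}\r\nHost: {target}\r\n{basic_header(user, password)}\r\n\r\n"
    sock.sendall(retry.encode())
    status, _ = parse_response(sock.recv(4096).decode())
    return ("established" if status == 200 else "failed"), schemes

def fake_basic_proxy(sock):
    """Constructed proxy: challenges with Basic, accepts any Basic answer."""
    for _ in range(2):                     # at most a challenge and one retry
        data = sock.recv(4096).decode()
        if not data:
            break
        if "Proxy-Authorization: Basic " in data:
            sock.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            break
        sock.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b'Proxy-Authenticate: Basic realm="corp-proxy"\r\n'
                     b"Content-Length: 0\r\n\r\n")
    sock.close()

def run_exchange(tunneling):
    """Drive the client against the fake proxy over a socket pair."""
    client, proxy = socket.socketpair()
    worker = threading.Thread(target=fake_basic_proxy, args=(proxy,))
    worker.start()
    target = "example.com:443" if tunneling else "example.com:80"
    result = proxied_request(client, target, ("alice", "s3cret"), tunneling)
    client.close()
    worker.join()
    return result

if __name__ == "__main__":
    print("CONNECT tunnel:", run_exchange(tunneling=True))   # refused
    print("plain proxying:", run_exchange(tunneling=False))  # established
```

In the real JDK the refused case surfaces as a failed connection through the proxy; the intended remedy is a proxy that offers a scheme other than Basic for CONNECT, not clearing jdk.http.auth.tunneling.disabledSchemes, which reopens the credential exposure the fix removes.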

 

4. Solution:

 

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.
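To confirm a host actually carries the fixed build, compare the installed `%{VERSION}-%{RELEASE}` of java-1.6.0-openjdk against the versions in the package list below (1.6.0.41-1.13.13.1 with the el5_11, el6_8 or el7_3 dist tag). The Python check here is an added example, not part of the Red Hat advisory. It reimplements rpm's version ordering for offline use, takes its input in the form produced by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.6.0-openjdk`, and uses constructed sample version strings; it ignores the package epoch on the assumption that this update does not change it, and does not model the `^` operator of newer rpm releases.

```python
"""Check an installed java-1.6.0-openjdk version against this advisory.

Added example, not part of the Red Hat advisory. The fixed versions come
from the advisory's package list; the installed version strings are
constructed samples. On a real host the input is the output of
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.6.0-openjdk
The comparison reimplements rpm's ordering: digit runs compared
numerically, alpha runs lexically, '~' sorting before anything, and
left-over characters winning. Epoch is ignored (assumed unchanged).
"""
import re

# %{VERSION}-%{RELEASE} of the fixed packages, keyed by dist tag.
FIXED = {
    "el5": ("1.6.0.41", "1.13.13.1.el5_11"),
    "el6": ("1.6.0.41", "1.13.13.1.el6_8"),
    "el7": ("1.6.0.41", "1.13.13.1.el7_3"),
}

def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two version (or release) strings as rpm does."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:          # '~' sorts before everything, even the end
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if not (i < len(a) and j < len(b)):
            break
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        start_a = i
        while i < len(a) and same_kind(a[i]):
            i += 1
        start_b = j
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[start_a:i], b[start_b:j]
        if not seg_b:
            return 1 if isnum else -1   # numeric segment beats alpha segment
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    rest_a, rest_b = i < len(a), j < len(b)
    if not rest_a and not rest_b:
        return 0
    return 1 if rest_a else -1

def parse_vr(vr):
    """Split 'VERSION-RELEASE' and derive the dist tag (el5/el6/el7)."""
    version, sep, release = vr.strip().partition("-")
    m = re.search(r"\.(el\d+)(?:_|$)", release)
    if not sep or not m:
        raise ValueError(f"not a VERSION-RELEASE with a dist tag: {vr!r}")
    return version, release, m.group(1)

def is_patched(vr):
    """True if the installed VERSION-RELEASE is at or above the fixed one."""
    version, release, dist = parse_vr(vr)
    if dist not in FIXED:
        raise ValueError(f"no fixed version known for {dist}")
    fixed_version, fixed_release = FIXED[dist]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0

# Constructed sample inputs (not real inventory data).
SAMPLE_INSTALLED = [
    "1.6.0.41-1.13.13.1.el6_8",   # exactly the fixed el6 build
    "1.6.0.40-1.13.12.6.el6_8",   # older version: vulnerable
    "1.6.0.41-1.13.13.2.el7_3",   # hypothetical later rebuild: fine
    "1.6.0.41-1.13.13.1.el5_11",  # exactly the fixed el5 build
]

if __name__ == "__main__":
    for vr in SAMPLE_INSTALLED:
        print(f"{vr}: {'patched' if is_patched(vr) else 'VULNERABLE'}")
```

The version check says nothing about running processes: per the Solution section, a JVM started before the update keeps the old code mapped until it is restarted, so pair this with a check that no java process predates the package install time.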

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1385402 - CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591)

1385544 - CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)

1385714 - CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)

1385723 - CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)

1386103 - CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)

 

6. Package List:

 

Red Hat Enterprise Linux Desktop (v. 5 client):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el5_11.src.rpm

 

i386:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el5_11.i386.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

 

Red Hat Enterprise Linux (v. 5 server):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el5_11.src.rpm

 

i386:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el5_11.i386.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el5_11.i386.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el5_11.x86_64.rpm

 

Red Hat Enterprise Linux Desktop (v. 6):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.src.rpm

 

i386:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux Desktop Optional (v. 6):

 

i386:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el6_8.i686.rpm

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux HPC Node (v. 6):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.src.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux HPC Node Optional (v. 6):

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 6):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.src.rpm

 

i386:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el6_8.i686.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 6):

 

i386:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el6_8.i686.rpm

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 6):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.src.rpm

 

i386:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el6_8.i686.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 6):

 

i386:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el6_8.i686.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el6_8.i686.rpm

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el6_8.x86_64.rpm

 

Red Hat Enterprise Linux Client (v. 7):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.src.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

Red Hat Enterprise Linux Client Optional (v. 7):

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode (v. 7):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.src.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 7):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.src.rpm

 

ppc64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.ppc64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.ppc64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el7_3.ppc64.rpm

 

s390x:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.s390x.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.s390x.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el7_3.s390x.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 7):

 

ppc64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.ppc64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el7_3.ppc64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el7_3.ppc64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el7_3.ppc64.rpm

 

s390x:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.s390x.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el7_3.s390x.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el7_3.s390x.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el7_3.s390x.rpm

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 7):

 

Source:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.src.rpm

 

x86_64:

java-1.6.0-openjdk-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 7):

 

x86_64:

java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.el7_3.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2016-5542

https://access.redhat.com/security/cve/CVE-2016-5554

https://access.redhat.com/security/cve/CVE-2016-5573

https://access.redhat.com/security/cve/CVE-2016-5582

https://access.redhat.com/security/cve/CVE-2016-5597

https://access.redhat.com/security/updates/classification/#important

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFYeIT0XlSAg2UNWIIRAgQPAKCai7h4Cc6597NSiWUwuXUJ+pWWvgCgkbvC

gQh8khAY9KtXVarZehdvrEU=

=KF5H

-----END PGP SIGNATURE-----
