[RHSA-2008:0133-01] Moderate: IBMJava2 security update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: IBMJava2 security update

Advisory ID: RHSA-2008:0133-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2008-0133.html

Issue date: 2008-06-24

Keywords: Security

CVE Names: CVE-2007-3922 CVE-2007-3004 CVE-2007-3005

=====================================================================

 

1. Summary:

 

IBMJava2-JRE and IBMJava2-SDK packages that correct several security issues

are available for Red Hat Enterprise Linux 2.1.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386

Red Hat Enterprise Linux ES version 2.1 - i386

Red Hat Enterprise Linux WS version 2.1 - i386

 

3. Description:

 

IBM's 1.3.1 Java release includes the IBM Java 2 Runtime Environment and

the IBM Java 2 Software Development Kit.

 

A buffer overflow was found in the Java Runtime Environment image-handling

code. An untrusted applet or application could use this flaw to elevate its

privileges and potentially execute arbitrary code as the user running the

java virtual machine. (CVE-2007-3004)

 

An unspecified vulnerability was discovered in the Java Runtime

Environment. An untrusted applet or application could cause the java

virtual machine to become unresponsive. (CVE-2007-3005)

 

A flaw was found in the applet class loader. An untrusted applet could use

this flaw to circumvent network access restrictions, possibly connecting to

services hosted on the machine that executed the applet. (CVE-2007-3922)

 

These updated packages also add the following enhancements:

 

* Time zone information has been updated to the latest available

information, 2007h.

 

* Accessibility support in AWT can now be disabled through a system

property, java.assistive. To support this change, permission to read this

property must be added to /opt/IBMJava2-131/jre/lib/security/java.policy.

Users of IBMJava2 who have modified this file should add this following

line to the grant section:

 

permission java.util.PropertyPermission "java.assistive", "read";

 

All users of IBMJava2 should upgrade to these updated packages, which

contain IBM's 1.3.1 SR11 Java release, which resolves these issues.

 

4. Solution:

 

Before applying this update, make sure that all previously-released

errata relevant to your system have been applied.

 

This update is available via Red Hat Network. Details on how to use

the Red Hat Network to apply this update are available at

http://kbase.redhat.com/faq/FAQ_58_10188

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

242595 - CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser

249533 - CVE-2007-3922 Vulnerability in the Java Runtime Environment May Allow an Untrusted Applet to Circumvent Network Access Restrictions

250733 - CVE-2007-3005 Unspecified vulnerability in Sun JRE

 

6. Package List:

 

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 :

 

Source:

ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/IBMJava2-JRE-1.3.1-17.src.rpm

ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/IBMJava2-SDK-1.3.1-17.src.rpm

 

i386:

IBMJava2-JRE-1.3.1-17.i386.rpm

IBMJava2-SDK-1.3.1-17.i386.rpm

 

Red Hat Enterprise Linux ES version 2.1:

 

Source:

ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/IBMJava2-JRE-1.3.1-17.src.rpm

ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/IBMJava2-SDK-1.3.1-17.src.rpm

 

i386:

IBMJava2-JRE-1.3.1-17.i386.rpm

IBMJava2-SDK-1.3.1-17.i386.rpm

 

Red Hat Enterprise Linux WS version 2.1:

 

Source:

ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/IBMJava2-JRE-1.3.1-17.src.rpm

ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/IBMJava2-SDK-1.3.1-17.src.rpm

 

i386:

IBMJava2-JRE-1.3.1-17.i386.rpm

IBMJava2-SDK-1.3.1-17.i386.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://www.redhat.com/security/team/key/#package

 

7. References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3922

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3004

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3005

http://www-128.ibm.com/developerworks/java/jdk/alerts/

http://www.redhat.com/security/updates/classification/#moderate

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://www.redhat.com/security/team/contact/

 

Copyright 2008 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.4 (GNU/Linux)

 

iD8DBQFIYL6QXlSAg2UNWIIRAovnAJ47f+QTI8f7PsXYhZsPiafV6AMgugCdHKaS

MRglY1fkJuOKmXEmrH2BhlU=

=rgQz

-----END PGP SIGNATURE-----

 

 

--