[Security Announce] [ MDVSA-2009:137 ] java-1.6.0-openjdk


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

_______________________________________________________________________

 

Mandriva Linux Security Advisory MDVSA-2009:137

http://www.mandriva.com/security/

_______________________________________________________________________

 

Package : java-1.6.0-openjdk

Date : June 20, 2009

Affected: 2009.0, 2009.1

_______________________________________________________________________

 

Problem Description:

 

Multiple security vulnerabilities have been identified and fixed in the

Little CMS (lcms) library embedded in OpenJDK:

 

A memory leak flaw allows remote attackers to cause a denial of service

(memory consumption and application crash) via a crafted image file

(CVE-2009-0581).

 

Multiple integer overflows allow remote attackers to execute arbitrary

code via a crafted image file that triggers a heap-based buffer

overflow (CVE-2009-0723).

 

Multiple stack-based buffer overflows allow remote attackers to

execute arbitrary code via a crafted image file associated with a large

integer value for the (1) input or (2) output channel (CVE-2009-0733).

 

A flaw in the transformation of monochrome profiles allows remote

attackers to cause a denial of service (NULL pointer dereference) via a

crafted image file (CVE-2009-0793).

 

Further security fixes in the JRE and in the Java API of OpenJDK:

 

A flaw in the handling of temporary font files by the Java Virtual

Machine (JVM) allows remote attackers to cause a denial of service

(CVE-2006-2426).

 

An integer overflow flaw was found in Pulse-Java when handling Pulse

audio source data lines. An attacker could use this flaw to cause an

applet to crash, leading to a denial of service (CVE-2009-0794).

 

A flaw in LDAP connections initiated by the Java Runtime Environment

allows authenticated remote users to cause a denial of service on the

LDAP service (CVE-2009-1093).

 

A flaw in the Java Runtime Environment LDAP client's handling of

server responses allows remote attackers to execute arbitrary code on

the client side via a malicious server response (CVE-2009-1094).

 

Buffer overflows in the Java Runtime Environment unpack200 utility

allow remote attackers to execute arbitrary code via a crafted applet

(CVE-2009-1095, CVE-2009-1096).

 

A buffer overflow in the splash screen processing allows attackers

to execute arbitrary code (CVE-2009-1097).

 

A buffer overflow in GIF image handling allows remote attackers to

execute arbitrary code via a crafted GIF image (CVE-2009-1098).

 

A flaw in the Java API for XML Web Services (JAX-WS) service endpoint

handling allows remote attackers to cause a denial of service on the

service endpoint's server side (CVE-2009-1101).

 

A flaw in the Java Runtime Environment Virtual Machine code generation

allows remote attackers to execute arbitrary code via a crafted applet

(CVE-2009-1102).

 

This update provides fixes for these issues.

 

Update:

 

java-1.6.0-openjdk requires the rhino packages, and these have been

updated as well.

_______________________________________________________________________

 

References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0793

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0794

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102

_______________________________________________________________________

 

Updated Packages:

 

Mandriva Linux 2009.0:

912bfaa5d15e09b410af7b20605e7a1f 2009.0/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm

786629a41c5c892280577f14b097d118 2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm

7a4ad719a41456847161a5da058916b1 2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm

dd8e42f6419f0f0c564c2d10f66c1c51 2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm

ecb3e34b02fe6366ea74d3b460913a18 2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm

ec978b519cce142f0419fe9fcdfa49dd 2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm

0985ffc0a6bc78d7cea8f2fd9c9b060b 2009.0/i586/rhino-1.7-0.0.2.1mdv2009.0.noarch.rpm

7665b20e0252718afabd10529743522e 2009.0/i586/rhino-demo-1.7-0.0.2.1mdv2009.0.noarch.rpm

4179b415f870de30ad9bb2227ef1fbc3 2009.0/i586/rhino-javadoc-1.7-0.0.2.1mdv2009.0.noarch.rpm

72a6d30e3807a63e77aa2ebee32716b2 2009.0/i586/rhino-manual-1.7-0.0.2.1mdv2009.0.noarch.rpm

9b760b15223e7cb0146790ec5f7a77f1 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.src.rpm

8f2f2ce3c178cd87e526a0b8fe8918e7 2009.0/SRPMS/rhino-1.7-0.0.2.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.0/X86_64:

5cebb2bb47360800ceac229941689fad 2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm

5405df1af7fae349beb431618fba7fd2 2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm

03969d440901d4fd31106d792a395534 2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm

0e727c5840611998aef5499fa241464e 2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm

9d72b8a28b6a21dac221244ac51b2e1b 2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm

8fcffa782992c1cc15858c2a0894ba00 2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm

e3f2ad3c55426cf9c4b336ab880f9ff7 2009.0/x86_64/rhino-1.7-0.0.2.1mdv2009.0.noarch.rpm

579005e8d20d5c559ee240c35095aeeb 2009.0/x86_64/rhino-demo-1.7-0.0.2.1mdv2009.0.noarch.rpm

384403e6dae7eadefed13682b0b924f1 2009.0/x86_64/rhino-javadoc-1.7-0.0.2.1mdv2009.0.noarch.rpm

fd8327ed0d455a9e116ff6fcfc96a849 2009.0/x86_64/rhino-manual-1.7-0.0.2.1mdv2009.0.noarch.rpm

9b760b15223e7cb0146790ec5f7a77f1 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.src.rpm

8f2f2ce3c178cd87e526a0b8fe8918e7 2009.0/SRPMS/rhino-1.7-0.0.2.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.1:

e3a6b131e6b24c5bdd1401bb09363cf7 2009.1/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm

75555512a7eb8b122bb0b5d7d40168e9 2009.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm

0f45f662d06b4e820c725358d39ee9d1 2009.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm

86624b1b4142e1e97ea4e5195e7f92dd 2009.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm

2eb9b7a15dc0d8f02e88ea0a567ccf10 2009.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm

8ca13d69103a5d861abdb45e8cd45bae 2009.1/i586/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm

b785c9c5d02abfd121bbe21d388e60c6 2009.1/i586/rhino-1.7-0.0.3.1mdv2009.1.noarch.rpm

0d7b54d508a807f40fb895f57fc4be14 2009.1/i586/rhino-demo-1.7-0.0.3.1mdv2009.1.noarch.rpm

25fd10e12bca1b22f10bd66150c5cac2 2009.1/i586/rhino-javadoc-1.7-0.0.3.1mdv2009.1.noarch.rpm

2687abe0ea6c72ae1a340646a102175f 2009.1/i586/rhino-manual-1.7-0.0.3.1mdv2009.1.noarch.rpm

b943cbf0170778e2e5d5c924a937ab6c 2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.src.rpm

295300b3094f6486d13c0e29dd0aaa01 2009.1/SRPMS/rhino-1.7-0.0.3.1mdv2009.1.src.rpm

 

Mandriva Linux 2009.1/X86_64:

8b72108f53cf01197bc96713a4c5886b 2009.1/x86_64/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm

5c0ad9be1191b441ade9f9c27ebf2bfa 2009.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm

47d6080378ac8288c945adb06906ee5d 2009.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm

631685330646881f15f5fc3ce43e496c 2009.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm

f5f89addbe29f886b8a9a956f1bccd0d 2009.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm

8d35903fed1e52aa5bfeee82ba27ffa8 2009.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm

a13593fdfc42296a1661ff6512cedd23 2009.1/x86_64/rhino-1.7-0.0.3.1mdv2009.1.noarch.rpm

1d371aba339ae4061610412df205af53 2009.1/x86_64/rhino-demo-1.7-0.0.3.1mdv2009.1.noarch.rpm

92cd2f41ceaf3f6941cfd48a464e4ecd 2009.1/x86_64/rhino-javadoc-1.7-0.0.3.1mdv2009.1.noarch.rpm

c593be725e85426ced97ff0d23c215d9 2009.1/x86_64/rhino-manual-1.7-0.0.3.1mdv2009.1.noarch.rpm

b943cbf0170778e2e5d5c924a937ab6c 2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.src.rpm

295300b3094f6486d13c0e29dd0aaa01 2009.1/SRPMS/rhino-1.7-0.0.3.1mdv2009.1.src.rpm

_______________________________________________________________________

 

To upgrade automatically use MandrivaUpdate or urpmi. The verification

of md5 checksums and GPG signatures is performed automatically for you.

 

All packages are signed by Mandriva for security. You can obtain the

GPG public key of the Mandriva Security Team by executing:

 

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
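The following script is an added example and is not part of the advisory or of Mandriva's tooling. It reproduces by hand the two checks that urpmi and MandrivaUpdate perform for you: comparing downloaded packages against the md5 list printed under "Updated Packages:" above, and verifying the GPG signature on each rpm with the Security Team key (0x22458A98) named in this advisory. It is useful when packages are fetched from a mirror and installed with rpm directly. The function names, the list-file format (one "<md5> <path>" line per package, copied verbatim from the advisory) and the sample files built by `demo` are assumptions of this example; the sample files are constructed stand-ins, not real packages.

```shell
#!/bin/sh
# Added example, not part of MDVSA-2009:137 or of Mandriva's tooling: it
# reproduces by hand the two checks urpmi/MandrivaUpdate run automatically,
# (1) the md5 list from the "Updated Packages:" section and (2) the GPG
# signature on each rpm. POSIX sh; needs md5sum, and rpm for (2).

# verify_md5_list LISTFILE BASEDIR
#   LISTFILE contains lines "<md5> <relative/path.rpm>", copied verbatim from
#   the advisory (e.g. the "Mandriva Linux 2009.1:" block). Each file is
#   hashed below BASEDIR and compared. Returns 0 only if every file exists
#   and matches; a missing or altered package makes it return 1.
verify_md5_list() {
    list=$1; base=$2; bad=0
    while read -r expected relpath; do
        [ -z "$expected" ] && continue          # skip blank lines
        f="$base/$relpath"
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$relpath"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$relpath"
        else
            printf 'MISMATCH %s (got %s, advisory lists %s)\n' \
                "$relpath" "$actual" "$expected"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# check_rpm_signature FILE
#   The md5 list only proves the download matches the advisory text; the
#   signature is what ties the package to the Mandriva Security Team key
#   (0x22458A98 in the advisory). rpm must know that key first:
#       gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
#       gpg --export -a 0x22458A98 > mandriva-security.asc
#       rpm --import mandriva-security.asc
#   Returns rpm's own exit status: non-zero if the signature is missing,
#   made by an unknown key, or does not match the package contents.
check_rpm_signature() {
    if ! command -v rpm >/dev/null 2>&1; then
        printf 'rpm not available, cannot check signature on %s\n' "$1" >&2
        return 2
    fi
    rpm --checksig "$1"
}

# demo: builds a constructed sample tree (stand-in files, not real Mandriva
# packages) and exercises both a matching and a tampered file. Returns 0
# when verify_md5_list behaves as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/2009.1/i586"
    jdk=2009.1/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm
    rhino=2009.1/i586/rhino-1.7-0.0.3.1mdv2009.1.noarch.rpm
    printf 'constructed stand-in for an rpm\n' > "$tmp/$jdk"
    printf 'constructed stand-in for rhino\n' > "$tmp/$rhino"
    # A list in the advisory's format, with the real hashes of the stand-ins.
    for p in "$jdk" "$rhino"; do
        printf '%s %s\n' "$(md5sum "$tmp/$p" | cut -d' ' -f1)" "$p"
    done > "$tmp/advisory.md5"
    verify_md5_list "$tmp/advisory.md5" "$tmp" || { rm -rf "$tmp"; return 1; }
    # Tamper with one package: the check must now fail.
    printf 'trojaned\n' >> "$tmp/$rhino"
    if verify_md5_list "$tmp/advisory.md5" "$tmp"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

# Usage: sh verify-mdvsa.sh --demo
#        . ./verify-mdvsa.sh; verify_md5_list advisory.md5 /var/mirror && \
#            check_rpm_signature /var/mirror/2009.1/i586/java-1.6.0-openjdk-*.rpm
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Note that the md5 list in the advisory is a transport integrity check against the advisory text, which is itself protected only by the PGP signature on the mail; the rpm signature check is the step that actually authenticates the package, so do not skip it when installing with rpm outside urpmi.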

 

You can view other update advisories for Mandriva Linux at:

 

http://www.mandriva.com/security/advisories

 

If you want to report vulnerabilities, please contact

 

security_(at)_mandriva.com

_______________________________________________________________________

 

Type Bits/KeyID Date User ID

pub 1024D/22458A98 2000-07-10 Mandriva Security Team

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (GNU/Linux)

 

iD8DBQFKO6OnmqjQ0CJFipgRAkvnAJ97DF6nfZ4Gl3iBkhfczGXddU3RXACeP9bE

QuKPXc7lJk[censored]rCFo5wWRbA=

=/8An

-----END PGP SIGNATURE-----

 
