Security Advisory Moderate: java-1.5.0-bea security update

Advisory: RHSA-2008:0244-2
Type: Security Advisory
Severity: Moderate
Issued on: 2008-04-28
Last updated on: 2008-04-28
Affected Products: RHEL Supplementary (v. 5 server)
RHEL Supplementary EUS (v. 5.1.z server)
Red Hat Enterprise Linux Extras (v. 4)
Red Hat Enterprise Linux Extras (v. 4.6.z)
OVAL: com.redhat.rhsa-20080244.xml
CVEs (cve.mitre.org): CVE-2008-1187
CVE-2008-1193
CVE-2008-1194

Details

Updated java-1.5.0-bea packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit
Virtual Machine 1.5.0_14, and are certified for the Java 5 Platform,
Standard Edition, v1.5.0.

A flaw was found in the Java XSLT processing classes. An untrusted
application or applet could cause a denial of service, or execute arbitrary
code with the permissions of the user running the JRE. (CVE-2008-1187)

A flaw was found in the JRE image parsing libraries. An untrusted
application or applet could cause a denial of service, or possibly execute
arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1193)

A flaw was found in the JRE color management library. An untrusted
application or applet could trigger a denial of service (JVM crash).
(CVE-2008-1194)

The vulnerabilities concerning applets listed above can only be triggered
in java-1.5.0-bea, by calling the "appletviewer" application.

Users of java-1.5.0-bea are advised to upgrade to these updated packages,
which resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Supplementary (v. 5 server)
IA-32:
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.i686.rpm     2147029f3cdab312b76b15dbe114fd65
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.i686.rpm     635620483595feb16394e4866fb691dc
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.i686.rpm     985056838b036e8e5c41a42c47b397b7
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.i686.rpm     700f4873b6281ca3afa27287b400ab60
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.i686.rpm     7b62efb535a9fabf7cb2fd66551afd64
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.i686.rpm     7de8f6b477efef1570dad10696335293
 
IA-64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.ia64.rpm     780191c58a8ceed1029d5cbd844899a8
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.ia64.rpm     063681d7450c663d6c6195a6d624d3eb
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.ia64.rpm     bb2753110eb924476665db8614bf8385
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.ia64.rpm     a25ab228cbab600ec3a4d6708688eae4
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.ia64.rpm     c29260b7db53eb276129583c96780e00
 
x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.x86_64.rpm     e5f7901f8d308038f5028e43aa4e08ef
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.x86_64.rpm     b61cb7e753cc6b27631e5ff0a21f0242
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.x86_64.rpm     74199f1b4068ea5d55b23beb73f73af0
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.x86_64.rpm     f208d08bd4d68f6049519709052a4c79
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.x86_64.rpm     ff928a801f44548b0d5301099782a2bd
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.x86_64.rpm     11bd52511fa9558206c59952b9103f93
 
RHEL Supplementary EUS (v. 5.1.z server)
IA-32:
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.i686.rpm     2147029f3cdab312b76b15dbe114fd65
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.i686.rpm     635620483595feb16394e4866fb691dc
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.i686.rpm     985056838b036e8e5c41a42c47b397b7
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.i686.rpm     700f4873b6281ca3afa27287b400ab60
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.i686.rpm     7b62efb535a9fabf7cb2fd66551afd64
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.i686.rpm     7de8f6b477efef1570dad10696335293
 
IA-64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.ia64.rpm     780191c58a8ceed1029d5cbd844899a8
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.ia64.rpm     063681d7450c663d6c6195a6d624d3eb
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.ia64.rpm     bb2753110eb924476665db8614bf8385
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.ia64.rpm     a25ab228cbab600ec3a4d6708688eae4
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.ia64.rpm     c29260b7db53eb276129583c96780e00
 
x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.x86_64.rpm     e5f7901f8d308038f5028e43aa4e08ef
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.x86_64.rpm     b61cb7e753cc6b27631e5ff0a21f0242
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.x86_64.rpm     74199f1b4068ea5d55b23beb73f73af0
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.x86_64.rpm     f208d08bd4d68f6049519709052a4c79
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.x86_64.rpm     ff928a801f44548b0d5301099782a2bd
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.x86_64.rpm     11bd52511fa9558206c59952b9103f93
 
Red Hat Enterprise Linux Extras (v. 4)
IA-32:
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.i686.rpm     347c472951a5d3be2a605c6c0b4c2b2b
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.i686.rpm     347c472951a5d3be2a605c6c0b4c2b2b
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.i686.rpm     347c472951a5d3be2a605c6c0b4c2b2b
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.i686.rpm     347c472951a5d3be2a605c6c0b4c2b2b
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.i686.rpm     5e51515bab8285e8fa9f5cfe4954ad6a
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.i686.rpm     5e51515bab8285e8fa9f5cfe4954ad6a
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.i686.rpm     5e51515bab8285e8fa9f5cfe4954ad6a
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.i686.rpm     5e51515bab8285e8fa9f5cfe4954ad6a
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.i686.rpm     3fa9c09c59fa5846f0e4237b7e45736e
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.i686.rpm     3fa9c09c59fa5846f0e4237b7e45736e
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.i686.rpm     3fa9c09c59fa5846f0e4237b7e45736e
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.i686.rpm     3fa9c09c59fa5846f0e4237b7e45736e
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.i686.rpm     9459b3a215c7b2d40ee76ec2cbfb9660
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.i686.rpm     9459b3a215c7b2d40ee76ec2cbfb9660
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.i686.rpm     9459b3a215c7b2d40ee76ec2cbfb9660
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.i686.rpm     9459b3a215c7b2d40ee76ec2cbfb9660
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.i686.rpm     5e8579ef05899b781080194bd4f1286d
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.i686.rpm     5e8579ef05899b781080194bd4f1286d
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.i686.rpm     5e8579ef05899b781080194bd4f1286d
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.i686.rpm     5e8579ef05899b781080194bd4f1286d
 
IA-64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.ia64.rpm     a7289276628635123cd8637f82cfc535
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.ia64.rpm     a7289276628635123cd8637f82cfc535
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.ia64.rpm     a7289276628635123cd8637f82cfc535
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.ia64.rpm     c7f44eac8b6f716c3722d412c9e6d5b8
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.ia64.rpm     c7f44eac8b6f716c3722d412c9e6d5b8
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.ia64.rpm     c7f44eac8b6f716c3722d412c9e6d5b8
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.ia64.rpm     e7ba1ab7d454b4d548dcdf56b87a5c03
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.ia64.rpm     e7ba1ab7d454b4d548dcdf56b87a5c03
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.ia64.rpm     e7ba1ab7d454b4d548dcdf56b87a5c03
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.ia64.rpm     c74839ffa34d642e8b8d013e206a0d13
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.ia64.rpm     c74839ffa34d642e8b8d013e206a0d13
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.ia64.rpm     c74839ffa34d642e8b8d013e206a0d13
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.ia64.rpm     90ef5471d7db1f953d623033463127f9
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.ia64.rpm     90ef5471d7db1f953d623033463127f9
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.ia64.rpm     90ef5471d7db1f953d623033463127f9
 
x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.x86_64.rpm     ea9eeb767d15beee63c55eeb46fffbec
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.x86_64.rpm     ea9eeb767d15beee63c55eeb46fffbec
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.x86_64.rpm     ea9eeb767d15beee63c55eeb46fffbec
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.x86_64.rpm     ea9eeb767d15beee63c55eeb46fffbec
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.x86_64.rpm     36b8d74bbd2c7189589b1233ffc9daca
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.x86_64.rpm     36b8d74bbd2c7189589b1233ffc9daca
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.x86_64.rpm     36b8d74bbd2c7189589b1233ffc9daca
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.x86_64.rpm     36b8d74bbd2c7189589b1233ffc9daca
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.x86_64.rpm     d1e0751cc2ef80ae5d1e00a2569df23b
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.x86_64.rpm     d1e0751cc2ef80ae5d1e00a2569df23b
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.x86_64.rpm     d1e0751cc2ef80ae5d1e00a2569df23b
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.x86_64.rpm     d1e0751cc2ef80ae5d1e00a2569df23b
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.x86_64.rpm     88f8f1bd9b721ebfbea91114ff235202
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.x86_64.rpm     88f8f1bd9b721ebfbea91114ff235202
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.x86_64.rpm     88f8f1bd9b721ebfbea91114ff235202
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.x86_64.rpm     88f8f1bd9b721ebfbea91114ff235202
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.x86_64.rpm     0bdd78b099807c6a8b50514f9b8e3eda
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.x86_64.rpm     0bdd78b099807c6a8b50514f9b8e3eda
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.x86_64.rpm     0bdd78b099807c6a8b50514f9b8e3eda
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.x86_64.rpm     0bdd78b099807c6a8b50514f9b8e3eda
 
Red Hat Enterprise Linux Extras (v. 4.6.z)
IA-32:
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.i686.rpm     347c472951a5d3be2a605c6c0b4c2b2b
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.i686.rpm     347c472951a5d3be2a605c6c0b4c2b2b
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.i686.rpm     5e51515bab8285e8fa9f5cfe4954ad6a
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.i686.rpm     5e51515bab8285e8fa9f5cfe4954ad6a
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.i686.rpm     3fa9c09c59fa5846f0e4237b7e45736e
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.i686.rpm     3fa9c09c59fa5846f0e4237b7e45736e
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.i686.rpm     9459b3a215c7b2d40ee76ec2cbfb9660
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.i686.rpm     9459b3a215c7b2d40ee76ec2cbfb9660
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.i686.rpm     5e8579ef05899b781080194bd4f1286d
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.i686.rpm     5e8579ef05899b781080194bd4f1286d
 
IA-64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.ia64.rpm     a7289276628635123cd8637f82cfc535
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.ia64.rpm     a7289276628635123cd8637f82cfc535
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.ia64.rpm     c7f44eac8b6f716c3722d412c9e6d5b8
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.ia64.rpm     c7f44eac8b6f716c3722d412c9e6d5b8
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.ia64.rpm     e7ba1ab7d454b4d548dcdf56b87a5c03
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.ia64.rpm     e7ba1ab7d454b4d548dcdf56b87a5c03
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.ia64.rpm     c74839ffa34d642e8b8d013e206a0d13
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.ia64.rpm     c74839ffa34d642e8b8d013e206a0d13
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.ia64.rpm     90ef5471d7db1f953d623033463127f9
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.ia64.rpm     90ef5471d7db1f953d623033463127f9
 
x86_64:
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.x86_64.rpm     ea9eeb767d15beee63c55eeb46fffbec
java-1.5.0-bea-1.5.0.14-1jpp.2.el4.x86_64.rpm     ea9eeb767d15beee63c55eeb46fffbec
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.x86_64.rpm     36b8d74bbd2c7189589b1233ffc9daca
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el4.x86_64.rpm     36b8d74bbd2c7189589b1233ffc9daca
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.x86_64.rpm     d1e0751cc2ef80ae5d1e00a2569df23b
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el4.x86_64.rpm     d1e0751cc2ef80ae5d1e00a2569df23b
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.x86_64.rpm     88f8f1bd9b721ebfbea91114ff235202
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el4.x86_64.rpm     88f8f1bd9b721ebfbea91114ff235202
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.x86_64.rpm     0bdd78b099807c6a8b50514f9b8e3eda
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el4.x86_64.rpm     0bdd78b099807c6a8b50514f9b8e3eda
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

436030 - CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation
436296 - CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194)


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1194
http://dev2dev.bea.com/pub/advisory/277
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/