Security Advisory Critical: java-1.5.0-sun security update

Advisory: RHSA-2009:1199-1
Type: Security Advisory
Severity: Critical
Issued on: 2009-08-06
Last updated on: 2009-08-06
Affected Products: RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)
RHEL Supplementary EUS (v. 5.3.z server)
Red Hat Enterprise Linux Extras (v. 4)
Red Hat Enterprise Linux Extras (v. 4.8.z)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2009-2475
CVE-2009-2625
CVE-2009-2670
CVE-2009-2671
CVE-2009-2672
CVE-2009-2673
CVE-2009-2675
CVE-2009-2676
CVE-2009-2689
CVE-2009-2720
CVE-2009-2721
CVE-2009-2722
CVE-2009-2723
CVE-2009-2724

Details

Updated java-1.5.0-sun packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

The Sun 1.5.0 Java release includes the Sun Java 5 Runtime Environment and
the Sun Java 5 Software Development Kit.

This update fixes several vulnerabilities in the Sun Java 5 Runtime
Environment and the Sun Java 5 Software Development Kit. These
vulnerabilities are summarized on the "Advance notification of Security
Updates for Java SE" page from Sun Microsystems, listed in the References
section. (CVE-2009-2475, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)

Users of java-1.5.0-sun should upgrade to these updated packages, which
correct these issues. All running instances of Sun Java must be restarted
for the update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Supplementary (v. 5 client)
IA-32:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     a5ac0998217b44386a7b5c9fe13720c9
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     a032d063c397796bdd7e037468b933b8
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     8912adef68c194585cf13025bb09fd15
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     5943130b2e205e25c6dfc8556340a27a
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     cf7096c2c920800307baba8c8182e4d7
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     103fce787c2eb79b4b057392ddda8503
 
x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     8bd672a4f3c56be313dd0451fbf3d3d8
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     80686a4c3f43b836122ad0cede3198b9
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     c5400ee7923032675229729312cc0ca7
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     baf0cef4c25a6f39a98f97995f186be8
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     cf7096c2c920800307baba8c8182e4d7
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     6e36c0c92b43782582d45ea092dd2914
 
RHEL Supplementary (v. 5 server)
IA-32:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     a5ac0998217b44386a7b5c9fe13720c9
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     a032d063c397796bdd7e037468b933b8
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     8912adef68c194585cf13025bb09fd15
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     5943130b2e205e25c6dfc8556340a27a
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     cf7096c2c920800307baba8c8182e4d7
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     103fce787c2eb79b4b057392ddda8503
 
x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     8bd672a4f3c56be313dd0451fbf3d3d8
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     80686a4c3f43b836122ad0cede3198b9
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     c5400ee7923032675229729312cc0ca7
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     baf0cef4c25a6f39a98f97995f186be8
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm
File outdated by:  RHSA-2009:1571		     cf7096c2c920800307baba8c8182e4d7
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.x86_64.rpm
File outdated by:  RHSA-2009:1571		     6e36c0c92b43782582d45ea092dd2914
 
RHEL Supplementary EUS (v. 5.3.z server)
IA-32:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.i586.rpm     a5ac0998217b44386a7b5c9fe13720c9
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.i586.rpm     a032d063c397796bdd7e037468b933b8
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.i586.rpm     8912adef68c194585cf13025bb09fd15
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.i586.rpm     5943130b2e205e25c6dfc8556340a27a
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm     cf7096c2c920800307baba8c8182e4d7
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.i586.rpm     103fce787c2eb79b4b057392ddda8503
 
x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el5.x86_64.rpm     8bd672a4f3c56be313dd0451fbf3d3d8
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el5.x86_64.rpm     80686a4c3f43b836122ad0cede3198b9
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el5.x86_64.rpm     c5400ee7923032675229729312cc0ca7
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el5.x86_64.rpm     baf0cef4c25a6f39a98f97995f186be8
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el5.i586.rpm     cf7096c2c920800307baba8c8182e4d7
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el5.x86_64.rpm     6e36c0c92b43782582d45ea092dd2914
 
Red Hat Enterprise Linux Extras (v. 4)
IA-32:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     cb595deb3f476733683dfbcb7a4a02ae
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     cb595deb3f476733683dfbcb7a4a02ae
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     cb595deb3f476733683dfbcb7a4a02ae
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     cb595deb3f476733683dfbcb7a4a02ae
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     73b3fc6e6350dac24399e1d20d533df8
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     73b3fc6e6350dac24399e1d20d533df8
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     73b3fc6e6350dac24399e1d20d533df8
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     73b3fc6e6350dac24399e1d20d533df8
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     01e9adace5ca0ec0762379dc5f5fc1b7
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     01e9adace5ca0ec0762379dc5f5fc1b7
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     01e9adace5ca0ec0762379dc5f5fc1b7
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     01e9adace5ca0ec0762379dc5f5fc1b7
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     3efc20b557bb570f8a332cc2d1c24e82
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     3efc20b557bb570f8a332cc2d1c24e82
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     3efc20b557bb570f8a332cc2d1c24e82
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     3efc20b557bb570f8a332cc2d1c24e82
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     4a05d61ee0c53e8d7808e891273184d5
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     4a05d61ee0c53e8d7808e891273184d5
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     4a05d61ee0c53e8d7808e891273184d5
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     4a05d61ee0c53e8d7808e891273184d5
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     9b79ff768679e635c071b72dce421162
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     9b79ff768679e635c071b72dce421162
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     9b79ff768679e635c071b72dce421162
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     9b79ff768679e635c071b72dce421162
 
x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     5906652b345afc471bd4671a66ab64eb
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     5906652b345afc471bd4671a66ab64eb
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     5906652b345afc471bd4671a66ab64eb
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     5906652b345afc471bd4671a66ab64eb
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     a266df1e9d1d9765c65a25cb76f9f4b2
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     a266df1e9d1d9765c65a25cb76f9f4b2
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     a266df1e9d1d9765c65a25cb76f9f4b2
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     a266df1e9d1d9765c65a25cb76f9f4b2
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     fac6ee3a1509ec49a52cb520e0b44733
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     fac6ee3a1509ec49a52cb520e0b44733
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     fac6ee3a1509ec49a52cb520e0b44733
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     fac6ee3a1509ec49a52cb520e0b44733
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     ad6a64258da408a83ae5e3ffe4e05e26
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     ad6a64258da408a83ae5e3ffe4e05e26
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     ad6a64258da408a83ae5e3ffe4e05e26
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     ad6a64258da408a83ae5e3ffe4e05e26
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     469797af0434fcb4a3e1268a3ad51070
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     469797af0434fcb4a3e1268a3ad51070
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     469797af0434fcb4a3e1268a3ad51070
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     469797af0434fcb4a3e1268a3ad51070
 
Red Hat Enterprise Linux Extras (v. 4.8.z)
IA-32:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     cb595deb3f476733683dfbcb7a4a02ae
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     cb595deb3f476733683dfbcb7a4a02ae
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     73b3fc6e6350dac24399e1d20d533df8
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     73b3fc6e6350dac24399e1d20d533df8
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     01e9adace5ca0ec0762379dc5f5fc1b7
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     01e9adace5ca0ec0762379dc5f5fc1b7
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     3efc20b557bb570f8a332cc2d1c24e82
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     3efc20b557bb570f8a332cc2d1c24e82
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     4a05d61ee0c53e8d7808e891273184d5
java-1.5.0-sun-plugin-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     4a05d61ee0c53e8d7808e891273184d5
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     9b79ff768679e635c071b72dce421162
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.i586.rpm
File outdated by:  RHSA-2009:1571		     9b79ff768679e635c071b72dce421162
 
x86_64:
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     5906652b345afc471bd4671a66ab64eb
java-1.5.0-sun-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     5906652b345afc471bd4671a66ab64eb
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     a266df1e9d1d9765c65a25cb76f9f4b2
java-1.5.0-sun-demo-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     a266df1e9d1d9765c65a25cb76f9f4b2
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     fac6ee3a1509ec49a52cb520e0b44733
java-1.5.0-sun-devel-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     fac6ee3a1509ec49a52cb520e0b44733
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     ad6a64258da408a83ae5e3ffe4e05e26
java-1.5.0-sun-jdbc-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     ad6a64258da408a83ae5e3ffe4e05e26
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     469797af0434fcb4a3e1268a3ad51070
java-1.5.0-sun-src-1.5.0.20-1jpp.1.el4.x86_64.rpm
File outdated by:  RHSA-2009:1571		     469797af0434fcb4a3e1268a3ad51070
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

512896 - CVE-2009-2670 OpenJDK Untrusted applet System properties access (6738524)
512907 - CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks (6801071)
512914 - CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections (6801497)
512920 - CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335)
512921 - CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service (6845701)
513215 - CVE-2009-2475 OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167)
513222 - CVE-2009-2689 OpenJDK JDK13Services grants unnecessary privileges (6777448)
515890 - CVE-2009-2676 JRE applet launcher vulnerability


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724
http://www.redhat.com/security/updates/classification/#critical
http://blogs.sun.com/security/entry/advance_notification_of_security_updates5
http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/