Skip to navigation

Security Advisory Low: Red Hat Network Satellite Server IBM Java Runtime security update

Advisory: RHSA-2010:0471-1
Type: Security Advisory
Severity: Low
Issued on: 2010-06-14
Last updated on: 2010-06-14
Affected Products: Red Hat Network Satellite (v. 5.3 for RHEL 4)
Red Hat Network Satellite (v. 5.3 for RHEL 5)
CVEs (cve.mitre.org): CVE-2010-0084
CVE-2010-0085
CVE-2010-0087
CVE-2010-0088
CVE-2010-0089
CVE-2010-0090
CVE-2010-0091
CVE-2010-0092
CVE-2010-0094
CVE-2010-0095
CVE-2010-0837
CVE-2010-0838
CVE-2010-0839
CVE-2010-0840
CVE-2010-0841
CVE-2010-0842
CVE-2010-0843
CVE-2010-0844
CVE-2010-0846
CVE-2010-0847
CVE-2010-0848
CVE-2010-0849

Details

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Network Satellite Server 5.3.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Network Satellite Server
5.3. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets.

Several flaws were fixed in the IBM Java 2 Runtime Environment.
(CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089,
CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0094, CVE-2010-0095,
CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,
CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0846, CVE-2010-0848,
CVE-2010-0849)

Users of Red Hat Network Satellite Server 5.3 are advised to upgrade to
these updated java-1.6.0-ibm packages, which resolve these issues. For this
update to take effect, Red Hat Network Satellite Server must be restarted
("/usr/sbin/rhn-satellite restart"), as well as all running instances of
IBM Java.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Network Satellite (v. 5.3 for RHEL 4)
SRPMS:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.src.rpm     MD5: 0f51178184e15e4943dbfdd91eed782d
SHA-256: ba2d63777bce3d694819936c4022960e9c67672630a8185eb5f3e57a262a63a3
 
IA-32:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.i386.rpm     MD5: 732cd628950e79f6ef9dfc608e40bb23
SHA-256: 57cda5cf3d91c2ff3b7d444a65894dcbd3feb989d4009703eb13ffb3f70e1968
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.i386.rpm     MD5: ae1aab4ff418243d2a07675c112849dd
SHA-256: 628c5a84fceec00b4ed2528bccc8dab66514455e942cdab56fa351a80796baf6
 
s390:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.s390.rpm     MD5: b62cc2fa09ba2065cc651a95b349fae2
SHA-256: 617907e655209ae26ca74f5b29c881ef788e297d23f61f8a74870e97646006d2
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.s390.rpm     MD5: b30789567e7e3763dc9ef0edd3926b86
SHA-256: ba512a5e9a55f6273dafc6eac21b9c2924bdf52549dcbc533c66e0a8e668d931
 
s390x:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.s390x.rpm     MD5: f73dc522d63eea62e575642b53528107
SHA-256: 2cbebda5b2cd2f2a692e2c505185462339e27e3bb06881e2894619fb4b1dd12d
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.s390x.rpm     MD5: 62010ab2a616344027aeb70f47cbf982
SHA-256: 2e16983e8c3f80d663aecc74170a15f158658505d7d8f37e70a75ccd66a89196
 
x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el4.x86_64.rpm     MD5: 842c854274f5f6338fc2b6eb163db12e
SHA-256: 1fd12087a1a2fd696f181f6a2f9ee54ce5e1079cff762e9b0b73e23557c0106c
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el4.x86_64.rpm     MD5: 855cc09bb257a9cfcd0c7d98e9a830e8
SHA-256: 5c9d3d73aa6d62729366681fadcf47ce3a1d3b4f16fa2b39c3becd03dab839f1
 
Red Hat Network Satellite (v. 5.3 for RHEL 5)
SRPMS:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.src.rpm     MD5: 6ff222b7db5f54ffd8cef549f6e54bef
SHA-256: 18cbdf1e8eacac8222b6ac6defeab1c37d8cb6b5c5c71f4d7f41985e66b24db8
 
IA-32:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.i386.rpm     MD5: 56a3c6623ff13c9ec25bf8805e1bc2fe
SHA-256: e2e34d977ac4fab0c986ad6ab3ae6cc89bf023f60f2c5df1c5397b34fbb09d71
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.i386.rpm     MD5: 659e0775cd4e8de84b18b4f03202340e
SHA-256: abc6a801d0d7c3de82974100de22d11fd41283f3e45d428769709c28a1bbdd0e
 
s390x:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.s390x.rpm     MD5: bcbd9d425f998826c630968ca83dfa9d
SHA-256: eebfe173435bf961e871fc9930f47aa2e731a8002f97025bdc95db736dc3f993
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.s390x.rpm     MD5: 80f4060460455a47c43060ff13adc436
SHA-256: 61beb4a7fa0a2e61fb9f7814ee4fc994191599a03421df13fbe2613f9ccbb7c7
 
x86_64:
java-1.6.0-ibm-1.6.0.8-1jpp.1.el5.x86_64.rpm     MD5: 6bbbad4ec7ac2cd333c4e61b215741fb
SHA-256: 2604b45a197683cbdec75b7a67e35435168369f0d29d07550d4da9d4c798f69e
java-1.6.0-ibm-devel-1.6.0.8-1jpp.1.el5.x86_64.rpm     MD5: 04d45454bd11c02ebebd2db37a1b853c
SHA-256: 3ffa3edd8150c54a37ed41dd79764e7ab93112b764fcf2a9aba95c96a83263dd
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

575740 - CVE-2010-0084 OpenJDK Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
575747 - CVE-2010-0085 OpenJDK File TOCTOU deserialization vulnerability (6736390)
575755 - CVE-2010-0088 OpenJDK Inflater/Deflater clone issues (6745393)
575756 - CVE-2010-0091 OpenJDK Unsigned applet can retrieve the dragged information before drop action occurs(6887703)
575760 - CVE-2010-0092 OpenJDK AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
575769 - CVE-2010-0094 OpenJDK Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
575772 - CVE-2010-0095 OpenJDK Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
575808 - CVE-2010-0838 OpenJDK CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
575818 - CVE-2010-0837 OpenJDK JAR "unpack200" must verify input parameters (6902299)
575846 - CVE-2010-0840 OpenJDK Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
575854 - CVE-2010-0841 OpenJDK JPEGImageReader stepX Integer Overflow Vulnerability (6909597)
575865 - CVE-2010-0848 OpenJDK AWT Library Invalid Index Vulnerability (6914823)
578430 - CVE-2010-0846 JDK unspecified vulnerability in ImageIO component
578432 - CVE-2010-0849 JDK unspecified vulnerability in Java2D component
578433 - CVE-2010-0087 JDK unspecified vulnerability in JWS/Plugin component
578436 - CVE-2010-0839 CVE-2010-0842 CVE-2010-0843 CVE-2010-0844 JDK multiple unspecified vulnerabilities
578437 - CVE-2010-0090 JDK unspecified vulnerability in JavaWS/Plugin component
578440 - CVE-2010-0089 JDK unspecified vulnerability in JavaWS/Plugin component


References

https://www.redhat.com/security/data/cve/CVE-2010-0084.html
https://www.redhat.com/security/data/cve/CVE-2010-0085.html
https://www.redhat.com/security/data/cve/CVE-2010-0087.html
https://www.redhat.com/security/data/cve/CVE-2010-0088.html
https://www.redhat.com/security/data/cve/CVE-2010-0089.html
https://www.redhat.com/security/data/cve/CVE-2010-0090.html
https://www.redhat.com/security/data/cve/CVE-2010-0091.html
https://www.redhat.com/security/data/cve/CVE-2010-0092.html
https://www.redhat.com/security/data/cve/CVE-2010-0094.html
https://www.redhat.com/security/data/cve/CVE-2010-0095.html
https://www.redhat.com/security/data/cve/CVE-2010-0837.html
https://www.redhat.com/security/data/cve/CVE-2010-0838.html
https://www.redhat.com/security/data/cve/CVE-2010-0839.html
https://www.redhat.com/security/data/cve/CVE-2010-0840.html
https://www.redhat.com/security/data/cve/CVE-2010-0841.html
https://www.redhat.com/security/data/cve/CVE-2010-0842.html
https://www.redhat.com/security/data/cve/CVE-2010-0843.html
https://www.redhat.com/security/data/cve/CVE-2010-0844.html
https://www.redhat.com/security/data/cve/CVE-2010-0846.html
https://www.redhat.com/security/data/cve/CVE-2010-0847.html
https://www.redhat.com/security/data/cve/CVE-2010-0848.html
https://www.redhat.com/security/data/cve/CVE-2010-0849.html
http://www.redhat.com/security/updates/classification/#low

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/