Security Advisory Moderate: java-1.4.2-ibm-sap security update

Advisory: RHSA-2010:0986-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-12-15
Last updated on: 2010-12-15
Affected Products: Red Hat Enterprise Linux for SAP
CVEs: CVE-2009-3555


Updated java-1.4.2-ibm-sap packages that fix several security issues are
now available for Red Hat Enterprise Linux 4, 5 and 6 for SAP.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The IBM 1.4.2 SR13-FP6 Java release includes the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM "Security alerts" page,
listed in the References section. (CVE-2009-3555, CVE-2010-3541,
CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3556,
CVE-2010-3557, CVE-2010-3562, CVE-2010-3565, CVE-2010-3568, CVE-2010-3569,
CVE-2010-3571, CVE-2010-3572)

Note: The java-1.4.2-ibm packages were renamed to java-1.4.2-ibm-sap to
correct a naming overlap; however, java-1.4.2-ibm-sap does not
automatically obsolete the previous java-1.4.2-ibm packages for Red Hat
Enterprise Linux 4 and 5 for SAP. Refer to the RHBA-2010:0491 and
RHBA-2010:0530 advisories, listed in the References, for further

All users of java-1.4.2-ibm-sap for Red Hat Enterprise Linux 4, 5 and 6 for
SAP are advised to upgrade to these updated packages, which contain the IBM
1.4.2 SR13-FP6 Java release. All running instances of IBM Java must be
restarted for this update to take effect.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat Enterprise Linux for SAP

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775)
639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710)
639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813)
639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564)
639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023)
639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692)
642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002)
642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017)
642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603)
642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004)
642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component
642585 - CVE-2010-3571 JDK unspecified vulnerability in 2D component
642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at