Security Advisory Critical: java-1.6.0-openjdk security update

Advisory: RHSA-2013:0273-1
Type: Security Advisory
Severity: Critical
Issued on: 2013-02-20
Last updated on: 2013-02-20
Affected Products:
    Red Hat Enterprise Linux Desktop (v. 6)
    Red Hat Enterprise Linux HPC Node (v. 6)
    Red Hat Enterprise Linux Server (v. 6)
    Red Hat Enterprise Linux Server EUS (v. 6.3.z)
    Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org):
    CVE-2013-0169
    CVE-2013-1486

Details

Updated java-1.6.0-openjdk packages that fix two security issues are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

An improper permission check issue was discovered in the JMX component in
OpenJDK. An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions. (CVE-2013-1486)

It was discovered that OpenJDK leaked timing information when decrypting
TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.
A remote attacker could possibly use this flaw to retrieve plain text from
the encrypted packets by using a TLS/SSL server as a padding oracle.
(CVE-2013-0169)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, CVE-2013-1486 could have been exploited without user interaction
if a user visited a malicious website.

This erratum also upgrades the OpenJDK package to IcedTea6 1.11.8. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.
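
One way to find the running instances that still need that restart, as an added example (not part of the original advisory): a process started before the update keeps the old libjvm.so mapped, and the kernel marks that mapping "(deleted)" in /proc/PID/maps once the file has been replaced on disk. The function names and the optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Red Hat's tooling: list processes that still run a JVM
# whose libjvm.so was replaced on disk by a package update.
# The optional first argument (default /proc) lets the functions be pointed
# at a copied or constructed proc tree; that parameter is an assumption here.

# Print the PIDs, one per line, whose memory map references a deleted libjvm.so.
stale_jvm_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes we may not read (other users' processes when not root)
        # and the unexpanded glob when nothing matches.
        [ -r "$maps" ] || continue
        if grep -q 'libjvm\.so (deleted)$' "$maps" 2>/dev/null; then
            pid_dir="${maps%/maps}"
            printf '%s\n' "${pid_dir##*/}"
        fi
    done | sort -n
}

# Print "PID<TAB>command line" for each stale JVM so the owning service
# can be identified and restarted.
stale_jvm_report() {
    proc_root="${1:-/proc}"
    stale_jvm_pids "$proc_root" | while read -r pid; do
        # cmdline is NUL-separated; turn the separators into spaces.
        cmd=$(tr '\000' ' ' 2>/dev/null < "$proc_root/$pid/cmdline") || cmd=''
        printf '%s\t%s\n' "$pid" "${cmd:-?}"
    done
}
```

Run `stale_jvm_report` as root after the update so that every process's maps file is readable; empty output means no process is still using the replaced library.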


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.src.rpm
File outdated by:  RHSA-2014:0408

IA-32:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.src.rpm
File outdated by:  RHSA-2014:0408

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.src.rpm
File outdated by:  RHSA-2014:0408

IA-32:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
 
Red Hat Enterprise Linux Server EUS (v. 6.3.z)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.src.rpm
File outdated by:  RHSA-2014:0408

IA-32:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.src.rpm
File outdated by:  RHSA-2014:0408

IA-32:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.i686.rpm
File outdated by:  RHSA-2014:0408

x86_64:
java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0408
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
913014 - CVE-2013-1486 OpenJDK: MBeanServer insufficient privilege restrictions (JMX, 8006446)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/