Security Advisory Critical: java-1.5.0-ibm security update

Advisory: RHSA-2007:0829-2
Type: Security Advisory
Severity: Critical
Issued on: 2007-08-07
Last updated on: 2007-08-07
Affected Products: RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)
Red Hat Enterprise Linux Extras (v. 4)
CVEs (cve.mitre.org): CVE-2007-2435
CVE-2007-2788
CVE-2007-2789
CVE-2007-3503
CVE-2007-3655
CVE-2007-3922
CVE-2007-4381

Details

Updated java-1.5.0-ibm packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and
the IBM Java 2 Software Development Kit.

A security vulnerability in the Java Web Start component was discovered. An
untrusted application could elevate its privileges, allowing it to read
and write local files that are accessible to the user running the Java Web
Start application. (CVE-2007-2435)

A buffer overflow in the Java Runtime Environment image handling code was
found. An untrusted applet or application could use this flaw to elevate
its privileges and potentially execute arbitrary code as the user running
the java virtual machine. (CVE-2007-2788, CVE-2007-2789, CVE-2007-3004)

An unspecified vulnerability was discovered in the Java Runtime
Environment. An untrusted applet or application could cause the java
virtual machine to become unresponsive. (CVE-2007-3005)

The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)

The Java Web Start URL parsing component contains a buffer overflow
vulnerability within the parsing code for JNLP files. A remote attacker
could create a malicious JNLP file that could trigger this flaw and execute
arbitrary code when opened. (CVE-2007-3655)

A flaw was found in the applet class loader. An untrusted applet could use
this flaw to circumvent network access restrictions, possibly connecting
to services hosted on the machine that executed the applet. (CVE-2007-3922)

All users of java-1.5.0-ibm should upgrade to these updated packages, which
contain IBM's 1.5.0 SR5a Java release that resolves these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
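The steps above amount to one procedure: fetch the RPMs, confirm they are the files the advisory lists, and freshen only what is installed. The following script is an added example and is not part of the Red Hat advisory or its tooling. It checks each downloaded file against the MD5 sums given in the "Updated packages" section, then verifies the Red Hat GPG signature with rpm -K before running the advisory's rpm -Fvh. The manifest format, the function names and the sample filename/sum pair used for the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: verify downloaded RPMs
# against the MD5 sums the advisory lists, confirm the GPG signature, and
# only then freshen installed packages with rpm -Fvh as the advisory
# instructs. The manifest format and function names are this example's own.

# write_manifest MANIFEST md5 filename [md5 filename ...]
# Writes "<md5>  <filename>" lines in the format md5sum -c expects.
# Paste the advisory's MD5/filename pairs for your architecture here.
write_manifest() {
    out="$1"; shift
    : > "$out"
    while [ "$#" -ge 2 ]; do
        printf '%s  %s\n' "$1" "$2" >> "$out"
        shift 2
    done
}

# check_manifest MANIFEST DIR
# Exit status 0 only if every file named in MANIFEST exists in DIR and its
# MD5 matches; a missing or altered file makes md5sum -c fail.
check_manifest() {
    manifest="$1"
    dir="$2"
    # md5sum runs inside DIR, so the manifest path must be absolute.
    case "$manifest" in /*) ;; *) manifest="$(pwd)/$manifest" ;; esac
    ( cd "$dir" && md5sum -c --status "$manifest" )
}

# freshen_if_verified MANIFEST DIR
# rpm -Fvh only upgrades packages that are already installed, so passing
# every RPM in DIR is safe (the advisory's wildcard note). rpm -K checks the
# Red Hat GPG signature; the key must be imported first (see the advisory's
# key URL at the end of the page).
freshen_if_verified() {
    manifest="$1"
    dir="$2"
    if ! check_manifest "$manifest" "$dir"; then
        echo "MD5 mismatch or missing file in $dir; not installing" >&2
        return 1
    fi
    if ! rpm -K "$dir"/*.rpm; then
        echo "GPG signature check failed; not installing" >&2
        return 1
    fi
    rpm -Fvh "$dir"/*.rpm
}

# Usage: sh verify_and_freshen.sh MANIFEST DIR
if [ "$#" -eq 2 ]; then
    freshen_if_verified "$1" "$2"
fi
```

The MD5 comparison catches a truncated or corrupted download, but MD5 is not collision-resistant and the listed sums come from the same web page as the packages, so the GPG signature check in freshen_if_verified is the step that actually establishes the RPMs are the ones Red Hat built; a package whose signature fails is not installed even if its MD5 matches.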

Updated packages

RHEL Desktop Supplementary (v. 5 client)

IA-32:
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cdd0cbabd95ecc48e24240ddb991d286
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 5752527094c77e5d5e9bdedc6827ff8c
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 9106590bd9595ef15f7f0a64ceaf8e7d
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cd23a583b39f53bd2a3450ae3adae1c1
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 8f85f3c0f2752a686f297ca4f7da61d8
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 0f4d9d82d394b0dc00655879c51f8732
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: bac96ce8cbf810f93e2af0bcc2cc4bad
 
x86_64:
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cdd0cbabd95ecc48e24240ddb991d286
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: 0a4968e760ba7272597a0bf0c42b095f
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 5752527094c77e5d5e9bdedc6827ff8c
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: 698b1eb5c9cc70be15f4ee9ccd072b21
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 9106590bd9595ef15f7f0a64ceaf8e7d
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: 3a1b3589e3bf480bb3930df6202d771a
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cd23a583b39f53bd2a3450ae3adae1c1
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: cf3eff9be6cade6bf7a388f060540e83
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 8f85f3c0f2752a686f297ca4f7da61d8
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 0f4d9d82d394b0dc00655879c51f8732
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: bac96ce8cbf810f93e2af0bcc2cc4bad
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: c3d7f811eb870d2ebe2b46148956a944
 
RHEL Supplementary (v. 5 server)

IA-32:
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cdd0cbabd95ecc48e24240ddb991d286
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 5752527094c77e5d5e9bdedc6827ff8c
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 9106590bd9595ef15f7f0a64ceaf8e7d
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cd23a583b39f53bd2a3450ae3adae1c1
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 8f85f3c0f2752a686f297ca4f7da61d8
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 0f4d9d82d394b0dc00655879c51f8732
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: bac96ce8cbf810f93e2af0bcc2cc4bad
 
PPC:
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.ppc.rpm
File outdated by:  RHSA-2014:0136
    MD5: c6cc6cf4f57c44d121ad93272de6dc5a
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.ppc.rpm
File outdated by:  RHSA-2014:0136
    MD5: 30e5e1278aca42c926bc3e50bfb21368
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.ppc.rpm
File outdated by:  RHSA-2014:0136
    MD5: b37db5b339256fcc55a1205beb2b5db7
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.ppc.rpm
File outdated by:  RHSA-2014:0136
    MD5: ce4abb9ab6a81d4d42a5a5b7e36c3165
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.ppc.rpm
File outdated by:  RHSA-2014:0136
    MD5: 420bad7eaeaa10e7889732694995e221
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.ppc.rpm
File outdated by:  RHSA-2014:0136
    MD5: 51386ab2985df10400a16802216aa059
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.ppc.rpm
File outdated by:  RHSA-2014:0136
    MD5: 2aff0d96d2f6133efba5139ac0ecbc4c
 
s390x:
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.s390.rpm
File outdated by:  RHSA-2014:0136
    MD5: 4013abecb9cd69ce9c93cab4dafb60f5
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.s390x.rpm
File outdated by:  RHSA-2014:0136
    MD5: 2508d126568c77b569ce85685ddb28de
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.s390.rpm
File outdated by:  RHSA-2014:0136
    MD5: 974fa192b305764ddd4ea0bd0c343a35
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.s390x.rpm
File outdated by:  RHSA-2014:0136
    MD5: 606b47fa3eb5a0ad82ab4d95997b0884
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.s390.rpm
File outdated by:  RHSA-2014:0136
    MD5: 2b6dab693b4b38348de47abbd971e595
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.s390x.rpm
File outdated by:  RHSA-2014:0136
    MD5: 8922fc932b1a8bd2c0cbc5886bec1427
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.s390.rpm
File outdated by:  RHSA-2014:0136
    MD5: ab68a26dd60e2e6756319230f59e8b66
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.s390.rpm
File outdated by:  RHSA-2014:0136
    MD5: 0741e98e9500e66113503bc5229bb139
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.s390x.rpm
File outdated by:  RHSA-2014:0136
    MD5: a069f10f50098a6de2251ac99006f030
 
x86_64:
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cdd0cbabd95ecc48e24240ddb991d286
java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: 0a4968e760ba7272597a0bf0c42b095f
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 5752527094c77e5d5e9bdedc6827ff8c
java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: 698b1eb5c9cc70be15f4ee9ccd072b21
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 9106590bd9595ef15f7f0a64ceaf8e7d
java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: 3a1b3589e3bf480bb3930df6202d771a
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: cd23a583b39f53bd2a3450ae3adae1c1
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: cf3eff9be6cade6bf7a388f060540e83
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 8f85f3c0f2752a686f297ca4f7da61d8
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: 0f4d9d82d394b0dc00655879c51f8732
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm
File outdated by:  RHSA-2014:0136
    MD5: bac96ce8cbf810f93e2af0bcc2cc4bad
java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
File outdated by:  RHSA-2014:0136
    MD5: c3d7f811eb870d2ebe2b46148956a944
 
Red Hat Enterprise Linux Extras (v. 4)

IA-32:
java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.i386.rpm
File outdated by:  RHSA-2011:1478
    MD5: f03a0b949023f7af674cb6123d8c0b91
java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.i386.rpm
File outdated by:  RHSA-2011:1478
    MD5: 514ba2cdf984fe905023ef3137f8c694
java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.i386.rpm
File outdated by:  RHSA-2011:1478
    MD5: abf1d7c47b0269002233598509526f4f
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.i386.rpm
File outdated by:  RHSA-2011:1478
    MD5: cc42fb902725004893ef74afb34ad2ed
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.i386.rpm
File outdated by:  RHSA-2011:1478
    MD5: 48e501d6ee684fda5dc086edbf7f39d0
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.2.el4.i386.rpm
File outdated by:  RHSA-2011:1478
    MD5: 7422f1586b4aa396ae356d975c7b4d07
java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.i386.rpm
File outdated by:  RHSA-2011:1478
    MD5: f103cbcb03961bd51227162d9b43add0
 
PPC:
java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.ppc.rpm
File outdated by:  RHSA-2011:1478
    MD5: 80d25e87c9d725749ecc7c6468567f26
java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.ppc.rpm
File outdated by:  RHSA-2011:1478
    MD5: eaa0a132e164dc2917eee3fb1de4fde7
java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.ppc.rpm
File outdated by:  RHSA-2011:1478
    MD5: 46df229ed548b1ea96e47ea74096dff0
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.ppc.rpm
File outdated by:  RHSA-2011:1478
    MD5: b927c7b01a7f274fba7d8ad1947d1734
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.ppc.rpm
File outdated by:  RHSA-2011:1478
    MD5: 84524729176d121a79d61c900df08c6f
java-1.5.0-ibm-plugin-1.5.0.5-1jpp.2.el4.ppc.rpm
File outdated by:  RHSA-2011:1478
    MD5: f89c2e4ca7de93506091a4bfe33d925e
java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.ppc.rpm
File outdated by:  RHSA-2011:1478
    MD5: 052566c7a7b1e5d30a143ba5330d99e2
 
s390:
java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.s390.rpm
File outdated by:  RHSA-2011:1478
    MD5: e3a7c49d0eef762fe0b51629b58cff5d
java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.s390.rpm
File outdated by:  RHSA-2011:1478
    MD5: 0ee5a83ddc19a4b2875050754fed2e7c
java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.s390.rpm
File outdated by:  RHSA-2011:1478
    MD5: 90d581f8efd18918b85604424b4e808d
java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.s390.rpm
File outdated by:  RHSA-2011:1478
    MD5: 26d463ee95fc4348bf2fc84542249981
java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.s390.rpm
File outdated by:  RHSA-2011:1478
    MD5: a1f3607d5410dcd740aa7c52e96864f3
 
s390x:
java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.s390x.rpm
File outdated by:  RHSA-2011:1478
    MD5: 3825bc7bbadd3e373a7b9976e7f459f2
java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.s390x.rpm
File outdated by:  RHSA-2011:1478
    MD5: 36531b05b1bf8535e9670fd2bb21c9e5
java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.s390x.rpm
File outdated by:  RHSA-2011:1478
    MD5: 0838e5b3621892896eddeb409cdf4164
java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.s390x.rpm
File outdated by:  RHSA-2011:1478
    MD5: 8e72d1ce7aecb19e65ed4cd1fd3eb6e7
 
x86_64:
java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.x86_64.rpm
File outdated by:  RHSA-2011:1478
    MD5: ad554406f3343e89a702612300fe3b91
java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.x86_64.rpm
File outdated by:  RHSA-2011:1478
    MD5: ea0d3cce9cb1b4e58e61f8838bef44af
java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.x86_64.rpm
File outdated by:  RHSA-2011:1478
    MD5: 571af0ab215861528cd04c43f2277a80
java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.x86_64.rpm
File outdated by:  RHSA-2011:1478
    MD5: c27c5adbbbcf66b718868bae7dfa71c2
java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.x86_64.rpm
File outdated by:  RHSA-2011:1478
    MD5: f41a2d5ce9916b8d9c34eb13b6ed799e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

239660 - CVE-2007-2435 javaws vulnerabilities
242595 - CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser
246765 - CVE-2007-3503 HTML files generated with Javadoc are vulnerable to an XSS
248864 - CVE-2007-3655 A buffer overflow vulnerability in Java Web Start URL parsing code
249533 - CVE-2007-3922 Vulnerability in the Java Runtime Environment May Allow an Untrusted Applet to Circumvent Network Access Restrictions
250725 - CVE-2007-2788 Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit
250729 - CVE-2007-2789 BMP image parser vulnerability
250733 - CVE-2007-3005 Unspecified vulnerability in Sun JRE


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/