Security Advisory Moderate: java-1.6.0-openjdk security update

Advisory: RHSA-2011:0176-1
Type: Security Advisory
Severity: Moderate
Issued on: 2011-01-25
Last updated on: 2011-01-25
Affected Products: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.6.z server)
Red Hat Enterprise Linux Long Life (v. 5.6 server)
CVEs (cve.mitre.org): CVE-2010-3860
CVE-2010-4351

Details

Updated java-1.6.0-openjdk packages that fix two security issues are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit. The javaws command can be used to
launch Java Web Start applications.

Privileged data was exposed through a public static field in the JNLP (Java
Network Launching Protocol) implementation shipped with these packages.
Because reads of a field are not mediated by the security manager, an
untrusted JNLP application could bypass the permission check that normally
guards such data. A remote attacker could directly or indirectly read the
values of restricted system properties, such as "user.name", "user.home", and
"java.home", which untrusted applications should not be allowed to read.
(CVE-2010-3860)

It was found that JNLPSecurityManager could silently return without
throwing an exception when permission was denied. If the javaws command was
used to launch a Java Web Start application that relies on this exception
being thrown, it could result in that application being run with elevated
privileges, allowing it to bypass security manager restrictions and gain
access to privileged functionality. (CVE-2010-4351)
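
The following Java program is an added illustration of the two bug classes
described above. It is not code from IcedTea, NetX or the fix shipped in this
erratum, and every class name in it (LeakyConfig, GuardedConfig,
DenyingManager, SilentManager, StrictManager) is invented for the example. It
shows why a restricted property cached in a public static field can be read
without any permission check, and why a SecurityManager that logs a denial
and returns normally instead of throwing SecurityException effectively grants
the operation: System.getProperty() and every other caller of the security
manager treat a normal return as "permitted".

```java
import java.security.Permission;
import java.util.PropertyPermission;

/*
 * Added example for this advisory page; not IcedTea code. Class names are
 * hypothetical. Needs a JDK that still supports a SecurityManager (JDK 6 to
 * 17; on JDK 18 and later run with -Djava.security.manager=allow).
 */
public class JnlpBugPatterns {

    /* CVE-2010-3860 class of bug: privileged data in a public static field. */

    // Vulnerable pattern: trusted code reads a restricted property once and
    // stores it in a public static field. Field reads bypass the security
    // manager, so untrusted code reads the value with no permission check.
    static final class LeakyConfig {
        public static final String USER_HOME = System.getProperty("user.home");
    }

    // Hardened pattern: keep the field private and make the accessor perform
    // the same check System.getProperty() would have performed for the caller.
    static final class GuardedConfig {
        private static final String USER_HOME = System.getProperty("user.home");

        static String userHome() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPropertyAccess("user.home"); // throws when denied
            }
            return USER_HOME;
        }
    }

    /* CVE-2010-4351 class of bug: security manager that returns silently. */

    // Demo baseline: deny reads of user.home, allow everything else. A real
    // manager decides per protection domain; this one is deliberately crude.
    static class DenyingManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof PropertyPermission
                    && "user.home".equals(perm.getName())
                    && perm.getActions().contains("read")) {
                throw new SecurityException("denied: " + perm);
            }
        }
    }

    // Vulnerable pattern: the denial is caught, logged and swallowed. The
    // method returns normally, which callers interpret as "permission granted".
    static class SilentManager extends DenyingManager {
        @Override
        public void checkPermission(Permission perm) {
            try {
                super.checkPermission(perm);
            } catch (SecurityException denied) {
                System.err.println("[silent] " + denied.getMessage()); // BUG: not rethrown
            }
        }
    }

    // Fixed pattern: log if needed, but always propagate the denial.
    static class StrictManager extends DenyingManager {
        @Override
        public void checkPermission(Permission perm) {
            try {
                super.checkPermission(perm);
            } catch (SecurityException denied) {
                System.err.println("[strict] " + denied.getMessage());
                throw denied;
            }
        }
    }

    // Attempt the guarded read and report whether the manager stopped it.
    static String attempt(String label) {
        try {
            return label + ": read succeeded -> " + System.getProperty("user.home");
        } catch (SecurityException e) {
            return label + ": read denied";
        }
    }

    public static void main(String[] args) {
        // Initialise both config classes while fully trusted (no manager yet),
        // modelling the runtime caching the property before untrusted code runs.
        System.out.println("trusted init cached: " + LeakyConfig.USER_HOME);
        GuardedConfig.userHome();

        System.setSecurityManager(new DenyingManager());
        System.out.println(attempt("System.getProperty"));
        System.out.println("public static field: leaked " + LeakyConfig.USER_HOME);
        try {
            GuardedConfig.userHome();
            System.out.println("guarded accessor: read succeeded (unexpected)");
        } catch (SecurityException e) {
            System.out.println("guarded accessor: denied as intended");
        }

        System.setSecurityManager(new SilentManager());
        System.out.println(attempt("SilentManager")); // succeeds: denial swallowed
        System.setSecurityManager(new StrictManager());
        System.out.println(attempt("StrictManager")); // denied
    }
}
```

Compile with javac and run with java. The demo manager denies a single
property for every caller so the two patterns can be compared in one run;
under a real JNLP deployment the policy distinguishes trusted from untrusted
code sources, but the contract is the same: a security manager signals a
denial only by throwing, and a normal return is an authorization.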

Note: The RHSA-2010:0339 java-1.6.0-openjdk update installed javaws by
mistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351, this
update removes javaws.

Red Hat would like to thank the TippingPoint Zero Day Initiative project
for reporting CVE-2010-4351. The original issue reporter wishes to stay
anonymous.

This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm
File outdated by:  RHSA-2011:0857
    MD5: cca3aa11d52d6e5241f888fbc53ca418
SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
 
IA-32:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: e4fc73f2d49bd81f52fb24cef15bad03
SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: e756c59660f9244b2addbda0f4542a87
SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: c458cb307b11e63522da3a3d4e868db3
SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: 8bb30c531b6a5c59821fef9d3ea0f943
SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: e3e404eff3477db796a09a3de42edbb2
SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a
 
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: b358c55e000147708bc5b29d34067d75
SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: 69acab869fd71b0b92156a603935188a
SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: faf597082d8104318749ca9f4d706eca
SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: 16e0b1257783c022265ba436053f2567
SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: 02042af32148a1f2d47a78e0af71491e
SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm
File outdated by:  RHSA-2011:0857
    MD5: cca3aa11d52d6e5241f888fbc53ca418
SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
 
IA-32:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: e4fc73f2d49bd81f52fb24cef15bad03
SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: e756c59660f9244b2addbda0f4542a87
SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: c458cb307b11e63522da3a3d4e868db3
SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: 8bb30c531b6a5c59821fef9d3ea0f943
SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2014:0408
    MD5: e3e404eff3477db796a09a3de42edbb2
SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a
 
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: b358c55e000147708bc5b29d34067d75
SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: 69acab869fd71b0b92156a603935188a
SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: faf597082d8104318749ca9f4d706eca
SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: 16e0b1257783c022265ba436053f2567
SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2014:0408
    MD5: 02042af32148a1f2d47a78e0af71491e
SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
 
Red Hat Enterprise Linux EUS (v. 5.6.z server)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm
File outdated by:  RHSA-2011:0857
    MD5: cca3aa11d52d6e5241f888fbc53ca418
SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
 
IA-32:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: e4fc73f2d49bd81f52fb24cef15bad03
SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: e756c59660f9244b2addbda0f4542a87
SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: c458cb307b11e63522da3a3d4e868db3
SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: 8bb30c531b6a5c59821fef9d3ea0f943
SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: e3e404eff3477db796a09a3de42edbb2
SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a
 
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: b358c55e000147708bc5b29d34067d75
SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: 69acab869fd71b0b92156a603935188a
SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: faf597082d8104318749ca9f4d706eca
SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: 16e0b1257783c022265ba436053f2567
SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: 02042af32148a1f2d47a78e0af71491e
SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
 
Red Hat Enterprise Linux Long Life (v. 5.6 server)

SRPMS:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm
File outdated by:  RHSA-2011:0857
    MD5: cca3aa11d52d6e5241f888fbc53ca418
SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
 
IA-32:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: e4fc73f2d49bd81f52fb24cef15bad03
SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: e756c59660f9244b2addbda0f4542a87
SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: c458cb307b11e63522da3a3d4e868db3
SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: 8bb30c531b6a5c59821fef9d3ea0f943
SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm
File outdated by:  RHSA-2011:0857
    MD5: e3e404eff3477db796a09a3de42edbb2
SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a
 
x86_64:
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: b358c55e000147708bc5b29d34067d75
SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: 69acab869fd71b0b92156a603935188a
SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: faf597082d8104318749ca9f4d706eca
SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: 16e0b1257783c022265ba436053f2567
SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm
File outdated by:  RHSA-2011:0857
    MD5: 02042af32148a1f2d47a78e0af71491e
SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

645843 - CVE-2010-3860 IcedTea System property information leak via public static
663680 - CVE-2010-4351 IcedTea jnlp security manager bypass


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/