Security Advisory Moderate: java-1.4.2-ibm-sap security update

Advisory: RHSA-2012:0343-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-02-29
Last updated on: 2012-02-29
Affected Products: Red Hat Enterprise Linux for SAP
CVEs ( CVE-2011-3389


Updated java-1.4.2-ibm-sap packages that fix several security issues are
now available for Red Hat Enterprise Linux 4, 5 and 6 for SAP.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The IBM 1.4.2 SR13-FP11 Java release includes the IBM Java 1.4.2 Runtime
Environment and the IBM Java 1.4.2 Software Development Kit.

This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime
Environment and the IBM Java 1.4.2 Software Development Kit. Detailed
vulnerability descriptions are linked from the IBM "Security alerts" page,
listed in the References section. (CVE-2011-3389, CVE-2011-3545,
CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556,
CVE-2011-3557, CVE-2011-3560)

All users of java-1.4.2-ibm-sap are advised to upgrade to these updated
packages, which contain the IBM 1.4.2 SR13-FP11 Java release. All running
instances of IBM Java must be restarted for this update to take effect.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat Enterprise Linux for SAP

x86_64:     MD5: b83093bf0db3624a6f2fbf787cf53d16
SHA-256: 558ac839fd47a0596f30deb0e64731ee5861e0c8e60883e9e251f52571a614dd
File outdated by:  RHSA-2012:1577
    MD5: 46733f9ce81e108d18fcbaf1c5f2a6ff
SHA-256: 43c817142a37813c450a8b67a8db39ecf44a4b9171a1e369b7c569e6f6ac85a8
File outdated by:  RHSA-2012:1577
    MD5: bf3ad6d17a9e0bf2bb3b0b0698ce22e4
SHA-256: 9010538053d6b7753b56afbf0e8977dbae9908925ac5ac1deaef6c38a64c2981     MD5: f03a76d47809cc232bb8c066ffa43c5f
SHA-256: aedbe95c19cb6d6ef7c57d8e48cc9df629ce264d328a9917503e734e6cafec24
File outdated by:  RHSA-2012:1577
    MD5: 1e392c07d2b0a6fc45d5974e4ee59b29
SHA-256: 9b152384a020e873884bb2d8a5914e18a0bd054579a73d5a4f9911d795f4d84c     MD5: 904f8bac7f26931ab31a17cf1e6f7bb4
SHA-256: d0a7f27dc20af25879390c207128b2093106238e763a5ede0c77943ac15b8734
File outdated by:  RHSA-2012:1577
    MD5: bebd41f2ccd77e9637b27c88ca2e8d31
SHA-256: c63e28bea490db40d9a685d1c7a5e6ba81e5b61eabe4bf35f5db112e06305e07
File outdated by:  RHSA-2012:1577
    MD5: 5ca65a3a407550ed46928c5cad490971
SHA-256: e2cdc885fa11244d30c2e4d182039b7629e2364ef6976a8f10af9e588e388a11     MD5: aea7067b4d0406407a64dd6cbac2da38
SHA-256: a3165841fa3c4b37c52146965dcfb893c918c7a4feb598a8b0a283d95a7096b9
File outdated by:  RHSA-2012:1577
    MD5: d92d9f943fbee90c2e98b7d84126a2cd
SHA-256: 1acbb5e5cac87c4820258db636f35005647b74ae3bb729166afeea31e6098248     MD5: 32f72dd9e9dfd776fc7a3ae3e512ab83
SHA-256: febd4bcc7ee5d702ed9546631036a449a043877f3ccb67bae72adf100bd444f7
File outdated by:  RHSA-2012:1577
    MD5: 972ac367ccf2e37d6b533ef0560d7ccd
SHA-256: 783cba3f7805f9096aa089a43fa8c26b4ea9f4c28800824b4de1d0c7ebf4d4ac
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

737506 - CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
745379 - CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936)
745387 - CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600)
745397 - CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417)
745459 - CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466)
745464 - CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012)
745473 - CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773)
747191 - CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound)
747198 - CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing)


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at