Java-1.6.0-Openjdk - Red Hat ENTERPRISE LINUX 5.5 - TECHNICAL NOTES Manual

Chapter 1. Package Updates

1.85. java-1.6.0-openjdk

1.85.1. RHSA-2009:1584: Important security update
Important
This update has already been released (prior to the GA of this release) as the security
RHSA-2009:1584
errata
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat
Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response
Team.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software
Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users
need to run applications written using the Java programming language.
An integer overflow flaw and buffer overflow flaws were found in the way the JRE processed image
files. An untrusted applet or application could use these flaws to extend its privileges, allowing it
to read and write local files, as well as to execute local applications with the privileges of the user
running the applet or application.
548
CVE-2009-3874
)
An information leak was found in the JRE. An untrusted applet or application could use this flaw to
extend its privileges, allowing it to read and write local files, as well as to execute local applications
with the privileges of the user running the applet or application.
It was discovered that the JRE still accepts certificates with MD2 hash signatures, even though MD2
is no longer considered a cryptographically strong algorithm. This could make it easier for an attacker
to create a malicious certificate that would be treated as trusted by the JRE. With this update, the JRE
disables the use of the MD2 algorithm inside signatures by default.
A timing attack flaw was found in the way the JRE processed HMAC digests. This flaw could aid an
attacker using forged digital signatures to bypass authentication checks.
Two denial of service flaws were found in the JRE. These could be exploited in server-side application
scenarios that process DER-encoded (Distinguished Encoding Rules) data.
553
CVE-2009-3877
)
An information leak was found in the way the JRE handled color profiles. An attacker could use this
flaw to discover the existence of files outside of the color profiles directory.
545
https://www.redhat.com/security/data/cve/CVE-2009-3869.html
546
https://www.redhat.com/security/data/cve/CVE-2009-3871.html
547
https://www.redhat.com/security/data/cve/CVE-2009-3873.html
548
https://www.redhat.com/security/data/cve/CVE-2009-3874.html
549
https://www.redhat.com/security/data/cve/CVE-2009-3881.html
550
https://www.redhat.com/security/data/cve/CVE-2009-2409.html
551
https://www.redhat.com/security/data/cve/CVE-2009-3875.html
552
https://www.redhat.com/security/data/cve/CVE-2009-3876.html
553
https://www.redhat.com/security/data/cve/CVE-2009-3877.html
554
https://www.redhat.com/security/data/cve/CVE-2009-3728.html
86
544
545
CVE-2009-3871
(CVE-2009-3869 ,
546
CVE-2009-3873
,
549
(CVE-2009-3881 )
550
(CVE-2009-2409
(CVE-2009-3875
(CVE-2009-3876
(CVE-2009-3728
547
,
)
551
)
552
,
554
)