Paketname
java-1.6.0-openjdk
Datum
2009-08-21
Advisory ID
MDVSA-2009:209
Betroffene Versionen
2009.0 x86_64 , MES5 i586 , 2009.1 i586 , 2009.0 i586 , 2009.1 x86_64 , MES5 x86_64

Problembeschreibung

Multiple Java OpenJDK security vulnerabilities has been identified
and fixed:

The design of the W3C XML Signature Syntax and Processing (XMLDsig)
recommendation specifies an HMAC truncation length (HMACOutputLength)
but does not require a minimum for its length, which allows attackers
to spoof HMAC-based signatures and bypass authentication by specifying
a truncation length with a small number of bits (CVE-2009-0217).

The Java Web Start framework does not properly check all application
jar files trust and this allows context-dependent attackers to
execute arbitrary code via a crafted application, related to NetX
(CVE-2009-1896).

Some variables and data structures without the final
keyword definition allows context-depend attackers to
obtain sensitive information. The target variables and
data structures are stated as follow: (1) LayoutQueue, (2)
Cursor.predefined, (3) AccessibleResourceBundle.getContents,
(4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5)
ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7)
DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types,
(9) AbstractSaslImpl.logger, (10)
Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) the Introspector
class and a cache of BeanInfo, and (12) JAX-WS (CVE-2009-2475).

The Java Management Extensions (JMX) implementation does not
properly enforce OpenType checks, which allows context-dependent
attackers to bypass intended access restrictions by leveraging
finalizer resurrection to obtain a reference to a privileged object
(CVE-2009-2476).

A flaw in the Xerces2 as used in OpenJDK allows remote attackers to
cause denial of service via a malformed XML input (CVE-2009-2625).

The audio system does not prevent access to java.lang.System properties
either by untrusted applets and Java Web Start applications, which
allows context-dependent attackers to obtain sensitive information
by reading these properties (CVE-2009-2670).

A flaw in the SOCKS proxy implementation allows remote attackers
to discover the user name of the account that invoked either an
untrusted applet or Java Web Start application via unspecified vectors
(CVE-2009-2671).

A flaw in the proxy mechanism implementation allows remote attackers
to bypass intended access restrictions and connect to arbitrary
sites via unspecified vectors, related to a declaration that lacks
the final keyword (CVE-2009-2673).

An integer overflow in the JPEG images parsing allows context-dependent
attackers to gain privileges via an untrusted Java Web Start
application that grants permissions to itself (CVE-2009-2674).

An integer overflow in the unpack200 utility decompression allows
context-dependent attackers to gain privileges via vectors involving
either an untrusted applet or Java Web Start application that grants
permissions to itself (CVE-2009-2675).

A flaw in the JDK13Services.getProviders grants full privileges to
instances of unspecified object types, which allows context-dependent
attackers to bypass intended access restrictions either via an
untrusted applet or application (CVE-2009-2689).

A flaw in the OpenJDK's encoder, grants read access to private
variables with unspecified names, which allows context-dependent
attackers to obtain sensitive information either via an untrusted
applet or application (CVE-2009-2690).

Aktualisierte Pakete

2009.0 x86_64

 6b697112ece62ac9cf1f994b240fb278  2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.0.x86_64.rpm
 0682b7e9e75e726eba897288f6ecd278  2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.3mdv2009.0.x86_64.rpm
 5615ddd7056f9133c10c853e066e55bc  2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.3mdv2009.0.x86_64.rpm
 a72d479cf90373b0b7446213cfce11c0  2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.3mdv2009.0.x86_64.rpm
 612ebb19f2e36989ea1b5debc6fa19ca  2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.3mdv2009.0.x86_64.rpm
 55d3317105923930371840378bf42f78  2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.3mdv2009.0.x86_64.rpm 
 f3c509722d763889e079f82f18e491e4  2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.0.src.rpm

MES5 i586

 3497d47548dbd3454a279aac4db9c7b6  mes5/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.4mdvmes5.i586.rpm
 18a373731a0c5f3fdbe3a93daee5035e  mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.4mdvmes5.i586.rpm
 27e1b2439b57251bf74cfbfa1f6997a4  mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.4mdvmes5.i586.rpm
 0bfac50d5dccbe0711fa8001c590d590  mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.4mdvmes5.i586.rpm
 0d08cfa86e0c64e2e69a602cbed74df3  mes5/i586/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.4mdvmes5.i586.rpm
 ca6f1c72e5496de3b10e53199e919eb6  mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.4mdvmes5.i586.rpm 
 71d5af78951336166547e7b64032129b  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.4mdvmes5.src.rpm

2009.1 i586

 b0dd424f32658c808e286d8343c872a3  2009.1/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.1.i586.rpm
 d97e14da57e25e04e51b096f8b8adbf4  2009.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.3mdv2009.1.i586.rpm
 9b6e10ea26b0b55d5f1e013dcbce4d5e  2009.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.3mdv2009.1.i586.rpm
 43b3c534406bee662dd11d6ad8a82237  2009.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.3mdv2009.1.i586.rpm
 531ec3ddf0c11d4d0ce2bcd98eda8baf  2009.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.3mdv2009.1.i586.rpm
 a343fcd5501b9410592b5dca3be6cd88  2009.1/i586/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.3mdv2009.1.i586.rpm 
 2e440b16b876e878d4a31952197ae029  2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.1.src.rpm

2009.0 i586

 77de7249327462d2313b7c76856b3c37  2009.0/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.0.i586.rpm
 97c93c2f9cd96904517292329b89dd0f  2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.3mdv2009.0.i586.rpm
 c574934c0bbc37e6b66f06e7b323fb9e  2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.3mdv2009.0.i586.rpm
 ab2a2301fdae49ad083f8dbc6f498892  2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.3mdv2009.0.i586.rpm
 9fa31c0977e8608102535be086ce3e2a  2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.3mdv2009.0.i586.rpm
 a0975132274fe9ac1da38277d5bc0798  2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.3mdv2009.0.i586.rpm 
 f3c509722d763889e079f82f18e491e4  2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.0.src.rpm

2009.1 x86_64

 3e4eb0ab34a70f32e1a913479aab6c9a  2009.1/x86_64/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.1.x86_64.rpm
 424a7d53b660998d8140cf18c1a4d873  2009.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.3mdv2009.1.x86_64.rpm
 f7273fda0f52db4267ce099445f63c55  2009.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.3mdv2009.1.x86_64.rpm
 e5fc23eb05ec1e5688251c763ecb78b9  2009.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.3mdv2009.1.x86_64.rpm
 87c693dec4b12cdcf8602b2e6ff1b8ea  2009.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.3mdv2009.1.x86_64.rpm
 5b792616f3223fa1bf903f95732d815b  2009.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.3mdv2009.1.x86_64.rpm 
 2e440b16b876e878d4a31952197ae029  2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.3mdv2009.1.src.rpm

MES5 x86_64

 1d66d60b27fe05a8d5bebdf717b49534  mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.4mdvmes5.x86_64.rpm
 8aa7f447a6140fa89882ebfce346c4fd  mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.4mdvmes5.x86_64.rpm
 1c7c231f79686af720355061e16fcac6  mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.4mdvmes5.x86_64.rpm
 ba115b547bb1aeff52b234d7531d04a3  mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.4mdvmes5.x86_64.rpm
 77b3fe99a9b32339d38cc8e14e079274  mes5/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.4mdvmes5.x86_64.rpm
 fa6d0a89d137f8c9ee886802c501f959  mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.4mdvmes5.x86_64.rpm 
 71d5af78951336166547e7b64032129b  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.4mdvmes5.src.rpm

Referenzen