Package name
java-1.6.0-openjdk
Date
2013-07-15
Advisory ID
MDVSA-2013:196
Affected versions
MES5 i586, MES5 x86_64

Problem description

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the ImagingLib and the image
attribute, channel, layout and raster processing in the 2D
component. An untrusted Java application or applet could possibly
use these flaws to trigger Java Virtual Machine memory corruption
(CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,
CVE-2013-2463, CVE-2013-2465, CVE-2013-2469).

Integer overflow flaws were found in the way AWT processed certain
input. An attacker could use these flaws to execute arbitrary code
with the privileges of the user running an untrusted Java applet or
application (CVE-2013-2459).

Multiple improper permission check issues were discovered in the
Sound and JMX components in OpenJDK. An untrusted Java application
or applet could use these flaws to bypass Java sandbox restrictions
(CVE-2013-2448, CVE-2013-2457, CVE-2013-2453).

Multiple flaws in the Serialization, Networking, Libraries and CORBA
components can be exploited by an untrusted Java application or applet
to gain access to potentially sensitive information (CVE-2013-2456,
CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,
CVE-2013-2446).

It was discovered that the Hotspot component did not properly handle
out-of-memory errors. An untrusted Java application or applet could
possibly use this flaw to terminate the Java Virtual Machine
(CVE-2013-2445).

It was discovered that the AWT component did not properly manage
certain resources and that the ObjectStreamClass of the Serialization
component did not properly handle circular references. An untrusted
Java application or applet could possibly use these flaws to cause
a denial of service (CVE-2013-2444, CVE-2013-2450).

It was discovered that the Libraries component contained certain errors
related to XML security and the class loader. A remote attacker could
possibly exploit these flaws to bypass intended security mechanisms
or disclose potentially sensitive information and cause a denial of
service (CVE-2013-2407, CVE-2013-2461).

It was discovered that JConsole did not properly inform the user when
establishing an SSL connection failed. An attacker could exploit
this flaw to gain access to potentially sensitive information
(CVE-2013-2412).

It was found that documentation generated by Javadoc was vulnerable to
a frame injection attack. If such documentation was accessible over
a network, and a remote attacker could trick a user into visiting a
specially-crafted URL, it would lead to arbitrary web content being
displayed next to the documentation. This could be used to perform a
phishing attack by providing frame content that spoofed a login form
on the site hosting the vulnerable documentation (CVE-2013-1571).

It was discovered that the 2D component created shared memory segments
with insecure permissions. A local attacker could use this flaw to
read or write to the shared memory segment (CVE-2013-1500).

It was discovered that the Networking component did not properly
enforce exclusive port binding. A local attacker could exploit this
flaw to bind to ports intended to be exclusively bound (CVE-2013-2451).

This updates IcedTea6 to version 1.11.12, which fixes these issues,
as well as several other bugs.

Additionally, this OpenJDK update causes icedtea-web, the Java browser
plugin, to crash, so icedtea-web has been patched to fix this.
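One way to check whether an MES5 host is still exposed, as an added example that is not part of the advisory: compare the installed version and release of the two packages against the fixed releases in the advisory's package list, using a simplified reimplementation of rpm's rpmvercmp ordering. The package names and fixed releases are taken from the advisory; the sample rpm -q output is constructed.

```python
import re

# Fixed (version, release) pairs from the MDVSA-2013:196 package list; no epoch is listed.
FIXED = {
    "java-1.6.0-openjdk": ("1.6.0.0", "35.b24.6mdvmes5.2"),
    "icedtea-web": ("1.3.2", "0.4mdvmes5.2"),
}

def segments(s):
    """Tokenize like rpmvercmp: numeric and alphabetic runs, separators dropped."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b. Numeric segments
    compare as integers, alphabetic ones lexically, numeric beats alphabetic, and
    with an equal prefix the string with more segments is newer (no tilde/caret)."""
    if a == b:
        return 0
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_older(installed, fixed):
    """Compare (version, release) pairs the way rpm does: version first, then release."""
    c = rpmvercmp(installed[0], fixed[0]) or rpmvercmp(installed[1], fixed[1])
    return c < 0

def find_vulnerable(rpm_q_lines):
    """Take 'NAME VERSION RELEASE' lines (rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n')
    and return the names of packages still below the advisory's fixed release."""
    vulnerable = []
    for line in rpm_q_lines:
        name, version, release = line.split()
        if name in FIXED and is_older((version, release), FIXED[name]):
            vulnerable.append(name)
    return vulnerable

SAMPLE = [  # constructed sample output: OpenJDK at a pre-advisory release, icedtea-web already fixed
    "java-1.6.0-openjdk 1.6.0.0 33.b24.5mdvmes5.2",
    "icedtea-web 1.3.2 0.4mdvmes5.2",
]

print(find_vulnerable(SAMPLE))  # ['java-1.6.0-openjdk']
```

Feed it the real output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' java-1.6.0-openjdk icedtea-web` on an MES5 host; an empty list means both packages are at or past the advisory's release.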

Updated packages

MES5 i586


MES5 x86_64


References