MDVSA-2010:084
- Package name
- java-1.6.0-openjdk
- Date
- 2010-04-28
- Advisory ID
- MDVSA-2010:084
- Affected versions
- 2009.0 x86_64 , MES5 i586 , 2010.0 x86_64 , 2010.0 i586 , 2009.1 i586 , 2009.0 i586 , 2009.1 x86_64 , MES5 x86_64
Problem description
Multiple Java OpenJDK security vulnerabilities has been identified
and fixed:
- TLS: MITM attacks via session renegotiation (CVE-2009-3555).
- Loader-constraint table allows arrays instead of only the b
ase-classes (CVE-2010-0082).
- Policy/PolicyFile leak dynamic ProtectionDomains. (CVE-2010-0084).
- File TOCTOU deserialization vulnerability (CVE-2010-0085).
- Inflater/Deflater clone issues (CVE-2010-0088).
- Unsigned applet can retrieve the dragged information before drop
action occurs (CVE-2010-0091).
- AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error
(CVE-2010-0092).
- System.arraycopy unable to reference elements beyond
Integer.MAX_VALUE bytes (CVE-2010-0093).
- Deserialization of RMIConnectionImpl objects should enforce stricter
checks (CVE-2010-0094).
- Subclasses of InetAddress may incorrectly interpret network addresses
(CVE-2010-0095).
- JAR unpack200 must verify input parameters (CVE-2010-0837).
- CMM readMabCurveData Buffer Overflow Vulnerability (CVE-2010-0838).
- Applet Trusted Methods Chaining Privilege Escalation Vulner ability
(CVE-2010-0840).
- No ClassCastException for HashAttributeSet constructors if run with
-Xcomp (CVE-2010-0845)
- ImagingLib arbitrary code execution vulnerability (CVE-2010-0847).
- AWT Library Invalid Index Vulnerability (CVE-2010-0848).
Additional security issues that was fixed with IcedTea6 1.6.2:
- deprecate MD2 in SSL cert validation (CVE-2009-2409).
- ICC_Profile file existence detection information leak
(CVE-2009-3728).
- JRE AWT setDifflCM stack overflow (CVE-2009-3869).
- JRE AWT setBytePixels heap overflow (CVE-2009-3871).
- JPEG Image Writer quantization problem (CVE-2009-3873).
- ImageI/O JPEG heap overflow (CVE-2009-3874).
- MessageDigest.isEqual introduces timing attack vulnerabilities
(CVE-2009-3875).
- OpenJDK ASN.1/DER input stream parser denial of service
(CVE-2009-3876, CVE-2009-3877)
- GraphicsConfiguration information leak (CVE-2009-3879).
- UI logging information leakage (CVE-2009-3880).
- resurrected classloaders can still have children (CVE-2009-3881).
- Numerous static security flaws in Swing (findbugs) (CVE-2009-3882).
- Mutable statics in Windows PL&F (findbugs) (CVE-2009-3883).
- zoneinfo file existence information leak (CVE-2009-3884).
- BMP parsing DoS with UNC ICC links (CVE-2009-3885).
Additionally Paulo Cesar Pereira de Andrade (pcpa) at Mandriva found
and fixed a bug in IcedTea6 1.8 that is also applied to the provided
packages:
* plugin/icedteanp/IcedTeaNPPlugin.cc
(plugin_filter_environment): Increment malloc size by one to
account for
NULL terminator. Bug# 474.
Packages for 2009.0 are provided due to the Extended Maintenance
Program.
Updated packages
2009.0 x86_64
630941e679a033285ddf5cb3e4c1d092 2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm 6330c6dda9cf7c59a90f529bceeee17b 2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm c7d708c5f14d710a6bdcc352bb18a55a 2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm edf4b1d8efeb157bb0f19b4c4cc55935 2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm ac9f8227297249940b1845f3ad95165f 2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm d1ed0ce1155c85c423d0cbe47eadfa5b 2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.0.x86_64.rpm 212262f34829af20e53fb2076fa78d25 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.src.rpm
MES5 i586
742a7a6dcc82962a132eadb91a2b1736 mes5/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm 3acd32ccd1fee71f07ccb4b038434ffd mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm c3358ac84dbc950752655fee46fd5e4b mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm a30ef6b33fd9ba1403ab46ef9643efdb mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm 534f95a18c4798ec80cdfe47bd1148a8 mes5/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm e79e4bd9462096222f5b07d681b3d418 mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdvmes5.1.i586.rpm 0bc580c8d4d6e57cbee939bf68743170 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.src.rpm
2010.0 x86_64
100203d38e76348f262d69d2cae8a7ba 2010.0/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm f155019a4a22d7bf7265c67024dcbc33 2010.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm 8eaf304d6eb93212d1045adc301de385 2010.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm 2e2082bd89db22cf5fa4be2ebaceb71c 2010.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm 3e7a1849db88a8b8ddcdf30441edfcb7 2010.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm fbc9da5e2080972f6f8c01f23e86890f 2010.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2010.0.x86_64.rpm b789ff663963ae8b60a0d189b870907c 2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.src.rpm
2010.0 i586
f3c1bb7b091d5889a856edf93e066367 2010.0/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.i586.rpm 7f717091a34f98e9547c698bf08065f5 2010.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2010.0.i586.rpm 21b8532c934559100b0dbc498ba3c52e 2010.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2010.0.i586.rpm 8711fdef27cce9af73191903f85dbcd6 2010.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2010.0.i586.rpm 1905269f878bb1c6367dedc6797f6914 2010.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2010.0.i586.rpm c5f53d24770de6704f00fdf34c87a703 2010.0/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2010.0.i586.rpm b789ff663963ae8b60a0d189b870907c 2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0.src.rpm
2009.1 i586
304bc2cab18b29781bfac69d4927ddce 2009.1/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.i586.rpm 77f0d2e2b2c04288a5aae608a2f73f1a 2009.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.1.i586.rpm 7ff7542b4328fd978725f8e0b02590d9 2009.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.1.i586.rpm 3d1bf214209ea3aef86b58962e80901e 2009.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.1.i586.rpm f52cf5f8d3f85b98da246963d583f6bc 2009.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.1.i586.rpm 87b2fd7ac9883e624e71faa993559e78 2009.1/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.1.i586.rpm 0ff2ca4dfc122a3538349ed2dab6ed81 2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.src.rpm
2009.0 i586
37c14ebea4b3ceccbecba4ffea2630a6 2009.0/i586/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.i586.rpm 3f7ba1d78aaf5f1ca56e86fcb48e7192 2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.0.i586.rpm 12963efa8b4ea6691ba68f4e72e81e5d 2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.0.i586.rpm 6387d4381c518c5658701c114c5fcb9d 2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.0.i586.rpm f90d2a22c10b6eb30aedef13207d346c 2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.0.i586.rpm 01e62b54974a3d1b5232de0baa196e41 2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.0.i586.rpm 212262f34829af20e53fb2076fa78d25 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0.src.rpm
2009.1 x86_64
883105d4347bb0864c7c73e4f0865066 2009.1/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm ac44d41806625e0be7a55ff30bf1f0e7 2009.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm 67db7247fbf1b5be5391f33603b9148c 2009.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm 0b6e7a93df49306976453daf29a29d96 2009.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm 67e679d7aa4545a968889dcbb1a3fa8e 2009.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm 4042e3ae7e3b2dbdcba0e73aadd219d5 2009.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdv2009.1.x86_64.rpm 0ff2ca4dfc122a3538349ed2dab6ed81 2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1.src.rpm
MES5 x86_64
180566f92a5564c747c716ecdf082c8f mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm 5e05d90fe32dfce7b15db7d9e5604227 mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm 09506c689ed0265023861e006fbcb624 mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm c9ff4a3a4695c56b13268d76c355cfbe mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm 0a70a54c2eed68e723cbc65de63bfbff mes5/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm 166c980a8479cd915f3507070c25508e mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-2.b18.2mdvmes5.1.x86_64.rpm 0bc580c8d4d6e57cbee939bf68743170 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1.src.rpm
References
- http://blogs.sun.com/darcy/resource/OpenJDK_6/openjdk6-b18-changes-summary.html
- http://article.gmane.org/gmane.comp.java.openjdk.distro-packaging.devel/8938
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0848
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0847
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0845
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0838
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0837
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0095
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0094
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0093
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0092
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0091
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0088
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0085
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0084
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0082
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3885
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3884
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3883
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3882
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3881
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3880
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3879
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3877
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3876
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3875
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3874
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3871
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3873
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3728
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3869
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
- http://icedtea.classpath.org/hg/release/icedtea6-1.8/rev/a6a02193b073