CVE-2005-1080
CVSS 5.0
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:17:08
NMCOPS    

[Original] Directory traversal vulnerability in the Java Archive Tool (Jar) utility in J2SE SDK 1.4.2 and 1.5, and OpenJDK, allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in filenames in a .jar file.


[CNNVD] Sun SDK Java Archive directory traversal vulnerability (CNNVD-200505-197)

        A directory traversal vulnerability exists in the Java Archive tool of J2SE SDK 1.4.2 and 1.5, and of OpenJDK. A remote attacker can create or overwrite arbitrary files by means of the ".." operator in file names inside a .jar file.

- CVSS (base score)

CVSS score: 5 [Medium]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:sun:sdk:1.4.2    SDK 1.4.2
cpe:/a:sun:sdk:1.5      Sun SDK 1.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1080
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-197
(official data source) CNNVD

- Other links and resources

http://advisories.mageia.org/MGASA-2015-0158.html
(UNKNOWN)  CONFIRM  http://advisories.mageia.org/MGASA-2015-0158.html
http://marc.info/?l=bugtraq&m=111331593310508&w=2
(UNKNOWN)  BUGTRAQ  20050412 7a69Adv#23 - Jar tool directory transversal vulnerability
http://marc.info/?l=oss-security&m=127602564508766&w=2
(UNKNOWN)  MLIST  [oss-security] 20100608 jar, fastjar directory traversal vulnerabilities
http://marc.info/?l=oss-security&m=127603032617644&w=2
(UNKNOWN)  MLIST  [oss-security] 20100608 Re: jar, fastjar directory traversal vulnerabilities
http://rhn.redhat.com/errata/RHSA-2015-0806.html
(UNKNOWN)  REDHAT  RHSA-2015:0806
http://rhn.redhat.com/errata/RHSA-2015-0807.html
(UNKNOWN)  REDHAT  RHSA-2015:0807
http://rhn.redhat.com/errata/RHSA-2015-0808.html
(UNKNOWN)  REDHAT  RHSA-2015:0808
http://rhn.redhat.com/errata/RHSA-2015-0809.html
(UNKNOWN)  REDHAT  RHSA-2015:0809
http://www.mandriva.com/security/advisories?name=MDVSA-2015:212
(UNKNOWN)  MANDRIVA  MDVSA-2015:212
http://www.securiteam.com/securitynews/5IP0C0AFGW.html
(VENDOR_ADVISORY)  MISC  http://www.securiteam.com/securitynews/5IP0C0AFGW.html
https://bugzilla.redhat.com/show_bug.cgi?id=594497
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=594497
https://bugzilla.redhat.com/show_bug.cgi?id=601823
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=601823

- Vulnerability information

Sun SDK Java Archive directory traversal vulnerability
Medium  Path traversal
2005-05-02 00:00:00 2009-04-03 00:00:00
Remote
        A directory traversal vulnerability exists in the Java Archive tool of J2SE SDK 1.4.2 and 1.5, and of OpenJDK. A remote attacker can create or overwrite arbitrary files by means of the ".." operator in file names inside a .jar file.
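The summary above, and the two Red Hat advisory descriptions further down (CVE-2005-1080 and CVE-2015-0480), describe the jar tool writing an entry whose name contains ".." outside the directory it is extracting into, overwriting any file writable by the user running jar. The following is an added example, not OpenJDK's jar tool and not Red Hat's code: a scanner that flags such entries in a .jar (a zip archive) without extracting, and a guarded extractor that writes only entries whose canonical path resolves inside the destination. The archive, the class name com/example/Hello.class and both traversal entries are constructed for the example.

```python
"""Guarded .jar extraction: flag entries whose names escape the destination.

Added example for this page; not OpenJDK's jar tool and not Red Hat's code.
The sample archive is constructed inline: the class name
com/example/Hello.class and both traversal entries are hypothetical.
"""
from __future__ import annotations

import io
import os
import tempfile
import zipfile


def is_unsafe_entry_name(name: str) -> bool:
    """Syntactic check on a zip entry name.

    Rejects absolute paths, drive-letter paths and any '..' component.
    Backslashes are treated as separators because some archivers write
    them, and a '..' anywhere is rejected even when it would cancel out
    (e.g. 'a/../b'), which is the conservative choice for untrusted input.
    """
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return True
    if len(normalised) > 1 and normalised[1] == ":":
        return True
    return ".." in normalised.split("/")


def scan_jar(jar_bytes: bytes) -> list[str]:
    """Return the entry names that fail the syntactic check, without extracting."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_entry_name(i.filename)]


def safe_extract(jar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only entries whose resolved path stays strictly under dest.

    Two layers: the syntactic name check, then a canonical-path check
    (realpath of the joined path must start with realpath(dest) + separator),
    which also covers entries the name check misses, such as a path through
    a symlinked subdirectory that points outside dest.
    Returns (extracted, rejected) entry names in archive order.
    """
    root = os.path.realpath(dest)
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            if is_unsafe_entry_name(name) or not target.startswith(root + os.sep):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_jar() -> bytes:
    """Constructed sample: two legitimate entries and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")  # hypothetical class
        zf.writestr("../../outside.txt", "dot-dot entry\n")           # escapes via '..'
        zf.writestr("/tmp/absolute.txt", "absolute-path entry\n")     # absolute path
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Scan, then extract into a fresh temporary directory; report what
    was flagged, extracted, rejected and what actually landed on disk."""
    jar = build_sample_jar()
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(jar, dest)
        on_disk = sorted(
            os.path.relpath(os.path.join(dirpath, f), dest).replace(os.sep, "/")
            for dirpath, _, files in os.walk(dest)
            for f in files
        )
    return {"flagged": scan_jar(jar), "extracted": extracted,
            "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running scan_jar over a build's dependency jars before extracting them is the cheap, read-only check; safe_extract is the guard to use wherever an archive from an untrusted source must actually be unpacked.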

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; the patch can be obtained from:
        http://sunsolve.sun.com/security

- Vulnerability information (F131449)

Red Hat Security Advisory 2015-0808-01 (PacketStormID:F131449)
2015-04-16 00:00:00
Red Hat  
advisory,java,overflow,arbitrary
linux,redhat
CVE-2005-1080,CVE-2015-0460,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488

Red Hat Security Advisory 2015-0808-01 - The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-openjdk security update
Advisory ID:       RHSA-2015:0808-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0808.html
Issue date:        2015-04-14
CVE Names:         CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 
=====================================================================

1. Summary:

Updated java-1.6.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.

An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2015-0469)

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly. (CVE-2015-0488)

A flaw was discovered in the Beans component in OpenJDK. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions. (CVE-2015-0477)

A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted. (CVE-2005-1080, CVE-2015-0480)

It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
(CVE-2015-0478)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211285 - CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el5_11.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el5_11.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el5_11.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el5_11.i386.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el5_11.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el5_11.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el6_6.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el6_6.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el6_6.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el6_6.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el6_6.i686.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el6_6.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.src.rpm

ppc64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el7_1.ppc64.rpm

s390x:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.s390x.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.s390x.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el7_1.s390x.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el7_1.ppc64.rpm

s390x:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.s390x.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el7_1.s390x.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el7_1.s390x.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el7_1.s390x.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0460
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F131448)

Red Hat Security Advisory 2015-0809-01 (PacketStormID:F131448)
2015-04-16 00:00:00
Red Hat  
advisory,java,overflow,arbitrary
linux,redhat
CVE-2005-1080,CVE-2015-0460,CVE-2015-0469,CVE-2015-0470,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488

Red Hat Security Advisory 2015-0809-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-openjdk security update
Advisory ID:       RHSA-2015:0809-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0809.html
Issue date:        2015-04-14
CVE Names:         CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 
                   CVE-2015-0470 CVE-2015-0477 CVE-2015-0478 
                   CVE-2015-0480 CVE-2015-0488 
=====================================================================

1. Summary:

Updated java-1.8.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.

An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2015-0469)

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly. (CVE-2015-0488)

Multiple flaws were discovered in the Beans and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2015-0477, CVE-2015-0470)

A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted. (CVE-2005-1080, CVE-2015-0480)

It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
(CVE-2015-0478)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

All users of java-1.8.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211285 - CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211387 - CVE-2015-0470 OpenJDK: incorrect handling of default methods (Hotspot, 8065366)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-src-1.8.0.45-28.b13.el6_6.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-28.b13.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-28.b13.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-src-1.8.0.45-28.b13.el6_6.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-28.b13.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.45-28.b13.el6_6.i686.rpm
java-1.8.0-openjdk-src-1.8.0.45-28.b13.el6_6.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-28.b13.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-28.b13.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-28.b13.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-30.b13.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.el7_1.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-30.b13.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-30.b13.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.el7_1.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-30.b13.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.src.rpm

ppc64:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.ppc64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-30.b13.el7_1.ppc64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-30.b13.el7_1.ppc64.rpm

s390x:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.s390x.rpm
java-1.8.0-openjdk-devel-1.8.0.45-30.b13.el7_1.s390x.rpm
java-1.8.0-openjdk-headless-1.8.0.45-30.b13.el7_1.s390x.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-30.b13.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.45-30.b13.ael7b_1.src.rpm

ppc64le:
java-1.8.0-openjdk-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-devel-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-headless-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.el7_1.noarch.rpm

ppc64:
java-1.8.0-openjdk-accessibility-1.8.0.45-30.b13.el7_1.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.ppc64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-30.b13.el7_1.ppc64.rpm
java-1.8.0-openjdk-src-1.8.0.45-30.b13.el7_1.ppc64.rpm

s390x:
java-1.8.0-openjdk-accessibility-1.8.0.45-30.b13.el7_1.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.s390x.rpm
java-1.8.0-openjdk-demo-1.8.0.45-30.b13.el7_1.s390x.rpm
java-1.8.0-openjdk-src-1.8.0.45-30.b13.el7_1.s390x.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-30.b13.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.ael7b_1.noarch.rpm

ppc64le:
java-1.8.0-openjdk-accessibility-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-demo-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-src-1.8.0.45-30.b13.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.45-30.b13.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.el7_1.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.45-30.b13.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.45-30.b13.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0460
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0470
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVLqwcXlSAg2UNWIIRAoYsAJ4zmd6xNnpSBDrV0A+rXRbqq7jz8gCfd9cE
q2uTi/nCA58+RY+m2+oAAR0=
=tBP+
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F131447)

Red Hat Security Advisory 2015-0807-01 (PacketStormID:F131447)
2015-04-16 00:00:00
Red Hat  
advisory,java,overflow,arbitrary
linux,redhat
CVE-2005-1080,CVE-2015-0460,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488

Red Hat Security Advisory 2015-0807-01 - The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.7.0-openjdk security update
Advisory ID:       RHSA-2015:0807-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0807.html
Issue date:        2015-04-14
CVE Names:         CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.

An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2015-0469)

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly. (CVE-2015-0488)

A flaw was discovered in the Beans component in OpenJDK. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions. (CVE-2015-0477)

A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted. (CVE-2005-1080, CVE-2015-0480)

It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
(CVE-2015-0478)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211285 - CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.2.el5_11.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.2.el5_11.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.2.el5_11.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.2.el5_11.i386.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.2.el5_11.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.2.el5_11.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0460
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVLqrgXlSAg2UNWIIRAlE6AKCvJnwx1JrfAjTvL7XSKD0rFTVMCQCfblXO
0cwC0elfx8YHu+fYuXXZYDY=
=50o5
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F131446)

Red Hat Security Advisory 2015-0806-01 (PacketStormID:F131446)
2015-04-16 00:00:00
Red Hat  
advisory,java,overflow,arbitrary
linux,redhat
CVE-2005-1080,CVE-2015-0460,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488

Red Hat Security Advisory 2015-0806-01 - The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-openjdk security update
Advisory ID:       RHSA-2015:0806-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0806.html
Issue date:        2015-04-14
CVE Names:         CVE-2005-1080 CVE-2015-0460 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.

An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions. (CVE-2015-0469)

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0460)

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly. (CVE-2015-0488)

A flaw was discovered in the Beans component in OpenJDK. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions. (CVE-2015-0477)

A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted. (CVE-2005-1080, CVE-2015-0480)

It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures.
(CVE-2015-0478)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211285 - CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el6_6.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el6_6.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el6_6.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el6_6.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el6_6.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el6_6.i686.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el6_6.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el7_1.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el7_1.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.src.rpm

ppc64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm

s390x:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.s390x.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.s390x.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el7_1.s390x.rpm
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.el7_1.s390x.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.ael7b_1.src.rpm

ppc64le:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el7_1.noarch.rpm

ppc64:
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el7_1.ppc64.rpm

s390x:
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.el7_1.s390x.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.s390x.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el7_1.s390x.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el7_1.s390x.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.ael7b_1.noarch.rpm

ppc64le:
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.el7_1.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0460
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVLqqTXlSAg2UNWIIRAsHgAKCTg6Gj8hBdbPz07pExS+KjKvKHYwCgqePX
iDpVdpzqV/qItN9MLds7TmQ=
=N9uU
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
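The jar directory traversal flaw described in advisories RHSA-2015:0807 and RHSA-2015:0806 above (CVE-2005-1080, CVE-2015-0480) is the archive-extraction problem in which an entry name containing ".." or an absolute path is written outside the extraction directory. The following Python is an added example, not code from Red Hat or OpenJDK: it shows the containment check a safe extractor performs on every entry name before writing anything, and refuses the whole archive when any entry fails. The sample archive and the helper names (`build_sample_jar`, `is_safe_member`, `unsafe_members`, `safe_extract`) are constructed for illustration.

```python
import io
import os
import zipfile


def build_sample_jar() -> bytes:
    """Constructed sample: an in-memory JAR (a ZIP file) with two ordinary
    entries plus two entries whose names would escape the extraction
    directory, the pattern the advisories describe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../escaped.txt", "would land outside dest\n")
        zf.writestr("/abs/rooted.txt", "absolute entry name\n")
    return buf.getvalue()


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if entry `name` resolves to a path inside `dest`.

    The joined path is canonicalised and compared against the canonical
    destination, so "..", absolute names and backslash separators (which
    Windows treats as directory separators) are all rejected.
    """
    dest_real = os.path.realpath(dest)
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return False
    target = os.path.realpath(os.path.join(dest_real, normalised))
    return target == dest_real or target.startswith(dest_real + os.sep)


def unsafe_members(jar_bytes: bytes, dest: str) -> list:
    """List the entry names that would be written outside `dest`."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n, dest)]


def safe_extract(jar_bytes: bytes, dest: str) -> list:
    """Extract an archive into `dest`, returning the names written.

    The whole archive is refused if any entry is unsafe; silently skipping
    the bad entries would leave a tampered archive partially installed.
    """
    bad = unsafe_members(jar_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive: entries escape {dest}: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out_path = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(info) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


if __name__ == "__main__":
    # Inspect the constructed sample without writing anything to disk.
    print("unsafe entries:", unsafe_members(build_sample_jar(), "/tmp/jar-out"))
```

Running the block lists the two entries that would escape `/tmp/jar-out`; the same check applied before extraction is what the patched jar tool needed to perform.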
    

- Vulnerability Information (F131491)

Red Hat Security Advisory 2015-0854-01 (PacketStormID:F131491)
2015-04-19 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0458,CVE-2015-0459,CVE-2015-0460,CVE-2015-0469,CVE-2015-0470,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0484,CVE-2015-0486,CVE-2015-0488,CVE-2015-0491,CVE-2015-0492

Red Hat Security Advisory 2015-0854-01 - Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.8.0-oracle security update
Advisory ID:       RHSA-2015:0854-01
Product:           Oracle Java for Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0854.html
Issue date:        2015-04-17
CVE Names:         CVE-2005-1080 CVE-2015-0458 CVE-2015-0459 
                   CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0484 CVE-2015-0486 CVE-2015-0488 
                   CVE-2015-0491 CVE-2015-0492 
=====================================================================

1. Summary:

Updated java-1.8.0-oracle packages that fix several security issues are now
available for Oracle Java for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux HPC Node 6 - x86_64
Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64

3. Description:

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469,
CVE-2015-0470, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484,
CVE-2015-0486, CVE-2015-0488, CVE-2015-0491, CVE-2015-0492)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

All users of java-1.8.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 8 Update 45 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211285 - CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211387 - CVE-2015-0470 OpenJDK: incorrect handling of default methods (Hotspot, 8065366)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211770 - CVE-2015-0492 Oracle JDK: unspecified vulnerability fixed in 7u79 and 8u45 (JavaFX)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1211773 - CVE-2015-0484 Oracle JDK: unspecified vulnerability fixed in 7u79 and 8u45 (JavaFX)
1211774 - CVE-2015-0486 Oracle JDK: unspecified vulnerability fixed in 8u45 (Deployment)

6. Package List:

Oracle Java for Red Hat Enterprise Linux Desktop 6:

i386:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux HPC Node 6:

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server 6:

i386:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation 6:

i386:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Client (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.45-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.45-1jpp.2.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0460
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0470
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0484
https://access.redhat.com/security/cve/CVE-2015-0486
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-0492
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVMOfcXlSAg2UNWIIRAigHAJ9iiCXsg8pjUmcblmGNTSBQXP/8IwCgpll7
lURJuLF7uIj99YBy+hL8W9g=
=1Xpi
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F131525)

Red Hat Security Advisory 2015-0858-01 (PacketStormID:F131525)
2015-04-20 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0458,CVE-2015-0459,CVE-2015-0460,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491

Red Hat Security Advisory 2015-0858-01 - Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-sun security update
Advisory ID:       RHSA-2015:0858-01
Product:           Oracle Java for Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0858.html
Issue date:        2015-04-20
CVE Names:         CVE-2005-1080 CVE-2015-0458 CVE-2015-0459 
                   CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 
                   CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 
                   CVE-2015-0491 
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that fix several security issues are now
available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Client 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux HPC Node 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64

3. Description:

Oracle Java SE version 6 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469,
CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488, CVE-2015-0491)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

All users of java-1.6.0-sun are advised to upgrade to these updated
packages, which provide Oracle Java 6 Update 95 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211285 - CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)

6. Package List:

Oracle Java for Red Hat Enterprise Linux Client 5:

i386:
java-1.6.0-sun-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el5_11.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 5:

i386:
java-1.6.0-sun-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el5_11.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el5_11.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 6:

i386:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux HPC Node 6:

i386:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server 6:

i386:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation 6:

i386:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Client (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.95-1jpp.3.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.95-1jpp.3.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0460
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/updates/classification/#important
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVNRC1XlSAg2UNWIIRAjECAJwMRNP9KubHK5tvIPOMZ3cvG0XjZACghu3T
d2/IGgPrh/0p5RO9vjqxIUg=
=hEPD
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F131524)

Red Hat Security Advisory 2015-0857-01 (PacketStormID:F131524)
2015-04-20 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0458,CVE-2015-0459,CVE-2015-0460,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0484,CVE-2015-0488,CVE-2015-0491,CVE-2015-0492

Red Hat Security Advisory 2015-0857-01 - Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-oracle security update
Advisory ID:       RHSA-2015:0857-01
Product:           Oracle Java for Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-0857.html
Issue date:        2015-04-20
CVE Names:         CVE-2005-1080 CVE-2015-0458 CVE-2015-0459 
                   CVE-2015-0460 CVE-2015-0469 CVE-2015-0477 
                   CVE-2015-0478 CVE-2015-0480 CVE-2015-0484 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-0492 
=====================================================================

1. Summary:

Updated java-1.7.0-oracle packages that fix several security issues are now
available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Client 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux HPC Node 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64

3. Description:

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2005-1080, CVE-2015-0458, CVE-2015-0459, CVE-2015-0460, CVE-2015-0469,
CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0484, CVE-2015-0488,
CVE-2015-0491, CVE-2015-0492)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 79 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211285 - CVE-2015-0460 OpenJDK: incorrect handling of phantom references (Hotspot, 8071931)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211770 - CVE-2015-0492 Oracle JDK: unspecified vulnerability fixed in 7u79 and 8u45 (JavaFX)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1211773 - CVE-2015-0484 Oracle JDK: unspecified vulnerability fixed in 7u79 and 8u45 (JavaFX)

6. Package List:

Oracle Java for Red Hat Enterprise Linux Client 5:

i386:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el5_11.i586.rpm

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 5:

i386:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el5_11.i586.rpm

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 6:

i386:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux HPC Node 6:

i386:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server 6:

i386:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation 6:

i386:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Client (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.79-1jpp.1.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.79-1jpp.1.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0460
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0484
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-0492
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVNRBQXlSAg2UNWIIRAmJVAJ9Axv54JyA+OKhw16Tvpp/+4yLysACgi/nH
Ih0/NpUncrhZv+WNl9lavNU=
=TeK0
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F131660)

Mandriva Linux Security Advisory 2015-212 (PacketStormID:F131660)
2015-04-28 00:00:00
Mandriva mandriva.com
advisory,java,overflow,arbitrary
linux,mandriva
CVE-2005-1080,CVE-2015-0460,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488

Mandriva Linux Security Advisory 2015-212 - An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:212
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.7.0-openjdk
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.7.0 packages fix security vulnerabilities:
 
 An off-by-one flaw, leading to a buffer overflow, was found in the
 font parsing code in the 2D component in OpenJDK. A specially crafted
 font file could possibly cause the Java Virtual Machine to execute
 arbitrary code, allowing an untrusted Java application or applet to
 bypass Java sandbox restrictions (CVE-2015-0469).
 
 A flaw was found in the way the Hotspot component in OpenJDK
 handled phantom references. An untrusted Java application or applet
 could use this flaw to corrupt the Java Virtual Machine memory and,
 possibly, execute arbitrary code, bypassing Java sandbox restrictions
 (CVE-2015-0460).
 
 A flaw was found in the way the JSSE component in OpenJDK parsed X.509
 certificate options. A specially crafted certificate could cause JSSE
 to raise an exception, possibly causing an application using JSSE to
 exit unexpectedly (CVE-2015-0488).
 
 A flaw was discovered in the Beans component in OpenJDK. An untrusted
 Java application or applet could use this flaw to bypass certain Java
 sandbox restrictions (CVE-2015-0477).
 
 A directory traversal flaw was found in the way the jar tool extracted
 JAR archive files. A specially crafted JAR archive could cause jar
 to overwrite arbitrary files writable by the user running jar when
 the archive was extracted (CVE-2005-1080, CVE-2015-0480).
 
 It was found that the RSA implementation in the JCE component in
 OpenJDK did not follow recommended practices for implementing RSA
 signatures (CVE-2015-0478).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488
 http://advisories.mageia.org/MGASA-2015-0158.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 65ed5762e704150c083edeb68138f17c  mbs1/x86_64/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 db45d488531f88df789dd99fc91f08a3  mbs1/x86_64/java-1.7.0-openjdk-accessibility-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 317fc70a3d0d14e0e4ecdc643619b1be  mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 e1af37f571aa22905b3203eb1f2575df  mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 2ff58c8c02ad00b6847e19bdceee610b  mbs1/x86_64/java-1.7.0-openjdk-headless-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 26479b11ee458639fe6b9b1853d899a2  mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.5.1.mbs1.noarch.rpm
 80f9a48ed77c6b28cf18f1b25b3e8e74  mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm 
 72b8836e9d3816d590296010e250f7a5  mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVPl29mqjQ0CJFipgRAvNjAKC9WYFSv2z9oowJwdg3VBR1+3mzKgCg1HL7
/Cjkp/gkYi1/GbAEfYCvIGE=
=TR1x
-----END PGP SIGNATURE-----
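The jar flaw described in the Mandriva advisory above (CVE-2005-1080, CVE-2015-0480) is an extractor that joins an archive entry name onto the destination directory without checking where the result lands. As an added example, not code from Mandriva, Red Hat or OpenJDK, the following Python shows the validation rule a defensive extractor applies: resolve each entry against the destination and reject anything that ends up outside it, plus absolute names and drive letters. The function names (`classify_entry`, `safe_extract`, `build_sample_archive`, `run_demo`) and the archive contents are constructed for this illustration.

```python
"""Defensive check for ZIP/JAR entry names before extraction.

Added example, not vendor or OpenJDK code. A JAR is a ZIP file, so the
same rule applies to jar, unzip or any library extractor: an entry name
is untrusted input and must not be allowed to steer the write outside
the directory the user chose.
"""
import io
import tempfile
import zipfile
from pathlib import Path


def classify_entry(dest_dir: str, name: str) -> str:
    """Return 'ok' or a short rejection reason for one archive entry name."""
    # ZIP/JAR entry names use '/' separators; normalise backslashes too so a
    # Windows-style traversal is judged the same way as a POSIX one.
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return "absolute path"
    if len(normalised) > 1 and normalised[1] == ":":
        return "drive letter"
    dest = Path(dest_dir).resolve()
    target = (dest / normalised).resolve()
    # The resolved target must stay inside dest; '..' segments that climb out
    # fail this test even when mixed with legitimate subdirectories.
    if dest != target and dest not in target.parents:
        return "escapes destination"
    return "ok"


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only entries that pass classify_entry.

    Returns (extracted_names, [(rejected_name, reason), ...]).
    """
    extracted, rejected = [], []
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict = classify_entry(dest_dir, info.filename)
            if verdict != "ok":
                rejected.append((info.filename, verdict))
                continue
            target = dest / info.filename.replace("\\", "/")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and three traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/../../../outside.txt", "climbs out of dest\n")
        zf.writestr("/tmp/absolute.txt", "absolute entry name\n")
        zf.writestr("..\\..\\win_style.txt", "backslash traversal\n")
    return buf.getvalue()


def run_demo():
    """Extract the constructed archive into a fresh temp dir; return the verdicts."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        # The only file written is the manifest, inside dest.
        assert (Path(dest) / "META-INF" / "MANIFEST.MF").is_file()
    return extracted, rejected


if __name__ == "__main__":
    ok, bad = run_demo()
    print("extracted:", ok)
    for name, reason in bad:
        print(f"rejected {name!r}: {reason}")
```

Python's own `zipfile.ZipFile.extract` already strips drive letters, leading separators and `..` components before writing, so the explicit pre-check here illustrates the rule rather than replacing that behaviour; the point is that the check happens on the resolved path, not on a substring search for `..`, which would miss mixed forms such as `lib/../../../outside.txt` on extractors that normalise differently.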

- Vulnerability Information (F131896)

Red Hat Security Advisory 2015-1006-01 (PacketStormID:F131896)
2015-05-13 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1006-01 - IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-ibm security update
Advisory ID:       RHSA-2015:1006-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1006.html
Issue date:        2015-05-13
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,
CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to from the References section, for additional details
about this change.

All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR16-FP4 release. All running
instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.i686.rpm

ppc64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVU16HXlSAg2UNWIIRAv4ZAKCZFz3t93vvFLN3TKeIIkrCLCfJVgCgkgwf
4gqMoizth0uxHxklRYtWjSo=
=gCmI
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- Vulnerability Information (F131895)

Red Hat Security Advisory 2015-1007-01 (PacketStormID:F131895)
2015-05-13 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1007-01 - IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-ibm security update
Advisory ID:       RHSA-2015:1007-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1007.html
Issue date:        2015-05-13
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.7.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64

3. Description:

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,
CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to from the References section, for additional details
about this change.

All users of java-1.7.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7 SR9 release. All running instances
of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm

x86_64:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm

ppc:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.ppc64.rpm

s390x:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.s390x.rpm

x86_64:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVU17bXlSAg2UNWIIRAposAKCl1KKypq8jh2fZMiMQSgQebqOoUACgv6ub
8xby/2Wo5myeInqZfXjH5zs=
=ltGy
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- Vulnerability Information (F131943)

Red Hat Security Advisory 2015-1020-01 (PacketStormID:F131943)
2015-05-20 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1020-01 - IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.1-ibm security update
Advisory ID:       RHSA-2015:1020-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1020.html
Issue date:        2015-05-20
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.7.1-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 6 and 7 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64

3. Description:

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment
and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,
CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to in the References section, for additional details
about this change.

All users of java-1.7.1-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7R1 SR3 release. All running instances
of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.i686.rpm

ppc64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.ppc.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.ppc.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.ppc.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm

s390x:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.s390.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.s390.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.ppc.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.ppc.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.ppc.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm

s390x:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.s390.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.s390.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64le:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVXOTGXlSAg2UNWIIRAvfJAJ9DovG7A8ayKhzQHDvfw5uZBYQYugCeKjis
QkKpSNCwvzHfJyVERdTh+TM=
=or85
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F131942)

Red Hat Security Advisory 2015-1021-01 (PacketStormID:F131942)
2015-05-20 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1021-01 - IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.5.0-ibm security update
Advisory ID:       RHSA-2015:1021-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1021.html
Issue date:        2015-05-20
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 
                   CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 
                   CVE-2015-0491 CVE-2015-1914 CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.5.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480,
CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to in the References section, for additional details
about this change.

IBM Java SDK and JRE 5.0 will not receive software updates after September
2015. This date is referred to as the End of Service (EOS) date. Customers
are advised to migrate to current versions of IBM Java at this time. IBM
Java SDK and JRE versions 6 and 7 are available via the Red Hat Enterprise
Linux 5 and 6 Supplementary content sets and will continue to receive
updates based on IBM's lifecycle policy, linked to in the References
section.

Customers can also consider OpenJDK, an open source implementation of
the Java SE specification. OpenJDK is available by default on supported
hardware architectures.

All users of java-1.5.0-ibm are advised to upgrade to these updated
packages, containing the IBM J2SE 5.0 SR16-FP10 release. All running
instances of IBM Java must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.i686.rpm

ppc64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#important
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4
https://www.ibm.com/developerworks/java/jdk/lifecycle/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVXOXmXlSAg2UNWIIRAv6RAJ0Wli4mxD2sHeRcN+jUh3Sd0yaBQgCdEdn+
v8Nap371hJaGfnf1nw5/Yz8=
=rSqP
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F132261)

Red Hat Security Advisory 2015-1091-01 (PacketStormID:F132261)
2015-06-11 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1091-01 - IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Satellite IBM Java Runtime security update
Advisory ID:       RHSA-2015:1091-01
Product:           Red Hat Satellite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1091.html
Issue date:        2015-06-11
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Satellite 5.6 and 5.7.

Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 5.6 (RHEL v.5) - s390x, x86_64
Red Hat Satellite 5.6 (RHEL v.6) - s390x, x86_64
Red Hat Satellite 5.7 (RHEL v.6) - s390x, x86_64

3. Description:

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Satellite 5. In a typical
operating environment, these are of low security risk as the runtime is not
used on untrusted applets. Further information about these flaws can be
found on the IBM Java Security alerts page, listed in the References
section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192, CVE-2015-0458,
CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480,
CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to from the References section, for additional details
about this change.

Users of Red Hat Satellite 5.6 and 5.7 are advised to upgrade to these
updated packages, which contain the IBM Java SE 6 SR16-FP4 release. For
this update to take effect, Red Hat Satellite must be restarted
("/usr/sbin/rhn-satellite restart"), as well as all running instances of
IBM Java.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Satellite 5.6 (RHEL v.5):

Source:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.src.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.x86_64.rpm

Red Hat Satellite 5.6 (RHEL v.6):

Source:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.src.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Satellite 5.7 (RHEL v.6):

Source:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.src.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#low
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVedP0XlSAg2UNWIIRAg5vAJ4nwysR3mdqiINAkBuO7RTvoMLb+wCgrSa/
7hMnap3QFFVLXgF/jDPGSDE=
=PnnG
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information

ID: 15435
Title: Sun JDK / SDK Jar Handling Traversal Arbitrary File Overwrite
Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Public

- Vulnerability Description

The Jar utility provided with Java's JDK/SDK allows the extraction of files with names that traverse the directory structure of the host system. This could be used to create a malicious Jar that will overwrite arbitrary files on the host system when it is extracted.

- Timeline

Disclosure Date: 2005-04-11
Discovery Date: 2005-04-09
Exploit Publish Date: 2005-04-11
Solution Date: Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

- Vulnerability Information

Title: Sun J2SE Software Development Kit Java Archive Tool Directory Traversal Vulnerability
Class: Input Validation Error
Bugtraq ID: 13083
Remote: Yes
Local: No
Published: 2005-04-09 12:00:00
Updated: 2009-07-12 12:56:00
Credit: Discovery is credited to Pluf <pluf@7a69ezine.org>.

- Affected Program Versions

Sun SDK (Linux Production Release) 1.5
Sun Java 2 Standard Edition SDK 1.4.2

- Vulnerability Discussion

The Java Archive Tool is reported vulnerable to a directory traversal vulnerability.

An attacker can supply a malicious archive containing files named with '../' directory traversal sequences, which can potentially overwrite existing data during extraction.

Sun Java 2 Standard Edition versions 1.5.0 and 1.4.2 for both Linux and Microsoft Windows platforms are reported vulnerable. Other vendors using the technology may be affected as well.
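The flaw described above is the generic archive-extraction problem: an entry name is joined to the destination directory without checking that the result still lies inside it. The following is an added example, not code from the advisory, from Sun's jar tool or from Red Hat; it shows the containment check an extractor needs, exercised on a constructed in-memory archive whose entry names (the '../' form the discussion mentions, an absolute name, and a name that detours through a subdirectory before escaping) are assumptions made for the demonstration. Backslashes are treated as separators because Windows extractors interpret them that way.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Optional


def resolve_entry(dest_dir: str, entry_name: str) -> Optional[str]:
    """Map an archive entry name to an on-disk path under dest_dir.

    Returns the absolute path to write, or None when the name would land
    outside dest_dir: the '..' case from the advisory, absolute names, and
    (conservatively) anything that looks like a drive-letter name.
    """
    name = entry_name.replace("\\", "/")              # treat both separators alike
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None                                    # absolute or drive-letter name
    dest = os.path.realpath(dest_dir)
    norm = posixpath.normpath(name)                    # collapse '.', '..' and '//'
    candidate = os.path.realpath(os.path.join(dest, *norm.split("/")))
    # realpath also follows symlinks that already exist on disk, so a link
    # planted by an earlier entry cannot redirect a later one outside dest.
    try:
        contained = os.path.commonpath([dest, candidate]) == dest
    except ValueError:                                 # different drives on Windows
        contained = False
    return candidate if contained else None


def check_entries(dest_dir: str, entry_names) -> dict:
    """Classify entry names (True = safe to extract) without touching the disk."""
    return {n: resolve_entry(dest_dir, n) is not None for n in entry_names}


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only contained entries; return (written, rejected) name lists."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)         # log and skip, never write
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: two ordinary entries and three that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"ordinary entry\n")
        zf.writestr("a/../b.txt", b"normalises to b.txt, still inside\n")
        zf.writestr("../outside.txt", b"one level above the destination\n")
        zf.writestr("sub/../../escape.txt", b"escapes after a detour\n")
        zf.writestr("/absolute.txt", b"absolute name\n")
    return buf.getvalue()


def demo():
    """Extract the sample archive into a scratch directory; return sorted lists."""
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(build_sample_archive(), dest)
        return sorted(written), sorted(rejected)


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by searching the name for "..", so a name that dips into a subdirectory and back out ("a/../b.txt") is accepted while one that ends up outside the destination ("sub/../../escape.txt") is refused, and a sibling directory with the destination as a prefix of its name ("../dest2/x") is refused as well.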

- Exploit

An exploit is not required.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Related References
