CVE-2015-2808
CVSS 4.3
Published: 2015-03-31 22:00:35
Last revised: 2018-01-18 13:18:01

[Original text] The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.


[CNNVD] RC4 cryptographic issues vulnerability (CNNVD-201503-654)


RC4 is a variable-key-length stream cipher designed by the American cryptographer Ron Rivest. It consists of a pseudo-random byte generator whose output is XORed with the data, and the same key is used for encryption and decryption.

The RC4 algorithm as used in the TLS and SSL protocols contains a security weakness: its key-scheduling step does not combine the state and the key properly during initialization, so for a class of keys the low-order bits of the initial keystream bytes are predictable. A remote attacker who sniffs enough connections will occasionally capture a session keyed with such a weak key; the predictable bits, combined with a brute-force search over the remaining bit values, then allow recovery of plaintext from the initial bytes of the stream. The weakness lies in the RC4 key schedule itself rather than in any one implementation, so the remediation is to stop negotiating RC4 cipher suites.
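The mechanism behind that description, as an added example written for this page (it is not code from MITRE, CNNVD, the Black Hat paper or any vendor): a plain RC4 implementation, a sampler for weak keys, and a measurement of how predictable the low bits of the first keystream bytes are. The key class is an assumption of this example, a narrowed form of the 2001 Fluhrer-Mantin-Shamir Invariance-Weakness class for 16-byte keys that fixes K[0] = 1 and K[1] = 0; with those two bytes fixed the key schedule provably never swaps entries whose indices differ mod 2^q, so the state property is exact rather than probabilistic. The class, probabilities and key counts of the real attack are in the linked Black Hat paper and are not reproduced here. All keys and the sample message are constructed locally with a seeded RNG.

```python
import random

N = 256  # RC4 state size


def ksa(key):
    """RC4 key scheduling: returns the 256-entry permutation S."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S, nbytes):
    """RC4 output generation: the first nbytes of keystream from state S."""
    S = S[:]  # work on a copy so the caller's state stays intact
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out


def rc4_keystream(key, nbytes):
    return prga(ksa(key), nbytes)


def weak_key(rng, q, length=16):
    """Sample a 128-bit key from the narrowed Invariance-Weakness class
    (assumption of this example): K[0] = 1, K[1] = 0, and the low q bits of
    K[r] equal to (1 - r) mod 2^q.  Requires 2^q to divide the key length."""
    assert length % (1 << q) == 0, "2^q must divide the key length"
    mask = (1 << q) - 1
    key = [1, 0]
    for r in range(2, length):
        key.append((rng.randrange(N) & ~mask) | ((1 - r) & mask))
    return key


def random_key(rng, length=16):
    return [rng.randrange(N) for _ in range(length)]


def conserved_positions(S, q):
    """Number of entries with S[x] == x (mod 2^q)."""
    mask = (1 << q) - 1
    return sum(1 for x in range(N) if (S[x] & mask) == (x & mask))


def predicted_low_bits(t, q):
    """Low q bits of keystream byte t (t = 1, 2, ...) while S stays
    2^q-conserving: j_t = t(t+1)/2 and Z_t = S[S[i]+S[j]] = i + j = t(t+3)/2."""
    return (t * (t + 3) // 2) & ((1 << q) - 1)


def agreement_rates(keys, q, nbytes):
    """Per position, the fraction of keys whose keystream byte carries the
    predicted low bits (a random-looking stream would give about 1/2^q)."""
    mask = (1 << q) - 1
    hits = [0] * nbytes
    for key in keys:
        for idx, z in enumerate(rc4_keystream(key, nbytes)):
            if (z & mask) == predicted_low_bits(idx + 1, q):
                hits[idx] += 1
    return [h / len(keys) for h in hits]


def recover_low_bits(ciphertext, q):
    """Attacker's step: XOR the predicted keystream bits out of the first
    ciphertext bytes to guess the low q bits of each plaintext byte."""
    mask = (1 << q) - 1
    return [(c ^ predicted_low_bits(t, q)) & mask
            for t, c in enumerate(ciphertext, start=1)]


def demo(q=1, samples=3000, nbytes=16, seed=2015):
    rng = random.Random(seed)
    weak = [weak_key(rng, q) for _ in range(samples)]
    rand = [random_key(rng) for _ in range(samples)]
    return {
        # deterministic for this key class: only the two entries displaced by
        # the first two KSA steps (the values 1 and 0) ever break the congruence
        "ksa_conserved": sorted({conserved_positions(ksa(k), q) for k in weak}),
        "weak_rates": agreement_rates(weak, q, nbytes),
        "random_rates": agreement_rates(rand, q, nbytes),
    }


if __name__ == "__main__":
    res = demo()
    print("entries with S[x] == x (mod 2) after KSA, weak keys:", res["ksa_conserved"], "of", N)
    for t, (w, r) in enumerate(zip(res["weak_rates"], res["random_rates"]), 1):
        print(f"byte {t:2d}: predicted LSB seen for {w:.2f} of weak keys, {r:.2f} of random keys")
    # constructed message (not real traffic) encrypted under one sampled weak key
    msg = list(b"GET /acct?token=deadbeef")
    ct = [m ^ z for m, z in zip(msg, rc4_keystream(weak_key(random.Random(7), 1), len(msg)))]
    guess = recover_low_bits(ct, 1)
    print("plaintext LSBs guessed right:", sum(g == (m & 1) for g, m in zip(guess, msg)), "of", len(msg))
```

Running it prints, per keystream position, how often the predicted low bit appears for weak keys versus random keys: the first byte agrees for the large majority of weak keys against about half of random ones, and the agreement decays with position as the PRGA starts swapping entries of different residue. In TLS the first keystream bytes encrypt the handshake's Finished message, so a real attacker needs many sessions, a target field that sits early in the stream, and the occasional weak key; that is why the description speaks of the initial bytes of a stream and of traffic that only occasionally uses an affected key.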

- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no effect on system integrity]
Availability impact: NONE [no effect on system availability]
Access complexity: MEDIUM [exploitation depends on certain access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication required to exploit]

- CWE (weakness category)

CWE-310 [Cryptographic Issues]

- CPE (affected platforms and products)

cpe:/a:apple:safari  Apple Safari
cpe:/a:google:chrome:-
cpe:/a:ibm:websphere_application_server  IBM WebSphere Application Server
cpe:/a:jboss:jboss_enterprise_application_server
cpe:/a:microsoft:ie  Microsoft Internet Explorer
cpe:/a:microsoft:iis
cpe:/a:mozilla:firefox  Mozilla Firefox
cpe:/a:opera:opera_browser:-
cpe:/a:oracle:glassfish
cpe:/a:sun:glassfish_enterprise_server

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2808
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201503-654
(official data source) CNNVD

- Other links and resources

http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034
(UNKNOWN)  CONFIRM  http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
(UNKNOWN)  CONFIRM  http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727
(UNKNOWN)  CONFIRM  http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html
(UNKNOWN)  SUSE  SUSE-SU-2015:1073
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html
(UNKNOWN)  SUSE  SUSE-SU-2015:1085
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html
(UNKNOWN)  SUSE  SUSE-SU-2015:1086
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html
(UNKNOWN)  SUSE  SUSE-SU-2015:1138
http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00031.html
(UNKNOWN)  SUSE  SUSE-SU-2015:1161
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
(UNKNOWN)  SUSE  openSUSE-SU-2015:1288
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
(UNKNOWN)  SUSE  openSUSE-SU-2015:1289
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
(UNKNOWN)  SUSE  SUSE-SU-2015:1319
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
(UNKNOWN)  SUSE  SUSE-SU-2015:1320
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html
(UNKNOWN)  SUSE  SUSE-SU-2015:2166
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html
(UNKNOWN)  SUSE  SUSE-SU-2015:2192
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.html
(UNKNOWN)  SUSE  SUSE-SU-2016:0113
http://marc.info/?l=bugtraq&m=143456209711959&w=2
(UNKNOWN)  HP  HPSBGN03338
http://marc.info/?l=bugtraq&m=143629696317098&w=2
(UNKNOWN)  HP  HPSBGN03354
http://marc.info/?l=bugtraq&m=143741441012338&w=2
(UNKNOWN)  HP  SSRT102150
http://marc.info/?l=bugtraq&m=143817021313142&w=2
(UNKNOWN)  HP  SSRT102133
http://marc.info/?l=bugtraq&m=143817899717054&w=2
(UNKNOWN)  HP  SSRT102129
http://marc.info/?l=bugtraq&m=143818140118771&w=2
(UNKNOWN)  HP  SSRT102127
http://marc.info/?l=bugtraq&m=144043644216842&w=2
(UNKNOWN)  HP  HPSBMU03345
http://marc.info/?l=bugtraq&m=144059660127919&w=2
(UNKNOWN)  HP  HPSBGN03414
http://marc.info/?l=bugtraq&m=144059703728085&w=2
(UNKNOWN)  HP  HPSBGN03415
http://marc.info/?l=bugtraq&m=144060576831314&w=2
(UNKNOWN)  HP  HPSBGN03399
http://marc.info/?l=bugtraq&m=144060606031437&w=2
(UNKNOWN)  HP  HPSBGN03405
http://marc.info/?l=bugtraq&m=144069189622016&w=2
(UNKNOWN)  HP  HPSBGN03402
http://marc.info/?l=bugtraq&m=144102017024820&w=2
(UNKNOWN)  HP  HPSBGN03407
http://marc.info/?l=bugtraq&m=144104533800819&w=2
(UNKNOWN)  HP  HPSBMU03401
http://marc.info/?l=bugtraq&m=144104565600964&w=2
(UNKNOWN)  HP  HPSBGN03403
http://marc.info/?l=bugtraq&m=144493176821532&w=2
(UNKNOWN)  HP  SSRT102254
http://rhn.redhat.com/errata/RHSA-2015-1006.html
(UNKNOWN)  REDHAT  RHSA-2015:1006
http://rhn.redhat.com/errata/RHSA-2015-1007.html
(UNKNOWN)  REDHAT  RHSA-2015:1007
http://rhn.redhat.com/errata/RHSA-2015-1020.html
(UNKNOWN)  REDHAT  RHSA-2015:1020
http://rhn.redhat.com/errata/RHSA-2015-1021.html
(UNKNOWN)  REDHAT  RHSA-2015:1021
http://rhn.redhat.com/errata/RHSA-2015-1091.html
(UNKNOWN)  REDHAT  RHSA-2015:1091
http://rhn.redhat.com/errata/RHSA-2015-1228.html
(UNKNOWN)  REDHAT  RHSA-2015:1228
http://rhn.redhat.com/errata/RHSA-2015-1229.html
(UNKNOWN)  REDHAT  RHSA-2015:1229
http://rhn.redhat.com/errata/RHSA-2015-1230.html
(UNKNOWN)  REDHAT  RHSA-2015:1230
http://rhn.redhat.com/errata/RHSA-2015-1241.html
(UNKNOWN)  REDHAT  RHSA-2015:1241
http://rhn.redhat.com/errata/RHSA-2015-1242.html
(UNKNOWN)  REDHAT  RHSA-2015:1242
http://rhn.redhat.com/errata/RHSA-2015-1243.html
(UNKNOWN)  REDHAT  RHSA-2015:1243
http://rhn.redhat.com/errata/RHSA-2015-1526.html
(UNKNOWN)  REDHAT  RHSA-2015:1526
http://www-01.ibm.com/support/docview.wss?uid=swg1IV71888
(UNKNOWN)  AIXAPAR  IV71888
http://www-01.ibm.com/support/docview.wss?uid=swg1IV71892
(UNKNOWN)  AIXAPAR  IV71892
http://www-01.ibm.com/support/docview.wss?uid=swg21883640
(UNKNOWN)  CONFIRM  http://www-01.ibm.com/support/docview.wss?uid=swg21883640
http://www-304.ibm.com/support/docview.wss?uid=swg21903565
(UNKNOWN)  CONFIRM  http://www-304.ibm.com/support/docview.wss?uid=swg21903565
http://www-304.ibm.com/support/docview.wss?uid=swg21960015
(UNKNOWN)  CONFIRM  http://www-304.ibm.com/support/docview.wss?uid=swg21960015
http://www-304.ibm.com/support/docview.wss?uid=swg21960769
(UNKNOWN)  CONFIRM  http://www-304.ibm.com/support/docview.wss?uid=swg21960769
http://www.debian.org/security/2015/dsa-3316
(UNKNOWN)  DEBIAN  DSA-3316
http://www.debian.org/security/2015/dsa-3339
(UNKNOWN)  DEBIAN  DSA-3339
http://www.huawei.com/en/psirt/security-advisories/hw-454055
(UNKNOWN)  CONFIRM  http://www.huawei.com/en/psirt/security-advisories/hw-454055
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/73684
(UNKNOWN)  BID  73684
http://www.securityfocus.com/bid/91787
(UNKNOWN)  BID  91787
http://www.securitytracker.com/id/1032599
(UNKNOWN)  SECTRACK  1032599
http://www.securitytracker.com/id/1032600
(UNKNOWN)  SECTRACK  1032600
http://www.securitytracker.com/id/1032707
(UNKNOWN)  SECTRACK  1032707
http://www.securitytracker.com/id/1032708
(UNKNOWN)  SECTRACK  1032708
http://www.securitytracker.com/id/1032734
(UNKNOWN)  SECTRACK  1032734
http://www.securitytracker.com/id/1032788
(UNKNOWN)  SECTRACK  1032788
http://www.securitytracker.com/id/1032858
(UNKNOWN)  SECTRACK  1032858
http://www.securitytracker.com/id/1032868
(UNKNOWN)  SECTRACK  1032868
http://www.securitytracker.com/id/1032910
(UNKNOWN)  SECTRACK  1032910
http://www.securitytracker.com/id/1032990
(UNKNOWN)  SECTRACK  1032990
http://www.securitytracker.com/id/1033071
(UNKNOWN)  SECTRACK  1033071
http://www.securitytracker.com/id/1033072
(UNKNOWN)  SECTRACK  1033072
http://www.securitytracker.com/id/1033386
(UNKNOWN)  SECTRACK  1033386
http://www.securitytracker.com/id/1033415
(UNKNOWN)  SECTRACK  1033415
http://www.securitytracker.com/id/1033431
(UNKNOWN)  SECTRACK  1033431
http://www.securitytracker.com/id/1033432
(UNKNOWN)  SECTRACK  1033432
http://www.securitytracker.com/id/1033737
(UNKNOWN)  SECTRACK  1033737
http://www.securitytracker.com/id/1033769
(UNKNOWN)  SECTRACK  1033769
http://www.securitytracker.com/id/1036222
(UNKNOWN)  SECTRACK  1036222
http://www.ubuntu.com/usn/USN-2696-1
(UNKNOWN)  UBUNTU  USN-2696-1
http://www.ubuntu.com/usn/USN-2706-1
(UNKNOWN)  UBUNTU  USN-2706-1
http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454055.htm
(UNKNOWN)  CONFIRM  http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454055.htm
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04687922
(UNKNOWN)  HP  SSRT102073
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140
(UNKNOWN)  CONFIRM  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04772190
(UNKNOWN)  CONFIRM  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04772190
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773119
(UNKNOWN)  CONFIRM  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773119
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241
(UNKNOWN)  CONFIRM  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773256
(UNKNOWN)  CONFIRM  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773256
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246
(UNKNOWN)  CONFIRM  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789
(UNKNOWN)  CONFIRM  https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04708650
(UNKNOWN)  CONFIRM  https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04708650
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04711380
(UNKNOWN)  CONFIRM  https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04711380
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988
(UNKNOWN)  CONFIRM  https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193347
(UNKNOWN)  CONFIRM  https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193347
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
(UNKNOWN)  CONFIRM  https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
(UNKNOWN)  CONFIRM  https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
https://kb.juniper.net/JSA10783
(UNKNOWN)  CONFIRM  https://kb.juniper.net/JSA10783
https://kc.mcafee.com/corporate/index?page=content&id=SB10163
(UNKNOWN)  CONFIRM  https://kc.mcafee.com/corporate/index?page=content&id=SB10163
https://security.gentoo.org/glsa/201512-10
(UNKNOWN)  GENTOO  GLSA-201512-10
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098709
(UNKNOWN)  CONFIRM  https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098709
https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf
(VENDOR_ADVISORY)  MISC  https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

- Vulnerability information

RC4 cryptographic issues vulnerability
Medium severity  Cryptographic issue
2015-04-02 00:00:00 2015-04-02 00:00:00
Remote

- Advisories and patches

        At the time this record was written the vendors had not yet released a fix for this issue; users of the affected software were advised to watch the vendor home pages or the reference URL below:
        https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

        Because the weakness is in the RC4 algorithm itself, there is no patched RC4 to install; the fix every vendor advisory listed above applies is to stop offering RC4 cipher suites (the Red Hat advisories below, for example, note that the IBM JDK now disables the RC4 SSL/TLS cipher suites by default). RFC 7465 (February 2015) prohibits RC4 cipher suites in TLS altogether, so a compliant client or server must neither offer nor select them.
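Whether an endpoint still offers RC4 is the check to run before relying on any of these advisories. The following is an added example written for this page, not a tool from any vendor or from the CNNVD record: it sends a TLS 1.2 ClientHello that offers only the IANA-registered RC4 cipher suites and classifies the first record the server returns. A ServerHello selecting one of the suites means the server is still exposed; a handshake_failure alert means RC4 is disabled. Host and port are whatever the caller passes; the two sample replies at the end are constructed in the code, not captured from a real server, so the parser can be exercised offline.

```python
import os
import socket
import struct

# IANA cipher-suite IDs for the RC4 suites a TLS server might still accept.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}


def build_client_hello(server_name, suites=tuple(RC4_SUITES), client_random=None):
    """TLS 1.2 ClientHello record that offers only `suites` and carries an SNI extension."""
    client_random = client_random or os.urandom(32)
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name (0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + client_random + b"\x00"                   # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                          # compression methods: null only
            + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record-layer version 3.1 is the conventional value on an initial ClientHello
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record the server returns.

    ('accepted', suite_name)  -> server picked an RC4 suite: still exposed
    ('refused', alert_name)   -> server rejected every offered suite
    ('other', detail)         -> truncated read or an unexpected record
    """
    if len(data) < 5:
        return ("other", "short read")
    rtype = data[0]
    rlen = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if rtype == RECORD_ALERT and len(payload) >= 2:
        return ("refused", ALERT_NAMES.get(payload[1], f"alert {payload[1]}"))
    if rtype == RECORD_HANDSHAKE and payload and payload[0] == HS_SERVER_HELLO:
        # handshake header (4) + version (2) + random (32) + session_id<0..32>
        sid_len = payload[38]
        off = 39 + sid_len
        suite = struct.unpack("!H", payload[off:off + 2])[0]
        return ("accepted", RC4_SUITES.get(suite, f"0x{suite:04x}"))
    return ("other", f"record type 0x{rtype:02x}")


def probe(host, port=443, timeout=5.0):
    """Send the RC4-only ClientHello to a live endpoint and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return parse_server_response(sock.recv(4096))


# Constructed sample replies (not captured from any real server) for offline use:
# a ServerHello selecting TLS_RSA_WITH_RC4_128_SHA, and a fatal handshake_failure alert.
_sh_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x05" + b"\x00"
_sh_hs = bytes([HS_SERVER_HELLO]) + len(_sh_body).to_bytes(3, "big") + _sh_body
SAMPLE_SERVER_HELLO = bytes([RECORD_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(_sh_hs)) + _sh_hs
SAMPLE_ALERT = bytes([RECORD_ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 40])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print(parse_server_response(SAMPLE_SERVER_HELLO))
        print(parse_server_response(SAMPLE_ALERT))
```

Run it with a hostname to probe a live server, or without arguments to see the two constructed replies classified. Because the ClientHello offers nothing but RC4, a server that completes the negotiation has proven it will still use the cipher; a server that answers with any other suite ID (reported as its hex value) is misbehaving and worth a closer look as well.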

- Vulnerability information (F131896)

Red Hat Security Advisory 2015-1006-01 (PacketStormID:F131896)
2015-05-13 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808
[Download]

Red Hat Security Advisory 2015-1006-01 - IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.6.0-ibm security update
Advisory ID:       RHSA-2015:1006-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1006.html
Issue date:        2015-05-13
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,
CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to from the References section, for additional details
about this change.

All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR16-FP4 release. All running
instances of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm

ppc:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.s390.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.i686.rpm

ppc64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.ppc.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.ppc64.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.i686.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVU16HXlSAg2UNWIIRAv4ZAKCZFz3t93vvFLN3TKeIIkrCLCfJVgCgkgwf
4gqMoizth0uxHxklRYtWjSo=
=gCmI
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F131895)

Red Hat Security Advisory 2015-1007-01 (PacketStormID:F131895)
2015-05-13 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808
[Download]

Red Hat Security Advisory 2015-1007-01 - IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-ibm security update
Advisory ID:       RHSA-2015:1007-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1007.html
Issue date:        2015-05-13
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.7.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64

3. Description:

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,
CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to from the References section, for additional details
about this change.

All users of java-1.7.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7 SR9 release. All running instances
of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm

x86_64:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm

ppc:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.ppc64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.ppc.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.ppc64.rpm

s390x:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.s390x.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.s390.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.s390x.rpm

x86_64:
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-demo-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-devel-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.9.0-1jpp.1.el5.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.i386.rpm
java-1.7.0-ibm-src-1.7.0.9.0-1jpp.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVU17bXlSAg2UNWIIRAposAKCl1KKypq8jh2fZMiMQSgQebqOoUACgv6ub
8xby/2Wo5myeInqZfXjH5zs=
=ltGy
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- Vulnerability information (F131943)

Red Hat Security Advisory 2015-1020-01 (PacketStormID:F131943)
2015-05-20 00:00:00
Red Hat
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1020-01 - IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.1-ibm security update
Advisory ID:       RHSA-2015:1020-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1020.html
Issue date:        2015-05-20
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.7.1-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 6 and 7 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64

3. Description:

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment
and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478,
CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to in the References section, for additional details
about this change.

All users of java-1.7.1-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7R1 SR3 release. All running instances
of IBM Java must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.i686.rpm

ppc64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.ppc.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.ppc.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.ppc.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.ppc64.rpm

s390x:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.s390.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.s390.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.ppc.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.ppc.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.ppc.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.ppc64.rpm

s390x:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.s390.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.s390.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64le:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 7):

x86_64:
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-demo-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.i686.rpm
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-jdbc-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-plugin-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm
java-1.7.1-ibm-src-1.7.1.3.0-1jpp.2.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVXOTGXlSAg2UNWIIRAvfJAJ9DovG7A8ayKhzQHDvfw5uZBYQYugCeKjis
QkKpSNCwvzHfJyVERdTh+TM=
=or85
-----END PGP SIGNATURE-----



- Vulnerability information (F131942)

Red Hat Security Advisory 2015-1021-01 (PacketStormID:F131942)
2015-05-20 00:00:00
Red Hat
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1021-01 - IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat Product Security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.5.0-ibm security update
Advisory ID:       RHSA-2015:1021-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1021.html
Issue date:        2015-05-20
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0459 CVE-2015-0469 CVE-2015-0477 
                   CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 
                   CVE-2015-0491 CVE-2015-1914 CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.5.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further information
about these flaws can be found on the IBM Java Security alerts page, listed
in the References section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192,
CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480,
CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to in the References section, for additional details
about this change.
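
The note above, which the advisories on this page repeat for each IBM JDK
release, says the updated JDK disables RC4 SSL/TLS cipher suites by default.
The check a practitioner wants after applying the update is to confirm on the
deployed JDK that RC4 suites are actually gone. The script below is an added
example, not Red Hat or IBM code. It assumes the restriction is expressed the
way OpenJDK and Oracle JDK express it, as an "RC4" entry in the
jdk.tls.disabledAlgorithms property of the JDK's java.security file; the
advisories do not say how the IBM JDK implements the change (Bugzilla 1207101,
comment 4, is the reference for that), so treat that mechanism as an
assumption. The two java.security fragments and the list of cipher suites in
the script are constructed for the example. The script parses the properties
file (comments and backslash continuations included), reports whether RC4 is
listed, and applies a simplified model of the JDK's suite matching so the
pre-update and hardened configurations can be compared side by side.

```python
"""Check whether a java.security file disables RC4 TLS cipher suites.

Added example, not Red Hat or IBM code. It assumes the RC4 restriction is
expressed as an "RC4" entry in jdk.tls.disabledAlgorithms, as OpenJDK does;
the advisories do not state how the IBM JDK implements the change.
"""

# Constructed sample configurations: a pre-update fragment with no RC4 entry
# beside a hardened one that lists RC4 (using the backslash line continuation
# that real java.security files use for long lists).
WEAK_JAVA_SECURITY = """\
# constructed java.security fragment: RC4 suites still enabled
jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
"""

HARDENED_JAVA_SECURITY = """\
# constructed java.security fragment: RC4 suites disabled
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
"""

# Constructed stand-in for the suites a JVM reports as enabled, e.g. from
# SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites().
SAMPLE_ENABLED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]


def parse_properties(text):
    """Parse the subset of java.util.Properties syntax that java.security uses:
    '#' or '!' comment lines, key=value pairs and backslash line continuations.
    A continuation line is data even when it begins with '#'."""
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line = pending + line
            pending = None
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    if pending is not None:  # file ended inside a continuation
        key, sep, value = pending.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def disabled_tls_algorithms(text):
    """Entries of jdk.tls.disabledAlgorithms as a list of strings."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms", "")
    return [item.strip() for item in value.split(",") if item.strip()]


def rc4_disabled(text):
    """True when RC4 is listed in jdk.tls.disabledAlgorithms."""
    return any(alg.upper() == "RC4" for alg in disabled_tls_algorithms(text))


def apply_disabled_list(suites, disabled):
    """Simplified model of how the JDK applies the list to suite names: a plain
    algorithm name disables every suite carrying it as an underscore-delimited
    component, so "RC4" removes TLS_RSA_WITH_RC4_128_SHA and friends. Entries
    with a keySize constraint restrict key lengths, not names, and are skipped.
    The real matching has more rules; this is enough for the RC4 check."""
    names = {e.split()[0].upper() for e in disabled if "keySize" not in e}
    return [s for s in suites if not names & set(s.upper().split("_"))]


def report(text, suites=SAMPLE_ENABLED_SUITES):
    """Summarise one java.security file: RC4 status and surviving suites."""
    kept = apply_disabled_list(suites, disabled_tls_algorithms(text))
    return {
        "rc4_disabled": rc4_disabled(text),
        "rc4_suites_still_enabled": [s for s in kept if "RC4" in s],
        "enabled_suites": kept,
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_JAVA_SECURITY),
                       ("hardened", HARDENED_JAVA_SECURITY)):
        r = report(cfg)
        print(f"{label}: rc4_disabled={r['rc4_disabled']}, "
              f"RC4 suites still offered={r['rc4_suites_still_enabled']}")
```

Run it as a script to print both reports. To check a real installation, read
the file at $JAVA_HOME/jre/lib/security/java.security (the conventional layout
of a Java 7 JRE) and pass its contents to report(). A clean result from the
file alone is not a guarantee: the restart requirement in the advisory still
applies, and an application can re-enable suites through
setEnabledCipherSuites(), so pair this with a look at what the running process
actually negotiates.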

IBM Java SDK and JRE 5.0 will not receive software updates after September
2015. This date is referred to as the End of Service (EOS) date. Customers
are advised to migrate to current versions of IBM Java at this time. IBM
Java SDK and JRE versions 6 and 7 are available via the Red Hat Enterprise
Linux 5 and 6 Supplementary content sets and will continue to receive
updates based on IBM's lifecycle policy, linked to in the References
section.

Customers can also consider OpenJDK, an open source implementation of
the Java SE specification. OpenJDK is available by default on supported
hardware architectures.

All users of java-1.5.0-ibm are advised to upgrade to these updated
packages, containing the IBM J2SE 5.0 SR16-FP10 release. All running
instances of IBM Java must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 5):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm

ppc:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-accessibility-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el5.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.i386.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el5.x86_64.rpm

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.i686.rpm

ppc64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.ppc.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.ppc.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.ppc.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.ppc64.rpm

s390x:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.s390.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.s390.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.5.0-ibm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-demo-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-devel-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-javacomm-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
java-1.5.0-ibm-jdbc-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-plugin-1.5.0.16.10-1jpp.1.el6_6.i686.rpm
java-1.5.0-ibm-src-1.5.0.16.10-1jpp.1.el6_6.x86_64.rpm
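
A check a practitioner wants against the package lists above (this advisory
and the two earlier ones on the page) is whether the IBM Java RPMs installed
on a host are at or past the fixed builds. The script below is an added
example, not Red Hat tooling. The fixed version-release pairs in it are copied
from the package lists on this page, the rpm -qa output is constructed, and
rpmvercmp() is a port of rpm's classic segment comparison (the caret operator
of newer rpm releases is not modelled). Epochs are taken as 0 because none of
the listed packages carries one.

```python
"""Compare installed IBM Java RPMs with the fixed builds in these advisories.

Added example, not Red Hat tooling. FIXED is copied from the package lists on
this page; SAMPLE_RPM_QA is constructed (a real host would use `rpm -qa`).
"""
import re

# (version, release) of the fixed build per package family and dist tag.
FIXED = {
    "java-1.7.0-ibm": {"el5": ("1.7.0.9.0", "1jpp.1.el5")},
    "java-1.7.1-ibm": {"el6_6": ("1.7.1.3.0", "1jpp.2.el6_6"),
                       "el7_1": ("1.7.1.3.0", "1jpp.2.el7_1"),
                       "ael7b_1": ("1.7.1.3.0", "1jpp.2.ael7b_1")},
    "java-1.5.0-ibm": {"el5": ("1.5.0.16.10", "1jpp.1.el5"),
                       "el6_6": ("1.5.0.16.10", "1jpp.1.el6_6")},
}

# Constructed `rpm -qa` output: two pre-update packages, one already fixed,
# and an unrelated OpenJDK package that the audit must ignore.
SAMPLE_RPM_QA = """\
java-1.7.1-ibm-1.7.1.2.0-1jpp.1.el6_6.x86_64
java-1.7.1-ibm-devel-1.7.1.3.0-1jpp.2.el6_6.x86_64
java-1.5.0-ibm-1.5.0.16.9-1jpp.1.el6_6.x86_64
java-1.7.0-openjdk-1.7.0.79-2.5.5.1.el6_6.x86_64
"""


def rpmvercmp(a, b):
    """Port of rpm's classic rpmvercmp(): returns -1, 0 or 1. Strings split
    into digit and letter segments; digit segments compare numerically, letter
    segments as strings, a digit segment beats a letter segment, and '~' sorts
    before anything, even the end of the string ('^' is not modelled)."""
    if a == b:
        return 0
    while a or b:
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)  # drop separators
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pattern = r"\d+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pattern, a), re.match(pattern, b)
        if mb is None:  # segment types differ
            return 1 if numeric else -1
        sa, sb = ma.group(), mb.group()
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        a, b = a[ma.end():], b[mb.end():]
    if not a and not b:
        return 0
    return -1 if not a else 1


def compare_evr(evr_a, evr_b):
    """Compare (epoch, version, release) triples the way rpm orders them."""
    for x, y in zip(evr_a, evr_b):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def split_nvra(pkg):
    """'name-version-release.arch' -> (name, version, release, arch); the name
    may contain dashes (java-1.7.1-ibm-devel), so split from the right."""
    nvr, _, arch = pkg.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


_DIST = re.compile(r"\.([a-z]*el\d+[a-z]*(?:_\d+)?)$")


def dist_tag(release):
    """Dist tag at the end of a release string, e.g. el6_6 or ael7b_1."""
    m = _DIST.search(release)
    return m.group(1) if m else None


def audit(rpm_qa_output):
    """Map each installed IBM Java package to 'fixed', 'vulnerable' or
    'unknown-dist' (no fixed build listed for that dist tag)."""
    result = {}
    for pkg in rpm_qa_output.split():
        name, version, release, _arch = split_nvra(pkg)
        family = next((f for f in FIXED
                       if name == f or name.startswith(f + "-")), None)
        if family is None:
            continue  # not an IBM Java package from these advisories
        fixed = FIXED[family].get(dist_tag(release))
        if fixed is None:
            result[pkg] = "unknown-dist"
            continue
        rc = compare_evr(("0", version, release), ("0",) + fixed)
        result[pkg] = "fixed" if rc >= 0 else "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_RPM_QA).items():
        print(f"{status:12} {pkg}")
```

On a real host, feed audit() the output of rpm -qa 'java-*-ibm*' instead of
the constructed sample. For a definitive answer prefer rpm's own comparison
(rpmdev-vercmp from rpmdevtools) over a port, and remember that a fixed
package on disk still needs the running JVMs restarted, as the advisory says.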

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#important
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4
https://www.ibm.com/developerworks/java/jdk/lifecycle/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVXOXmXlSAg2UNWIIRAv6RAJ0Wli4mxD2sHeRcN+jUh3Sd0yaBQgCdEdn+
v8Nap371hJaGfnf1nw5/Yz8=
=rSqP
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F132261)

Red Hat Security Advisory 2015-1091-01 (PacketStormID:F132261)
2015-06-11 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2005-1080,CVE-2015-0138,CVE-2015-0192,CVE-2015-0458,CVE-2015-0459,CVE-2015-0469,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-0491,CVE-2015-1914,CVE-2015-2808

Red Hat Security Advisory 2015-1091-01 - IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Satellite 5. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Satellite IBM Java Runtime security update
Advisory ID:       RHSA-2015:1091-01
Product:           Red Hat Satellite
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1091.html
Issue date:        2015-06-11
CVE Names:         CVE-2005-1080 CVE-2015-0138 CVE-2015-0192 
                   CVE-2015-0458 CVE-2015-0459 CVE-2015-0469 
                   CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 
                   CVE-2015-0488 CVE-2015-0491 CVE-2015-1914 
                   CVE-2015-2808 
=====================================================================

1. Summary:

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Satellite 5.6 and 5.7.

Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 5.6 (RHEL v.5) - s390x, x86_64
Red Hat Satellite 5.6 (RHEL v.6) - s390x, x86_64
Red Hat Satellite 5.7 (RHEL v.6) - s390x, x86_64

3. Description:

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Satellite 5. In a typical
operating environment, these are of low security risk as the runtime is not
used on untrusted applets. Further information about these flaws can be
found on the IBM Java Security alerts page, listed in the References
section. (CVE-2005-1080, CVE-2015-0138, CVE-2015-0192, CVE-2015-0458,
CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480,
CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808)

The CVE-2015-0478 issue was discovered by Florian Weimer of Red Hat
Product Security.

Note: With this update, the IBM JDK now disables RC4 SSL/TLS cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to from the References section, for additional details
about this change.

Users of Red Hat Satellite 5.6 and 5.7 are advised to upgrade to these
updated packages, which contain the IBM Java SE 6 SR16-FP4 release. For
this update to take effect, Red Hat Satellite must be restarted
("/usr/sbin/rhn-satellite restart"), as well as all running instances of
IBM Java.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

606442 - CVE-2005-1080 jar: directory traversal vulnerability
1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1210355 - CVE-2015-0478 OpenJDK: RSA implementation hardening (JCE, 8071726)
1210829 - CVE-2015-0469 ICU: layout engine glyphStorage off-by-one (OpenJDK 2D, 8067699)
1211299 - CVE-2015-0477 OpenJDK: incorrect permissions check in resource loading (Beans, 8068320)
1211504 - CVE-2015-0480 OpenJDK: jar directory traversal issues (Tools, 8064601)
1211543 - CVE-2015-0488 OpenJDK: certificate options parsing uncaught exception (JSSE, 8068720)
1211768 - CVE-2015-0459 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211769 - CVE-2015-0491 Oracle JDK: unspecified vulnerability fixed in 5.0u85, 6u95, 7u79 and 8u45 (2D)
1211771 - CVE-2015-0458 Oracle JDK: unspecified vulnerability fixed in 6u95, 7u79 and 8u45 (Deployment)
1219212 - CVE-2015-0192 IBM JDK: unspecified Java sandbox restrictions bypass
1219215 - CVE-2015-1914 IBM JDK: unspecified partial Java sandbox restrictions bypass
1219223 - CVE-2015-0138 IBM JDK: ephemeral RSA keys accepted for non-export SSL/TLS cipher suites (FREAK)

6. Package List:

Red Hat Satellite 5.6 (RHEL v.5):

Source:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.src.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el5.x86_64.rpm

Red Hat Satellite 5.6 (RHEL v.6):

Source:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.src.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

Red Hat Satellite 5.7 (RHEL v.6):

Source:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.src.rpm

s390x:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.s390x.rpm

x86_64:
java-1.6.0-ibm-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.16.4-1jpp.1.el6_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2005-1080
https://access.redhat.com/security/cve/CVE-2015-0138
https://access.redhat.com/security/cve/CVE-2015-0192
https://access.redhat.com/security/cve/CVE-2015-0458
https://access.redhat.com/security/cve/CVE-2015-0459
https://access.redhat.com/security/cve/CVE-2015-0469
https://access.redhat.com/security/cve/CVE-2015-0477
https://access.redhat.com/security/cve/CVE-2015-0478
https://access.redhat.com/security/cve/CVE-2015-0480
https://access.redhat.com/security/cve/CVE-2015-0488
https://access.redhat.com/security/cve/CVE-2015-0491
https://access.redhat.com/security/cve/CVE-2015-1914
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/updates/classification/#low
https://www.ibm.com/developerworks/java/jdk/alerts/
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c4

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVedP0XlSAg2UNWIIRAg5vAJ4nwysR3mdqiINAkBuO7RTvoMLb+wCgrSa/
7hMnap3QFFVLXgF/jDPGSDE=
=PnnG
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
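The note in the advisory above says the updated IBM JDK (and, in RHSA-2015:1230 below, OpenJDK) disables RC4 SSL/TLS cipher suites by default. A post-patch verification of that change, written for this page as an added example and not code from Red Hat or IBM: it prints the `jdk.tls.disabledAlgorithms` security property, then scans the default `SSLContext`'s enabled cipher suites for any RC4 suite and exits non-zero if one is still enabled. The class name `Rc4SuiteCheck` is the example's own; the property name and the JSSE calls are standard. It assumes an OpenJDK/Oracle-style JSSE that honours `jdk.tls.disabledAlgorithms`; on a runtime that does not define that property (it may be null on the IBM JDK), the enabled-suite scan is the part that matters.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;

/**
 * Rc4SuiteCheck (example class, not part of any JDK): reports whether RC4
 * SSL/TLS cipher suites are still enabled by default in the running JVM.
 */
public final class Rc4SuiteCheck {

    /** Returns the subset of the given suite names that use RC4. */
    static List<String> rc4Suites(String[] suites) {
        List<String> hits = new ArrayList<String>();
        for (String s : suites) {
            // JSSE names RC4 suites like TLS_RSA_WITH_RC4_128_SHA or SSL_RSA_WITH_RC4_128_MD5
            if (s.contains("_RC4_")) {
                hits.add(s);
            }
        }
        return hits;
    }

    /** True if "RC4" appears as an entry of the comma-separated disabled-algorithms list. */
    static boolean rc4Listed(String disabledAlgorithms) {
        if (disabledAlgorithms == null) {
            return false;
        }
        return Arrays.asList(disabledAlgorithms.trim().split("\\s*,\\s*")).contains("RC4");
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Property consulted by the OpenJDK/Oracle JSSE; may be null on other runtimes
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        System.out.println("RC4 listed as disabled: " + rc4Listed(disabled));

        SSLContext ctx = SSLContext.getDefault();
        // Enabled = what a default client/server connection would actually offer
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        // Supported = everything the provider can do, whether or not it is enabled
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();

        List<String> enabledRc4 = rc4Suites(enabled);
        System.out.println("RC4 suites supported by provider: " + rc4Suites(supported).size());
        System.out.println("RC4 suites enabled by default:   " + enabledRc4.size());
        for (String s : enabledRc4) {
            System.out.println("  still enabled: " + s);
        }
        // Non-zero exit status makes the check usable from a patch-verification script
        System.exit(enabledRc4.isEmpty() ? 0 : 1);
    }
}
```

Compile and run it with the runtime being verified rather than whatever `java` is first on the PATH, for example by calling that JDK's `bin/javac` and `bin/java` by full path; a supported-but-not-enabled count shows the suites are merely switched off by policy, which is the state the advisory describes, not removed from the provider.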
    

- Vulnerability information (F132345)

HP Security Bulletin HPSBGN03338 1 (PacketStormID:F132345)
2015-06-17 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBGN03338 1 - A potential security vulnerability has been identified with HP Service Manager running SSLv3. The vulnerability could be exploited remotely to allow disclosure of information. Note: This is the SSLv3 vulnerability known as RC4 cipher Bar Mitzvah vulnerability. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04687922

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04687922
Version: 1

HPSBGN03338 rev.1 - HP Service Manager running RC4, Remote Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-06-17
Last Updated: 2015-06-17

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Service
Manager running SSLv3. The vulnerability could be exploited remotely to allow
disclosure of information.

Note: This is the SSLv3 vulnerability known as RC4 cipher Bar Mitzvah
vulnerability.

References:

CVE-2015-2808
SSRT102073

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager for Windows, Linux and Solaris

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has released the following document to resolve the vulnerability in HP
Service Manager: https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01566352

HISTORY
Version:1 (rev.1) - 17 June 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlWBoJcACgkQ4B86/C0qfVmiCgCgxxByenh/jwHbvMRjg3XqECs3
k6cAn1PoclIL5OG7tViNtz9eq45YvxQL
=s6NX
-----END PGP SIGNATURE-----
    

- Vulnerability information (F132344)

HP Security Bulletin HPSBGN03350 1 (PacketStormID:F132344)
2015-06-17 00:00:00
HP  hp.com
advisory
CVE-2015-2802,CVE-2015-2808

HP Security Bulletin HPSBGN03350 1 - A potential security vulnerability has been identified with HP SiteScope. The vulnerability could be exploited remotely to allow disclosure of information. Note: This is the TLS vulnerability known as the RC4 cipher Bar Mitzvah vulnerability, which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04708650

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04708650
Version: 1

HPSBGN03350 rev.1 - HP SiteScope Using RC4, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-06-17
Last Updated: 2015-06-17

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP SiteScope. The
vulnerability could be exploited remotely to allow disclosure of information.

Note: This is the TLS vulnerability known as the RC4 cipher Bar Mitzvah
vulnerability, which could be exploited remotely to allow disclosure of
information

References: CVE-2015-2808 (SSRT102102)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP SiteScope v11.2x and v11.3x on Windows, Linux and Solaris

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2802    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following support documentation for HP SiteScope to
resolve this vulnerability: https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01658992

HISTORY
Version:1 (rev.1) - 17 June 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlWBl2YACgkQ4B86/C0qfVlVTgCdFhaZYgly/HKICgKHwJa1X6iM
OzYAoKiN+BD+lj3Gt5tRtE6lLVO19rN4
=gNOg
-----END PGP SIGNATURE-----
    

- Vulnerability information (F132593)

HP Security Bulletin HPSBGN03352 2 (PacketStormID:F132593)
2015-07-08 00:00:00
HP  hp.com
advisory
CVE-2015-2802,CVE-2015-2808

HP Security Bulletin HPSBGN03352 2 - A potential security vulnerability has been identified with HP Asset Manager. The vulnerability could be exploited remotely to allow disclosure of information. Note: This is the RC4 vulnerability known as Bar Mitzvah, which could be exploited remotely to allow disclosure of information. Revision 2 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04711380

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04711380
Version: 2

HPSBGN03352 rev.2 - HP Asset Manager Using RC4, Remote Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-07-06
Last Updated: 2015-07-06

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Asset Manager.
The vulnerability could be exploited remotely to allow disclosure of
information.

Note: This is the RC4 vulnerability known as Bar Mitzvah, which could be
exploited remotely to allow disclosure of information.

References: CVE-2015-2808 (SSRT102104)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

Asset Manager v9.30, v9.31, v9.32
Asset Manager v9.40, v9.41
Asset Manager v9.50
Asset Manager Cloudsystem Chargeback v9.40

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2802    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following support documentation for HP Asset Manager to
resolve this vulnerability:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01593128

HISTORY
Version:1 (rev.1) - 6 July 2015 Initial release
Version:2 (rev.2) - 6 July 2015 Added version numbers

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlWa0z4ACgkQ4B86/C0qfVlsUACffqvKJefKfYDjG6Jb6s5yXKlw
LWQAnjH00r4Su/52+Bg19C0lcm4qaG7A
=2yNa
-----END PGP SIGNATURE-----
    

- Vulnerability information (F132592)

HP Security Bulletin HPSBGN03354 1 (PacketStormID:F132592)
2015-07-08 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBGN03354 1 - A potential security vulnerability has been identified with HP Connect-IT. The vulnerability could be exploited remotely to allow disclosure of information. Note: This is the RC4 vulnerability known as Bar Mitzvah, which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04716090
Version: 1

HPSBGN03354 rev.1 - HP Connect-IT Using RC4, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-07-06
Last Updated: 2015-07-06

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Connect-IT.
The vulnerability could be exploited remotely to allow disclosure of
information.

Note: This is the RC4 vulnerability known as Bar Mitzvah, which could be
exploited remotely to allow disclosure of information.

References: CVE-2015-2808 (SSRT102105)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Connect-IT v9.40
HP Connect-IT v9.50, v9.51, v9.52, v9.53
HP Connect-IT v9.60

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following support documentation for HP Connect-IT to
resolve this vulnerability:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01602368

HISTORY
Version:1 (rev.1) - 6 July 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlWawUgACgkQ4B86/C0qfVmeYACgzia3w5YNq2KSqrmLPd17raAB
hJEAoKX1scxTAs5x76kTkQ9HsNKuho/p
=BI0a
-----END PGP SIGNATURE-----
    

- Vulnerability information (F132698)

Red Hat Security Advisory 2015-1230-01 (PacketStormID:F132698)
2015-07-16 00:00:00
Red Hat  
advisory,java,protocol
linux,redhat
CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Red Hat Security Advisory 2015-1230-01 - The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.7.0-openjdk security update
Advisory ID:       RHSA-2015:1230-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1230.html
Issue date:        2015-07-15
CVE Names:         CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 
                   CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 
                   CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 
                   CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 
                   CVE-2015-4749 CVE-2015-4760 
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.

Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)

A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)

It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)

A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)

Note: With this update, OpenJDK now disables RC4 SSL/TLS cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.

A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them to decrypt all traffic. (CVE-2015-4000)

Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions from being
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.

It was discovered that the JNDI component in OpenJDK did not handle DNS
resolutions correctly. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)

Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)

A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1241965 - CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)
1242019 - CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)
1242232 - CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)
1242234 - CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)
1242240 - CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)
1242275 - CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)
1242281 - CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)
1242372 - CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)
1242379 - CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)
1242394 - CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)
1242447 - CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)
1243139 - CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el5_11.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el5_11.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el5_11.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el5_11.i386.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el5_11.i386.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el5_11.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11
https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F132697)

Red Hat Security Advisory 2015-1229-01 (PacketStormID:F132697)
2015-07-16 00:00:00
Red Hat
advisory,java,protocol
linux,redhat
CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Red Hat Security Advisory 2015-1229-01 - The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-openjdk security update
Advisory ID:       RHSA-2015:1229-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1229.html
Issue date:        2015-07-15
CVE Names:         CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 
                   CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 
                   CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 
                   CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 
                   CVE-2015-4749 CVE-2015-4760 
=====================================================================

1. Summary:

Updated java-1.7.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.

Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)

A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)

It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)

A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)

Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.

A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them to decrypt all traffic. (CVE-2015-4000)

Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions from being
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.

It was discovered that the JNDI component in OpenJDK did not correctly
handle errors during DNS resolution. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)

Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)

A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1241965 - CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)
1242019 - CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)
1242232 - CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)
1242234 - CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)
1242240 - CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)
1242275 - CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)
1242281 - CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)
1242372 - CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)
1242379 - CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)
1242394 - CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)
1242447 - CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)
1243139 - CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_6.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_6.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_6.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_6.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.src.rpm

i386:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_6.i686.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_6.i686.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_6.i686.rpm

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.el6_6.noarch.rpm

x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.2.el7_1.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.2.el7_1.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.src.rpm

ppc64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm
java-1.7.0-openjdk-headless-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm

s390x:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.s390x.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.s390x.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.2.el7_1.s390x.rpm
java-1.7.0-openjdk-headless-1.7.0.85-2.6.1.2.el7_1.s390x.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.ael7b_1.src.rpm

ppc64le:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-headless-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.2.el7_1.noarch.rpm

ppc64:
java-1.7.0-openjdk-accessibility-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.2.el7_1.ppc64.rpm

s390x:
java-1.7.0-openjdk-accessibility-1.7.0.85-2.6.1.2.el7_1.s390x.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.s390x.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.2.el7_1.s390x.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.2.el7_1.s390x.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.2.ael7b_1.noarch.rpm

ppc64le:
java-1.7.0-openjdk-accessibility-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.2.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.src.rpm

x86_64:
java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-headless-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.2.el7_1.noarch.rpm

x86_64:
java-1.7.0-openjdk-accessibility-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.85-2.6.1.2.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
https://access.redhat.com/security/updates/classification/#critical
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11
https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.


    

- Vulnerability information (F132696)

Red Hat Security Advisory 2015-1228-01 (PacketStormID:F132696)
2015-07-16 00:00:00
Red Hat
advisory,java,protocol
linux,redhat
CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2659,CVE-2015-2808,CVE-2015-3149,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Red Hat Security Advisory 2015-1228-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-openjdk security update
Advisory ID:       RHSA-2015:1228-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1228.html
Issue date:        2015-07-15
CVE Names:         CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 
                   CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 
                   CVE-2015-2659 CVE-2015-2808 CVE-2015-3149 
                   CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 
                   CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 
                   CVE-2015-4760 
=====================================================================

1. Summary:

Updated java-1.8.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.

Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)

A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)

It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)

It was discovered that the GCM (Galois Counter Mode) implementation in the
Security component of OpenJDK failed to properly perform a null check.
This could cause the Java Virtual Machine to crash when an application
performed encryption using a block cipher in the GCM mode. (CVE-2015-2659)

A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)

Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.

A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them to decrypt all traffic. (CVE-2015-4000)

Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions from being
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.
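
The 768-bit minimum named in the note above, as an added illustration that is not OpenJDK's code: the check is applied to the wire format of the TLS 1.2 ServerDHParams structure (RFC 5246 section 7.4.3), and the two sample messages, their placeholder moduli and the helper that builds them are constructed for this example.

```python
"""Minimum-size check for TLS Diffie-Hellman parameters (added example).

Illustrates the CVE-2015-4000 hardening described in the advisory: a client
that refuses DH groups shorter than 768 bits cannot be downgraded to an
export-grade key exchange. Independent code, not OpenJDK's.
"""
import struct

MIN_DH_BITS = 768  # threshold stated in the advisory


def _read_opaque16(buf, pos):
    """Read one opaque<1..2^16-1> field (2-byte big-endian length prefix)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise ValueError("truncated or empty DH parameter")
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(buf):
    """Parse ServerDHParams { opaque dh_p; opaque dh_g; opaque dh_Ys; }.

    Returns (p, g, Ys, consumed). `consumed` lets a caller continue with the
    signature that follows the parameters in a ServerKeyExchange message."""
    p, pos = _read_opaque16(buf, 0)
    g, pos = _read_opaque16(buf, pos)
    ys, pos = _read_opaque16(buf, pos)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"), pos)


def dh_params_acceptable(buf, min_bits=MIN_DH_BITS):
    """Return (accepted, modulus_bits).

    Rejects export-grade groups (modulus shorter than min_bits), which is the
    downgrade the advisory describes, and also public values that are
    trivially invalid (outside the range 2 .. p-2)."""
    p, _g, ys, _consumed = parse_server_dh_params(buf)
    bits = p.bit_length()
    if bits < min_bits:
        return False, bits
    if not 1 < ys < p - 1:
        return False, bits
    return True, bits


def encode_server_dh_params(p, g, ys):
    """Constructed helper: serialize integers as a ServerDHParams body."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed samples. The moduli are placeholders of the right size, not
# real safe primes; only the bit length matters for this check.
EXPORT_GRADE_MSG = encode_server_dh_params((1 << 511) | 1, 2, 0x1234)
STRONG_MSG = encode_server_dh_params((1 << 2047) | 1, 2, 0x1234)

if __name__ == "__main__":
    for label, msg in (("512-bit group", EXPORT_GRADE_MSG),
                       ("2048-bit group", STRONG_MSG)):
        ok, bits = dh_params_acceptable(msg)
        print(f"{label}: {bits} bits -> {'accept' if ok else 'reject'}")
```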

It was discovered that the JNDI component in OpenJDK did not correctly
handle errors during DNS resolution. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)

Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)

A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)
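
The identity check described in the paragraph above, as an added example that is not OpenJDK's code: the flawed fallback to the reverse-DNS name of the target is shown beside the strict rule of RFC 2818 section 3.1 (an IP-literal target matches only an iPAddress subjectAltName), and the SAN lists, target address and reverse-DNS answer are all constructed.

```python
"""Certificate identity check for a TLS target given as an IP address
(added example, independent of OpenJDK's implementation).

Reproduces the CVE-2015-2625 behaviour the advisory describes and contrasts
it with the strict rule: when the peer is addressed by IP, only an
iPAddress subjectAltName equal to that IP may match.
"""
import ipaddress


def _matches_ip_san(target_ip, san_entries):
    """True if some iPAddress SAN equals target_ip (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(target_ip)
    for kind, value in san_entries:
        if kind != "IP":
            continue
        try:
            if ipaddress.ip_address(value) == ip:
                return True
        except ValueError:  # malformed SAN value: ignore, never match
            continue
    return False


def flawed_identity_check(target_ip, san_entries, reverse_dns):
    """The behaviour the advisory describes: if no iPAddress SAN matches,
    fall back to the reverse-DNS name of the target and accept a dNSName
    SAN equal to it. Reverse DNS is unauthenticated, so whoever controls
    the PTR answer controls which certificates pass. `reverse_dns` is an
    injected dict standing in for the lookup so this runs offline."""
    if _matches_ip_san(target_ip, san_entries):
        return True
    name = reverse_dns.get(target_ip)
    if name is None:
        return False
    return any(kind == "DNS" and value.lower() == name.lower()
               for kind, value in san_entries)


def strict_identity_check(target_ip, san_entries):
    """Hardened rule (RFC 2818 section 3.1): an IP-literal target matches
    only an iPAddress SAN, never a dNSName, and never via reverse DNS."""
    return _matches_ip_san(target_ip, san_entries)


# Constructed data: a certificate issued only for a host name, a target
# contacted by IP (RFC 5737 documentation range), and a PTR answer that
# maps the IP to that host name.
TARGET_IP = "203.0.113.10"
NAME_ONLY_CERT_SANS = [("DNS", "www.example.test")]
IP_CERT_SANS = [("DNS", "www.example.test"), ("IP", "203.0.113.10")]
REVERSE_DNS = {"203.0.113.10": "www.example.test"}

if __name__ == "__main__":
    print("flawed check, name-only cert :",
          flawed_identity_check(TARGET_IP, NAME_ONLY_CERT_SANS, REVERSE_DNS))
    print("strict check, name-only cert :",
          strict_identity_check(TARGET_IP, NAME_ONLY_CERT_SANS))
    print("strict check, cert with IP SAN:",
          strict_identity_check(TARGET_IP, IP_CERT_SANS))
```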

Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error log
files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. Note: This issue was
originally fixed as CVE-2015-0383, but the fix was regressed in the
RHSA-2015:0809 advisory. (CVE-2015-3149)

All users of java-1.8.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1213365 - CVE-2015-3149 OpenJDK8: insecure hsperfdata temporary file handling, CVE-2015-0383 regression (Hotspot)
1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1241965 - CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)
1242019 - CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)
1242144 - CVE-2015-2659 OpenJDK: GCM cipher issue causing JVM crash (Security, 8067648)
1242232 - CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)
1242234 - CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)
1242240 - CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)
1242275 - CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)
1242281 - CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)
1242372 - CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)
1242379 - CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)
1242394 - CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)
1242447 - CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)
1243139 - CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.src.rpm

i386:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.i686.rpm
java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.i686.rpm

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6.noarch.rpm

x86_64:
java-1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.el7_1.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.el7_1.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.src.rpm

ppc64:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.ppc64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1.ppc64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1.ppc64.rpm

s390x:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.s390x.rpm
java-1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1.s390x.rpm
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1.s390x.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.51-1.b16.ael7b_1.src.rpm

ppc64le:
java-1.8.0-openjdk-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-devel-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.el7_1.noarch.rpm

ppc64:
java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.ppc64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1.ppc64.rpm
java-1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1.ppc64.rpm

s390x:
java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.s390x.rpm
java-1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1.s390x.rpm
java-1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1.s390x.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.ael7b_1.noarch.rpm

ppc64le:
java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-demo-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm
java-1.8.0-openjdk-src-1.8.0.51-1.b16.ael7b_1.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.src.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.el7_1.noarch.rpm

x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2659
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-3149
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11
https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability information (F132729)

Red Hat Security Advisory 2015-1243-01 (PacketStormID:F132729)
2015-07-17 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2627,CVE-2015-2628,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
[Click to download]

Red Hat Security Advisory 2015-1243-01 - Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-sun security update
Advisory ID:       RHSA-2015:1243-01
Product:           Oracle Java for Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1243.html
Issue date:        2015-07-17
CVE Names:         CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 
                   CVE-2015-2625 CVE-2015-2627 CVE-2015-2628 
                   CVE-2015-2632 CVE-2015-2637 CVE-2015-2638 
                   CVE-2015-2664 CVE-2015-2808 CVE-2015-4000 
                   CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 
                   CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 
=====================================================================

1. Summary:

Updated java-1.6.0-sun packages that fix several security issues are now
available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Client 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux HPC Node 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64

3. Description:

Oracle Java SE version 6 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625, CVE-2015-2627,
CVE-2015-2628, CVE-2015-2632, CVE-2015-2637, CVE-2015-2638, CVE-2015-2664,
CVE-2015-2808, CVE-2015-4000, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733,
CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to in the References section, for additional details
about this change.

Note: This update forces the TLS/SSL client implementation in Oracle JDK to
reject DH key sizes below 768 bits to address the CVE-2015-4000 issue.
Refer to Red Hat Bugzilla bug 1223211, linked to in the References section,
for additional details about this change.

All users of java-1.6.0-sun are advised to upgrade to these updated
packages, which provide Oracle Java 6 Update 101 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1241965 - CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)
1242019 - CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)
1242232 - CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)
1242234 - CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)
1242240 - CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)
1242275 - CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)
1242281 - CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)
1242372 - CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)
1242379 - CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)
1242394 - CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)
1242447 - CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)
1243139 - CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)
1243283 - CVE-2015-2638 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (2D)
1243287 - CVE-2015-2637 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (2D)
1243291 - CVE-2015-2627 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (Install)
1243300 - CVE-2015-2664 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (Deployment)

6. Package List:

Oracle Java for Red Hat Enterprise Linux Client 5:

i386:
java-1.6.0-sun-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el5_11.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 5:

i386:
java-1.6.0-sun-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el5_11.i586.rpm

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el5_11.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el5_11.i586.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 6:

i386:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux HPC Node 6:

i386:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server 6:

i386:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation 6:

i386:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.i686.rpm

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el6_6.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Client (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation (v. 7):

x86_64:
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.i686.rpm
java-1.6.0-sun-devel-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.101-1jpp.1.el7_1.x86_64.rpm
java-1.6.0-sun-src-1.6.0.101-1jpp.1.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2627
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2637
https://access.redhat.com/security/cve/CVE-2015-2638
https://access.redhat.com/security/cve/CVE-2015-2664
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
https://access.redhat.com/security/updates/classification/#important
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11
https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.



- Vulnerability information (F132728)

Red Hat Security Advisory 2015-1242-01 (PacketStormID:F132728)
2015-07-17 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2015-2590,CVE-2015-2596,CVE-2015-2601,CVE-2015-2613,CVE-2015-2619,CVE-2015-2621,CVE-2015-2625,CVE-2015-2627,CVE-2015-2628,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4729,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4736,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
[Click to download]

Red Hat Security Advisory 2015-1242-01 - Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.7.0-oracle security update
Advisory ID:       RHSA-2015:1242-01
Product:           Oracle Java for Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1242.html
Issue date:        2015-07-17
CVE Names:         CVE-2015-2590 CVE-2015-2596 CVE-2015-2601 
                   CVE-2015-2613 CVE-2015-2619 CVE-2015-2621 
                   CVE-2015-2625 CVE-2015-2627 CVE-2015-2628 
                   CVE-2015-2632 CVE-2015-2637 CVE-2015-2638 
                   CVE-2015-2664 CVE-2015-2808 CVE-2015-4000 
                   CVE-2015-4729 CVE-2015-4731 CVE-2015-4732 
                   CVE-2015-4733 CVE-2015-4736 CVE-2015-4748 
                   CVE-2015-4749 CVE-2015-4760 
=====================================================================

1. Summary:

Updated java-1.7.0-oracle packages that fix several security issues are now
available for Oracle Java for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Client 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 5 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux HPC Node 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64

3. Description:

Oracle Java SE version 7 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2596, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619,
CVE-2015-2621, CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632,
CVE-2015-2637, CVE-2015-2638, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000,
CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736,
CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to in the References section, for additional details
about this change.

Note: This update forces the TLS/SSL client implementation in Oracle JDK to
reject DH key sizes below 768 bits to address the CVE-2015-4000 issue.
Refer to Red Hat Bugzilla bug 1223211, linked to in the References section,
for additional details about this change.

All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 85 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.
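The two hardening defaults described in the notes above (RC4 cipher suites disabled, DH key sizes below 768 bits rejected), which the java-1.6.0-sun advisory above states in the same words, are carried by the jdk.tls.disabledAlgorithms property in the JDK's java.security file. The following shell script is an added example, not part of the Red Hat advisory, that reads that property (joining backslash-continued lines as java.util.Properties does) and reports whether both settings are present; it runs against two constructed sample fragments, and the assumed location of the real file, $JAVA_HOME/jre/lib/security/java.security for JDK 7/8, is something to adjust for the installed JDK.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: check whether a JDK's
# java.security file carries the defaults the advisory describes, i.e.
# RC4 cipher suites disabled and DH key sizes below 768 bits rejected.
# Both are expressed through the jdk.tls.disabledAlgorithms property
# (JDK 7/8; path assumed to be $JAVA_HOME/jre/lib/security/java.security).

# Print the effective value of jdk.tls.disabledAlgorithms from a
# java.security file. Long values wrap with a trailing backslash, and
# java.util.Properties strips leading blanks on continuation lines, so
# the awk pass joins such lines the same way before the key is matched.
tls_disabled_algorithms() {
    awk '
        joined { sub(/^[ \t]+/, ""); $0 = buf $0 }
        sub(/\\$/, "") { buf = $0; joined = 1; next }
        { print; buf = ""; joined = 0 }
    ' "$1" \
    | grep -E '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' \
    | tail -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Emit the property's comma-separated entries one per line, trimmed.
disabled_entries() {
    tls_disabled_algorithms "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Succeed when RC4 is listed, i.e. RC4 cipher suites are disabled.
rc4_disabled() {
    disabled_entries "$1" | grep -qx 'RC4'
}

# Succeed when a "DH keySize < N" entry exists with N of at least 768,
# so the client rejects the export-grade DH parameters behind CVE-2015-4000.
dh_minimum_ok() {
    min=$(disabled_entries "$1" \
        | sed -n 's/^DH[[:space:]]*keySize[[:space:]]*<[[:space:]]*\([0-9][0-9]*\)$/\1/p' \
        | tail -n 1)
    [ -n "$min" ] && [ "$min" -ge 768 ]
}

# Report both checks for one file; return 1 if either is missing.
check_java_security() {
    status=0
    if rc4_disabled "$1"; then
        echo "RC4 cipher suites: disabled"
    else
        echo "RC4 cipher suites: STILL ENABLED (CVE-2015-2808)"; status=1
    fi
    if dh_minimum_ok "$1"; then
        echo "DH minimum key size: at least 768 bits"
    else
        echo "DH minimum key size: below 768 bits or unset (CVE-2015-4000)"; status=1
    fi
    return $status
}

# Constructed sample fragments (not real files from the update) so the
# script runs offline: one with the old default, one with the hardened one.
WEAK_FILE=$(mktemp)
cat > "$WEAK_FILE" <<'EOF'
# constructed java.security fragment: RC4 still enabled, no DH floor
jdk.tls.disabledAlgorithms=SSLv3
EOF

HARD_FILE=$(mktemp)
cat > "$HARD_FILE" <<'EOF'
# constructed java.security fragment: value wrapped with a trailing backslash
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    DH keySize < 768
EOF
trap 'rm -f "$WEAK_FILE" "$HARD_FILE"' EXIT

for f in "$WEAK_FILE" "$HARD_FILE"; do
    echo "== $f"
    check_java_security "$f" || echo "-> needs attention"
done
```

To audit an installed JDK, call check_java_security on its own java.security file instead of the constructed samples.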

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1241965 - CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)
1242019 - CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)
1242232 - CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)
1242234 - CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)
1242240 - CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)
1242275 - CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)
1242281 - CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)
1242372 - CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)
1242379 - CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)
1242394 - CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)
1242447 - CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)
1242456 - CVE-2015-2613 NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)
1243139 - CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)
1243283 - CVE-2015-2638 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (2D)
1243284 - CVE-2015-4736 Oracle JDK: unspecified vulnerability fixed in 7u85 and 8u51 (Deployment)
1243286 - CVE-2015-2619 Oracle JDK: unspecified vulnerability fixed in 7u85 and 8u51 (2D)
1243287 - CVE-2015-2637 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (2D)
1243288 - CVE-2015-2596 Oracle JDK: unspecified vulnerability fixed in 7u85 (Hotspot)
1243290 - CVE-2015-4729 Oracle JDK: unspecified vulnerability fixed in 7u85 and 8u51 (Deployment)
1243291 - CVE-2015-2627 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (Install)
1243300 - CVE-2015-2664 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (Deployment)

6. Package List:

Oracle Java for Red Hat Enterprise Linux Client 5:

i386:
java-1.7.0-oracle-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.1.el5_11.i586.rpm

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.1.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 5:

i386:
java-1.7.0-oracle-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.1.el5_11.i586.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.1.el5_11.i586.rpm

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.1.el5_11.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.1.el5_11.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Desktop 6:

i386:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux HPC Node 6:

i386:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server 6:

i386:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation 6:

i386:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.i686.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el6_6.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Client (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation (v. 7):

x86_64:
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.i686.rpm
java-1.7.0-oracle-devel-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.85-1jpp.2.el7_1.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.85-1jpp.2.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2596
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2613
https://access.redhat.com/security/cve/CVE-2015-2619
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2627
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2637
https://access.redhat.com/security/cve/CVE-2015-2638
https://access.redhat.com/security/cve/CVE-2015-2664
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4729
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4736
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11
https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVqLkQXlSAg2UNWIIRApPYAJ9mDcyE1m+byX7SKQCYCjCAkFjAOwCgqaS3
39j8idlEHkcFVfGf9Ka+tVc=
=i6Lu
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F132727)

Red Hat Security Advisory 2015-1241-01 (PacketStormID:F132727)
2015-07-17 00:00:00
Red Hat  
advisory,java,vulnerability
linux,redhat
CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2619,CVE-2015-2621,CVE-2015-2625,CVE-2015-2627,CVE-2015-2628,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2659,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4729,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4736,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Red Hat Security Advisory 2015-1241-01 - Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: java-1.8.0-oracle security update
Advisory ID:       RHSA-2015:1241-01
Product:           Oracle Java for Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1241.html
Issue date:        2015-07-17
CVE Names:         CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 
                   CVE-2015-2619 CVE-2015-2621 CVE-2015-2625 
                   CVE-2015-2627 CVE-2015-2628 CVE-2015-2632 
                   CVE-2015-2637 CVE-2015-2638 CVE-2015-2659 
                   CVE-2015-2664 CVE-2015-2808 CVE-2015-4000 
                   CVE-2015-4729 CVE-2015-4731 CVE-2015-4732 
                   CVE-2015-4733 CVE-2015-4736 CVE-2015-4748 
                   CVE-2015-4749 CVE-2015-4760 
=====================================================================

1. Summary:

Updated java-1.8.0-oracle packages that fix several security issues are now
available for Oracle Java for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux HPC Node 6 - x86_64
Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64
Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64

3. Description:

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and
the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime
Environment and the Oracle Java Software Development Kit. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2619, CVE-2015-2621,
CVE-2015-2625, CVE-2015-2627, CVE-2015-2628, CVE-2015-2632, CVE-2015-2637,
CVE-2015-2638, CVE-2015-2659, CVE-2015-2664, CVE-2015-2808, CVE-2015-4000,
CVE-2015-4729, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4736,
CVE-2015-4748, CVE-2015-4749, CVE-2015-4760)

Note: With this update, Oracle JDK now disables RC4 TLS/SSL cipher suites
by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla
bug 1207101, linked to in the References section, for additional details
about this change.

Note: This update forces the TLS/SSL client implementation in Oracle JDK to
reject DH key sizes below 768 bits to address the CVE-2015-4000 issue.
Refer to Red Hat Bugzilla bug 1223211, linked to in the References section,
for additional details about this change.

All users of java-1.8.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 8 Update 51 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1241965 - CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)
1242019 - CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)
1242144 - CVE-2015-2659 OpenJDK: GCM cipher issue causing JVM crash (Security, 8067648)
1242232 - CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)
1242234 - CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)
1242240 - CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)
1242275 - CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)
1242281 - CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)
1242372 - CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)
1242379 - CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)
1242394 - CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)
1242447 - CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)
1242456 - CVE-2015-2613 NSS / JCE: missing EC parameter validation in ECDH_Derive() (OpenJDK JCE, 8075833)
1243139 - CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)
1243283 - CVE-2015-2638 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (2D)
1243284 - CVE-2015-4736 Oracle JDK: unspecified vulnerability fixed in 7u85 and 8u51 (Deployment)
1243286 - CVE-2015-2619 Oracle JDK: unspecified vulnerability fixed in 7u85 and 8u51 (2D)
1243287 - CVE-2015-2637 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (2D)
1243290 - CVE-2015-4729 Oracle JDK: unspecified vulnerability fixed in 7u85 and 8u51 (Deployment)
1243291 - CVE-2015-2627 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (Install)
1243300 - CVE-2015-2664 Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51 (Deployment)

6. Package List:

Oracle Java for Red Hat Enterprise Linux Desktop 6:

i386:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux HPC Node 6:

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server 6:

i386:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation 6:

i386:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6.i686.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6.i686.rpm

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el6_6.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el6_6.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Client (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Server (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el7_1.x86_64.rpm

Oracle Java for Red Hat Enterprise Linux Workstation (v. 7):

x86_64:
java-1.8.0-oracle-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-devel-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-javafx-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-jdbc-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-plugin-1.8.0.51-1jpp.2.el7_1.x86_64.rpm
java-1.8.0-oracle-src-1.8.0.51-1jpp.2.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2613
https://access.redhat.com/security/cve/CVE-2015-2619
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2627
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2637
https://access.redhat.com/security/cve/CVE-2015-2638
https://access.redhat.com/security/cve/CVE-2015-2659
https://access.redhat.com/security/cve/CVE-2015-2664
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4729
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4736
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11
https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFVqLh3XlSAg2UNWIIRAg4lAJ9JxQXiR0q2W+1AjS0MQsPXh9KJcwCglatz
BcA6pGcDVhK5CWrc7VD+U7I=
=KJKN
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F132753)

HP Security Bulletin HPSBMU03377 1 (PacketStormID:F132753)
2015-07-20 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBMU03377 1 - A potential security vulnerability has been identified with HP Release Control running RC4. This is the SSL/TLS vulnerability known as "Bar Mitzvah" which could be exploited remotely resulting in disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04743784

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04743784
Version: 1

HPSBMU03377 rev.1 - HP Release Control running RC4, Remote Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-07-16
Last Updated: 2015-07-16

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Release
Control running RC4.

This is the SSL/TLS vulnerability known as "Bar Mitzvah" which could be
exploited remotely resulting in disclosure of information.

References: CVE-2015-2808 (SSRT102150)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Release Control v9.13, v9.20, v9.21, v9.21P1, and v9.21P2

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002
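The base score in the table above is derived from the base vector by the published CVSS v2 equations. The following is an added worked example (not part of the HP bulletin) that parses a CVSS v2 base vector and recomputes the impact and exploitability subscores and the base score; the metric weights are the standard CVSS v2 constants, and the vector strings are taken from the table or constructed for illustration.

```python
"""CVSS v2 base score from a base vector string.

Added worked example; the weights below are the published CVSS v2
equation constants, not values taken from the HP bulletin."""

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}   # shared by C, I and A

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Turn '(AV:N/AC:M/Au:N/C:P/I:N/A:N)' into a metric->value dict.

    Parentheses are optional; every base metric must be present, and an
    unknown value raises KeyError in the score functions below."""
    parts = dict(item.split(":", 1) for item in vector.strip("()").split("/"))
    missing = [m for m in REQUIRED_METRICS if m not in parts]
    if missing:
        raise ValueError(f"base vector is missing metrics: {missing}")
    return parts


def cvss2_scores(vector: str) -> dict:
    """Return impact, exploitability and base score, each rounded to one decimal."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[v["C"]])
                        * (1 - IMPACT_WEIGHT[v["I"]])
                        * (1 - IMPACT_WEIGHT[v["A"]]))
    exploitability = (20 * ACCESS_VECTOR[v["AV"]]
                         * ACCESS_COMPLEXITY[v["AC"]]
                         * AUTHENTICATION[v["Au"]])
    # f(Impact) zeroes the score when no impact metric is set.
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return {
        "impact": round(impact, 1),
        "exploitability": round(exploitability, 1),
        "base": round(base, 1),
    }


if __name__ == "__main__":
    # Vector from the bulletin's CVSS table; expected base score 4.3.
    print(cvss2_scores("(AV:N/AC:M/Au:N/C:P/I:N/A:N)"))
```

The partial-confidentiality, no-integrity, no-availability impact of this vector is what keeps the score in the medium band: the impact subscore is small while the exploitability subscore (network, no authentication) is near its maximum.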

RESOLUTION

HP has provided information at the following location to resolve the
vulnerability in HP Release Control:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01728554

HISTORY
Version:1 (rev.1) - 16 July 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact the normal HP Services support channel. For other issues
about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlWnvZwACgkQ4B86/C0qfVktGgCfWQIaMKxWgG9FcaeVpjb0FHP1
TKwAoLko/devADtlJZcAcu5qK7/EsX4z
=wUr8
-----END PGP SIGNATURE-----
    

- Vulnerability Information (F132835)

Debian Security Advisory 3316-1 (PacketStormID:F132835)
2015-07-27 00:00:00
Debian  debian.org
advisory,java,denial of service,arbitrary,vulnerability,info disclosure
linux,debian
CVE-2014-8873,CVE-2015-0460,CVE-2015-0469,CVE-2015-0470,CVE-2015-0477,CVE-2015-0478,CVE-2015-0480,CVE-2015-0488,CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Debian Linux Security Advisory 3316-1 - Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, denial of service or insecure cryptography.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3316-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 25, 2015                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2014-8873 CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 
                 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488
                 CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621
                 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808
                 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733
                 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure,
denial of service or insecure cryptography.

For the oldstable distribution (wheezy), these problems have been fixed
in version 7u79-2.5.6-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 7u79-2.5.6-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 7u79-2.5.6-1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=aOkr
-----END PGP SIGNATURE-----
    

- Vulnerability Information (F132900)

Red Hat Security Advisory 2015-1526-01 (PacketStormID:F132900)
2015-08-03 00:00:00
Red Hat  
advisory,java,protocol
linux,redhat
CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Red Hat Security Advisory 2015-1526-01 - The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.6.0-openjdk security update
Advisory ID:       RHSA-2015:1526-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-1526.html
Issue date:        2015-07-30
CVE Names:         CVE-2015-2590 CVE-2015-2601 CVE-2015-2621 
                   CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 
                   CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 
                   CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 
                   CVE-2015-4749 CVE-2015-4760 
=====================================================================

1. Summary:

Updated java-1.6.0-openjdk packages that fix multiple security issues are
now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.

Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)

A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)

It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)

A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)

Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.

A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them to decrypt all traffic. (CVE-2015-4000)

Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions from being
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.

It was discovered that the JNDI component in OpenJDK did not handle DNS
resolutions correctly. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)

Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)

A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1207101 - CVE-2015-2808 SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher
1223211 - CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
1241965 - CVE-2015-2625 OpenJDK: name for reverse DNS lookup used in certificate identity check (JSSE, 8067694)
1242019 - CVE-2015-2601 OpenJDK: non-constant time comparisons in crypto code (JCE, 8074865)
1242232 - CVE-2015-2628 OpenJDK: IIOPInputStream type confusion vulnerability (CORBA, 8076376)
1242234 - CVE-2015-4731 OpenJDK: improper permission checks in MBeanServerInvocationHandler (JMX, 8076397)
1242240 - CVE-2015-4732 OpenJDK: insufficient context checks during object deserialization (Libraries, 8076405)
1242275 - CVE-2015-4733 OpenJDK: RemoteObjectInvocationHandler allows calling finalize() (RMI, 8076409)
1242281 - CVE-2015-4748 OpenJDK: incorrect OCSP nextUpdate checking (Libraries, 8075374)
1242372 - CVE-2015-2621 OpenJDK: incorrect code permission checks in RMIConnectionImpl (JMX, 8075853)
1242379 - CVE-2015-4749 OpenJDK: DnsClient fails to release request information after error (JNDI, 8075378)
1242394 - CVE-2015-2632 ICU: integer overflow in LETableReference verifyLength() (OpenJDK 2D, 8077520)
1242447 - CVE-2015-4760 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8071715)
1243139 - CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.i386.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.i386.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el5_11.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.src.rpm

i386:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el6_7.i686.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el6_7.i686.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el6_7.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.src.rpm

ppc64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.ppc64.rpm

s390x:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.s390x.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.s390x.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.s390x.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.ppc64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.ppc64.rpm

s390x:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.s390x.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.s390x.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.s390x.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.s390x.rpm

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.src.rpm

x86_64:
java-1.6.0-openjdk-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm
java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.el7_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
https://access.redhat.com/security/updates/classification/#important
https://bugzilla.redhat.com/show_bug.cgi?id=1207101#c11
https://bugzilla.redhat.com/show_bug.cgi?id=1223211#c33

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
    

- Vulnerability Information (F132894)

Ubuntu Security Notice USN-2696-1 (PacketStormID:F132894)
2015-08-03 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,vulnerability,info disclosure
linux,ubuntu
CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Ubuntu Security Notice 2696-1 - Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. Several vulnerabilities were discovered in the cryptographic components of the OpenJDK JRE. An attacker could exploit these to expose sensitive data over the network. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-2696-1
July 30, 2015

openjdk-7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.04
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenJDK 7.

Software Description:
- openjdk-7: Open Source Java implementation

Details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity, and availability. An attacker
could exploit these to cause a denial of service or expose sensitive
data over the network. (CVE-2015-2590, CVE-2015-2628, CVE-2015-4731,
CVE-2015-4732, CVE-2015-4733, CVE-2015-4760, CVE-2015-4748)

Several vulnerabilities were discovered in the cryptographic components
of the OpenJDK JRE. An attacker could exploit these to expose sensitive
data over the network. (CVE-2015-2601, CVE-2015-2808, CVE-2015-4000,
CVE-2015-2625, CVE-2015-2613)

As a security improvement, this update modifies OpenJDK behavior to
disable RC4 TLS/SSL cipher suites by default.

As a security improvement, this update modifies OpenJDK behavior to
reject DH key sizes below 768 bits by default, preventing a possible
downgrade attack.
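Both the Red Hat and the Ubuntu notices above describe the same two hardening changes: RC4 TLS/SSL cipher suites disabled by default, and DH key sizes below 768 bits rejected. As an added example (not code from either advisory or from OpenJDK), the Java program below audits a running JVM for those two settings and, on an unpatched runtime, applies the equivalent policy itself. It assumes the standard JSSE security property `jdk.tls.disabledAlgorithms` (the java.security property that carries this policy on JDK 7 and 8); the class and method names are the example's own.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Added example, not part of the advisories: check a JVM for the two
 * TLS hardening changes the updates ship (RC4 suites off, DH >= 768 bits)
 * and apply the same policy on a runtime that still lacks it.
 */
public class TlsHardeningCheck {

    /** Cipher suites the default SSLContext would actually offer that use RC4. */
    static List<String> enabledRc4Suites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        List<String> rc4 = new ArrayList<String>();
        for (String suite : defaults.getCipherSuites()) {
            if (suite.contains("RC4")) {
                rc4.add(suite);
            }
        }
        return rc4;
    }

    /** True when the policy string names RC4 and a DH keySize constraint. */
    static boolean policyHardened(String disabledAlgorithms) {
        if (disabledAlgorithms == null) {
            return false;
        }
        // Normalise "DH keySize < 768" style entries for a simple contains check.
        String d = disabledAlgorithms.replace(" ", "").toUpperCase();
        return d.contains("RC4") && d.contains("DHKEYSIZE<");
    }

    /** Build the hardened policy, preserving whatever the runtime already disables. */
    static String hardenedPolicy(String current) {
        String base = (current == null || current.trim().isEmpty()) ? "" : current + ", ";
        return base + "RC4, DH keySize < 768";
    }

    public static void main(String[] args) throws Exception {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + current);

        if (!policyHardened(current)) {
            // Must run before the first SSLContext is initialised in this JVM,
            // otherwise JSSE has already read the property and this has no effect.
            String hardened = hardenedPolicy(current);
            Security.setProperty("jdk.tls.disabledAlgorithms", hardened);
            System.out.println("Runtime lacked the policy; set to: " + hardened);
        }

        List<String> rc4 = enabledRc4Suites();
        if (rc4.isEmpty()) {
            System.out.println("OK: no RC4 cipher suites enabled by default");
        } else {
            System.out.println("RC4 suites still enabled: " + rc4);
        }
    }
}
```

On a patched OpenJDK the first line already lists RC4 and the DH constraint and the audit reports no RC4 suites; on an older runtime the program sets the policy for its own process only, so the durable fix is still the updated package (or the same entry in the JDK's java.security file).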

Several vulnerabilities were discovered in the OpenJDK JRE related
to information disclosure. An attacker could exploit these to expose
sensitive data over the network. (CVE-2015-2621, CVE-2015-2632)

A vulnerability was discovered with how the JNDI component of the
OpenJDK JRE handles DNS resolutions. A remote attacker could exploit
this to cause a denial of service. (CVE-2015-4749)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.04:
  icedtea-7-jre-jamvm             7u79-2.5.6-0ubuntu1.15.04.1
  openjdk-7-jdk                   7u79-2.5.6-0ubuntu1.15.04.1
  openjdk-7-jre                   7u79-2.5.6-0ubuntu1.15.04.1
  openjdk-7-jre-headless          7u79-2.5.6-0ubuntu1.15.04.1
  openjdk-7-jre-lib               7u79-2.5.6-0ubuntu1.15.04.1
  openjdk-7-jre-zero              7u79-2.5.6-0ubuntu1.15.04.1

Ubuntu 14.04 LTS:
  icedtea-7-jre-jamvm             7u79-2.5.6-0ubuntu1.14.04.1
  openjdk-7-jdk                   7u79-2.5.6-0ubuntu1.14.04.1
  openjdk-7-jre                   7u79-2.5.6-0ubuntu1.14.04.1
  openjdk-7-jre-headless          7u79-2.5.6-0ubuntu1.14.04.1
  openjdk-7-jre-lib               7u79-2.5.6-0ubuntu1.14.04.1
  openjdk-7-jre-zero              7u79-2.5.6-0ubuntu1.14.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2696-1
  CVE-2015-2590, CVE-2015-2601, CVE-2015-2613, CVE-2015-2621,
  CVE-2015-2625, CVE-2015-2628, CVE-2015-2632, CVE-2015-2808,
  CVE-2015-4000, CVE-2015-4731, CVE-2015-4732, CVE-2015-4733,
  CVE-2015-4748, CVE-2015-4749, CVE-2015-4760,
  https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/LogJam

Package Information:
  https://launchpad.net/ubuntu/+source/openjdk-7/7u79-2.5.6-0ubuntu1.15.04.1
  https://launchpad.net/ubuntu/+source/openjdk-7/7u79-2.5.6-0ubuntu1.14.04.1
    

- Vulnerability Information (F132891)

HP Security Bulletin HPSBGN03366 1 (PacketStormID:F132891)
2015-08-03 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBGN03366 1 - A potential security vulnerability has been identified with HP Business Process Insight. This is the RC4 vulnerability known as the Bar Mitzvah attack, which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04726896

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04726896
Version: 1

HPSBGN03366 rev.1 - HP Business Process Insight with RC4 Stream Cipher,
Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-07-29
Last Updated: 2015-07-29

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Business
Process Insight.

This is the RC4 vulnerability known as the Bar Mitzvah attack, which could be
exploited remotely to allow disclosure of information.

References:

CVE-2015-2808 (Remote Disclosure of Information)
SSRT102127

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Business Process Insight v9.x

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following instructions available to resolve this
vulnerability in HP Business Process Insight:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01705055

HISTORY
Version:1 (rev.1) - 29 July 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

    

- Vulnerability Information (F132890)

HP Security Bulletin HPSBGN03367 1 (PacketStormID:F132890)
2015-08-03 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBGN03367 1 - A potential security vulnerability has been identified with HP TransactionVision. This is the RC4 vulnerability known as the Bar Mitzvah attack, which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04727082

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04727082
Version: 1

HPSBGN03367 rev.1 - HP TransactionVision with RC4 Stream Cipher, Remote
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-07-29
Last Updated: 2015-07-29

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP
TransactionVision.

This is the RC4 vulnerability known as the Bar Mitzvah attack, which could be
exploited remotely to allow disclosure of information.

References:

CVE-2015-2808 (Remote Disclosure of Information)
SSRT102129

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP TransactionVision v9.x

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following instructions available to resolve this
vulnerability in HP TransactionVision:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01705056

HISTORY
Version:1 (rev.1) - 29 July 2015 Initial release

    

- Vulnerability Information (F132872)

HP Security Bulletin HPSBGN03372 1 (PacketStormID:F132872)
2015-07-28 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBGN03372 1 - A potential security vulnerability has been identified with HP Business Process Monitor. Note: This is the RC4 vulnerability known as Bar Mitzvah, which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04739254

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04739254
Version: 1

HPSBGN03372 rev.1 - HP Business Process Monitor using RC4, Remote Disclosure
of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-07-28
Last Updated: 2015-07-28

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Business
Process Monitor.

Note: This is the RC4 vulnerability known as Bar Mitzvah, which could be
exploited remotely to allow disclosure of information.

References: CVE-2015-2808 (SSRT102133)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Business Process Monitor v9.02, v9.03
HP Business Process Monitor v9.1x, v9.2x

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following support documentation for HP Business Process
Monitor to resolve this vulnerability:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01708693

HISTORY
Version:1 (rev.1) - 28 July 2015 Initial release

    

- Vulnerability Information (F132989)

Ubuntu Security Notice USN-2706-1 (PacketStormID:F132989)
2015-08-07 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,vulnerability,info disclosure
linux,ubuntu
CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Ubuntu Security Notice 2706-1 - Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity, and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. Several vulnerabilities were discovered in the cryptographic components of the OpenJDK JRE. An attacker could exploit these to expose sensitive data over the network. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-2706-1
August 06, 2015

openjdk-6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenJDK 6.

Software Description:
- openjdk-6: Open Source Java implementation

Details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity, and availability. An attacker
could exploit these to cause a denial of service or expose sensitive
data over the network. (CVE-2015-2590, CVE-2015-2628, CVE-2015-4731,
CVE-2015-4732, CVE-2015-4733, CVE-2015-4760, CVE-2015-4748)

Several vulnerabilities were discovered in the cryptographic components
of the OpenJDK JRE. An attacker could exploit these to expose sensitive
data over the network. (CVE-2015-2601, CVE-2015-2808, CVE-2015-4000,
CVE-2015-2625, CVE-2015-2613)

As a security improvement, this update modifies OpenJDK behavior to
disable RC4 TLS/SSL cipher suites by default.

As a security improvement, this update modifies OpenJDK behavior to
reject DH key sizes below 768 bits by default, preventing a possible
downgrade attack.

Several vulnerabilities were discovered in the OpenJDK JRE related
to information disclosure. An attacker could exploit these to expose
sensitive data over the network. (CVE-2015-2621, CVE-2015-2632)

A vulnerability was discovered with how the JNDI component of the
OpenJDK JRE handles DNS resolutions. A remote attacker could exploit
this to cause a denial of service. (CVE-2015-4749)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  icedtea-6-jre-cacao             6b36-1.13.8-0ubuntu1~12.04
  icedtea-6-jre-jamvm             6b36-1.13.8-0ubuntu1~12.04
  openjdk-6-jdk                   6b36-1.13.8-0ubuntu1~12.04
  openjdk-6-jre                   6b36-1.13.8-0ubuntu1~12.04
  openjdk-6-jre-headless          6b36-1.13.8-0ubuntu1~12.04
  openjdk-6-jre-lib               6b36-1.13.8-0ubuntu1~12.04
  openjdk-6-jre-zero              6b36-1.13.8-0ubuntu1~12.04
  openjdk-6-source                6b36-1.13.8-0ubuntu1~12.04

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2706-1
  CVE-2015-2590, CVE-2015-2601, CVE-2015-2621, CVE-2015-2625,
  CVE-2015-2628, CVE-2015-2632, CVE-2015-2808, CVE-2015-4000,
  CVE-2015-4731, CVE-2015-4732, CVE-2015-4733, CVE-2015-4748,
  CVE-2015-4749, CVE-2015-4760

Package Information:
  https://launchpad.net/ubuntu/+source/openjdk-6/6b36-1.13.8-0ubuntu1~12.04

    

- Vulnerability Information (F133234)

Debian Security Advisory 3339-1 (PacketStormID:F133234)
2015-08-21 00:00:00
Debian  debian.org
advisory,java,denial of service,arbitrary,vulnerability,info disclosure
linux,debian
CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2621,CVE-2015-2625,CVE-2015-2628,CVE-2015-2632,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760

Debian Linux Security Advisory 3339-1 - Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure, denial of service or insecure cryptography.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-------------------------------------------------------------------------
Debian Security Advisory DSA-3339-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 19, 2015                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-6
CVE ID         : CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621 
                 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808
                 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733
                 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure,
denial of service or insecure cryptography.
                                 
For the oldstable distribution (wheezy), these problems have been fixed
in version 6b36-1.13.8-1~deb7u1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=ng8s
-----END PGP SIGNATURE-----
    

- Vulnerability Information (F133274)

HP Security Bulletin HPSBMU03345 1 (PacketStormID:F133274)
2015-08-24 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2015-0204,CVE-2015-2808,CVE-2015-4000

HP Security Bulletin HPSBMU03345 1 - Potential security vulnerabilities have been identified with HP Network Node Manager i and Smart Plugins (iSPIs). The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The SSLv3 vulnerability using US export-grade RSA encryption known as FREAK could be exploited remotely to allow unauthorized . Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04773241
Version: 1

HPSBMU03345 rev.1 - HP Network Node Manager i (NNMi) and Smart Plugins
(iSPIs) for HP-UX, Linux, Solaris, and Windows, Remote Disclosure of
Information, Unauthorized Modification

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-20
Last Updated: 2015-08-20

Potential Security Impact: Remote disclosure of information, unauthorized
modification

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Network Node
Manager i and Smart Plugins (iSPIs).

The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could
be exploited remotely to allow disclosure of information.
The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman
key exchange known as "Logjam" could be exploited remotely to allow
unauthorized modification.
The SSLv3 vulnerability using US export-grade RSA encryption known as FREAK
could be exploited remotely to allow unauthorized

References:

CVE-2015-4000 (aka LogJam, SSRT102095)
CVE-2015-2808 (aka Bar Mitzvah)
CVE-2015-0204 (aka Freak)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Network Node Manager i version v9.0x, v9.1x, v9.2x, v10.0x
HP Network Node Manager iSPI Performance for QA v9.0x, v9.1x, v9.2x, v10.0x
HP Network Node Manager iSPI for IP Multicast QA v9.0x, v9.1x, v9.2x, v10.0x
HP Network Node Manager iSPI for MPLS VPN v9.0x, v9.1x, v9.2x, v10.0x
HP Network Node Manager iSPI for IP Telephony v9.0x, v9.1x, v9.2x, v10.0x
HP Network Node Manager iSPI for NET v9.0x, v9.1x, v9.2x, v10.0x
HP Network Node Manager iSPI Performance for Metrics v9.0x, v9.1x, v9.2x,
v10.0x
HP Network Node Manager iSPI Performance for Traffic v9.0x, v9.1x, v9.2x,
v10.0x

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-4000    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2015-0204    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following updates for HP Network Node Manager i and Smart
Plugins (iSPIs)

HP Network Node Manager i and Smart Plugins (iSPIs) Version
 Link to update for CVE-2015-4000 (LogJam)

HP Network Node Manager i version v9.1x, v9.2x
iSPI Performance for QA
iSPI for IP Multicast
iSPI for MPLS VPN
iSPI for IP Telephony

 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01704653

HP Network Node Manager iSPI for Metrics v9.1x, v9.2x
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01740484

HP Network Node Manager iSPI for Traffic v9.1x, v9.2x
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01740489

Note: v10.x is not affected by LogJam

HP Network Node Manager i and Smart Plugins (iSPIs) Version
 Link to update for CVE-2015-2808 (Bar Mitzvah)

HP Network Node Manager i version v9.1x, v9.2x, v10.x
iSPI Performance for QA
iSPI for IP Multicast
iSPI for MPLS VPN
iSPI for IP Telephony

 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01704651

HP Network Node Manager iSPI for Metrics v9.1x, v9.2x, v10.0x
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01740486

HP Network Node Manager iSPI for Traffic v9.1x, v9.2x, v10.0x
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01740487

HP Network Node Manager i and Smart Plugins (iSPIs) Version
 Link to update for CVE-2015-0204 (Freak)

HP Network Node Manager i version v9.x, v10.x
iSPI Performance for QA
iSPI for IP Multicast
iSPI for MPLS VPN
iSPI for IP Telephony

 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01704633

HP Network Node Manager iSPI for Metrics v9.1x, v9.2x
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01740481

HP Network Node Manager iSPI for Traffic v9.1x, v9.2x
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01740488

Note: v10.x is not affected by FREAK

HISTORY
Version:1 (rev.1) - 20 August 2015 Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlXV8KcACgkQ4B86/C0qfVmtiACg6UXXZlqWm+xPbKJlsx6B6L6S
uloAoM7ko3uZ3e1tX/FX+FX15hFusM2D
=za4B
-----END PGP SIGNATURE-----
    

- Vulnerability Information (F133337)

HP Security Bulletin HPSBGN03405 1 (PacketStormID:F133337)
2015-08-26 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2015-2808,CVE-2015-4000

HP Security Bulletin HPSBGN03405 1 - Potential security vulnerabilities have been identified in HP Integration Adaptor. The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773004

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04773004
Version: 1

HPSBGN03405 rev.1 - HP Integration Adaptor, Remote Unauthorized Modification,
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-25
Last Updated: 2015-08-25

Potential Security Impact: Remote unauthorized modification, disclosure of
information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP Integration
Adaptor.

  - The TLS vulnerability using US export-grade 512-bit keys in
Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to
allow unauthorized modification.
  - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah"
could be exploited remotely to allow disclosure of information.

References:

CVE-2015-4000 - "Logjam"
CVE-2015-2808 - "Bar Mitzvah"
SSRT102214

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Integration Adaptor v9.12.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following mitigation information available to resolve the
vulnerability for the impacted versions of HP Integration Adaptor.

  Please consult HP Software Support Online (SSO):

    https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01763510?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 25 August 2015 Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlXcmY4ACgkQ4B86/C0qfVmj7wCfTQBQT74m2enq5IIrb9II5+do
9m8AoIqsy5s0D9ABNrEnGv/cwa81598Q
=wO9x
-----END PGP SIGNATURE-----
    

- Vulnerability Information (F133336)

HP Security Bulletin HPSBGN03399 1 (PacketStormID:F133336)
2015-08-26 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2015-2808,CVE-2015-4000

HP Security Bulletin HPSBGN03399 1 - Potential security vulnerabilities have been identified in HP BSM Connector (BSMC). The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04767175

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04767175
Version: 1

HPSBGN03399 rev.1 - HP BSM Connector (BSMC), Remote Unauthorized
Modification, Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-25
Last Updated: 2015-08-25

Potential Security Impact: Remote unauthorized modification, disclosure of
information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP BSM Connector
(BSMC).

  - The TLS vulnerability using US export-grade 512-bit keys in
Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to
allow unauthorized modification.
  - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah"
could be exploited remotely to allow disclosure of information.

References:

CVE-2015-4000 - "Logjam"
CVE-2015-2808 - "Bar Mitzvah"
SSRT102199, SSRT102205

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP BSM Connector (BSMC) v9.20, v9.21, v9.22, v9.23, and v10.00.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following mitigation information available to resolve the
vulnerabilities for the impacted versions of HP BSM Connector (BSMC).

  Please consult HP Software Support Online (SSO):

    BSMC 9.2x

      https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01762681

    BSMC 10.0

      https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01758600?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 25 August 2015 Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlXcmY4ACgkQ4B86/C0qfVkkGACg6r1zitX/sCSn2X4apFuS/dV/
QSMAn0wrsKxABxXlcBP4dy3KTubTltop
=AMbn
-----END PGP SIGNATURE-----
    

- Vulnerability Information (F133330)

HP Security Bulletin HPSBGN03415 1 (PacketStormID:F133330)
2015-08-26 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2015-2808

HP Security Bulletin HPSBGN03415 1 - Potential security vulnerabilities have been identified in HP Operations Agent Virtual Appliance. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04777255

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04777255
Version: 1

HPSBGN03415 rev.1 - HP Operations Agent Virtual Appliance, Remote Disclosure
of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-25
Last Updated: 2015-08-25

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP Operations
Agent Virtual Appliance.

The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could
be exploited remotely to allow disclosure of information.

References:

CVE-2015-2808 - "Bar Mitzvah"
SSRT102201

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Agent Virtual Appliance v11.11, v11.12, v11.13, v11.14.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following mitigation information available to resolve the
vulnerabilities for the impacted versions of HP Operations Agent Virtual
Appliance.

Please consult HP Software Support Online (SSO):
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01762720?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 25 August 2015 Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlXc2VQACgkQ4B86/C0qfVlLqACeIqOcQxuAaP27DlSwGD5qpvf5
8nIAn0mPlNqDMwFRJ3k+sOnreNsdg8nF
=aDaY
-----END PGP SIGNATURE-----
    

- Vulnerability Information (F133329)

HP Security Bulletin HPSBGN03414 1 (PacketStormID:F133329)
2015-08-26 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2015-2808

HP Security Bulletin HPSBGN03414 1 - Potential security vulnerabilities have been identified in HP Operations Agent. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04777195

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04777195
Version: 1

HPSBGN03414 rev.1 - HP Operations Agent, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-25
Last Updated: 2015-08-25

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP Operations
Agent.

The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could
be exploited remotely to allow disclosure of information.

References:

CVE-2015-2808 - "Bar Mitzvah"
SSRT102200

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Agent v11.0, v11.01, v11.02, v11.03, v11.04, v11.05, v11.10,
v11.11, v11.12, v11.13, v11.20, and v11.14.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following mitigation information available to resolve the
vulnerabilities for the impacted versions of HP Operations Agent.

Please consult HP Software Support Online (SSO):
https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM01758900?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 25 August 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlXcz4EACgkQ4B86/C0qfVl96wCgopvx99n1jar+wLeOG5mw//vW
7mMAn3RFdpyhQow08uLzhhOlEA38HDEn
=lpKV
-----END PGP SIGNATURE-----
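The bulletin above says the RC4 weakness "could be exploited remotely" and points to a support article for the fix, but gives no way to confirm whether a product endpoint still negotiates RC4 after the mitigation has been applied. The usual check is to offer the server only RC4 cipher suites and see whether it completes a ServerHello with one of them. What follows is an added example written for this page, not HP code and not part of any bulletin: it builds such a ClientHello, parses the first record the server sends back, and classifies the result. The suite code points are the IANA-registered ones (RFC 2246/5246, RFC 4279, RFC 4492, RFC 5489); the sample ServerHello and alert bytes are constructed inline so the parser can be exercised offline; probe(), assess() and the other names, and the host/port parameters, are this example's own.

```python
import os
import socket
import struct

# RC4 cipher suites by IANA code point (RFC 2246/5246, RFC 4279, RFC 4492, RFC 5489).
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x0066: "TLS_DHE_DSS_WITH_RC4_128_SHA",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0x008E: "TLS_DHE_PSK_WITH_RC4_128_SHA",
    0x0092: "TLS_RSA_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
    0xC033: "TLS_ECDHE_PSK_WITH_RC4_128_SHA",
}


def build_client_hello(suites, server_name=None, client_random=None):
    """Return one TLS record carrying a TLS 1.2 ClientHello that offers exactly `suites`."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    extensions = b""
    if server_name:
        name = server_name.encode("idna")
        # server_name extension (type 0): list length, name_type host_name(0), name length, name
        sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        extensions += struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + client_random + b"\x00"          # client_version 1.2, random, empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record-layer version 3.1 is what version-intolerant middleboxes expect; the real version is inside.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Parse the first record of a reply: ('server_hello', version, suite) or ('alert', level, desc)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    rtype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rlen]
    if len(payload) < rlen:
        raise ValueError("truncated TLS record body")
    if rtype == 0x15 and rlen >= 2:                      # ContentType alert
        return ("alert", payload[0], payload[1])
    if rtype != 0x16 or payload[0] != 0x02:              # handshake record holding ServerHello(2)
        raise ValueError(f"unexpected reply: record type 0x{rtype:02x}")
    hello = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    version = struct.unpack("!H", hello[:2])[0]
    sid_len = hello[34]                                  # follows 2-byte version and 32-byte random
    suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
    return ("server_hello", version, suite)


def assess(response):
    """Turn a parsed reply to an RC4-only ClientHello into a verdict."""
    if response[0] == "alert":
        return {"rc4_negotiated": False,
                "detail": f"alert level {response[1]}, description {response[2]}: RC4 refused"}
    _, version, suite = response
    name = RC4_SUITES.get(suite)
    if name is None:
        return {"rc4_negotiated": False,
                "detail": f"server chose 0x{suite:04x}, which was never offered (protocol violation)"}
    return {"rc4_negotiated": True,
            "detail": f"server negotiated {name} (0x{suite:04x}) at version 0x{version:04x}"}


def probe(host, port=443, timeout=5.0):
    """Send an RC4-only ClientHello to host:port and assess the first record that comes back."""
    hello = build_client_hello(sorted(RC4_SUITES), server_name=host)
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return assess(parse_server_response(data))


# Constructed sample replies, so the parser can be exercised without a live server.
SAMPLE_SERVER_HELLO_RC4 = (
    b"\x16\x03\x03\x00\x2a"          # handshake record, TLS 1.2, 42 bytes
    + b"\x02\x00\x00\x26"            # ServerHello, 38-byte body
    + b"\x03\x03" + bytes(32)        # server_version, server_random (constructed zeros)
    + b"\x00"                        # empty session_id
    + b"\x00\x05"                    # TLS_RSA_WITH_RC4_128_SHA
    + b"\x00"                        # null compression, no extensions
)
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x03\x00\x02\x02\x28"   # fatal(2) handshake_failure(40)
```

probe("hostname", 443) runs the check against a live endpoint. A handshake_failure alert (description 40), insufficient_security (71) or a dropped connection means RC4 was refused; a ServerHello naming any RC4 suite means the endpoint still accepts it, and the TLS configuration, not only the product version, needs attention. The probe only covers connections the product accepts as a server; for connections it initiates as a client (an agent reporting to its manager, for instance) the same question has to be answered from the other side or from a packet capture.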
    

- Vulnerability information (F133392)

HP Security Bulletin HPSBGN03403 1 (PacketStormID:F133392)
2015-09-01 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBGN03403 1 - A potential security vulnerability has been identified in HP Virtualization Performance Viewer. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow unauthorized disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04773256

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04773256
Version: 1

HPSBGN03403 rev.1 - HP Virtualization Performance Viewer, Remote Unauthorized
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-31
Last Updated: 2015-08-31

Potential Security Impact: Remote unauthorized disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP Virtualization
Performance Viewer.

The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could
be exploited remotely to allow unauthorized disclosure of information.

References:

CVE-2015-2808 - "Bar Mitzvah"
SSRT102198

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Virtualization Performance Viewer v1.20, v2.0, v2.01, v2.10.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following mitigation information and software updates
available to resolve the vulnerability for the impacted versions of HP
Virtualization Performance Viewer.

Please consult HP Software Support Online (SSO):

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/KM01766980?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 31 August 2015 Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlXkeTgACgkQ4B86/C0qfVkAWwCg1LV9eYr19BYVPz3NKnX6heCb
LrEAoOMt2BvvInF2DaDuXhF4Xgmhrwsi
=1FfU
-----END PGP SIGNATURE-----
    

- Vulnerability information (F133391)

HP Security Bulletin HPSBMU03401 1 (PacketStormID:F133391)
2015-09-01 00:00:00
HP  hp.com
advisory,vulnerability
linux,unix
CVE-2015-2808,CVE-2015-4000

HP Security Bulletin HPSBMU03401 1 - Potential security vulnerabilities have been identified in HP Operations Manager for UNIX and Linux. The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04770140

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04770140
Version: 1

HPSBMU03401 rev.1 - HP Operations Manager for UNIX and Linux, Remote
Unauthorized Modification, Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-31
Last Updated: 2015-08-31

Potential Security Impact: Remote unauthorized modification, disclosure of
information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP Operations
Manager for UNIX and Linux.

The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman
key exchange known as "Logjam" could be exploited remotely to allow
unauthorized modification.
The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could
be exploited remotely to allow disclosure of information.

References:

CVE-2015-4000 - "Logjam"
CVE-2015-2808 - "Bar Mitzvah"
SSRT102212

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Manager for UNIX and Linux v9.10, v9.11, v9.20, and v9.21

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following update available for HP Operations Manager for UNIX
and Linux to resolve the vulnerabilities. Please consult HP Software Support
Online (SSO):

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/KM01777542?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 31 August 2015 Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlXkgh4ACgkQ4B86/C0qfVlElACg2UuzUcejFm4liH0prGLN/Brz
vpYAoPocUhPllOebDrd9kI09cRWfOdA3
=MPoU
-----END PGP SIGNATURE-----
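The Logjam item in the bulletin above describes the weakness as 512-bit export-grade keys in the Diffie-Hellman exchange. Whether a server is exposed is visible in its ServerKeyExchange: the length of the DH modulus it sends. The following is an added example, not HP code and not part of the bulletin: it walks a server's handshake flight as captured on the wire, reassembles handshake messages that span record boundaries, and reports the modulus size. It assumes a finite-field DHE suite was negotiated (the case Logjam concerns); the sample flights are constructed with numbers of the right size rather than real primes, since only the length is measured; dh_strength() and its 2048-bit default threshold are this example's own choices.

```python
import struct

SERVER_KEY_EXCHANGE = 0x0C   # HandshakeType server_key_exchange (RFC 5246 section 7.4)


def iter_handshake_messages(records):
    """Yield (handshake_type, body) from a byte string of consecutive TLS records.

    Handshake messages may span record boundaries, so the handshake-record payloads
    are concatenated before the messages are cut out of the stream.
    """
    stream, pos = b"", 0
    while pos + 5 <= len(records):
        rtype, rlen = records[pos], struct.unpack("!H", records[pos + 3:pos + 5])[0]
        if rtype == 0x16:                                    # ContentType handshake
            stream += records[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    off = 0
    while off + 4 <= len(stream):
        mtype, mlen = stream[off], int.from_bytes(stream[off + 1:off + 4], "big")
        yield mtype, stream[off + 4:off + 4 + mlen]
        off += 4 + mlen


def parse_dh_params(body):
    """Return (p, g, Ys) from a ServerKeyExchange body that starts with ServerDHParams (RFC 5246 7.4.3)."""
    values, off = [], 0
    for _ in range(3):                                       # dh_p, dh_g, dh_Ys: <2-byte length><value>
        n = struct.unpack("!H", body[off:off + 2])[0]
        values.append(int.from_bytes(body[off + 2:off + 2 + n], "big"))
        off += 2 + n
    return tuple(values)


def dh_strength(records, minimum_bits=2048):
    """Size of the DHE modulus in a server's flight, or None if no ServerKeyExchange is present."""
    for mtype, body in iter_handshake_messages(records):
        if mtype == SERVER_KEY_EXCHANGE:
            p, _g, _ys = parse_dh_params(body)
            bits = p.bit_length()
            return {"p_bits": bits, "export_grade": bits <= 512, "acceptable": bits >= minimum_bits}
    return None


def dhe_server_key_exchange(p, g, ys):
    """Build one handshake record holding an unsigned ServerKeyExchange (DH_anon layout).

    Used only to construct samples; a DHE_RSA server appends a signature after Ys, which
    parse_dh_params never reads because it stops after the third vector.
    """
    def vec(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    body = vec(p) + vec(g) + vec(ys)
    msg = bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg


# Constructed samples: numbers of the right size, not real DH primes, since only the length is measured.
SAMPLE_EXPORT_FLIGHT = dhe_server_key_exchange(p=(1 << 511) | 1, g=2, ys=12345)    # 512-bit modulus
SAMPLE_STRONG_FLIGHT = dhe_server_key_exchange(p=(1 << 2047) | 1, g=2, ys=12345)   # 2048-bit modulus
```

Feed dh_strength() the server's records from a capture (everything from the ServerHello record through ServerHelloDone). A 512-bit modulus is the export group the bulletin describes; anything under the chosen threshold should be treated as needing the update. For ECDHE suites the ServerKeyExchange carries ECParameters instead of ServerDHParams and this parser does not apply, so confirm the negotiated suite before reading the result.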
    

- Vulnerability information (F133366)

HP Security Bulletin HPSBGN03407 1 (PacketStormID:F133366)
2015-08-28 00:00:00
HP  hp.com
advisory,vulnerability
windows
CVE-2015-2808,CVE-2015-4000

HP Security Bulletin HPSBGN03407 1 - Potential security vulnerabilities have been identified in HP Operations Manager for Windows. The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04773119

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04773119
Version: 1

HPSBGN03407 rev.1 - HP Operations Manager for Windows, Remote Unauthorized
Modification, Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-27
Last Updated: 2015-08-27

Potential Security Impact: Remote unauthorized modification, disclosure of
information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP Operations
Manager for Windows.

The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman
key exchange known as "Logjam" could be exploited remotely to allow
unauthorized modification.
The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could
be exploited remotely to allow disclosure of information.

References:

CVE-2015-4000 - "Logjam"
CVE-2015-2808 - "Bar Mitzvah"
SSRT102197, SSRT102207

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Operations Manager for Windows v8.10, v8.16, and v9.0.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following mitigation information available for HP Operations
Manager for Windows to resolve the vulnerabilities. Please consult HP
Software Support Online (SSO):

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/KM01762684?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 27 August 2015 Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlXfeSIACgkQ4B86/C0qfVm7tgCbBNI/mrDMcqFUnpkGUtRSfNXT
PwMAoKRk+IV2Zr0lQtXX/sMFEP/Ahxub
=h157
-----END PGP SIGNATURE-----
    

- Vulnerability information (F133344)

HP Security Bulletin HPSBGN03402 2 (PacketStormID:F133344)
2015-08-27 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2015-2808,CVE-2015-4000

HP Security Bulletin HPSBGN03402 2 - Potential security vulnerabilities have been identified in HP Performance Manager. The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 2 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04772190

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04772190
Version: 2

HPSBGN03402 rev.2 - HP Performance Manager, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-26
Last Updated: 2015-08-26

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in HP Performance
Manager.

  - The TLS vulnerability using US export-grade 512-bit keys in
Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to
allow unauthorized modification.
  - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah"
could be exploited remotely to allow disclosure of information.

References:

CVE-2015-4000 - "Logjam"
CVE-2015-2808 - "Bar Mitzvah"
SSRT102204, SSRT102208

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Performance Manager v9.0x and v9.20.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following mitigation information and software updates
available to resolve the vulnerabilities for the impacted versions of HP
Performance Manager.

  Please consult HP Software Support Online (SSO):

    CVE-2015-4000 - "Logjam"

      https://softwaresupport.hp.com/group/softwaresupport/search-result/-/fa
cetsearch/document/KM01766982

    CVE-2015-2808 - "Bar Mitzvah"

      https://softwaresupport.hp.com/group/softwaresupport/search-result/-/fa
cetsearch/document/KM01766997?lang=en&cc=us&hpappid=113963_OSP_PRO_HPE

HISTORY
Version:1 (rev.1) - 26 August 2015 Initial release
Version:2 (rev.2) - 26 August 2015 Added missing CVSS entry for CVE-2015-4000


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlXeD7MACgkQ4B86/C0qfVnWNQCg/oJToFheNexuaTTitrXn/SIJ
ZvsAn3sYWpBLGlk18RxS67RICVZfckxK
=oc4Z
-----END PGP SIGNATURE-----
    

- Vulnerability information (F133836)

HP Security Bulletin HPSBST03418 2 (PacketStormID:F133836)
2015-10-05 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2014-3566,CVE-2015-2808

HP Security Bulletin HPSBST03418 2 - Potential security vulnerabilities have been identified with HP P6000 Command View Software. They are the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption", also known as "POODLE", and the RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah", which could be exploited remotely to allow disclosure of information. Revision 2 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04779034

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04779034
Version: 2

HPSBST03418 rev.2 - HP P6000 Command View Software, Remote Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-09-15
Last Updated: 2015-10-01

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP P6000
Command View Software. They are the SSLv3 vulnerability known as "Padding
Oracle on Downgraded Legacy Encryption", also known as "POODLE", and the RC4
stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah", which could be
exploited remotely to allow disclosure of information.

References:

CVE-2014-3566 - "POODLE"
CVE-2015-2808 - "Bar Mitzvah"
SSRT102013

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP P6000 Command View Software v10.3.6 and earlier running on Windows and
Linux

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2014-3566    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has released the following software update to resolve the vulnerabilities
in HP P6000 Command View Software.

HP P6000 Command View Software v10.3.7

The HP P6000 Command View 10.3.7 software can be obtained at the HP Support
Center here: http://h20565.www2.hpe.com/portal/site/hpsc by signing into your
HP Passport account.
Note: A valid HP Passport account is required to access this software. For
more information about downloading this software, contact your HP
representative.

HISTORY
Version:1 (rev.1) - 15 September 2015 Initial release
Version:2 (rev.2) - 1 October 2015 Added CVE-2015-2808, added documentation
on how to find the update.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEUEARECAAYFAlYNfCsACgkQ4B86/C0qfVlIFACUC3JvF9SqoRRsJNL3d5BV1bMU
hwCfa8BXAj7JIhryoGQ3TX+GHW2s2rU=
=wp8+
-----END PGP SIGNATURE-----
    

- Vulnerability information (F133990)

HP Security Bulletin HPSBUX03512 SSRT102254 1 (PacketStormID:F133990)
2015-10-16 00:00:00
HP  hp.com
advisory,web,denial of service,vulnerability
hpux
CVE-2013-5704,CVE-2014-0118,CVE-2014-0226,CVE-2014-0231,CVE-2015-2808,CVE-2015-3183,CVE-2015-4000

HP Security Bulletin HPSBUX03512 SSRT102254 1 - Potential security vulnerabilities have been identified with HP-UX Web Server Suite running Apache. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts, including: - The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow un
authorized modification. - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04832246

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04832246
Version: 1

HPSBUX03512 SSRT102254 rev.1 - HP-UX Web Server Suite running Apache, Remote
Denial of Service (DoS) and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-10-15
Last Updated: 2015-10-15

Potential Security Impact: Remote Denial of Service (DoS), access restriction
bypass, unauthorized modification, disclosure of information, local access
restriction bypass

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Web Server
Suite running Apache. These vulnerabilities could be exploited remotely to
create a Denial of Service (DoS) and other impacts including...

  - The TLS vulnerability using US export-grade 512-bit keys in
Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to
allow unauthorized modification.
  - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah"
could be exploited remotely to allow disclosure of information.

References:

CVE-2013-5704
CVE-2014-0118
CVE-2014-0226
CVE-2014-0231
CVE-2015-3183
CVE-2015-4000 - "Logjam"
CVE-2015-2808 - "Bar Mitzvah"
SSRT102254

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX Web Server Suite 2.2.15.21 Apache

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-5704    (AV:N/AC:L/Au:N/C:N/I:P/A:N)       5.0
CVE-2014-0118    (AV:N/AC:M/Au:N/C:N/I:N/A:P)       4.3
CVE-2014-0226    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2014-0231    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2015-3183    (AV:N/AC:L/Au:N/C:N/I:P/A:N)       5.0
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following software updates to resolve the vulnerabilities
with HP-UX Web Server Suite running Apache.

  The updates are available for download from http://software.hp.com

  NOTE: HP-UX Web Server Suite v3.31 HPUXWSATW331 contains the following
components:

    - Apache v2.2.15.23
    - Tomcat Servlet Engine 5.5.36.02
    - PHP 5.2.17.04

  HP-UX 11i Release
   Apache Depot name

  B.11.23 (11i v2 32-bit)
   HP_UX_11.23_HP_UX_11.23_HPUXWS22ATW-B331-11-23-32.depot

  B.11.23 (11i v2 64-bit)
   HP_UX_11.23_HP_UX_11.23_HPUXWS22ATW-B331-11-23-64.depot

MANUAL ACTIONS: Yes - Update
Download and install the software update

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.23
=============
hpuxws22APACHE32.APACHE
hpuxws22APACHE32.APACHE2
hpuxws22APACHE32.AUTH_LDAP
hpuxws22APACHE32.AUTH_LDAP2
hpuxws22APACHE32.MOD_JK
hpuxws22APACHE32.MOD_JK2
hpuxws22APACHE32.MOD_PERL
hpuxws22APACHE32.MOD_PERL2
hpuxws22APACHE32.PHP
hpuxws22APACHE32.PHP2
hpuxws22APACHE32.WEBPROXY
hpuxws22APACHE32.WEBPROXY2
hpuxws22APACHE.APACHE
hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY
hpuxws22APACHE.WEBPROXY2
action: install revision B.2.2.15.18 or subsequent

hpuxws22TOMCAT32.TOMCAT
hpuxws22TOMCAT.TOMCAT
action: install revision C.6.0.35.01 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 15 October 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iEYEARECAAYFAlYfx08ACgkQ4B86/C0qfVnAPgCcD1TArWUoxWzLfCuWwOFStft/
ykwAoLdFUZfsjmnzKg/Tg7sUg3pCdD0m
=ickD
-----END PGP SIGNATURE-----

- Vulnerability information (F135172)

HP Security Bulletin HPSBUX03435 SSRT102977 1 (PacketStormID:F135172)
2016-01-08 00:00:00
HP  hp.com
advisory,remote,web,denial of service,vulnerability
hpux
CVE-2015-2808,CVE-2015-3183,CVE-2015-4000

HP Security Bulletin HPSBUX03435 SSRT102977 1 - Potential security vulnerabilities have been identified with HP-UX Web Server Suite running Apache on HP-UX 11iv3. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts including: The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman key exchange known as "Logjam" could be exploited remotely to allow unauthorized modification. The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. Apache does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04926789
Version: 1

HPSBUX03435 SSRT102977 rev.1 - HP-UX Web Server Suite running Apache, Remote
Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-01-07
Last Updated: 2016-01-07

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Web Server
Suite running Apache on HP-UX 11iv3. These vulnerabilities could be exploited
remotely to create a Denial of Service (DoS) and other impacts including:

The TLS vulnerability using US export-grade 512-bit keys in Diffie-Hellman
key exchange known as "Logjam" could be exploited remotely to allow
unauthorized modification.
The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could
be exploited remotely to allow disclosure of information.
Apache does not properly parse chunk headers, which allows remote attackers
to conduct HTTP request smuggling attacks via a crafted request, related to
mishandling of large chunk-size values and invalid chunk-extension
characters.

References:

CVE-2015-4000
CVE-2015-2808
CVE-2015-3183
PSRT102977

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX Web Server Suite v4.05 HPUXWSATW405 httpd prior to 2.2.29.02

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2015-2808    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2015-3183    (AV:N/AC:L/Au:N/C:N/I:P/A:N)       5.0
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HPE has provided the following software updates to resolve the
vulnerabilities with HP-UX Web Server Suite running Apache.

The updates are available for download from the following location:

https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW406

Issues addressed:

CVE-2015-4000:

Export-grade ciphers are disabled by default.
A 1024-bit DH parameter is used by default.
Custom DHE or ECDHE parameters can be configured by appending the parameter
file to the certificate file given for the SSLCertificateFile directive.

CVE-2015-2808:

The RC4 cipher is disabled in the configuration file.
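The two changes listed above for the Apache component (dropping export-grade and RC4 cipher suites, and supplying custom DH parameters through the certificate file) are plain mod_ssl configuration, so they can be checked and applied on any httpd 2.2 instance. The following ssl.conf fragment is an added example, not the configuration shipped in HPUXWSATW406: the certificate paths and the 2048-bit parameter size are the example's own choices, and the commented-out line shows the sample cipher string from httpd 2.2's stock httpd-ssl.conf for contrast.

```apache
# Added example (not HPE's shipped configuration). Applies the two
# mitigations the bulletin names for CVE-2015-4000 and CVE-2015-2808.

# Weak: the httpd 2.2 sample configuration allowed export-grade (+EXP)
# and RC4 suites, which is what Logjam and Bar Mitzvah need.
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

# Hardened: exclude export-grade (!EXP), low-strength and RC4 suites,
# and let the server's preference order win the negotiation.
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXP:!LOW
SSLHonorCipherOrder on

# Custom DH parameters: mod_ssl reads DH parameters appended to the file
# named by SSLCertificateFile, as the bulletin describes. Generated once
# with "openssl dhparam -out dhparams.pem 2048" and appended with
# "cat dhparams.pem >> /opt/hpws22/apache/conf/ssl.crt/server.crt"
# (paths are placeholders for this example).
SSLCertificateFile    /opt/hpws22/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /opt/hpws22/apache/conf/ssl.key/server.key
```

After a restart, `SSLCipherSuite` can be sanity-checked offline with `openssl ciphers -v 'HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXP:!LOW'`, which lists exactly the suites the server will offer; no RC4 or EXP entries should appear in that list.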

Notes:

HP-UX Web Server Suite v4.06 HPUXWSATW406 contains the following components:

Apache B.2.2.29.02
Tomcat Servlet Engine C.6.0.43.01
PHP 5.4.40.1 (Part of Apache)
Webmin A.1.070.13

See HPE Security Bulletin HPSBUX03512 for information about the resolution
for the Apache web server on HP-UX 11iv2 at the following location:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04832246

MANUAL ACTIONS: Yes - Update
Download and install the software update

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HPE and lists recommended actions that may apply to a specific
HP-UX system. It can also download patches and create a depot automatically.
For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.31 IA/PA
===================

hpuxws22APACHE.APACHE
hpuxws22APACHE.AUTH_LDAP
hpuxws22APACHE.MOD_JK
hpuxws22APACHE.MOD_PERL
hpuxws22APACHE.PHP
hpuxws22APACHE.WEBPROXY
action: install revision B.2.2.29.02 or subsequent

hpuxws22TOMCAT.TOMCAT
action: install revision C.6.0.43.01 or subsequent

HP-UX B.11.31 PA
================

hpuxws22APACHE.APACHE2
hpuxws22APACHE.AUTH_LDAP2
hpuxws22APACHE.MOD_JK2
hpuxws22APACHE.MOD_PERL2
hpuxws22APACHE.PHP2
hpuxws22APACHE.WEBPROXY2
action: install revision B.2.2.29.02 or subsequent

HP-UX B.11.23 IA/PA
===================

hpuxws22WEBMIN.HPDOCS
hpuxws22WEBMIN.WEBMIN
action: install revision A.1.070.13 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 7 January 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP nor its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJWjuWVAAoJEGIGBBYqRO9/F8cIAKkmvi34c61+czIsxIndUDqf
KihRwazBnAHI5iSR7JZrGgUkO9AailGT/uoWwruQr1nyR5EMnitoqJz2ZEKgEkF0
auQ5Duw8s62OBd6eVy80MiqNgGISn8F58jAE/0ruP3ECsvhQVFMslJlBxTsZjs57
O4mg576Y1rw0lAVhC8aAPqHNGPlVdyHDdlluVL2WKfGhvl5nzeZAeWWzgkjQk2jp
ttbEnpzYwYugPOQjUpAl6RVp6nboUAd/3dt0h4KcabcaKsuC1cIeQ1o3FyDffdpi
f3cpCjRpx08Esx9iIVrHJiXFKlmHTAu+KeEAjorSZyHmnkSKwZAv4QoNToWGSGk=
=n0d0
-----END PGP SIGNATURE-----

- Vulnerability information (F137746)

HP Security Bulletin HPSBGN03627 1 (PacketStormID:F137746)
2016-07-01 00:00:00
HP  hp.com
advisory
CVE-2015-2808

HP Security Bulletin HPSBGN03627 1 - A potential security vulnerability has been identified with HPE Service Manager. This is the RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah", which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193347

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05193347
Version: 1

HPSBGN03627 rev.1 - HPE Service Manager using OpenSSL, Remote Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-07-01
Last Updated: 2016-07-01

Potential Security Impact: Remote Disclosure of Information

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HPE Service
Manager. This is the RC4 stream cipher vulnerability in SSL/TLS known as "Bar
Mitzvah", which could be exploited remotely to allow disclosure of information.

References:

CVE-2015-2808
PSRT110156

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager Software versions 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40

BACKGROUND

  CVSS Base Metrics
  =================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

    CVE-2015-2808
      5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
      4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    Information on CVSS is documented in
    HPE Customer Notice HPSN-2008-002 here:

      https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c01345499

RESOLUTION

HPE has made the following mitigation information available to resolve the
vulnerability for the impacted versions of HPE Service Manager:
https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM01566352

For versions 9.30, 9.31, 9.32, 9.33, 9.34 please:

Upgrade to SM 9.35.P4 (recommended) or SM 9.34.P5

SM9.35 P4 package, SM 9.35 AIX Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143332

SM 9.35 HP Itanium Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143206

SM 9.35 HP Itanium Server for Oracle 12c 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143388

SM 9.35 Linux Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143530

SM 9.35 Solaris Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143276

SM 9.35 Windows Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143589

SM 9.34.P5 package, AIX Server 9.34.5003 p5

https://softwaresupport.hpe.com/km/KM02310304

HP Itanium Server 9.34.5003 p5

https://softwaresupport.hpe.com/km/KM02311066

Linux Server 9.34.5003 p5

https://softwaresupport.hpe.com/km/KM02310566

Solaris Server 9.34.5003 p5

https://softwaresupport.hpe.com/km/KM02311656

Windows Server 9.34.5003 p5

https://softwaresupport.hpe.com/km/KM02310486

For version 9.35 please:

Upgrade to SM 9.35.P4

SM9.35 P4 package, SM 9.35 AIX Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143332

SM 9.35 HP Itanium Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143206

SM 9.35 HP Itanium Server for Oracle 12c 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143388

SM 9.35 Linux Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143530

SM 9.35 Solaris Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143276

SM 9.35 Windows Server 9.35.4001 p4

https://softwaresupport.hpe.com/km/KM02143589

For version 9.40 please:

Upgrade to SM 9.41.P3

SM9.41.P3 package, Service Manager 9.41.3016 p3 - Server for AIX

https://softwaresupport.hpe.com/km/KM02236813

Service Manager 9.41.3016 p3 - Server for HP-UX/IA

https://softwaresupport.hpe.com/km/KM02236897

Service Manager 9.41.3016 p3 - Server for Linux

https://softwaresupport.hpe.com/km/KM02236827

Service Manager 9.41.3016 p3 - Server for Solaris

https://softwaresupport.hpe.com/km/KM02236843

Service Manager 9.41.3016 p3 - Server for Windows

https://softwaresupport.hpe.com/km/KM02236929

HISTORY
Version:1 (rev.1) - 1 July 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP nor its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXdtmDAAoJEGIGBBYqRO9/APYIAJLJtaUC2DnGdKUVVwLeULjU
xc19Q1TC+hYbIZ3b7oE6CjXwxqJzaLD71j5Pn2W89tVdrl/PDhQvoGZtpN4wW0FM
Na4nMIrJaqIDmk+uHlb3AcR+BrEcwI9vd5HHe4XeNIFXBSAWV5Ql3rbZkY+HdcUu
rHon2T5JGIeZi3tOQxt/cEYl78nySGoihNMBnajTB1+h9dqq2Wf4WWGcvWTjgI6O
ZgJYSu6BQPk3y3TmIWNrU9H8vU6htib9Z6oVanqghkVSASXFquiT5dCwJoXpT6cd
PbvyZbs/KMMf2hvnjZ2kBOkXYR5dKQ4kxzNnKs89pvRIUeqPrWdWCIJdqGdrC9k=
=a4Vm
-----END PGP SIGNATURE-----

- Vulnerability information (F138866)

HP Security Bulletin HPSBHF03654 1 (PacketStormID:F138866)
2016-09-27 00:00:00
HP  hp.com
advisory,vulnerability
CVE-2004-2761,CVE-2013-2566,CVE-2015-2808

HP Security Bulletin HPSBHF03654 1 - Potential security vulnerabilities have been identified with HPE iMC PLAT network products using SSL/TLS. These vulnerabilities could be exploited remotely resulting in disclosure of information and other impacts. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05289935

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05289935
Version: 1

HPSBHF03654 rev.1 - HPE iMC PLAT Network Products using SSL/TLS, Multiple
Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-09-26
Last Updated: 2016-09-26

Potential Security Impact: Multiple Remote Vulnerabilities

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE iMC PLAT
network products using SSL/TLS. These vulnerabilities could be exploited
remotely resulting in disclosure of information and other impacts including:

  - The MD5 Message-Digest Algorithm is not collision resistant, which makes
it easier for context-dependent attackers to conduct spoofing attacks, as
demonstrated by attacks on the use of MD5 in the signature algorithm of an
X.509 certificate.
  - The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many
single-byte biases, which makes it easier for remote attackers to conduct
plaintext-recovery attacks via statistical analysis of ciphertext in a large
number of sessions that use the same plaintext.
  - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah"
could be exploited remotely to allow disclosure of information.

References:

  - CVE-2004-2761 - SSL/TLS MD5 Algorithm is not collision resistant
  - CVE-2013-2566 - SSL/TLS RC4 algorithm vulnerability
  - CVE-2015-2808 - SSL/TLS RC4 stream vulnerability known as "Bar Mitzvah"
  - PSRT110210

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
  - HPE iMC PLAT - Please refer to the RESOLUTION below for a list of impacted
products. All product versions are impacted prior to the fixed version listed.

BACKGROUND

  CVSS Base Metrics
  =================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

    CVE-2004-2761
      5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
      5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    CVE-2013-2566
      5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
      4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    CVE-2015-2808
      5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
      4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    Information on CVSS is documented in
    HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION
HPE has made the following software available to resolve the vulnerabilities
in the iMC PLAT network products listed.

  + **iMC PLAT - Version: IMC PLAT 7.2, E0403P10**

      - JD125A  HP IMC Std S/W Platform w/100-node
      - JD126A  HP IMC Ent S/W Platform w/100-node
      - JD808A  HP IMC Ent Platform w/100-node License
      - JD814A   HP A-IMC Enterprise Edition Software DVD Media
      - JD815A  HP IMC Std Platform w/100-node License
      - JD816A  HP A-IMC Standard Edition Software DVD Media
      - JF288AAE  HP Network Director to Intelligent Management Center
Upgrade E-LTU
      - JF289AAE  HP Enterprise Management System to Intelligent Management
Center Upgrade E-LTU
      - JF377A  HP IMC Std S/W Platform w/100-node Lic
      - JF377AAE  HP IMC Std S/W Pltfrm w/100-node E-LTU
      - JF378A  HP IMC Ent S/W Platform w/200-node Lic
      - JF378AAE  HP IMC Ent S/W Pltfrm w/200-node E-LTU
      - JG546AAE  HP IMC Basic SW Platform w/50-node E-LTU
      - JG548AAE  HP PCM+ to IMC Bsc Upgr w/50-node E-LTU
      - JG549AAE  HP PCM+ to IMC Std Upgr w/200-node E-LTU
      - JG747AAE  HP IMC Std SW Plat w/ 50 Nodes E-LTU
      - JG748AAE  HP IMC Ent SW Plat w/ 50 Nodes E-LTU
      - JG550AAE HPE PCM+ Mobility Manager to IMC Basic WLAN Platform Upgrade
50-node and 150-AP E-LTU
      - JG590AAE HPE IMC Basic WLAN Manager Software Platform 50 Access Point
E-LTU
      - JG660AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance
Edition E-LTU
      - JG766AAE HP IMC Smart Connect Virtual Appliance Edition E-LTU
      - JG767AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance
Edition E-LTU
      - JG768AAE HPE PCM+ to IMC Standard Software Platform Upgrade with
200-node E-LTU

**Note:** Please contact HPE Technical Support if any assistance is needed
acquiring the software updates.

HISTORY
Version:1 (rev.1) - 26 September 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP nor its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJX6Y+0AAoJEGIGBBYqRO9/dA8IAKidS/RY8sNSoWI47dDiKZAb
GprSFEHJ9iAPoWjomMK6244VcLcz3UQUfyrlI9fNZDJSZbnsUrXlJEhpy69kPDQL
GpxzIonv3O/aji6sV5DYOLSm7YUQcL7ioNI3IzNKM88BicAvAhHKn7ukQ+cfS1bx
ij2Njird7EWOWVO9BiugDr3g9+9DLhC/ohNzxKoHZP2vOpXY009K9EIG4PLSyF35
R+Rqz67MkWPx4LdNTvhrE68UMIUtRiEQulvJ5DDT6lREEmfYXoMwcbIxeY3pX6Nf
NM7AqsSJgOlOHqelc49CQbGF6XpZs1TIOq4SnZsug4nLRlN/QjtheRrA8ds0C2I=
=ZppV
-----END PGP SIGNATURE-----

- Vulnerability information (F139894)

HP Security Bulletin HPSBHF03673 1 (PacketStormID:F139894)
2016-11-24 00:00:00
HP  hp.com
advisory,spoof,vulnerability
CVE-2004-2761,CVE-2013-2566,CVE-2015-2808

HP Security Bulletin HPSBHF03673 1 - Security vulnerabilities in MD5 message digest algorithm and RC4 ciphersuite could potentially impact HPE Comware 5 and Comware 7 network products using SSL/TLS. These vulnerabilities could be exploited remotely to conduct spoofing attacks and plaintext recovery attacks resulting in disclosure of information. Revision 1 of this advisory.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05336888

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05336888
Version: 1

HPSBHF03673 rev.1 - HPE Comware 5 and Comware 7 Network Products using
SSL/TLS, Multiple Remote Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-11-18
Last Updated: 2016-11-18

Potential Security Impact: Remote: Multiple Vulnerabilities

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Security vulnerabilities in MD5 message digest algorithm and RC4 ciphersuite
could potentially impact HPE Comware 5 and Comware 7 network products using
SSL/TLS. These vulnerabilities could be exploited remotely to conduct
spoofing attacks and plaintext recovery attacks resulting in disclosure of
information.

References:

  - CVE-2004-2761 - MD5 Hash Collision Vulnerability
  - CVE-2013-2566 - SSL/TLS RC4 algorithm vulnerability
  - CVE-2015-2808 - SSL/TLS RC4 stream vulnerability known as "Bar Mitzvah"

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - Comware 5 (CW5) Products All versions
  - Comware 7 (CW7) Products All versions

BACKGROUND

  CVSS Base Metrics
  =================
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

    CVE-2004-2761
      5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
      5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    CVE-2013-2566
      5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
      4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    CVE-2015-2808
      5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
      4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    Information on CVSS is documented in
    HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has released the following mitigation information to resolve the
vulnerabilities in HPE Comware 5 and Comware 7 network products.

  *Note:* Please contact HPE Technical Support for any assistance configuring
the recommended settings.

**Mitigation for the hash collision vulnerability in the MD5 Algorithm:**

  + For Comware V7, this issue only exists when the key-type is RSA and the
public key length is less than 1024 bits.
    Since the default length of the RSA key is 1024 bits, the length should
only need to be set manually if it has been changed.
    
      Example command to set the RSA key length to 1024 bits:
      
          public-key rsa general name xxx length 1024
    
  + For Comware V5, this issue only exists when the key-type is RSA.
    HPE recommends using DSA and ECDSA keys and not an RSA key.

**Mitigation for the RC4 vulnerabilities:**
  
  HPE recommends disabling RC2 and RC4 ciphers.
  
  + For Comware V7, remove the RC2/RC4 ciphers:
        
    - exp_rsa_rc2_md5
    - exp_rsa_rc4_md5
    - rsa_rc4_128_md5
    - rsa_rc4_128_sha

          Example using the *ssl server-policy anamea ciphersuite* command to
omit the RC2/RC4 ciphers:
        
            ssl server-policy anamea ciphersuite { dhe_rsa_aes_128_cbc_sha |
dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha }

          Example using the *ssl client-policy anamea prefer-cipher* command
to omit the RC2/RC4 ciphers:  

            ssl client-policy anamea prefer-cipher { dhe_rsa_aes_128_cbc_sha
| dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha }


  + For Comware V5, remove the following RC4 ciphers:
        
    - rsa_rc4_128_md5
    - rsa_rc4_128_sha

          Example using the *ssl server-policy anamea ciphersuite* command to
omit the RC4 ciphers:
        
            ssl server-policy anamea ciphersuite { rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha }

          Example using the *ssl client-policy anamea prefer-cipher* command
to omit the RC4 ciphers:  

            ssl client-policy anamea prefer-cipher { rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha }


**COMWARE 5 Products**

  + **HSR6602 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC176A HP 6602 Router Chassis
      - JG353A HP HSR6602-G Router
      - JG354A HP HSR6602-XG Router
      - JG355A HP 6600 MCP-X1 Router Main Processing Unit
      - JG356A HP 6600 MCP-X2 Router Main Processing Unit
      - JG776A HP HSR6602-G TAA-compliant Router
      - JG777A HP HSR6602-XG TAA-compliant Router
      - JG778A HP 6600 MCP-X2 Router TAA-compliant Main Processing Unit
  + **HSR6800 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG361A HP HSR6802 Router Chassis
      - JG361B HP HSR6802 Router Chassis
      - JG362A HP HSR6804 Router Chassis
      - JG362B HP HSR6804 Router Chassis
      - JG363A HP HSR6808 Router Chassis
      - JG363B HP HSR6808 Router Chassis
      - JG364A HP HSR6800 RSE-X2 Router Main Processing Unit
      - JG779A HP HSR6800 RSE-X2 Router TAA-compliant Main Processing Unit
  + **MSR20 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD432A HP A-MSR20-21 Router
      - JD662A HP MSR20-20 Router
      - JD663A HP A-MSR20-21 Router
      - JD663B HP MSR20-21 Router
      - JD664A HP MSR20-40 Router
      - JF228A HP MSR20-40 Router
      - JF283A HP MSR20-20 Router
  + **MSR20-1X  (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD431A HP MSR20-10 Router
      - JD667A HP MSR20-15 IW Multi-Service Router
      - JD668A HP MSR20-13 Multi-Service Router
      - JD669A HP MSR20-13 W Multi-Service Router
      - JD670A HP MSR20-15 A Multi-Service Router
      - JD671A HP MSR20-15 AW Multi-Service Router
      - JD672A HP MSR20-15 I Multi-Service Router
      - JD673A HP MSR20-11 Multi-Service Router
      - JD674A HP MSR20-12 Multi-Service Router
      - JD675A HP MSR20-12 W Multi-Service Router
      - JD676A HP MSR20-12 T1 Multi-Service Router
      - JF236A HP MSR20-15-I Router
      - JF237A HP MSR20-15-A Router
      - JF238A HP MSR20-15-I-W Router
      - JF239A HP MSR20-11 Router
      - JF240A HP MSR20-13 Router
      - JF241A HP MSR20-12 Router
      - JF806A HP MSR20-12-T Router
      - JF807A HP MSR20-12-W Router
      - JF808A HP MSR20-13-W Router
      - JF809A HP MSR20-15-A-W Router
      - JF817A HP MSR20-15 Router
      - JG209A HP MSR20-12-T-W Router (NA)
      - JG210A HP MSR20-13-W Router (NA)
  + **MSR 30 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD654A HP MSR30-60 POE Multi-Service Router
      - JD657A HP MSR30-40 Multi-Service Router
      - JD658A HP MSR30-60 Multi-Service Router
      - JD660A HP MSR30-20 POE Multi-Service Router
      - JD661A HP MSR30-40 POE Multi-Service Router
      - JD666A HP MSR30-20 Multi-Service Router
      - JF229A HP MSR30-40 Router
      - JF230A HP MSR30-60 Router
      - JF232A HP RTMSR3040-AC-OVSAS-H3
      - JF235A HP MSR30-20 DC Router
      - JF284A HP MSR30-20 Router
      - JF287A HP MSR30-40 DC Router
      - JF801A HP MSR30-60 DC Router
      - JF802A HP MSR30-20 PoE Router
      - JF803A HP MSR30-40 PoE Router
      - JF804A HP MSR30-60 PoE Router
      - JG728A HP MSR30-20 TAA-compliant DC Router
      - JG729A HP MSR30-20 TAA-compliant Router
  + **MSR 30-16 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD659A HP MSR30-16 POE Multi-Service Router
      - JD665A HP MSR30-16 Multi-Service Router
      - JF233A HP MSR30-16 Router
      - JF234A HP MSR30-16 PoE Router
  + **MSR 30-1X (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JF800A HP MSR30-11 Router
      - JF816A HP MSR30-10 2 FE /2 SIC /1 MIM MS Rtr
      - JG182A HP MSR30-11E Router
      - JG183A HP MSR30-11F Router
      - JG184A HP MSR30-10 DC Router
  + **MSR 50 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD433A HP MSR50-40 Router
      - JD653A HP MSR50 Processor Module
      - JD655A HP MSR50-40 Multi-Service Router
      - JD656A HP MSR50-60 Multi-Service Router
      - JF231A HP MSR50-60 Router
      - JF285A HP MSR50-40 DC Router
      - JF640A HP MSR50-60 Rtr Chassis w DC PwrSupply
  + **MSR 50-G2 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD429A HP MSR50 G2 Processor Module
      - JD429B HP MSR50 G2 Processor Module
  + **MSR 9XX (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JF812A HP MSR900 Router
      - JF813A HP MSR920 Router
      - JF814A HP MSR900-W Router
      - JF815A HP MSR920 2FEWAN/8FELAN/.11 b/g Rtr
      - JG207A HP MSR900-W Router (NA)
      - JG208A HP MSR920-W Router (NA)
  + **MSR 93X (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG511A HP MSR930 Router
      - JG511B HP MSR930 Router
      - JG512A HP MSR930 Wireless Router
      - JG513A HP MSR930 3G Router
      - JG513B HP MSR930 3G Router
      - JG514A HP MSR931 Router
      - JG514B HP MSR931 Router
      - JG515A HP MSR931 3G Router
      - JG516A HP MSR933 Router
      - JG517A HP MSR933 3G Router
      - JG518A HP MSR935 Router
      - JG518B HP MSR935 Router
      - JG519A HP MSR935 Wireless Router
      - JG520A HP MSR935 3G Router
      - JG531A HP MSR931 Dual 3G Router
      - JG531B HP MSR931 Dual 3G Router
      - JG596A HP MSR930 4G LTE/3G CDMA Router
      - JG597A HP MSR936 Wireless Router
      - JG665A HP MSR930 4G LTE/3G WCDMA Global Router
      - JG704A HP MSR930 4G LTE/3G WCDMA ATT Router
      - JH009A HP MSR931 Serial (TI) Router
      - JH010A HP MSR933 G.SHDSL (TI) Router
      - JH011A HP MSR935 ADSL2+ (TI) Router
      - JH012A HP MSR930 Wireless 802.11n (NA) Router
      - JH012B HP MSR930 Wireless 802.11n (NA) Router
      - JH013A HP MSR935 Wireless 802.11n (NA) Router
  + **MSR1000 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG732A HP MSR1003-8 AC Router
  + **12500 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC072B HP 12500 Main Processing Unit
      - JC085A HP A12518 Switch Chassis
      - JC086A HP A12508 Switch Chassis
      - JC652A HP 12508 DC Switch Chassis
      - JC653A HP 12518 DC Switch Chassis
      - JC654A HP 12504 AC Switch Chassis
      - JC655A HP 12504 DC Switch Chassis
      - JC808A HP 12500 TAA Main Processing Unit
      - JF430A HP A12518 Switch Chassis
      - JF430B HP 12518 Switch Chassis
      - JF430C HP 12518 AC Switch Chassis
      - JF431A HP A12508 Switch Chassis
      - JF431B HP 12508 Switch Chassis
      - JF431C HP 12508 AC Switch Chassis
  + **9500E (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC124A HP A9508 Switch Chassis
      - JC124B HP 9505 Switch Chassis
      - JC125A HP A9512 Switch Chassis
      - JC125B HP 9512 Switch Chassis
      - JC474A HP A9508-V Switch Chassis
      - JC474B HP 9508-V Switch Chassis
  + **10500 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC611A HP 10508-V Switch Chassis
      - JC612A HP 10508 Switch Chassis
      - JC613A HP 10504 Switch Chassis
      - JC614A HP 10500 Main Processing Unit
      - JC748A HP 10512 Switch Chassis
      - JG375A HP 10500 TAA-compliant Main Processing Unit
      - JG820A HP 10504 TAA-compliant Switch Chassis
      - JG821A HP 10508 TAA-compliant Switch Chassis
      - JG822A HP 10508-V TAA-compliant Switch Chassis
      - JG823A HP 10512 TAA-compliant Switch Chassis
  + **7500 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC666A HP 7503-S 144Gbps Fabric/MPU with PoE Upgradable 20-port Gig-T/4-port GbE Combo
      - JC697A HP 7502 TAA-compliant Main Processing Unit
      - JC698A HP 7503-S 144Gbps TAA Fabric / MPU with 16 GbE SFP Ports and 8 GbE Combo Ports
      - JC699A HP 7500 384Gbps TAA-compliant Fabric / MPU with 2 10GbE XFP Ports
      - JC700A HP 7500 384Gbps TAA-compliant Fabric / Main Processing Unit
      - JC701A HP 7500 768Gbps TAA-compliant Fabric / Main Processing Unit
      - JD193A HP 7500 384Gbps Fabric Module with 2 XFP Ports
      - JD193B HP 7500 384Gbps Fabric Module with 2 XFP Ports
      - JD194A HP 7500 384Gbps Fabric Module
      - JD194B HP 7500 384Gbps Fabric Module
      - JD195A HP 7500 384Gbps Advanced Fabric Module
      - JD196A HP 7502 Fabric Module
      - JD220A HP 7500 768Gbps Fabric Module
      - JD224A HP 7500 384Gbps Fabric Module with 12 SFP Ports
      - JD238A HP 7510 Switch Chassis
      - JD238B HP 7510 Switch Chassis
      - JD239A HP 7506 Switch Chassis
      - JD239B HP 7506 Switch Chassis
      - JD240A HP 7503 Switch Chassis
      - JD240B HP 7503 Switch Chassis
      - JD241A HP 7506-V Switch Chassis
      - JD241B HP 7506-V Switch Chassis
      - JD242A HP 7502 Switch Chassis
      - JD242B HP 7502 Switch Chassis
      - JD243A HP 7503-S Switch Chassis with 1 Fabric Slot
      - JD243B HP 7503-S Switch Chassis with 1 Fabric Slot
      - JE164A HP E7902 Switch Chassis
      - JE165A HP E7903 Switch Chassis
      - JE166A HP E7903 1 Fabric Slot Switch Chassis
      - JE167A HP E7906 Switch Chassis
      - JE168A HP E7906 Vertical Switch Chassis
      - JE169A HP E7910 Switch Chassis
  + **6125G/XG Blade Switch - Version: See Mitigation**
    * HP Network Products
      - 737220-B21 HP 6125G Blade Switch with TAA
      - 737226-B21 HP 6125G/XG Blade Switch with TAA
      - 658250-B21 HP 6125G/XG Blade Switch Opt Kit
      - 658247-B21 HP 6125G Blade Switch Opt Kit
  + **5830 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC691A HP 5830AF-48G Switch with 1 Interface Slot
      - JC694A HP 5830AF-96G Switch
      - JG316A HP 5830AF-48G TAA-compliant Switch w/1 Interface Slot
      - JG374A HP 5830AF-96G TAA-compliant Switch
  + **5800 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC099A HP 5800-24G-PoE Switch
      - JC099B HP 5800-24G-PoE+ Switch
      - JC100A HP 5800-24G Switch
      - JC100B HP 5800-24G Switch
      - JC101A HP 5800-48G Switch with 2 Slots
      - JC101B HP 5800-48G-PoE+ Switch with 2 Interface Slots
      - JC103A HP 5800-24G-SFP Switch
      - JC103B HP 5800-24G-SFP Switch with 1 Interface Slot
      - JC104A HP 5800-48G-PoE Switch
      - JC104B HP 5800-48G-PoE+ Switch with 1 Interface Slot
      - JC105A HP 5800-48G Switch
      - JC105B HP 5800-48G Switch with 1 Interface Slot
      - JG254A HP 5800-24G-PoE+ TAA-compliant Switch
      - JG254B HP 5800-24G-PoE+ TAA-compliant Switch
      - JG255A HP 5800-24G TAA-compliant Switch
      - JG255B HP 5800-24G TAA-compliant Switch
      - JG256A HP 5800-24G-SFP TAA-compliant Switch with 1 Interface Slot
      - JG256B HP 5800-24G-SFP TAA-compliant Switch with 1 Interface Slot
      - JG257A HP 5800-48G-PoE+ TAA-compliant Switch with 1 Interface Slot
      - JG257B HP 5800-48G-PoE+ TAA-compliant Switch with 1 Interface Slot
      - JG258A HP 5800-48G TAA-compliant Switch with 1 Interface Slot
      - JG258B HP 5800-48G TAA-compliant Switch with 1 Interface Slot
      - JG225A HP 5800AF-48G Switch
      - JG225B HP 5800AF-48G Switch
      - JG242A HP 5800-48G-PoE+ TAA-compliant Switch with 2 Interface Slots
      - JG242B HP 5800-48G-PoE+ TAA-compliant Switch with 2 Interface
      - JG243A HP 5820-24XG-SFP+ TAA-compliant Switch
      - JG243B HP 5820-24XG-SFP+ TAA-compliant Switch
      - JG259A HP 5820X-14XG-SFP+ TAA-compliant Switch with 2 Interface Slots & 1 OAA Slot
      - JG259B HP 5820-14XG-SFP+ TAA-compliant Switch with 2 Interface Slots and 1 OAA Slot
      - JC106A HP 5820-14XG-SFP+ Switch with 2 Slots
      - JC106B HP 5820-14XG-SFP+ Switch with 2 Interface Slots & 1 OAA Slot
      - JG219A HP 5820AF-24XG Switch
      - JG219B HP 5820AF-24XG Switch
      - JC102A HP 5820-24XG-SFP+ Switch
      - JC102B HP 5820-24XG-SFP+ Switch
  + **5500 HI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG311A HP 5500-24G-4SFP HI Switch with 2 Interface Slots
      - JG312A HP 5500-48G-4SFP HI Switch with 2 Interface Slots
      - JG541A HP 5500-24G-PoE+-4SFP HI Switch with 2 Interface Slots
      - JG542A HP 5500-48G-PoE+-4SFP HI Switch with 2 Interface Slots
      - JG543A HP 5500-24G-SFP HI Switch with 2 Interface Slots
      - JG679A HP 5500-24G-PoE+-4SFP HI TAA-compliant Switch with 2 Interface Slots
      - JG680A HP 5500-48G-PoE+-4SFP HI TAA-compliant Switch with 2 Interface Slots
      - JG681A HP 5500-24G-SFP HI TAA-compliant Switch with 2 Interface Slots
  + **5500 EI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD373A HP 5500-24G DC EI Switch
      - JD374A HP 5500-24G-SFP EI Switch
      - JD375A HP 5500-48G EI Switch
      - JD376A HP 5500-48G-PoE EI Switch
      - JD377A HP 5500-24G EI Switch
      - JD378A HP 5500-24G-PoE EI Switch
      - JD379A HP 5500-24G-SFP DC EI Switch
      - JG240A HP 5500-48G-PoE+ EI Switch with 2 Interface Slots
      - JG241A HP 5500-24G-PoE+ EI Switch with 2 Interface Slots
      - JG249A HP 5500-24G-SFP EI TAA-compliant Switch with 2 Interface
      - JG250A HP 5500-24G EI TAA-compliant Switch with 2 Interface Slots
      - JG251A HP 5500-48G EI TAA-compliant Switch with 2 Interface Slots
      - JG252A HP 5500-24G-PoE+ EI TAA-compliant Switch with 2 Interface Slots
      - JG253A HP 5500-48G-PoE+ EI TAA-compliant Switch with 2 Interface Slots
  + **4800G (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD007A HP 4800-24G Switch
      - JD008A HP 4800-24G-PoE Switch
      - JD009A HP 4800-24G-SFP Switch
      - JD010A HP 4800-48G Switch
      - JD011A HP 4800-48G-PoE Switch
  + **5500SI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD369A HP 5500-24G SI Switch
      - JD370A HP 5500-48G SI Switch
      - JD371A HP 5500-24G-PoE SI Switch
      - JD372A HP 5500-48G-PoE SI Switch
      - JG238A HP 5500-24G-PoE+ SI Switch with 2 Interface Slots
      - JG239A HP 5500-48G-PoE+ SI Switch with 2 Interface Slots
  + **4500G (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JF428A HP 4510-48G Switch
      - JF847A HP 4510-24G Switch
  + **5120 EI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JE066A HP 5120-24G EI Switch
      - JE067A HP 5120-48G EI Switch
      - JE068A HP 5120-24G EI Switch with 2 Interface Slots
      - JE069A HP 5120-48G EI Switch with 2 Interface Slots
      - JE070A HP 5120-24G-PoE EI 2-slot Switch
      - JE071A HP 5120-48G-PoE EI 2-slot Switch
      - JG236A HP 5120-24G-PoE+ EI Switch with 2 Interface Slots
      - JG237A HP 5120-48G-PoE+ EI Switch with 2 Interface Slots
      - JG245A HP 5120-24G EI TAA-compliant Switch with 2 Interface Slots
      - JG246A HP 5120-48G EI TAA-compliant Switch with 2 Interface Slots
      - JG247A HP 5120-24G-PoE+ EI TAA-compliant Switch with 2 Slots
      - JG248A HP 5120-48G-PoE+ EI TAA-compliant Switch with 2 Slots
  + **4210G (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JF844A HP 4210-24G Switch
      - JF845A HP 4210-48G Switch
      - JF846A HP 4210-24G-PoE Switch
  + **5120 SI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JE072A HP 5120-48G SI Switch
      - JE072B HPE 5120 48G SI Switch
      - JE073A HP 5120-16G SI Switch
      - JE073B HPE 5120 16G SI Switch
      - JE074A HP 5120-24G SI Switch
      - JE074B HPE 5120 24G SI Switch
      - JG091A HP 5120-24G-PoE+ (370W) SI Switch
      - JG091B HPE 5120 24G PoE+ (370W) SI Switch
      - JG092A HP 5120-24G-PoE+ (170W) SI Switch
      - JG309B HPE 5120 8G PoE+ (180W) SI Switch
      - JG310B HPE 5120 8G PoE+ (65W) SI Switch
  + **3610 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD335A HP 3610-48 Switch
      - JD336A HP 3610-24-4G-SFP Switch
      - JD337A HP 3610-24-2G-2G-SFP Switch
      - JD338A HP 3610-24-SFP Switch
  + **3600V2 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG299A HP 3600-24 v2 EI Switch
      - JG299B HP 3600-24 v2 EI Switch
      - JG300A HP 3600-48 v2 EI Switch
      - JG300B HP 3600-48 v2 EI Switch
      - JG301A HP 3600-24-PoE+ v2 EI Switch
      - JG301B HP 3600-24-PoE+ v2 EI Switch
      - JG301C HP 3600-24-PoE+ v2 EI Switch
      - JG302A HP 3600-48-PoE+ v2 EI Switch
      - JG302B HP 3600-48-PoE+ v2 EI Switch
      - JG302C HP 3600-48-PoE+ v2 EI Switch
      - JG303A HP 3600-24-SFP v2 EI Switch
      - JG303B HP 3600-24-SFP v2 EI Switch
      - JG304A HP 3600-24 v2 SI Switch
      - JG304B HP 3600-24 v2 SI Switch
      - JG305A HP 3600-48 v2 SI Switch
      - JG305B HP 3600-48 v2 SI Switch
      - JG306A HP 3600-24-PoE+ v2 SI Switch
      - JG306B HP 3600-24-PoE+ v2 SI Switch
      - JG306C HP 3600-24-PoE+ v2 SI Switch
      - JG307A HP 3600-48-PoE+ v2 SI Switch
      - JG307B HP 3600-48-PoE+ v2 SI Switch
      - JG307C HP 3600-48-PoE+ v2 SI Switch
  + **3100V2-48 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG315A HP 3100-48 v2 Switch
      - JG315B HP 3100-48 v2 Switch
  + **HP870 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG723A HP 870 Unified Wired-WLAN Appliance
      - JG725A HP 870 Unified Wired-WLAN TAA-compliant Appliance
  + **HP850 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG722A HP 850 Unified Wired-WLAN Appliance
      - JG724A HP 850 Unified Wired-WLAN TAA-compliant Appliance
  + **HP830 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG640A HP 830 24-Port PoE+ Unified Wired-WLAN Switch
      - JG641A HP 830 8-port PoE+ Unified Wired-WLAN Switch
      - JG646A HP 830 24-Port PoE+ Unified Wired-WLAN TAA-compliant Switch
      - JG647A HP 830 8-Port PoE+ Unified Wired-WLAN TAA-compliant
  + **HP6000 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG639A HP 10500/7500 20G Unified Wired-WLAN Module
      - JG645A HP 10500/7500 20G Unified Wired-WLAN TAA-compliant Module
  + **WX5004-EI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD447B HP WX5002 Access Controller
      - JD448A HP WX5004 Access Controller
      - JD448B HP WX5004 Access Controller
      - JD469A HP WX5004 Access Controller
  + **SecBlade FW (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JC635A HP 12500 VPN Firewall Module
      - JD245A HP 9500 VPN Firewall Module
      - JD249A HP 10500/7500 Advanced VPN Firewall Module
      - JD250A HP 6600 Firewall Processing Router Module
      - JD251A HP 8800 Firewall Processing Module
      - JD255A HP 5820 VPN Firewall Module
  + **F1000-E (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD272A HP F1000-E VPN Firewall Appliance
  + **F1000-A-EI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG214A HP F1000-A-EI VPN Firewall Appliance
  + **F1000-S-EI (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG213A HP F1000-S-EI VPN Firewall Appliance
  + **F5000-A (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD259A HP A5000-A5 VPN Firewall Chassis
      - JG215A HP F5000 Firewall Main Processing Unit
      - JG216A HP F5000 Firewall Standalone Chassis
  + **U200S and CS (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD273A HP U200-S UTM Appliance
  + **U200A and M (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JD275A HP U200-A UTM Appliance
  + **F5000-C/S (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG650A HP F5000-C VPN Firewall Appliance
      - JG370A HP F5000-S VPN Firewall Appliance
  + **SecBlade III (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG371A HP 12500 20Gbps VPN Firewall Module
      - JG372A HP 10500/11900/7500 20Gbps VPN Firewall Module
  + **6600 RSE RU (Comware 5 Low Encryption SW) - Version: See Mitigation**
    * HP Network Products
      - JC177A HP 6608 Router
      - JC177B HP 6608 Router Chassis
      - JC178A HP 6604 Router Chassis
      - JC178B HP 6604 Router Chassis
      - JC496A HP 6616 Router Chassis
      - JC566A HP 6600 RSE-X1 Router Main Processing Unit
      - JG780A HP 6600 RSE-X1 TAA-compliant Main Processing Unit
  + **6600 RPE RU (Comware 5 Low Encryption SW) - Version: See Mitigation**
    * HP Network Products
      - JC165A HP 6600 RPE-X1 Router Module
      - JG781A HP 6600 RPE-X1 TAA-compliant Main Processing Unit
  + **6602 RU (Comware 5 Low Encryption SW) - Version: See Mitigation**
    * HP Network Products
      - JC176A HP 6602 Router Chassis
  + **HSR6602 RU (Comware 5 Low Encryption SW) - Version: See Mitigation**
    * HP Network Products
      - JC177A HP 6608 Router
      - JC177B HP 6608 Router Chassis
      - JC178A HP 6604 Router Chassis
      - JC178B HP 6604 Router Chassis
      - JC496A HP 6616 Router Chassis
      - JG353A HP HSR6602-G Router
      - JG354A HP HSR6602-XG Router
      - JG355A HP 6600 MCP-X1 Router Main Processing Unit
      - JG356A HP 6600 MCP-X2 Router Main Processing Unit
      - JG776A HP HSR6602-G TAA-compliant Router
      - JG777A HP HSR6602-XG TAA-compliant Router
      - JG778A HP 6600 MCP-X2 Router TAA-compliant Main Processing Unit
  + **HSR6800 RU (Comware 5 Low Encryption SW) - Version: See Mitigation**
    * HP Network Products
      - JG361A HP HSR6802 Router Chassis
      - JG361B HP HSR6802 Router Chassis
      - JG362A HP HSR6804 Router Chassis
      - JG362B HP HSR6804 Router Chassis
      - JG363A HP HSR6808 Router Chassis
      - JG363B HP HSR6808 Router Chassis
      - JG364A HP HSR6800 RSE-X2 Router Main Processing Unit
      - JG779A HP HSR6800 RSE-X2 Router TAA-compliant Main Processing Unit
  + **SMB1910 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG540A HP 1910-48 Switch
      - JG539A HP 1910-24-PoE+ Switch
      - JG538A HP 1910-24 Switch
      - JG537A HP 1910-8-PoE+ Switch
      - JG536A HP 1910-8 Switch
  + **SMB1920 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG928A HP 1920-48G-PoE+ (370W) Switch
      - JG927A HP 1920-48G Switch
      - JG926A HP 1920-24G-PoE+ (370W) Switch
      - JG925A HP 1920-24G-PoE+ (180W) Switch
      - JG924A HP 1920-24G Switch
      - JG923A HP 1920-16G Switch
      - JG922A HP 1920-8G-PoE+ (180W) Switch
      - JG921A HP 1920-8G-PoE+ (65W) Switch
      - JG920A HP 1920-8G Switch
  + **V1910 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JE005A HP 1910-16G Switch
      - JE006A HP 1910-24G Switch
      - JE007A HP 1910-24G-PoE (365W) Switch
      - JE008A HP 1910-24G-PoE (170W) Switch
      - JE009A HP 1910-48G Switch
      - JG348A HP 1910-8G Switch
      - JG349A HP 1910-8G-PoE+ (65W) Switch
      - JG350A HP 1910-8G-PoE+ (180W) Switch
  + **SMB 1620 (Comware 5) - Version: See Mitigation**
    * HP Network Products
      - JG914A HP 1620-48G Switch
      - JG913A HP 1620-24G Switch
      - JG912A HP 1620-8G Switch


**COMWARE 7 Products**

  + **12500 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JC072B HP 12500 Main Processing Unit
      - JC085A HP A12518 Switch Chassis
      - JC086A HP A12508 Switch Chassis
      - JC652A HP 12508 DC Switch Chassis
      - JC653A HP 12518 DC Switch Chassis
      - JC654A HP 12504 AC Switch Chassis
      - JC655A HP 12504 DC Switch Chassis
      - JF430A HP A12518 Switch Chassis
      - JF430B HP 12518 Switch Chassis
      - JF430C HP 12518 AC Switch Chassis
      - JF431A HP A12508 Switch Chassis
      - JF431B HP 12508 Switch Chassis
      - JF431C HP 12508 AC Switch Chassis
      - JG497A HP 12500 MPU w/Comware V7 OS
      - JG782A HP FF 12508E AC Switch Chassis
      - JG783A HP FF 12508E DC Switch Chassis
      - JG784A HP FF 12518E AC Switch Chassis
      - JG785A HP FF 12518E DC Switch Chassis
      - JG802A HP FF 12500E MPU
  + **10500 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JC611A HP 10508-V Switch Chassis
      - JC612A HP 10508 Switch Chassis
      - JC613A HP 10504 Switch Chassis
      - JC748A HP 10512 Switch Chassis
      - JG608A HP FlexFabric 11908-V Switch Chassis
      - JG609A HP FlexFabric 11900 Main Processing Unit
      - JG820A HP 10504 TAA Switch Chassis
      - JG821A HP 10508 TAA Switch Chassis
      - JG822A HP 10508-V TAA Switch Chassis
      - JG823A HP 10512 TAA Switch Chassis
      - JG496A HP 10500 Type A MPU w/Comware v7 OS
      - JH198A HP 10500 Type D Main Processing Unit with Comware v7 Operating System
      - JH206A HP 10500 Type D TAA-compliant with Comware v7 Operating System Main Processing Unit
  + **12900 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG619A HP FlexFabric 12910 Switch AC Chassis
      - JG621A HP FlexFabric 12910 Main Processing Unit
      - JG632A HP FlexFabric 12916 Switch AC Chassis
      - JG634A HP FlexFabric 12916 Main Processing Unit
      - JH104A HP FlexFabric 12900E Main Processing Unit
      - JH114A HP FlexFabric 12910 TAA-compliant Main Processing Unit
      - JH263A HP FlexFabric 12904E Main Processing Unit
      - JH255A HP FlexFabric 12908E Switch Chassis
      - JH262A HP FlexFabric 12904E Switch Chassis
      - JH113A HP FlexFabric 12910 TAA-compliant Switch AC Chassis
      - JH103A HP FlexFabric 12916E Switch Chassis
  + **5900 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JC772A HP 5900AF-48XG-4QSFP+ Switch
      - JG296A HP 5920AF-24XG Switch
      - JG336A HP 5900AF-48XGT-4QSFP+ Switch
      - JG510A HP 5900AF-48G-4XG-2QSFP+ Switch
      - JG554A HP 5900AF-48XG-4QSFP+ TAA Switch
      - JG555A HP 5920AF-24XG TAA Switch
      - JG838A HP FF 5900CP-48XG-4QSFP+ Switch
      - JH036A HP FlexFabric 5900CP 48XG 4QSFP+ TAA-Compliant
      - JH037A HP 5900AF 48XGT 4QSFP+ TAA-Compliant Switch
      - JH038A HP 5900AF 48G 4XG 2QSFP+ TAA-Compliant
  + **MSR1000 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG875A HP MSR1002-4 AC Router
      - JH060A HP MSR1003-8S AC Router
  + **MSR2000 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG411A HP MSR2003 AC Router
      - JG734A HP MSR2004-24 AC Router
      - JG735A HP MSR2004-48 Router
      - JG866A HP MSR2003 TAA-compliant AC Router
  + **MSR3000 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG404A HP MSR3064 Router
      - JG405A HP MSR3044 Router
      - JG406A HP MSR3024 AC Router
      - JG407A HP MSR3024 DC Router
      - JG408A HP MSR3024 PoE Router
      - JG409A HP MSR3012 AC Router
      - JG410A HP MSR3012 DC Router
      - JG861A HP MSR3024 TAA-compliant AC Router
  + **MSR4000 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG402A HP MSR4080 Router Chassis
      - JG403A HP MSR4060 Router Chassis
      - JG412A HP MSR4000 MPU-100 Main Processing Unit
      - JG869A HP MSR4000 TAA-compliant MPU-100 Main Processing Unit
  + **VSR (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG810AAE HP VSR1001 Virtual Services Router 60 Day Evaluation Software
      - JG811AAE HP VSR1001 Comware 7 Virtual Services Router
      - JG812AAE HP VSR1004 Comware 7 Virtual Services Router
      - JG813AAE HP VSR1008 Comware 7 Virtual Services Router
  + **7900 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG682A HP FlexFabric 7904 Switch Chassis
      - JG841A HP FlexFabric 7910 Switch Chassis
      - JG842A HP FlexFabric 7910 7.2Tbps Fabric / Main Processing Unit
      - JH001A HP FlexFabric 7910 2.4Tbps Fabric / Main Processing Unit
      - JH122A HP FlexFabric 7904 TAA-compliant Switch Chassis
      - JH123A HP FlexFabric 7910 TAA-compliant Switch Chassis
      - JH124A HP FlexFabric 7910 7.2Tbps TAA-compliant Fabric/Main Processing Unit
      - JH125A HP FlexFabric 7910 2.4Tbps TAA-compliant Fabric/Main Processing Unit
  + **5130 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG932A HP 5130-24G-4SFP+ EI Switch
      - JG933A HP 5130-24G-SFP-4SFP+ EI Switch
      - JG934A HP 5130-48G-4SFP+ EI Switch
      - JG936A HP 5130-24G-PoE+-4SFP+ (370W) EI Switch
      - JG937A HP 5130-48G-PoE+-4SFP+ (370W) EI Switch
      - JG938A HP 5130-24G-2SFP+-2XGT EI Switch
      - JG939A HP 5130-48G-2SFP+-2XGT EI Switch
      - JG940A HP 5130-24G-PoE+-2SFP+-2XGT (370W) EI Switch
      - JG941A HP 5130-48G-PoE+-2SFP+-2XGT (370W) EI Switch
      - JG975A HP 5130-24G-4SFP+ EI Brazil Switch
      - JG976A HP 5130-48G-4SFP+ EI Brazil Switch
      - JG977A HP 5130-24G-PoE+-4SFP+ (370W) EI Brazil Switch
      - JG978A HP 5130-48G-PoE+-4SFP+ (370W) EI Brazil Switch
  + **6125XLG - Version: See Mitigation**
    * HP Network Products
      - 711307-B21 HP 6125XLG Blade Switch
      - 737230-B21 HP 6125XLG Blade Switch with TAA
  + **6127XLG - Version: See Mitigation**
    * HP Network Products
      - 787635 HP 6127XLG Blade Switch Opt Kit
  + **Moonshot - Version: See Mitigation**
    * HP Network Products
      - 786617-B21 HP Moonshot-45Gc Switch Module
      - 704654-B21 HP Moonshot-45XGc Switch Module
      - 786619-B21 HP Moonshot-180XGc Switch Module
  + **5700 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG894A HP FlexFabric 5700-48G-4XG-2QSFP+ Switch
      - JG895A HP FlexFabric 5700-48G-4XG-2QSFP+ TAA-compliant Switch
      - JG896A HP FlexFabric 5700-40XG-2QSFP+ Switch
      - JG897A HP FlexFabric 5700-40XG-2QSFP+ TAA-compliant Switch
      - JG898A HP FlexFabric 5700-32XGT-8XG-2QSFP+ Switch
      - JG899A HP FlexFabric 5700-32XGT-8XG-2QSFP+ TAA-compliant Switch
  + **5930 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG726A HP FlexFabric 5930 32QSFP+ Switch
      - JG727A HP FlexFabric 5930 32QSFP+ TAA-compliant Switch
      - JH178A HP FlexFabric 5930 2QSFP+ 2-slot Switch
      - JH179A HP FlexFabric 5930 4-slot Switch
      - JH187A HP FlexFabric 5930 2QSFP+ 2-slot TAA-compliant Switch
      - JH188A HP FlexFabric 5930 4-slot TAA-compliant Switch
  + **HSR6600 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG353A HP HSR6602-G Router
      - JG354A HP HSR6602-XG Router
      - JG776A HP HSR6602-G TAA-compliant Router
      - JG777A HP HSR6602-XG TAA-compliant Router
  + **HSR6800 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG361A HP HSR6802 Router Chassis
      - JG361B HP HSR6802 Router Chassis
      - JG362A HP HSR6804 Router Chassis
      - JG362B HP HSR6804 Router Chassis
      - JG363A HP HSR6808 Router Chassis
      - JG363B HP HSR6808 Router Chassis
      - JG364A HP HSR6800 RSE-X2 Router Main Processing Unit
      - JG779A HP HSR6800 RSE-X2 Router TAA-compliant Main Processing
      - JH075A HP HSR6800 RSE-X3 Router Main Processing Unit
  + **1950 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JG960A HP 1950-24G-4XG Switch
      - JG961A HP 1950-48G-2SFP+-2XGT Switch
      - JG962A HP 1950-24G-2SFP+-2XGT-PoE+(370W) Switch
      - JG963A HP 1950-48G-2SFP+-2XGT-PoE+(370W) Switch
  + **7500 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JD238C HP 7510 Switch Chassis
      - JD239C HP 7506 Switch Chassis
      - JD240C HP 7503 Switch Chassis
      - JD242C HP 7502 Switch Chassis
      - JH207A HP 7500 1.2Tbps Fabric with 2-port 40GbE QSFP+ for IRF-Only Main Processing Unit
      - JH208A HP 7502 Main Processing Unit
      - JH209A HP 7500 2.4Tbps Fabric with 8-port 1/10GbE SFP+ and 2-port 40GbE QSFP+ Main Processing Unit
  + **5950 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JH321A HPE FlexFabric 5950 32QSFP28 Switch
  + **5940 (Comware 7) - Version: See Mitigation**
    * HP Network Products
      - JH390A HPE FlexFabric 5940 48SFP+ 6QSFP28 Switch
      - JH391A HPE FlexFabric 5940 48XGT 6QSFP28 Switch
      - JH394A HPE FlexFabric 5940 48XGT 6QSFP+ Switch
      - JH395A HPE FlexFabric 5940 48SFP+ 6QSFP+ Switch
      - JH396A HPE FlexFabric 5940 32QSFP+ Switch
      - JH397A HPE FlexFabric 5940 2-slot Switch
      - JH398A HPE FlexFabric 5940 4-slot Switch

HISTORY
Version: 1 (rev.1) - 18 November 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact the normal HPE Services support channel. For other issues
about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-alert@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

- Vulnerability Information

SSL/TLS RC4 CVE-2015-2808 Information Disclosure Weakness
Class: Design Error
Bugtraq ID: 73684
Remote: Yes
Local: No
Published: 2015-03-31 12:00:00
Updated: 2015-03-31 12:00:00
Credit: Unknown

- Affected Program Versions

Apple Safari 0

- Vulnerability Discussion

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References
