To: [email protected]Subject: [ MDVSA-2009:137 ] java-1.6.0-openjdk
Date: Fri, 19 Jun 2009 19:47:01 +0200
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1MHiB3-0004aq-AO@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:137
http://www.mandriva.com/security/
_______________________________________________________________________
Package : java-1.6.0-openjdk
Date : June 20, 2009
Affected: 2009.0, 2009.1
_______________________________________________________________________
Problem Description:
Multiple security vulnerabilities has been identified and fixed in
Little cms library embedded in OpenJDK:
A memory leak flaw allows remote attackers to cause a denial of service
(memory consumption and application crash) via a crafted image file
(CVE-2009-0581).
Multiple integer overflows allow remote attackers to execute arbitrary
code via a crafted image file that triggers a heap-based buffer
overflow (CVE-2009-0723).
Multiple stack-based buffer overflows allow remote attackers to
execute arbitrary code via a crafted image file associated with a large
integer value for the (1) input or (2) output channel (CVE-2009-0733).
A flaw in the transformations of monochrome profiles allows remote
attackers to cause denial of service triggered by a NULL pointer
dereference via a crafted image file (CVE-2009-0793).
Further security fixes in the JRE and in the Java API of OpenJDK:
A flaw in handling temporary font files by the Java Virtual
Machine (JVM) allows remote attackers to cause denial of service
(CVE-2006-2426).
An integer overflow flaw was found in Pulse-Java when handling Pulse
audio source data lines. An attacker could use this flaw to cause an
applet to crash, leading to a denial of service (CVE-2009-0794).
A flaw in Java Runtime Environment initialized LDAP connections
allows authenticated remote users to cause denial of service on the
LDAP service (CVE-2009-1093).
A flaw in the Java Runtime Environment LDAP client in handling server
LDAP responses allows remote attackers to execute arbitrary code on
the client side via malicious server response (CVE-2009-1094).
Buffer overflows in the the Java Runtime Environment unpack200 utility
allow remote attackers to execute arbitrary code via an crafted applet
(CVE-2009-1095, CVE-2009-1096).
A buffer overflow in the splash screen processing allows a attackers
to execute arbitrary code (CVE-2009-1097).
A buffer overflow in GIF images handling allows remote attackers to
execute arbitrary code via an crafted GIF image (CVE-2009-1098).
A flaw in the Java API for XML Web Services (JAX-WS) service endpoint
handling allows remote attackers to cause a denial of service on the
service endpoint's server side (CVE-2009-1101).
A flaw in the Java Runtime Environment Virtual Machine code generation
allows remote attackers to execute arbitrary code via a crafted applet
(CVE-2009-1102).
This update provides fixes for these issues.
Update:
java-1.6.0-openjdk requires rhino packages and these has been further
updated.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0793http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0794http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
912bfaa5d15e09b410af7b20605e7a1f 2009.0/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm
786629a41c5c892280577f14b097d118 2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm
7a4ad719a41456847161a5da058916b1 2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm
dd8e42f6419f0f0c564c2d10f66c1c51 2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm
ecb3e34b02fe6366ea74d3b460913a18 2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm
ec978b519cce142f0419fe9fcdfa49dd 2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.0.i586.rpm
0985ffc0a6bc78d7cea8f2fd9c9b060b 2009.0/i586/rhino-1.7-0.0.2.1mdv2009.0.noarch.rpm
7665b20e0252718afabd10529743522e 2009.0/i586/rhino-demo-1.7-0.0.2.1mdv2009.0.noarch.rpm
4179b415f870de30ad9bb2227ef1fbc3 2009.0/i586/rhino-javadoc-1.7-0.0.2.1mdv2009.0.noarch.rpm
72a6d30e3807a63e77aa2ebee32716b2 2009.0/i586/rhino-manual-1.7-0.0.2.1mdv2009.0.noarch.rpm
9b760b15223e7cb0146790ec5f7a77f1 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.src.rpm
8f2f2ce3c178cd87e526a0b8fe8918e7 2009.0/SRPMS/rhino-1.7-0.0.2.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
5cebb2bb47360800ceac229941689fad 2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm
5405df1af7fae349beb431618fba7fd2 2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm
03969d440901d4fd31106d792a395534 2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm
0e727c5840611998aef5499fa241464e 2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm
9d72b8a28b6a21dac221244ac51b2e1b 2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm
8fcffa782992c1cc15858c2a0894ba00 2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.0.x86_64.rpm
e3f2ad3c55426cf9c4b336ab880f9ff7 2009.0/x86_64/rhino-1.7-0.0.2.1mdv2009.0.noarch.rpm
579005e8d20d5c559ee240c35095aeeb 2009.0/x86_64/rhino-demo-1.7-0.0.2.1mdv2009.0.noarch.rpm
384403e6dae7eadefed13682b0b924f1 2009.0/x86_64/rhino-javadoc-1.7-0.0.2.1mdv2009.0.noarch.rpm
fd8327ed0d455a9e116ff6fcfc96a849 2009.0/x86_64/rhino-manual-1.7-0.0.2.1mdv2009.0.noarch.rpm
9b760b15223e7cb0146790ec5f7a77f1 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.0.src.rpm
8f2f2ce3c178cd87e526a0b8fe8918e7 2009.0/SRPMS/rhino-1.7-0.0.2.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
e3a6b131e6b24c5bdd1401bb09363cf7 2009.1/i586/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm
75555512a7eb8b122bb0b5d7d40168e9 2009.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm
0f45f662d06b4e820c725358d39ee9d1 2009.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm
86624b1b4142e1e97ea4e5195e7f92dd 2009.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm
2eb9b7a15dc0d8f02e88ea0a567ccf10 2009.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm
8ca13d69103a5d861abdb45e8cd45bae 2009.1/i586/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.1.i586.rpm
b785c9c5d02abfd121bbe21d388e60c6 2009.1/i586/rhino-1.7-0.0.3.1mdv2009.1.noarch.rpm
0d7b54d508a807f40fb895f57fc4be14 2009.1/i586/rhino-demo-1.7-0.0.3.1mdv2009.1.noarch.rpm
25fd10e12bca1b22f10bd66150c5cac2 2009.1/i586/rhino-javadoc-1.7-0.0.3.1mdv2009.1.noarch.rpm
2687abe0ea6c72ae1a340646a102175f 2009.1/i586/rhino-manual-1.7-0.0.3.1mdv2009.1.noarch.rpm
b943cbf0170778e2e5d5c924a937ab6c 2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.src.rpm
295300b3094f6486d13c0e29dd0aaa01 2009.1/SRPMS/rhino-1.7-0.0.3.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
8b72108f53cf01197bc96713a4c5886b 2009.1/x86_64/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm
5c0ad9be1191b441ade9f9c27ebf2bfa 2009.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm
47d6080378ac8288c945adb06906ee5d 2009.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm
631685330646881f15f5fc3ce43e496c 2009.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm
f5f89addbe29f886b8a9a956f1bccd0d 2009.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm
8d35903fed1e52aa5bfeee82ba27ffa8 2009.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-0.20.b16.0.2mdv2009.1.x86_64.rpm
a13593fdfc42296a1661ff6512cedd23 2009.1/x86_64/rhino-1.7-0.0.3.1mdv2009.1.noarch.rpm
1d371aba339ae4061610412df205af53 2009.1/x86_64/rhino-demo-1.7-0.0.3.1mdv2009.1.noarch.rpm
92cd2f41ceaf3f6941cfd48a464e4ecd 2009.1/x86_64/rhino-javadoc-1.7-0.0.3.1mdv2009.1.noarch.rpm
c593be725e85426ced97ff0d23c215d9 2009.1/x86_64/rhino-manual-1.7-0.0.3.1mdv2009.1.noarch.rpm
b943cbf0170778e2e5d5c924a937ab6c 2009.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-0.20.b16.0.2mdv2009.1.src.rpm
295300b3094f6486d13c0e29dd0aaa01 2009.1/SRPMS/rhino-1.7-0.0.3.1mdv2009.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKO6OnmqjQ0CJFipgRAkvnAJ97DF6nfZ4Gl3iBkhfczGXddU3RXACeP9bE
QuKPXc7lJkSexrCFo5wWRbA=
=/8An
-----END PGP SIGNATURE-----