Oval Definition: oval:com.redhat.rhsa:def:20120730
Revision Date: 2012-06-13
Version: 635
Title: RHSA-2012:0730: java-1.6.0-openjdk security update (Important)
Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

  • Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data. (CVE-2012-1711, CVE-2012-1719)

  • It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions. (CVE-2012-1716)

  • Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine. (CVE-2012-1713)

  • Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

  • It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop. (CVE-2012-1724)

  • It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRLs). A CRL containing entries with duplicate certificate serial numbers could have been ignored. (CVE-2012-1718)

  • It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files. (CVE-2012-1717)

This erratum also upgrades the OpenJDK package to IcedTea6 1.10.8. Refer to the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Family: unix
Class: patch
Status:
Reference(s):
  • CVE-2012-1711
  • CVE-2012-1713
  • CVE-2012-1716
  • CVE-2012-1717
  • CVE-2012-1718
  • CVE-2012-1719
  • CVE-2012-1723
  • CVE-2012-1724
  • CVE-2012-1725
  • RHSA-2012:0730
  • RHSA-2012:0730-00
  • RHSA-2012:0730-01
Platform(s): Red Hat Enterprise Linux 5
Product(s):
Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
      • Red Hat Enterprise Linux 5 is installed
      • AND
          • java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.27.1.10.8.el5_8
            AND java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key
          • java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.27.1.10.8.el5_8
            AND java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key
          • java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.27.1.10.8.el5_8
            AND java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key
          • java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.27.1.10.8.el5_8
            AND java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
          • java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.27.1.10.8.el5_8
            AND java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key
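The synopsis above is a logic tree: a host matches when Red Hat Enterprise Linux 5 is installed and at least one listed package is both earlier than the fixed EVR and signed with the Red Hat redhatrelease2 key. The Python below is an added example written for this page (not part of the OVAL definition or of any Red Hat tool) that evaluates that tree over a constructed inventory of package name -> (installed EVR, signing key); it assumes a simplified rpm EVR comparison that omits rpm's tilde and caret rules.

```python
import re
FIXED_EVR = "1:1.6.0.0-1.27.1.10.8.el5_8"  # fixed EVR from the synopsis above
PACKAGES = {"java-1.6.0-openjdk", "java-1.6.0-openjdk-demo", "java-1.6.0-openjdk-devel",
            "java-1.6.0-openjdk-javadoc", "java-1.6.0-openjdk-src"}
SIGNING_KEY, PLATFORM = "redhatrelease2", "Red Hat Enterprise Linux 5"
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: alphanumeric segments left to right; digits compare as
    integers, digits outrank letters, longer wins a tie (tilde/caret rules omitted)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    epoch, rest = evr.split(":", 1) if ":" in evr else ("0", evr)  # no epoch means 0
    version, _, release = rest.partition("-")
    return epoch, version, release

def evr_cmp(a, b):
    """rpm ordering: epoch decides first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0

def evaluate(platform, inventory):
    """inventory: name -> (EVR, key). Tree: RHEL 5 AND per package (earlier than fixed AND RH-signed)."""
    if platform != PLATFORM:
        return {}
    return {name: evr_cmp(evr, FIXED_EVR) < 0 and key == SIGNING_KEY
            for name, (evr, key) in inventory.items() if name in PACKAGES}

def is_affected(platform, inventory):
    return any(evaluate(platform, inventory).values())

SAMPLE_HOST = {  # constructed inventory: one vulnerable, one third-party rebuild, one patched
    "java-1.6.0-openjdk": ("1:1.6.0.0-1.25.1.10.6.el5_8", "redhatrelease2"),
    "java-1.6.0-openjdk-devel": ("1:1.6.0.0-1.25.1.10.6.el5_8", "thirdparty"),
    "java-1.6.0-openjdk-javadoc": (FIXED_EVR, "redhatrelease2"),
}
```

The older but third-party-signed package is deliberately not reported: the signature criterion keeps packages not built by Red Hat outside the definition's scope, so such hosts need a separate check rather than being assumed clean.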