Details
Created: 7 November 2011
A number of security flaws have been found in the java-1.6.0-openjdk package. They allow a remote attacker to affect the confidentiality, integrity and availability of data and to disclose sensitive information.
Package:
java-1.6.0-openjdk
Operating systems:
Fedora 16
Severity:
8.7
Problem:
error in a software component
Exploitation:
remote
Consequence:
unauthorized system access, disclosure of sensitive information
Solution:
vendor patch
CVE:
CVE-2011-3547, CVE-2011-3548, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3544, CVE-2011-3521, CVE-2011-3554, CVE-2011-3389, CVE-2011-3558, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560
Original advisory ID:
FEDORA-2011-15020
Source:
Fedora
Problem:
The flaws are caused by multiple errors in the Java Runtime Environment component (among them missing SecurityManager checks, an integer overflow in Java2D, and code-execution issues in IIOP deserialization and RMI) and by a weakness in the SSL/TLS implementation (the block-wise chosen-plaintext attack against CBC mode known as BEAST, CVE-2011-3389).
Consequence:
An attacker can exploit them to disclose certain data and to affect the confidentiality, integrity and availability of data.
Solution:
Users are advised to update their packages.
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-15020
2011-10-28 21:25:53
--------------------------------------------------------------------------------
Name : java-1.6.0-openjdk
Product : Fedora 16
Version : 1.6.0.0
Release : 60.1.10.4.fc16
URL : http://icedtea.classpath.org/
Summary : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.
--------------------------------------------------------------------------------
Update Information:
Update to latest upstream bugfix release
* Security fixes
- S7000600, CVE-2011-3547: InputStream skip() information leak
- S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
- S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
- S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
- S7046794, CVE-2011-3553: JAX-WS stack-traces information leak
- S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
- S7055902, CVE-2011-3521: IIOP deserialization code execution
- S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
- S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
- S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
- S7077466, CVE-2011-3556: RMI DGC server remote code execution
- S7083012, CVE-2011-3557: RMI registry privileged code execution
- S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
* Bug fixes
- RH727195: Japanese font mappings are broken
* Backports
- S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal dialog
* Zero/Shark
- PR690: Shark fails to JIT using hs20.
- PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.
* Added Patch6 as (probably temporally) solution for S7103224 for buildability on newest glibc libraries.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #745387 - CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600)
https://bugzilla.redhat.com/show_bug.cgi?id=745387
[ 2 ] Bug #745473 - CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773)
https://bugzilla.redhat.com/show_bug.cgi?id=745473
[ 3 ] Bug #745391 - CVE-2011-3551 OpenJDK: Java2D TransformHelper integer overflow (2D, 7023640)
https://bugzilla.redhat.com/show_bug.cgi?id=745391
[ 4 ] Bug #745397 - CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417)
https://bugzilla.redhat.com/show_bug.cgi?id=745397
[ 5 ] Bug #745476 - CVE-2011-3553 OpenJDK: JAX-WS stack-traces information leak (JAX-WS, 7046794)
https://bugzilla.redhat.com/show_bug.cgi?id=745476
[ 6 ] Bug #745399 - CVE-2011-3544 OpenJDK: missing SecurityManager checks in scripting engine (Scripting, 7046823)
https://bugzilla.redhat.com/show_bug.cgi?id=745399
[ 7 ] Bug #745442 - CVE-2011-3521 OpenJDK: IIOP deserialization code execution (Deserialization, 7055902)
https://bugzilla.redhat.com/show_bug.cgi?id=745442
[ 8 ] Bug #745447 - CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857)
https://bugzilla.redhat.com/show_bug.cgi?id=745447
[ 9 ] Bug #737506 - CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
https://bugzilla.redhat.com/show_bug.cgi?id=737506
[ 10 ] Bug #745492 - CVE-2011-3558 OpenJDK: Hotspot unspecified issue (Hotspot, 7070134)
https://bugzilla.redhat.com/show_bug.cgi?id=745492
[ 11 ] Bug #745459 - CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466)
https://bugzilla.redhat.com/show_bug.cgi?id=745459
[ 12 ] Bug #745464 - CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012)
https://bugzilla.redhat.com/show_bug.cgi?id=745464
[ 13 ] Bug #745379 - CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936)
https://bugzilla.redhat.com/show_bug.cgi?id=745379
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update java-1.6.0-openjdk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
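The announcement tells the reader to run su -c 'yum update java-1.6.0-openjdk', but on a fleet you also want to confirm afterwards that every host actually carries the fixed build. The following POSIX shell script is an added example, not part of the Fedora announcement or of this advisory: it takes the Version and Release printed in the announcement header (1.6.0.0 and 60.1.10.4.fc16) and decides whether an installed version-release string is at or above that build. The comparison is a simplified re-implementation of rpm's segment-wise version ordering (numeric segments compared as integers, alphabetic segments as strings, a longer string winning when one runs out), written here for illustration rather than taken from rpm; the epoch is not compared, and the sample version-release strings are constructed to look like the output of rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.6.0-openjdk.

```shell
#!/bin/sh
# Added example (not from the Fedora announcement): decide whether an installed
# java-1.6.0-openjdk build on Fedora 16 already carries the FEDORA-2011-15020 fixes.
# The fixed build is taken from the announcement header:
#   Version 1.6.0.0, Release 60.1.10.4.fc16
FIXED_VR="1.6.0.0-60.1.10.4.fc16"

# is_num STR: true if STR is a non-empty run of decimal digits.
is_num() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# segments STR: print STR split into space-separated runs of digits and runs of
# letters ("60.1.10.4.fc16" -> "60 1 10 4 fc 16"). Everything non-alphanumeric
# is a separator, which is how rpm tokenises version strings.
segments() {
    printf '%s' "$1" \
      | sed -e 's/[^A-Za-z0-9]/ /g' \
            -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
            -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
      | tr -s ' ' \
      | sed -e 's/^ //' -e 's/ $//'
}

# seg_cmp A B: print -1, 0 or 1 as A is older than, equal to or newer than B.
# Simplified re-implementation of rpm's ordering (assumption: adequate for this
# package's plain dotted version and release strings, not a drop-in for rpmvercmp).
seg_cmp() {
    a=$(segments "$1"); b=$(segments "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; if [ "$x" = "$a" ]; then a=''; else a=${a#* }; fi
        y=${b%% *}; if [ "$y" = "$b" ]; then b=''; else b=${b#* }; fi
        # The string that runs out of segments first is the older one.
        if [ -z "$x" ]; then printf '%s\n' -1; return 0; fi
        if [ -z "$y" ]; then printf '%s\n' 1;  return 0; fi
        if is_num "$x" && is_num "$y"; then
            if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
            if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
        elif is_num "$x"; then
            # rpm rule: a numeric segment is newer than an alphabetic one.
            printf '%s\n' 1;  return 0
        elif is_num "$y"; then
            printf '%s\n' -1; return 0
        else
            if [ "$(expr "$x" \< "$y")" = 1 ]; then printf '%s\n' -1; return 0; fi
            if [ "$(expr "$x" \> "$y")" = 1 ]; then printf '%s\n' 1;  return 0; fi
        fi
    done
    printf '%s\n' 0
}

# vr_cmp "V-R" "V-R": compare the version parts first, then the release parts,
# as rpm does. The epoch is deliberately not considered here (simplification).
vr_cmp() {
    r=$(seg_cmp "${1%%-*}" "${2%%-*}")
    if [ "$r" != 0 ]; then printf '%s\n' "$r"; return 0; fi
    seg_cmp "${1#*-}" "${2#*-}"
}

# is_fixed "V-R": true when the installed version-release is at or above FIXED_VR.
is_fixed() {
    [ "$(vr_cmp "$1" "$FIXED_VR")" != -1 ]
}

# status_for "V-R": print FIXED or VULNERABLE for one installed version-release.
status_for() {
    if is_fixed "$1"; then printf 'FIXED\n'; else printf 'VULNERABLE\n'; fi
}

# Constructed sample strings in the shape produced by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.6.0-openjdk
# (one line per installed build). The first is a made-up older build, the
# second is the fixed build from the announcement, the third a made-up rebuild.
for vr in 1.6.0.0-59.1.10.3.fc16 1.6.0.0-60.1.10.4.fc16 1.6.0.0-60.1.10.4.fc16.1; do
    printf '%-26s %s\n' "$vr" "$(status_for "$vr")"
done
```

On a real host, feed the script the live query instead of the constructed samples, for example rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.6.0-openjdk | while read vr; do status_for "$vr"; done, and pair it with rpm -K on the downloaded package to confirm the Fedora Project GPG signature the announcement mentions. Where yum or rpm are available, rpm's own comparison (rpmdev-vercmp from rpmdevtools, or simply yum check-update) is preferable to this re-implementation.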