Message-Id: <E1MHiB3-0004au-FG@titan.mandriva.com>
Date: Fri, 19 Jun 2009 19:47:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:137 ] java-1.6.0-openjdk


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:137
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : java-1.6.0-openjdk
 Date    : June 20, 2009
 Affected: 2009.0, 2009.1
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities have been identified and fixed in
 the Little CMS library embedded in OpenJDK:
 
 A memory leak flaw allows remote attackers to cause a denial of service
 (memory consumption and application crash) via a crafted image file
 (CVE-2009-0581).
 
 Multiple integer overflows allow remote attackers to execute arbitrary
 code via a crafted image file that triggers a heap-based buffer
 overflow (CVE-2009-0723).
 
 Multiple stack-based buffer overflows allow remote attackers to
 execute arbitrary code via a crafted image file associated with a large
 integer value for the (1) input or (2) output channel (CVE-2009-0733).
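
 The two Little CMS bug classes above (CVE-2009-0723 and CVE-2009-0733),
 shown as an added example in C that is not lcms or OpenJDK code: a
 32-bit buffer-size calculation that wraps on crafted dimensions beside
 its overflow-checked form, and a bound check on the channel count before
 it can index a fixed-size array. The header layout, MAX_CHANNELS and
 MAX_IMAGE_BYTES are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#define MAX_CHANNELS    16           /* hypothetical size of a fixed per-pixel stack array */
#define MAX_IMAGE_BYTES (64u << 20)  /* hypothetical hard cap on one decoded image */

/* Constructed header: every field is untrusted, read straight from the file. */
typedef struct { uint32_t width, height, channels, bytes_per_sample; } img_hdr;

/* Bug class behind CVE-2009-0723: the product is formed in 32-bit arithmetic, so crafted
 * dimensions wrap it small, the heap block is undersized and the decoder overflows it. */
uint32_t naive_buffer_size(const img_hdr *h) {
    return h->width * h->height * h->channels * h->bytes_per_sample;
}

/* Overflow-checked multiply: clears *ok and returns 0 if a*b would wrap. */
static size_t mul_checked(size_t a, size_t b, int *ok) {
    if (a != 0 && b > SIZE_MAX / a) { *ok = 0; return 0; }
    return a * b;
}

/* Hardened form: every multiplication is checked and the total must stay under a
 * hard cap, which also blocks memory-consumption DoS. Returns 0 to reject. */
size_t safe_buffer_size(const img_hdr *h) {
    int ok = 1;
    size_t n = mul_checked(h->width, h->height, &ok);
    n = mul_checked(n, h->channels, &ok);
    n = mul_checked(n, h->bytes_per_sample, &ok);
    return (ok && n != 0 && n <= MAX_IMAGE_BYTES) ? n : 0;
}

/* Bug class behind CVE-2009-0733: a channel count taken from the file indexes a
 * fixed-size stack array, so it must be bounded before any use. */
int channels_in_bounds(uint32_t channels) {
    return channels >= 1 && channels <= MAX_CHANNELS;
}

/* Allocates the pixel buffer only after both checks pass; NULL means rejected. */
unsigned char *alloc_pixels(const img_hdr *h) {
    size_t n = safe_buffer_size(h);
    if (n == 0 || !channels_in_bounds(h->channels)) return NULL;
    return calloc(n, 1);
}

int main(void) {
    img_hdr wrap = {0x10000, 0x10000, 1, 1};  /* 2^32 bytes: wraps to 0 in 32-bit */
    printf("naive=%u safe=%zu\n", naive_buffer_size(&wrap), safe_buffer_size(&wrap));
    return 0;
}
```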
 
 A flaw in the transformation of monochrome profiles allows remote
 attackers to cause a denial of service, through a NULL pointer
 dereference, via a crafted image file (CVE-2009-0793).
 
 Further security fixes in the JRE and in the Java API of OpenJDK:
 
 A flaw in the handling of temporary font files by the Java Virtual
 Machine (JVM) allows remote attackers to cause a denial of service
 (CVE-2006-2426).
 
 An integer overflow flaw was found in Pulse-Java when handling Pulse
 audio source data lines. An attacker could use this flaw to cause an
 applet to crash, leading to a denial of service (CVE-2009-0794).
 
 A flaw in LDAP connections initialized by the Java Runtime Environment
 allows authenticated remote users to cause a denial of service on the
 LDAP service (CVE-2009-1093).
 
 A flaw in the Java Runtime Environment LDAP client's handling of server
 LDAP responses allows remote attackers to execute arbitrary code on
 the client side via a malicious server response (CVE-2009-1094).
 
 Buffer overflows in the Java Runtime Environment unpack200 utility
 allow remote attackers to execute arbitrary code via a crafted applet
 (CVE-2009-1095, CVE-2009-1096).
 
 A buffer overflow in the splash screen processing allows attackers
 to execute arbitrary code (CVE-2009-1097).
 
 A buffer overflow in GIF image handling allows remote attackers to
 execute arbitrary code via a crafted GIF image (CVE-2009-1098).
 
 A flaw in the Java API for XML Web Services (JAX-WS) service endpoint
 handling allows remote attackers to cause a denial of service on the
 service endpoint's server side (CVE-2009-1101).
 
 A flaw in the Java Runtime Environment Virtual Machine code generation
 allows remote attackers to execute arbitrary code via a crafted applet
 (CVE-2009-1102).
 
 This update provides fixes for these issues.

 Update:

 java-1.6.0-openjdk requires the rhino packages, and those have been
 updated as well.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0581
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0723
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0733
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0793
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2426
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0794
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKO6OnmqjQ0CJFipgRAkvnAJ97DF6nfZ4Gl3iBkhfczGXddU3RXACeP9bE
QuKPXc7lJkSexrCFo5wWRbA=
=/8An
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
