SUSE Security Update: Security update for java-1_5_0-ibm ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0376-1 Rating: important References: #891699 #901223 #901239 #904889 #916265 #916266 Cross-References: CVE-2014-8891 CVE-2014-8892 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that solves two vulnerabilities and has four fixes is now available. Description: java-1_5_0-ibm has been updated to fix 19 security issues: * CVE-2014-8891: Unspecified vulnerability (bnc#916266). * CVE-2014-8892: Unspecified vulnerability (bnc#916265). * CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache (bnc#904889). * CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue (bnc#901223). * CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D (bnc#901239). * CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE (bnc#901239). * CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#901239). * CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security (bnc#901239). * CVE-2014-4262: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries (bnc#891699). * CVE-2014-4219: Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot (bnc#891699). * CVE-2014-4209: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX (bnc#891699). * CVE-2014-4268: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing (bnc#891699). * CVE-2014-4218: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries (bnc#891699). * CVE-2014-4252: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security (bnc#891699). * CVE-2014-4263: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement (bnc#891699). * CVE-2014-4244: Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security (bnc#891699). Security Issues: * CVE-2014-8892 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8892> * CVE-2014-8891 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8891> Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): java-1_5_0-ibm-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-devel-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-fonts-1.5.0_sr16.9-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (s390x x86_64): java-1_5_0-ibm-32bit-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-devel-32bit-1.5.0_sr16.9-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (x86_64): java-1_5_0-ibm-alsa-32bit-1.5.0_sr16.9-0.6.1 - SUSE Linux Enterprise Server 10 SP4 LTSS (i586): java-1_5_0-ibm-alsa-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-jdbc-1.5.0_sr16.9-0.6.1 java-1_5_0-ibm-plugin-1.5.0_sr16.9-0.6.1 References: http://support.novell.com/security/cve/CVE-2014-8891.html http://support.novell.com/security/cve/CVE-2014-8892.html https://bugzilla.suse.com/891699 https://bugzilla.suse.com/901223 https://bugzilla.suse.com/901239 https://bugzilla.suse.com/904889 https://bugzilla.suse.com/916265 https://bugzilla.suse.com/916266 http://download.suse.com/patch/finder/?keywords=2c3b79e944e87fd633df27d6879f... -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org