openSUSE Security Update: java-1_6_0-openjdk security update
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2010:0182-1
Rating:             important
References:         #594415
Cross-References:   CVE-2009-3555 CVE-2010-0082 CVE-2010-0084 CVE-2010-0085
                    CVE-2010-0088 CVE-2010-0091 CVE-2010-0092 CVE-2010-0093
                    CVE-2010-0094 CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
                    CVE-2010-0840 CVE-2010-0845 CVE-2010-0847 CVE-2010-0848
Affected Products:
                    openSUSE 11.2
                    openSUSE 11.1
                    openSUSE 11.0
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   java-1_6_0-openjdk version 1.7.3 fixes several security issues:

   - CVE-2010-0837: JAR 'unpack200' must verify input parameters
   - CVE-2010-0845: No ClassCastException for HashAttributeSet constructors
     if run with -Xcomp
   - CVE-2010-0838: CMM readMabCurveData Buffer Overflow Vulnerability
   - CVE-2010-0082: Loader-constraint table allows arrays instead of only
     the base-classes
   - CVE-2010-0095: Subclasses of InetAddress may incorrectly interpret
     network addresses
   - CVE-2010-0085: File TOCTOU deserialization vulnerability
   - CVE-2010-0091: Unsigned applet can retrieve the dragged information
     before drop action occurs
   - CVE-2010-0088: Inflater/Deflater clone issues
   - CVE-2010-0084: Policy/PolicyFile leak dynamic ProtectionDomains
   - CVE-2010-0092: AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error
   - CVE-2010-0094: Deserialization of RMIConnectionImpl objects should
     enforce stricter checks
   - CVE-2010-0093: System.arraycopy unable to reference elements beyond
     Integer.MAX_VALUE bytes
   - CVE-2010-0840: Applet Trusted Methods Chaining Privilege Escalation
     Vulnerability
   - CVE-2010-0848: AWT Library Invalid Index Vulnerability
   - CVE-2010-0847: ImagingLib arbitrary code execution vulnerability
   - CVE-2009-3555: TLS: MITM attacks via session renegotiation

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.2:

      zypper in -t patch java-1_6_0-openjdk-2362

   - openSUSE 11.1:

      zypper in -t patch java-1_6_0-openjdk-2362

   - openSUSE 11.0:

      zypper in -t patch java-1_6_0-openjdk-2362

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.2 (i586 src x86_64):

      java-1_6_0-openjdk-1.6.0.0_b17-2.1.1

   - openSUSE 11.2 (i586 x86_64):

      java-1_6_0-openjdk-devel-1.6.0.0_b17-2.1.1
      java-1_6_0-openjdk-plugin-1.6.0.0_b17-2.1.1

   - openSUSE 11.2 (noarch):

      java-1_6_0-openjdk-demo-1.6.0.0_b17-2.1.1
      java-1_6_0-openjdk-javadoc-1.6.0.0_b17-2.1.1
      java-1_6_0-openjdk-src-1.6.0.0_b17-2.1.1

   - openSUSE 11.1 (i586 ppc src x86_64):

      java-1_6_0-openjdk-1.6.0.0_b17-2.3.1

   - openSUSE 11.1 (i586 ppc x86_64):

      java-1_6_0-openjdk-demo-1.6.0.0_b17-2.3.1
      java-1_6_0-openjdk-devel-1.6.0.0_b17-2.3.1
      java-1_6_0-openjdk-javadoc-1.6.0.0_b17-2.3.1
      java-1_6_0-openjdk-plugin-1.6.0.0_b17-2.3.1
      java-1_6_0-openjdk-src-1.6.0.0_b17-2.3.1

   - openSUSE 11.0 (i586 ppc src x86_64):

      java-1_6_0-openjdk-1.6.0.0_b17-2.3

   - openSUSE 11.0 (i586 ppc x86_64):

      java-1_6_0-openjdk-demo-1.6.0.0_b17-2.3
      java-1_6_0-openjdk-devel-1.6.0.0_b17-2.3
      java-1_6_0-openjdk-javadoc-1.6.0.0_b17-2.3
      java-1_6_0-openjdk-plugin-1.6.0.0_b17-2.3
      java-1_6_0-openjdk-src-1.6.0.0_b17-2.3

References:

   http://support.novell.com/security/cve/CVE-2009-3555.html
   http://support.novell.com/security/cve/CVE-2010-0082.html
   http://support.novell.com/security/cve/CVE-2010-0084.html
   http://support.novell.com/security/cve/CVE-2010-0085.html
   http://support.novell.com/security/cve/CVE-2010-0088.html
   http://support.novell.com/security/cve/CVE-2010-0091.html
   http://support.novell.com/security/cve/CVE-2010-0092.html
   http://support.novell.com/security/cve/CVE-2010-0093.html
   http://support.novell.com/security/cve/CVE-2010-0094.html
   http://support.novell.com/security/cve/CVE-2010-0095.html
   http://support.novell.com/security/cve/CVE-2010-0837.html
   http://support.novell.com/security/cve/CVE-2010-0838.html
   http://support.novell.com/security/cve/CVE-2010-0840.html
   http://support.novell.com/security/cve/CVE-2010-0845.html
   http://support.novell.com/security/cve/CVE-2010-0847.html
   http://support.novell.com/security/cve/CVE-2010-0848.html
   https://bugzilla.novell.com/594415
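A post-update check, added here as an example and not part of the advisory: it takes the `VERSION-RELEASE` string that `rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1_6_0-openjdk` prints on the affected host and compares it against the fixed versions from the Package List above, using a simplified reimplementation of rpm's version ordering that is assumed to agree with rpm for these strings (no tilde or epoch handling).

```python
import re

# Fixed VERSION-RELEASE of java-1_6_0-openjdk per product, copied from the
# advisory's Package List (openSUSE-SU-2010:0182-1).
FIXED = {
    "11.2": "1.6.0.0_b17-2.1.1",
    "11.1": "1.6.0.0_b17-2.3.1",
    "11.0": "1.6.0.0_b17-2.3",
}

# A version string is compared as a sequence of digit runs and letter runs;
# separators such as '.', '_' and '-' only delimit segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm ordering: numeric segments compare as integers,
    alpha segments lexically, numeric beats alpha, and when one side runs
    out of segments the side with segments left is newer. Returns -1/0/1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def compare_vr(a: str, b: str) -> int:
    """Compare two 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(product: str, installed: str) -> bool:
    """True when the installed java-1_6_0-openjdk on the given openSUSE
    release (e.g. "11.2") is at or above the advisory's fixed version."""
    return compare_vr(installed, FIXED[product]) >= 0


if __name__ == "__main__":
    # Constructed sample: output of the rpm query on a patched 11.2 host.
    print(is_fixed("11.2", "1.6.0.0_b17-2.1.1"))  # True
```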