openSUSE Security Update: java-1_6_0-openjdk security update fixing various vulnerabilities
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2010:0957-1
Rating:             important
References:         #642531
Cross-References:   CVE-2009-3555 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
                    CVE-2010-3551 CVE-2010-3553 CVE-2010-3554 CVE-2010-3557
                    CVE-2010-3561 CVE-2010-3562 CVE-2010-3564 CVE-2010-3565
                    CVE-2010-3566 CVE-2010-3567 CVE-2010-3568 CVE-2010-3569
                    CVE-2010-3573 CVE-2010-3574
Affected Products:  openSUSE 11.3
                    openSUSE 11.2
                    openSUSE 11.1
______________________________________________________________________________

An update that fixes 18 vulnerabilities is now available.

Description:

   Icedtea included in java-1_6_0-openjdk was updated to version
   1.7.5/1.8.2/1.9.1 to fix several security issues:

   * S6914943, CVE-2009-3555: TLS: MITM attacks via session renegotiation
   * S6559775, CVE-2010-3568: OpenJDK Deserialization Race condition
   * S6891766, CVE-2010-3554: OpenJDK corba reflection vulnerabilities
   * S6925710, CVE-2010-3562: OpenJDK IndexColorModel double-free
   * S6938813, CVE-2010-3557: OpenJDK Swing mutable static
   * S6957564, CVE-2010-3548: OpenJDK DNS server IP address information leak
   * S6958060, CVE-2010-3564: OpenJDK kerberos vulnerability
   * S6963023, CVE-2010-3565: OpenJDK JPEG writeImage remote code execution
   * S6963489, CVE-2010-3566: OpenJDK ICC Profile remote code execution
   * S6966692, CVE-2010-3569: OpenJDK Serialization inconsistencies
   * S6622002, CVE-2010-3553: UIDefault.ProxyLazyValue has unsafe reflection usage
   * S6925672, CVE-2010-3561: Privileged ServerSocket.accept allows receiving
     connections from any host
   * S6952017, CVE-2010-3549: HttpURLConnection chunked encoding issue
     (Http request splitting)
   * S6952603, CVE-2010-3551: NetworkInterface reveals local network address
     to untrusted code
   * S6961084, CVE-2010-3541: limit setting of some request headers in
     HttpURLConnection
   * S6963285, CVE-2010-3567: Crash in ICU Opentype layout engine due to
     mismatch in character counts
   * S6980004, CVE-2010-3573: limit HTTP request cookie headers in
     HttpURLConnection
   * S6981426, CVE-2010-3574: limit use of TRACE method in HttpURLConnection

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.3:
     zypper in -t patch java-1_6_0-openjdk-3500

   - openSUSE 11.2:
     zypper in -t patch java-1_6_0-openjdk-3500

   - openSUSE 11.1:
     zypper in -t patch java-1_6_0-openjdk-3500

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.3 (i586 x86_64):
     java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-devel-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.2.2

   - openSUSE 11.3 (noarch):
     java-1_6_0-openjdk-demo-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-javadoc-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-src-1.6.0.0_b20.1.9.1-0.2.2

   - openSUSE 11.2 (i586 x86_64):
     java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-devel-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.2.2

   - openSUSE 11.2 (noarch):
     java-1_6_0-openjdk-demo-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-javadoc-1.6.0.0_b20.1.9.1-0.2.2
     java-1_6_0-openjdk-src-1.6.0.0_b20.1.9.1-0.2.2

   - openSUSE 11.1 (i586 x86_64):
     java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.1.3
     java-1_6_0-openjdk-demo-1.6.0.0_b20.1.9.1-0.1.3
     java-1_6_0-openjdk-devel-1.6.0.0_b20.1.9.1-0.1.3
     java-1_6_0-openjdk-javadoc-1.6.0.0_b20.1.9.1-0.1.3
     java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.1.3
     java-1_6_0-openjdk-src-1.6.0.0_b20.1.9.1-0.1.3

References:

   http://support.novell.com/security/cve/CVE-2009-3555.html
   http://support.novell.com/security/cve/CVE-2010-3541.html
   http://support.novell.com/security/cve/CVE-2010-3548.html
   http://support.novell.com/security/cve/CVE-2010-3549.html
   http://support.novell.com/security/cve/CVE-2010-3551.html
   http://support.novell.com/security/cve/CVE-2010-3553.html
   http://support.novell.com/security/cve/CVE-2010-3554.html
   http://support.novell.com/security/cve/CVE-2010-3557.html
   http://support.novell.com/security/cve/CVE-2010-3561.html
   http://support.novell.com/security/cve/CVE-2010-3562.html
   http://support.novell.com/security/cve/CVE-2010-3564.html
   http://support.novell.com/security/cve/CVE-2010-3565.html
   http://support.novell.com/security/cve/CVE-2010-3566.html
   http://support.novell.com/security/cve/CVE-2010-3567.html
   http://support.novell.com/security/cve/CVE-2010-3568.html
   http://support.novell.com/security/cve/CVE-2010-3569.html
   http://support.novell.com/security/cve/CVE-2010-3573.html
   http://support.novell.com/security/cve/CVE-2010-3574.html
   https://bugzilla.novell.com/642531
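A post-patch verification script, added here as an example and not part of the openSUSE advisory: it takes the fixed java-1_6_0-openjdk versions from the Package List above and reports whether the installed package meets them. It assumes rpm is on the host and that GNU sort -V is available for version ordering; the function and variable names are the example's own.

```shell
# Fixed version-release strings from the advisory's Package List.
# openSUSE 11.3 and 11.2 ship the same build; 11.1 has its own.
fixed_version_for() {
  # $1 = openSUSE release; prints the fixed VERSION-RELEASE or fails
  case "$1" in
    11.3|11.2) echo "1.6.0.0_b20.1.9.1-0.2.2" ;;
    11.1)      echo "1.6.0.0_b20.1.9.1-0.1.3" ;;
    *)         return 1 ;;
  esac
}

# Succeed when installed ($1) is at least as new as fixed ($2).
# Version ordering is done with GNU sort -V (assumed present); the
# lowest of the two must be the fixed version for the host to be patched.
is_fixed() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
  [ "$lowest" = "$2" ]
}

# Query one package via rpm (assumed available) and print a status line.
# Returns 0 when patched or absent, 1 when still vulnerable, 2 on bad input.
# Usage: check_package java-1_6_0-openjdk 11.3
check_package() {
  pkg=$1
  rel=$2
  fixed=$(fixed_version_for "$rel") || {
    echo "$pkg: unknown openSUSE release '$rel'"; return 2; }
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || {
    echo "$pkg: not installed"; return 0; }
  if is_fixed "$installed" "$fixed"; then
    echo "$pkg: $installed OK (>= $fixed)"
  else
    echo "$pkg: $installed VULNERABLE (update to $fixed)"
    return 1
  fi
}
```

Run check_package for each of the java-1_6_0-openjdk subpackages listed above (devel, plugin, demo, javadoc, src) to cover the whole update, since all of them carry the same fixed version.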