Critical CentOS java-1.6.0-openjdk Update

Metadata

critical
10.0
java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm, java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.src.rpm, java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm, java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm, java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm, java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm, java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm, java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm, java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm, java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm, java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm
CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0450, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480
rhn.redhat.com, lists.centos.org
2013-02-09
2017-07-27 19:04
ALAS-2013-155
ALAS-2013-156
Important CentOS java-1.7.0-openjdk Update
Important CentOS java-1.6.0-openjdk Update
CVE-2013-1476 openjdk-7
CVE-2013-1478 openjdk-7
CVE-2013-0443 openjdk-7
CVE-2013-0445 openjdk-7
CVE-2013-0433 openjdk-7
CVE-2013-0434 openjdk-7
CVE-2013-0425 openjdk-6
CVE-2013-0427 openjdk-6
CVE-2013-1478 openjdk-6
CVE-2013-0429 openjdk-6
CVE-2013-1476 openjdk-6
CVE-2013-0445 openjdk-6
CVE-2013-0432 openjdk-6
CVE-2013-0433 openjdk-6
CVE-2013-0434 openjdk-6
CVE-2013-0435 openjdk-6
CVE-2013-0440 openjdk-7
CVE-2013-0440 openjdk-6
CVE-2013-0443 openjdk-6
CVE-2013-0424 openjdk-7
CVE-2013-0428 openjdk-7
CVE-2013-0429 openjdk-7
CVE-2013-1475 openjdk-7
CVE-2013-0425 openjdk-7
CVE-2013-0426 openjdk-7
CVE-2013-0426 openjdk-6
CVE-2013-0427 openjdk-7
CVE-2013-0428 openjdk-6
CVE-2013-0442 openjdk-7
CVE-2013-0442 openjdk-6
CVE-2013-1475 openjdk-6
CVE-2013-0450 openjdk-6
CVE-2013-1480 openjdk-7
CVE-2013-0450 openjdk-7
CVE-2013-1480 openjdk-6
CVE-2013-0432 openjdk-7
CVE-2013-0441 openjdk-6
CVE-2013-0441 openjdk-7
CVE-2013-0435 openjdk-7
CVE-2013-0424 openjdk-6
CVE-2013-0432
CVE-2013-1475
CVE-2013-0441
CVE-2013-0440
CVE-2013-0424
CVE-2013-0450
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0433
CVE-2013-0428
CVE-2013-0429
CVE-2013-0435
CVE-2013-1480
CVE-2013-0443
CVE-2013-0445
CVE-2013-0434
CVE-2013-1476
CVE-2013-1478
CVE-2013-0442
2017-04-01 19:06
2017-01-05 20:10

Description


Updated java-1.6.0-openjdk packages that fix several security issues are
now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

Multiple improper permission check issues were discovered in the AWT,
CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,
CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0428)

Multiple flaws were found in the way image parsers in the 2D and AWT
components handled image raster parameters. A specially-crafted image could
cause Java Virtual Machine memory corruption and, possibly, lead to
arbitrary code execution with the virtual machine privileges.
(CVE-2013-1478, CVE-2013-1480)

A flaw was found in the AWT component's clipboard handling code. An
untrusted Java application or applet could use this flaw to access
clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)

The default Java security properties configuration did not restrict access
to certain com.sun.xml.internal packages. An untrusted Java application or
applet could use this flaw to access information, bypassing certain Java
sandbox restrictions. This update lists the whole package as restricted.
(CVE-2013-0435)

Multiple improper permission check issues were discovered in the Libraries,
Networking, and JAXP components. An untrusted Java application or applet
could use these flaws to bypass certain Java sandbox restrictions.
(CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)

It was discovered that the RMI component's CGIHandler class used user
inputs in error messages without any sanitization. An attacker could use
this flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)

It was discovered that the SSL/TLS implementation in the JSSE component
did not properly enforce handshake message ordering, allowing an unlimited
number of handshake restarts. A remote attacker could use this flaw to
make an SSL/TLS server using JSSE consume an excessive amount of CPU by
continuously restarting the handshake. (CVE-2013-0440)

It was discovered that the JSSE component did not properly validate
Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw
to perform a small subgroup attack. (CVE-2013-0443)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

This erratum also upgrades the OpenJDK package to IcedTea6 1.11.6. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.
Please see https://www.redhat.com/footer/terms-of-use.html

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
6 java-1.6.0-openjdk java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm
java-1.6.0-openjdk java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.src.rpm
java-1.6.0-openjdk java-1.6.0-openjdk-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm
java-1.6.0-openjdk-demo java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm
java-1.6.0-openjdk-demo java-1.6.0-openjdk-demo-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm
java-1.6.0-openjdk-devel java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm
java-1.6.0-openjdk-devel java-1.6.0-openjdk-devel-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm
java-1.6.0-openjdk-javadoc java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm
java-1.6.0-openjdk-javadoc java-1.6.0-openjdk-javadoc-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm
java-1.6.0-openjdk-src java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.i686.rpm
java-1.6.0-openjdk-src java-1.6.0-openjdk-src-1.6.0.0-1.54.1.11.6.el6_3.x86_64.rpm