
[RHSA-2007:0829-01] Critical: java-1.5.0-ibm security update

Posted on 07 August 2007
RedHat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Critical: java-1.5.0-ibm security update
Advisory ID: RHSA-2007:0829-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0829.html
Issue date: 2007-08-07
Updated on: 2007-08-07
Product: Red Hat Enterprise Linux Extras
CVE Names: CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
CVE-2007-3004 CVE-2007-3005 CVE-2007-3503
CVE-2007-3655 CVE-2007-3922
- ---------------------------------------------------------------------

1. Summary:

Updated java-1.5.0-ibm packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64

3. Problem description:

IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and
the IBM Java 2 Software Development Kit.

A security vulnerability in the Java Web Start component was discovered. An
untrusted application could elevate its privileges, allowing it to read
and write local files that are accessible to the user running the Java Web
Start application. (CVE-2007-2435)

A buffer overflow in the Java Runtime Environment image handling code was
found. An untrusted applet or application could use this flaw to elevate
its privileges and potentially execute arbitrary code as the user running
the java virtual machine. (CVE-2007-2788, CVE-2007-2789, CVE-2007-3004)

An unspecified vulnerability was discovered in the Java Runtime
Environment. An untrusted applet or application could cause the java
virtual machine to become unresponsive. (CVE-2007-3005)

The Javadoc tool was able to generate HTML documentation pages that
contained cross-site scripting (XSS) vulnerabilities. A remote attacker
could use this to inject arbitrary web script or HTML. (CVE-2007-3503)

The Java Web Start URL parsing component contains a buffer overflow
vulnerability within the parsing code for JNLP files. A remote attacker
could create a malicious JNLP file that could trigger this flaw and execute
arbitrary code when opened. (CVE-2007-3655)

A flaw was found in the applet class loader. An untrusted applet could use
this flaw to circumvent network access restrictions, possibly connecting
to services hosted on the machine that executed the applet. (CVE-2007-3922)

All users of java-1.5.0-ibm should upgrade to these updated packages, which
contain IBM's 1.5.0 SR5a Java release that resolves these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

239660 - CVE-2007-2435 javaws vulnerabilities
242595 - CVE-2007-3004 Integer overflow in IBM JDK's ICC profile parser
246765 - CVE-2007-3503 HTML files generated with Javadoc are vulnerable to a XSS
248864 - CVE-2007-3655 A buffer overflow vulnerability in Java Web Start URL parsing code
249533 - CVE-2007-3922 Vulnerability in the Java Runtime Environment May Allow an Untrusted Applet to Circumvent Network Access Restrictions
250725 - CVE-2007-2788 Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit
250729 - CVE-2007-2789 BMP image parser vulnerability
250733 - CVE-2007-3005 Unspecified vulnerability in Sun JRE

6. RPMs required:

Red Hat Enterprise Linux AS version 4 Extras:

i386:
f03a0b949023f7af674cb6123d8c0b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.i386.rpm
514ba2cdf984fe905023ef3137f8c694 java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.i386.rpm
abf1d7c47b0269002233598509526f4f java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.i386.rpm
cc42fb902725004893ef74afb34ad2ed java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.i386.rpm
48e501d6ee684fda5dc086edbf7f39d0 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.i386.rpm
7422f1586b4aa396ae356d975c7b4d07 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.2.el4.i386.rpm
f103cbcb03961bd51227162d9b43add0 java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.i386.rpm

ppc:
80d25e87c9d725749ecc7c6468567f26 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.ppc.rpm
eaa0a132e164dc2917eee3fb1de4fde7 java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.ppc.rpm
46df229ed548b1ea96e47ea74096dff0 java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.ppc.rpm
b927c7b01a7f274fba7d8ad1947d1734 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.ppc.rpm
84524729176d121a79d61c900df08c6f java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.ppc.rpm
f89c2e4ca7de93506091a4bfe33d925e java-1.5.0-ibm-plugin-1.5.0.5-1jpp.2.el4.ppc.rpm
052566c7a7b1e5d30a143ba5330d99e2 java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.ppc.rpm

s390:
e3a7c49d0eef762fe0b51629b58cff5d java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.s390.rpm
0ee5a83ddc19a4b2875050754fed2e7c java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.s390.rpm
90d581f8efd18918b85604424b4e808d java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.s390.rpm
26d463ee95fc4348bf2fc84542249981 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.s390.rpm
a1f3607d5410dcd740aa7c52e96864f3 java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.s390.rpm

s390x:
3825bc7bbadd3e373a7b9976e7f459f2 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.s390x.rpm
36531b05b1bf8535e9670fd2bb21c9e5 java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.s390x.rpm
0838e5b3621892896eddeb409cdf4164 java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.s390x.rpm
8e72d1ce7aecb19e65ed4cd1fd3eb6e7 java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.s390x.rpm

x86_64:
ad554406f3343e89a702612300fe3b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.x86_64.rpm
ea0d3cce9cb1b4e58e61f8838bef44af java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.x86_64.rpm
571af0ab215861528cd04c43f2277a80 java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.x86_64.rpm
c27c5adbbbcf66b718868bae7dfa71c2 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.x86_64.rpm
f41a2d5ce9916b8d9c34eb13b6ed799e java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.x86_64.rpm

Red Hat Desktop version 4 Extras:

i386:
f03a0b949023f7af674cb6123d8c0b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.i386.rpm
514ba2cdf984fe905023ef3137f8c694 java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.i386.rpm
abf1d7c47b0269002233598509526f4f java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.i386.rpm
cc42fb902725004893ef74afb34ad2ed java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.i386.rpm
48e501d6ee684fda5dc086edbf7f39d0 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.i386.rpm
7422f1586b4aa396ae356d975c7b4d07 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.2.el4.i386.rpm
f103cbcb03961bd51227162d9b43add0 java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.i386.rpm

x86_64:
ad554406f3343e89a702612300fe3b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.x86_64.rpm
ea0d3cce9cb1b4e58e61f8838bef44af java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.x86_64.rpm
571af0ab215861528cd04c43f2277a80 java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.x86_64.rpm
c27c5adbbbcf66b718868bae7dfa71c2 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.x86_64.rpm
f41a2d5ce9916b8d9c34eb13b6ed799e java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux ES version 4 Extras:

i386:
f03a0b949023f7af674cb6123d8c0b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.i386.rpm
514ba2cdf984fe905023ef3137f8c694 java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.i386.rpm
abf1d7c47b0269002233598509526f4f java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.i386.rpm
cc42fb902725004893ef74afb34ad2ed java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.i386.rpm
48e501d6ee684fda5dc086edbf7f39d0 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.i386.rpm
7422f1586b4aa396ae356d975c7b4d07 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.2.el4.i386.rpm
f103cbcb03961bd51227162d9b43add0 java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.i386.rpm

x86_64:
ad554406f3343e89a702612300fe3b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.x86_64.rpm
ea0d3cce9cb1b4e58e61f8838bef44af java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.x86_64.rpm
571af0ab215861528cd04c43f2277a80 java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.x86_64.rpm
c27c5adbbbcf66b718868bae7dfa71c2 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.x86_64.rpm
f41a2d5ce9916b8d9c34eb13b6ed799e java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.x86_64.rpm

Red Hat Enterprise Linux WS version 4 Extras:

i386:
f03a0b949023f7af674cb6123d8c0b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.i386.rpm
514ba2cdf984fe905023ef3137f8c694 java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.i386.rpm
abf1d7c47b0269002233598509526f4f java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.i386.rpm
cc42fb902725004893ef74afb34ad2ed java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.i386.rpm
48e501d6ee684fda5dc086edbf7f39d0 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.2.el4.i386.rpm
7422f1586b4aa396ae356d975c7b4d07 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.2.el4.i386.rpm
f103cbcb03961bd51227162d9b43add0 java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.i386.rpm

x86_64:
ad554406f3343e89a702612300fe3b91 java-1.5.0-ibm-1.5.0.5-1jpp.2.el4.x86_64.rpm
ea0d3cce9cb1b4e58e61f8838bef44af java-1.5.0-ibm-demo-1.5.0.5-1jpp.2.el4.x86_64.rpm
571af0ab215861528cd04c43f2277a80 java-1.5.0-ibm-devel-1.5.0.5-1jpp.2.el4.x86_64.rpm
c27c5adbbbcf66b718868bae7dfa71c2 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.2.el4.x86_64.rpm
f41a2d5ce9916b8d9c34eb13b6ed799e java-1.5.0-ibm-src-1.5.0.5-1jpp.2.el4.x86_64.rpm

RHEL Desktop Supplementary (v. 5 client):

i386:
cdd0cbabd95ecc48e24240ddb991d286 java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
5752527094c77e5d5e9bdedc6827ff8c java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
9106590bd9595ef15f7f0a64ceaf8e7d java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
cd23a583b39f53bd2a3450ae3adae1c1 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
8f85f3c0f2752a686f297ca4f7da61d8 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
0f4d9d82d394b0dc00655879c51f8732 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
bac96ce8cbf810f93e2af0bcc2cc4bad java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm

x86_64:
cdd0cbabd95ecc48e24240ddb991d286 java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
0a4968e760ba7272597a0bf0c42b095f java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
5752527094c77e5d5e9bdedc6827ff8c java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
698b1eb5c9cc70be15f4ee9ccd072b21 java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
9106590bd9595ef15f7f0a64ceaf8e7d java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
3a1b3589e3bf480bb3930df6202d771a java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
cd23a583b39f53bd2a3450ae3adae1c1 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
cf3eff9be6cade6bf7a388f060540e83 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
8f85f3c0f2752a686f297ca4f7da61d8 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
0f4d9d82d394b0dc00655879c51f8732 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
bac96ce8cbf810f93e2af0bcc2cc4bad java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm
c3d7f811eb870d2ebe2b46148956a944 java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.x86_64.rpm

RHEL Supplementary (v. 5 server):

i386:
cdd0cbabd95ecc48e24240ddb991d286 java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
5752527094c77e5d5e9bdedc6827ff8c java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
9106590bd9595ef15f7f0a64ceaf8e7d java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
cd23a583b39f53bd2a3450ae3adae1c1 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
8f85f3c0f2752a686f297ca4f7da61d8 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
0f4d9d82d394b0dc00655879c51f8732 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
bac96ce8cbf810f93e2af0bcc2cc4bad java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm

ppc:
c6cc6cf4f57c44d121ad93272de6dc5a java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.ppc.rpm
30e5e1278aca42c926bc3e50bfb21368 java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.ppc.rpm
b37db5b339256fcc55a1205beb2b5db7 java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.ppc.rpm
ce4abb9ab6a81d4d42a5a5b7e36c3165 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.ppc.rpm
420bad7eaeaa10e7889732694995e221 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.ppc.rpm
51386ab2985df10400a16802216aa059 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.ppc.rpm
2aff0d96d2f6133efba5139ac0ecbc4c java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.ppc.rpm

s390x:
4013abecb9cd69ce9c93cab4dafb60f5 java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.s390.rpm
2508d126568c77b569ce85685ddb28de java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.s390x.rpm
974fa192b305764ddd4ea0bd0c343a35 java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.s390.rpm
606b47fa3eb5a0ad82ab4d95997b0884 java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.s390x.rpm
2b6dab693b4b38348de47abbd971e595 java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.s390.rpm
8922fc932b1a8bd2c0cbc5886bec1427 java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.s390x.rpm
ab68a26dd60e2e6756319230f59e8b66 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.s390.rpm
0741e98e9500e66113503bc5229bb139 java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.s390.rpm
a069f10f50098a6de2251ac99006f030 java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.s390x.rpm

x86_64:
cdd0cbabd95ecc48e24240ddb991d286 java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.i386.rpm
0a4968e760ba7272597a0bf0c42b095f java-1.5.0-ibm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
5752527094c77e5d5e9bdedc6827ff8c java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.i386.rpm
698b1eb5c9cc70be15f4ee9ccd072b21 java-1.5.0-ibm-demo-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
9106590bd9595ef15f7f0a64ceaf8e7d java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.i386.rpm
3a1b3589e3bf480bb3930df6202d771a java-1.5.0-ibm-devel-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
cd23a583b39f53bd2a3450ae3adae1c1 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.i386.rpm
cf3eff9be6cade6bf7a388f060540e83 java-1.5.0-ibm-javacomm-1.5.0.5-1jpp.0.1.el5.x86_64.rpm
8f85f3c0f2752a686f297ca4f7da61d8 java-1.5.0-ibm-jdbc-1.5.0.5-1jpp.0.1.el5.i386.rpm
0f4d9d82d394b0dc00655879c51f8732 java-1.5.0-ibm-plugin-1.5.0.5-1jpp.0.1.el5.i386.rpm
bac96ce8cbf810f93e2af0bcc2cc4bad java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.i386.rpm
c3d7f811eb870d2ebe2b46148956a944 java-1.5.0-ibm-src-1.5.0.5-1jpp.0.1.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
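The update procedure in section 4 and the checksum list in section 6 together describe a manual workflow: download the RPMs, confirm they are the files Red Hat published, then run rpm -Fvh. The script below is an added example (not part of the advisory or Red Hat's tooling) that automates the confirmation step. It assumes the "6. RPMs required" text was saved verbatim to a manifest file and the downloaded RPMs sit in one directory; section headers and blank lines in the manifest are skipped, and only packages actually present in the directory are checked, mirroring how rpm -F only touches installed packages. The GPG signature check via rpm -K requires Red Hat's package-signing key to be imported first (see the key URL above); the MD5 comparison is a transfer-integrity check, the signature is the authenticity check.

```shell
#!/bin/sh
# Added example: verify downloaded errata RPMs against the advisory's checksum
# list and rpm's GPG signature check before applying them with rpm -Fvh.
# Assumptions: MANIFEST holds the advisory's "hash filename" lines as published,
# and RPMDIR holds the downloaded packages. Hypothetical helper names.

# verify_manifest MANIFEST DIR
# Compares the MD5 of every listed RPM that exists in DIR with the advisory's
# value. Returns 0 only if at least one file was checked and none mismatched.
verify_manifest() {
    manifest="$1"; dir="$2"
    checked=0; failed=0
    while read -r expected name; do
        # Blank lines and headers such as "i386:" have no second field.
        [ -n "$name" ] || continue
        f="$dir/$name"
        # Package for another architecture or not downloaded: skip, like rpm -F.
        [ -f "$f" ] || continue
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            checked=$((checked + 1))
        else
            echo "MISMATCH: $name (advisory $expected, file $actual)" >&2
            failed=$((failed + 1))
        fi
    done < "$manifest"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# check_signatures DIR
# Runs rpm's signature verification over every RPM in DIR. rpm -K reports
# "NOT OK" and exits non-zero for a package whose signature does not verify
# against an imported key, so an unsigned or tampered file fails the step.
check_signatures() {
    dir="$1"; rc=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        rpm -K "$f" || rc=1
    done
    return "$rc"
}

# Usage: sh verify_update.sh MANIFEST RPMDIR
# Runs the full check only when both arguments are supplied, so the functions
# above can also be sourced on their own.
if [ "$#" -ge 2 ]; then
    if verify_manifest "$1" "$2" && check_signatures "$2"; then
        echo "Checksums and signatures verified; apply with: rpm -Fvh $2/*.rpm"
    else
        echo "Verification failed; do not install these packages" >&2
        exit 1
    fi
fi
```

Because the manifest parser reads the advisory text unchanged, the same script works for any Red Hat advisory of this format: paste section 6 into a file and point the script at the download directory.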

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3922
http://www.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
