SUSE Security Announcement: IBM Java 6 (SUSE-SA:2010:026)
Posted on: 07/01/2010 09:09 PM

A Java 6 security update is available for SUSE Linux Enterprise

______________________________________________________________________________

SUSE Security Announcement

Package: java-1_6_0-ibm
Announcement ID: SUSE-SA:2010:026
Date: Thu, 01 Jul 2010 18:00:00 +0000
Affected Products: SUSE Linux Enterprise Software Development Kit 11
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Software Development Kit 11 SP1
SUSE Linux Enterprise Server 11 SP1
Vulnerability Type: remote code execution
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2010-0084, CVE-2010-0085, CVE-2010-0087
CVE-2010-0088, CVE-2010-0089, CVE-2010-0090
CVE-2010-0091, CVE-2010-0092, CVE-2010-0094
CVE-2010-0095, CVE-2010-0837, CVE-2010-0838
CVE-2010-0839, CVE-2010-0840, CVE-2010-0841
CVE-2010-0842, CVE-2010-0843, CVE-2010-0844
CVE-2010-0846, CVE-2010-0847, CVE-2010-0848
CVE-2010-0849

Content of This Advisory:
1) Security Vulnerability Resolved:
IBM Java 6 security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

IBM Java 6 was updated to Service Release 8 to fix various security
issues.

Following security issues were fixed:
CVE-2010-0084: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6
Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
affect confidentiality via unknown vectors.

CVE-2010-0085: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers
to affect confidentiality, integrity, and availability via unknown
vectors.

CVE-2010-0087: Unspecified vulnerability in the Java Web Start, Java
Plug-in component in Oracle Java SE and Java for Business 6 Update 18,
5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0088: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers
to affect confidentiality, integrity, and availability via unknown
vectors.

CVE-2010-0089: Unspecified vulnerability in the Java Web Start, Java
Plug-in component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect
availability via unknown vectors.

CVE-2010-0090: Unspecified vulnerability in the Java Web Start, Java
Plug-in component in Oracle Java SE and Java for Business 6 Update
18 allows remote attackers to affect integrity and availability via
unknown vectors.

CVE-2010-0091: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6
Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
affect confidentiality via unknown vectors.

CVE-2010-0092: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6
Update 18, and 5.0 Update 23 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0094: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18 and 5.0 Update 23 allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors. NOTE: the previous
information was obtained from the March 2010 CPU. Oracle has not
commented on claims from a reliable researcher that this is due to
missing privilege checks during deserialization of RMIConnectionImpl
objects, which allows remote attackers to call system-level Java
functions via the ClassLoader of a constructor that is being
deserialized.

CVE-2010-0095: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0837: Unspecified vulnerability in the Pack200 component
in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update,
and 23 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors.

CVE-2010-0838: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update,
and 23 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on
claims from a reliable researcher that this is a stack-based buffer
overflow using an untrusted size value in the readMabCurveData function
in the CMM module in the JVM.

CVE-2010-0839: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0840: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
related to improper checks when executing privileged methods in the
Java Runtime Environment (JRE), which allows attackers to execute
arbitrary code via (1) an untrusted object that extends the trusted
class but has not modified a certain method, or (2) "a similar trust
issue with interfaces," aka "Trusted Methods Chaining Remote Code
Execution Vulnerability."

CVE-2010-0841: Unspecified vulnerability in the ImageIO component in
Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and
1.4.2_25 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on
claims from a reliable researcher that this is an integer overflow in
the Java Runtime Environment that allows remote attackers to execute
arbitrary code via a JPEG image that contains subsample dimensions
with large values, related to JPEGImageReader and "stepX".

CVE-2010-0842: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
an uncontrolled array index that allows remote attackers to execute
arbitrary code via a MIDI file with a crafted MixerSequencer object,
related to the GM_Song structure.

CVE-2010-0843: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
related to XNewPtr and improper handling of an integer parameter
when allocating heap memory in the com.sun.media.sound libraries,
which allows remote attackers to execute arbitrary code.

CVE-2010-0844: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this
is for improper parsing of a crafted MIDI stream when creating a
MixerSequencer object, which causes a pointer to be corrupted and
allows a NULL byte to be written to arbitrary memory.

CVE-2010-0846: Unspecified vulnerability in the ImageIO component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
a heap-based buffer overflow that allows remote attackers to execute
arbitrary code, related to an "invalid assignment" and inconsistent
length values in a JPEG image encoder (JPEGImageEncoderImpl).

CVE-2010-0847: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
a heap-based buffer overflow that allows arbitrary code execution
via a crafted image.

CVE-2010-0848: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0849: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this
is a heap-based buffer overflow in a decoding routine used by the
JPEGImageDecoderImpl interface, which allows code execution via a
crafted JPEG image.


Please also see
http://www.ibm.com/developerworks/java/jdk/alerts/
for a up to date list on what was fixed.

2) Solution or Work-Around

There is no known workaround, please install the update packages.

3) Special Instructions and Notes

Please restart applications using Java after installing this update.

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command

rpm -Fhv

to apply the update, replacing with the filename of the
downloaded RPM package.

Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:

SUSE Linux Enterprise Server 11 SP1
http://download.novell.com/patch/finder/?keywords=22b7b43ee38cfc5dac6ddc1fad1d45e5

SUSE Linux Enterprise Java 11 SP1
http://download.novell.com/patch/finder/?keywords=22b7b43ee38cfc5dac6ddc1fad1d45e5

SUSE Linux Enterprise Software Development Kit 11 SP1
http://download.novell.com/patch/finder/?keywords=22b7b43ee38cfc5dac6ddc1fad1d45e5

SUSE Linux Enterprise Server 11
http://download.novell.com/patch/finder/?keywords=a1c03b73aa6d1ead4ac038bf35d86be9

SUSE Linux Enterprise Software Development Kit 11
http://download.novell.com/patch/finder/?keywords=a1c03b73aa6d1ead4ac038bf35d86be9

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

- Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

gpg --verify

replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:

gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "

where is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

rpm -v --checksig

to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/suse_security_announcement_ibm_java_6_suse_sa2010026.html)