[RHSA-2016:0053] java-1.7.0-openjdk security update
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
An out-of-bounds write flaw was found in the JPEG image format decoder in
the AWT component in OpenJDK. A specially crafted JPEG image could cause
a Java application to crash or, possibly, execute arbitrary code. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions. (CVE-2016-0483)
An integer signedness issue was found in the font parsing code in the 2D
component in OpenJDK. A specially crafted font file could possibly cause
the Java Virtual Machine to execute arbitrary code, allowing an untrusted
Java application or applet to bypass Java sandbox restrictions.
(CVE-2016-0494)
It was discovered that the JAXP component in OpenJDK did not properly
enforce the totalEntitySizeLimit limit. An attacker able to make a Java
application process a specially crafted XML file could use this flaw to
make the application consume an excessive amount of memory. (CVE-2016-0466)
A flaw was found in the way TLS 1.2 could use the MD5 hash function for
signing ServerKeyExchange and Client Authentication packets during a TLS
handshake. A man-in-the-middle attacker able to force a TLS connection to
use the MD5 hash function could use this flaw to conduct collision attacks
to impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)
Multiple flaws were discovered in the Libraries, Networking, and JMX
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871,
CVE-2016-0402, CVE-2016-0448)
Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.
Note: This update also disallows the use of the MD5 hash algorithm in the
certification path processing. The use of MD5 can be re-enabled by removing
MD5 from the jdk.certpath.disabledAlgorithms security property defined in
the java.security file.
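The note above describes the hardening as a change to the jdk.certpath.disabledAlgorithms property in java.security, so the practical check after applying this update is whether MD5 is still listed there. The following is an added example, not code from Red Hat or from the OpenJDK project: a minimal parser for the Properties-style syntax of java.security (comments, key=value lines, backslash line continuations) and a function that reports whether MD5 is disabled for certification path processing. Both sample files are constructed here to illustrate the two states; they are not copied from any real JDK release.

```python
"""Audit a java.security file: is MD5 still in jdk.certpath.disabledAlgorithms?

Added example; the sample contents below are constructed and the parser is a
deliberately small subset of java.util.Properties syntax.
"""
import re

# Constructed sample: the hardened state this advisory introduces (MD5 listed).
# The trailing backslash continues the value on the next line, as the real
# java.security file does.
SAMPLE_HARDENED = """\
# constructed sample, not a real java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4
"""

# Constructed sample: the weakened state described in the note, MD5 removed
# from the property (what an auditor wants to flag).
SAMPLE_MD5_REENABLED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
"""


def parse_properties(text):
    """Parse Properties-style text into a dict.

    Handles '#'/'!' comment lines, 'key=value' and 'key:value', and
    backslash-newline continuations (leading whitespace of the continued
    line is dropped, as in java.util.Properties).
    """
    props = {}
    pending = []  # pieces of a logical line still being continued
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        # A single trailing backslash (not an escaped one) continues the line.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def disabled_algorithms(props, key="jdk.certpath.disabledAlgorithms"):
    """Return the individual comma-separated entries of a disabledAlgorithms list.

    Entries may be bare algorithm names ('MD5') or constraints ('RSA keySize < 1024').
    """
    value = props.get(key, "")
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def md5_disabled_for_certpath(text):
    """True if MD5 itself is listed in jdk.certpath.disabledAlgorithms.

    Only the first token of each entry is compared, so a constraint entry
    such as 'RSA keySize < 1024' does not count and neither does an entry
    naming a different algorithm.
    """
    entries = disabled_algorithms(parse_properties(text))
    return any(entry.split()[0].upper() == "MD5" for entry in entries)


if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED),
                          ("md5 re-enabled", SAMPLE_MD5_REENABLED)):
        state = "disabled" if md5_disabled_for_certpath(sample) else "ALLOWED"
        print(f"{label}: MD5 in certpath is {state}")
```

To audit a real installation, read the java.security file of the JRE in use (its location depends on the installation layout) and pass its contents to md5_disabled_for_certpath; a False result means the hardening from this update has been reverted and MD5-signed certificates will again be accepted in certification paths.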
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.
Package | Affected Version |
---|---|
pkg:rpm/redhat/java-1.7.0-openjdk?arch=x86_64&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk?arch=i686&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk-src?arch=x86_64&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk-src?arch=i686&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk-javadoc?distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk-devel?arch=x86_64&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk-devel?arch=i686&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk-demo?arch=x86_64&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
pkg:rpm/redhat/java-1.7.0-openjdk-demo?arch=i686&distro=redhat-6.7 | < 1.7.0.95-2.6.4.0.el6_7 |
- ID
- RHSA-2016:0053
- Severity
- critical
- URL
- https://access.redhat.com/errata/RHSA-2016:0053
- Published
- 2016-01-21T00:00:00
- Modified
- 2016-01-21T00:00:00
- Rights
- Copyright 2016 Red Hat, Inc.
- Other Advisories
-
- ALAS-2016-643
- ALAS-2016-645
- ALAS-2016-647
- ALAS-2016-651
- ALAS-2016-654
- ALAS-2016-661
- DSA-3401-1
- DSA-3436-1
- DSA-3437-1
- DSA-3457-1
- DSA-3458-1
- DSA-3465-1
- DSA-3491-1
- DSA-3688-1
- DSA-3725-1
- ELSA-2016-0007
- ELSA-2016-0008
- ELSA-2016-0012
- ELSA-2016-0049
- ELSA-2016-0050
- ELSA-2016-0053
- ELSA-2016-0054
- ELSA-2016-0067
- FREEBSD:10F7BC76-0335-4A88-B391-0B05B3A8CE1C
- FREEBSD:A5934BA8-A376-11E5-85E9-14DAE9D210B8
- GLSA-201603-11
- GLSA-201603-14
- GLSA-201605-06
- GLSA-201610-08
- GLSA-201701-46
- GLSA-201706-18
- GLSA-201801-15
- RHSA-2015:2506
- RHSA-2015:2509
- RHSA-2016:0007
- RHSA-2016:0008
- RHSA-2016:0012
- RHSA-2016:0049
- RHSA-2016:0050
- RHSA-2016:0054
- RHSA-2016:0067
- RHSA-2016:0098
- RHSA-2016:0099
- RHSA-2016:0101
- SUSE-SU-2015:2166-1
- SUSE-SU-2015:2168-1
- SUSE-SU-2015:2168-2
- SUSE-SU-2015:2182-1
- SUSE-SU-2015:2192-1
- SUSE-SU-2015:2216-1
- SUSE-SU-2015:2268-1
- SUSE-SU-2016:0149-1
- SUSE-SU-2016:0189-1
- SUSE-SU-2016:0256-1
- SUSE-SU-2016:0265-1
- SUSE-SU-2016:0269-1
- SUSE-SU-2016:0390-1
- SUSE-SU-2016:0399-1
- SUSE-SU-2016:0401-1
- SUSE-SU-2016:0428-1
- SUSE-SU-2016:0431-1
- SUSE-SU-2016:0433-1
- SUSE-SU-2016:0584-1
- SUSE-SU-2016:0636-1
- SUSE-SU-2016:0770-1
- USN-2818-1
- USN-2863-1
- USN-2864-1
- USN-2865-1
- USN-2866-1
- USN-2884-1
- USN-2885-1
- USN-2904-1
- USN-3227-1
Source | # ID | Name | URL |
---|---|---|---|
Bugzilla | 1273859 | https://bugzilla.redhat.com/1273859 | |
Bugzilla | 1289841 | https://bugzilla.redhat.com/1289841 | |
Bugzilla | 1298906 | https://bugzilla.redhat.com/1298906 | |
Bugzilla | 1298957 | https://bugzilla.redhat.com/1298957 | |
Bugzilla | 1299073 | https://bugzilla.redhat.com/1299073 | |
Bugzilla | 1299385 | https://bugzilla.redhat.com/1299385 | |
Bugzilla | 1299441 | https://bugzilla.redhat.com/1299441 | |
RHSA | RHSA-2016:0053 | https://access.redhat.com/errata/RHSA-2016:0053 | |
CVE | CVE-2015-4871 | https://access.redhat.com/security/cve/CVE-2015-4871 | |
CVE | CVE-2015-7575 | https://access.redhat.com/security/cve/CVE-2015-7575 | |
CVE | CVE-2016-0402 | https://access.redhat.com/security/cve/CVE-2016-0402 | |
CVE | CVE-2016-0448 | https://access.redhat.com/security/cve/CVE-2016-0448 | |
CVE | CVE-2016-0466 | https://access.redhat.com/security/cve/CVE-2016-0466 | |
CVE | CVE-2016-0483 | https://access.redhat.com/security/cve/CVE-2016-0483 | |
CVE | CVE-2016-0494 | https://access.redhat.com/security/cve/CVE-2016-0494 | |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/redhat/java-1.7.0-openjdk?arch=x86_64&distro=redhat-6.7 | redhat | java-1.7.0-openjdk | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | x86_64 | |
Affected | pkg:rpm/redhat/java-1.7.0-openjdk?arch=i686&distro=redhat-6.7 | redhat | java-1.7.0-openjdk | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | i686 | |
Affected | pkg:rpm/redhat/java-1.7.0-openjdk-src?arch=x86_64&distro=redhat-6.7 | redhat | java-1.7.0-openjdk-src | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | x86_64 | |
Affected | pkg:rpm/redhat/java-1.7.0-openjdk-src?arch=i686&distro=redhat-6.7 | redhat | java-1.7.0-openjdk-src | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | i686 | |
Affected | pkg:rpm/redhat/java-1.7.0-openjdk-javadoc?distro=redhat-6.7 | redhat | java-1.7.0-openjdk-javadoc | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | ||
Affected | pkg:rpm/redhat/java-1.7.0-openjdk-devel?arch=x86_64&distro=redhat-6.7 | redhat | java-1.7.0-openjdk-devel | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | x86_64 | |
Affected | pkg:rpm/redhat/java-1.7.0-openjdk-devel?arch=i686&distro=redhat-6.7 | redhat | java-1.7.0-openjdk-devel | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | i686 | |
Affected | pkg:rpm/redhat/java-1.7.0-openjdk-demo?arch=x86_64&distro=redhat-6.7 | redhat | java-1.7.0-openjdk-demo | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | x86_64 | |
Affected | pkg:rpm/redhat/java-1.7.0-openjdk-demo?arch=i686&distro=redhat-6.7 | redhat | java-1.7.0-openjdk-demo | < 1.7.0.95-2.6.4.0.el6_7 | redhat-6.7 | i686 | |