ID

VAR-201110-0383

CVE

CVE-2011-3552

TITLE

Oracle ‘ Java Runtime Environment ’ Component security vulnerability

DESCRIPTION

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking. Oracle Java SE is prone to a remote vulnerability in Java Runtime Environment. Exploiting this vulnerability could allow an attacker to exhaust all ephemeral ports on the system. This could impact the availability of networking and system resources on the computer. Other attacks are also possible. This vulnerability affects the following supported versions: JDK and JRE 7, 6 Update 27, 5.0 Update 31, 1.4.2_33. ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Hitachi Cosminexus Products Java Multiple Vulnerabilities SECUNIA ADVISORY ID: SA46694 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46694/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46694 RELEASE DATE: 2011-11-08 DISCUSS ADVISORY: http://secunia.com/advisories/46694/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46694/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46694 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Hitachi has acknowledged multiple vulnerabilities in Hitachi Cosminexus products, which can be exploited by malicious users to disclose certain information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. The vulnerabilities are caused due to vulnerabilities in the bundled version of Cosminexus Developer's Kit for Java. For more information: SA46512 Please see the vendor's advisory for a list of affected products. Please see the vendor's advisory for details. ORIGINAL ADVISORY: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-024/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. This combines the two previous openjdk-6 advisories, DSA-2311-1 and DSA-2356-1. CVE-2011-0862 Integer overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges. CVE-2011-0864 Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine. CVE-2011-0865 A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact. CVE-2011-0867 Untrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.) CVE-2011-0868 A float-to-long conversion could overflow, , allowing untrusted code (including applets) to crash the virtual machine. CVE-2011-0869 Untrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection. CVE-2011-0871 Untrusted code (including applets) could elevate its privileges through the Swing MediaTracker code. CVE-2011-3547 The skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code. CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges. CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information. CVE-2011-3560 The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions. For the oldstable distribution (lenny), these problems have been fixed in version 6b18-1.8.10-0~lenny1. ========================================================================== Ubuntu Security Notice USN-1263-1 November 16, 2011 icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: Multiple OpenJDK 6 and IcedTea-Web vulnerabilities have been fixed. Software Description: - icedtea-web: A web browser plugin to execute Java applets - openjdk-6: Open Source Java implementation - openjdk-6b18: Open Source Java implementation Details: Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377) Juliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm block-wise as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389) It was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521) It was discovered that the Java scripting engine did not perform SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544) It was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. (CVE-2011-3547) It was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548) It was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551) It was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet exhaust the number of available UDP sockets to cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552) It was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553) It was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554) It was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557) It was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558) It was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: icedtea-6-jre-cacao 6b23~pre11-0ubuntu1.11.10 icedtea-6-jre-jamvm 6b23~pre11-0ubuntu1.11.10 icedtea-netx 1.1.3-1ubuntu1.1 icedtea-plugin 1.1.3-1ubuntu1.1 openjdk-6-jre 6b23~pre11-0ubuntu1.11.10 openjdk-6-jre-headless 6b23~pre11-0ubuntu1.11.10 openjdk-6-jre-lib 6b23~pre11-0ubuntu1.11.10 openjdk-6-jre-zero 6b23~pre11-0ubuntu1.11.10 Ubuntu 11.04: icedtea-6-jre-cacao 6b22-1.10.4-0ubuntu1~11.04.1 icedtea-6-jre-jamvm 6b22-1.10.4-0ubuntu1~11.04.1 icedtea-netx 1.1.1-0ubuntu1~11.04.2 icedtea-plugin 1.1.1-0ubuntu1~11.04.2 openjdk-6-jre 6b22-1.10.4-0ubuntu1~11.04.1 openjdk-6-jre-headless 6b22-1.10.4-0ubuntu1~11.04.1 openjdk-6-jre-lib 6b22-1.10.4-0ubuntu1~11.04.1 openjdk-6-jre-zero 6b22-1.10.4-0ubuntu1~11.04.1 Ubuntu 10.10: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-demo 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jdk 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.10.2 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.10.2 Ubuntu 10.04 LTS: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~10.04.2 icedtea6-plugin 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-demo 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~10.04.2 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~10.04.2 After a standard system update you need to restart any Java applications or applets to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1263-1 CVE-2011-3377, CVE-2011-3389, CVE-2011-3521, CVE-2011-3544, CVE-2011-3547, CVE-2011-3548, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560 Package Information: https://launchpad.net/ubuntu/+source/icedtea-web/1.1.3-1ubuntu1.1 https://launchpad.net/ubuntu/+source/openjdk-6/6b23~pre11-0ubuntu1.11.10 https://launchpad.net/ubuntu/+source/icedtea-web/1.1.1-0ubuntu1~11.04.2 https://launchpad.net/ubuntu/+source/openjdk-6/6b22-1.10.4-0ubuntu1~11.04.1 https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.10-0ubuntu1~11.04.1 https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.10-0ubuntu1~10.10.2 https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.10-0ubuntu1~10.10.2 https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.10-0ubuntu1~10.04.2 https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.10-0ubuntu1~10.04.2 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:170 http://www.mandriva.com/security/ _______________________________________________________________________ Package : java-1.6.0-openjdk Date : November 11, 2011 Affected: 2010.1, 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Security issues were identified and fixed in openjdk (icedtea6) and icedtea-web: IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking (CVE-2011-3547). IcedTea6 prior to 1.10.4 allows remote authenticated users to affect confidentiality, related to JAXWS (CVE-2011-3553). A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection (CVE-2011-3389). Note: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag -Djsse.enableCBCProtection=false to the java command. IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability, related to RMI (CVE-2011-3556). IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability, related to RMI (CVE-2011-3557). IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE (CVE-2011-3560). A malicious applet could use this flaw to bypass SOP protection and open connections to any sub-domain of the second-level domain of the applet&#039;s origin, as well as any sub-domain of the domain that is the suffix of the origin second-level domain. For example, IcedTea-Web plugin allowed applet from some.host.example.com to connect to other.host.example.com, www.example.com, and example.com, as well as www.ample.com or ample.com. (CVE-2011-3377). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3377 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 2881c71d1da084f6c7a136335f5383d6 2010.1/i586/icedtea-web-1.0.6-0.1mdv2010.2.i586.rpm 415d7598363639aecbafd380827b7ab2 2010.1/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.i586.rpm 27d2d84f2a00e4d18cb68e8c8ecd1626 2010.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdv2010.2.i586.rpm 8b4b727a2139d866d0e88ff720de9b57 2010.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdv2010.2.i586.rpm 8084b3aaeac98db2ddf89913db805725 2010.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdv2010.2.i586.rpm f5c32405224455a5065d85ecbba6f1f2 2010.1/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdv2010.2.i586.rpm 45fd80b86f46b8e9ca3711c47d4fbb40 2010.1/SRPMS/icedtea-web-1.0.6-0.1mdv2010.2.src.rpm 6bbb0d8c0e0ce847b86d9145ca12e211 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 899e54445bf4ad65ea254e835006ce27 2010.1/x86_64/icedtea-web-1.0.6-0.1mdv2010.2.x86_64.rpm 7da63e6b6d83974f32f6580c4de53929 2010.1/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm 859e838ff8583b814f1270c36d0bf248 2010.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm 8da61ef538893c8b7766e868e369f400 2010.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm 3b56e8612ba71e92e728e3e1a9fef319 2010.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm 23eea5b9bf1a2ee3db0ebf0c6927234a 2010.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm 45fd80b86f46b8e9ca3711c47d4fbb40 2010.1/SRPMS/icedtea-web-1.0.6-0.1mdv2010.2.src.rpm 6bbb0d8c0e0ce847b86d9145ca12e211 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.src.rpm Mandriva Linux 2011: b585d6580568d064d9e99ab2d8898dbb 2011/i586/icedtea-web-1.0.6-0.1-mdv2011.0.i586.rpm 17ea4db995836efdb63f62370adc21f3 2011/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm b5b625dd4b96e479ce532f2d578650bb 2011/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm 3bc34e225ec9e6b38dd1876a5c5ffe6d 2011/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm 050f5c111f9e65c0ea06f80e4ffff35d 2011/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm 3d5eed0e210b9d4e38a6dcd74929f0dd 2011/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm 0579fb909e08a0f420183284ba7061e9 2011/SRPMS/icedtea-web-1.0.6-0.1.src.rpm 128cec9fdd9fd0e0d921341f178be9a1 2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1.src.rpm Mandriva Linux 2011/X86_64: aa77ab19c7746723530e3a696fd4355a 2011/x86_64/icedtea-web-1.0.6-0.1-mdv2011.0.x86_64.rpm 467cc14261ed055450afbf1a2a5fe483 2011/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm 2850bfa26b1f992dff3c2c1ac3f1326b 2011/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm 50053850cfdd573a9469aa0b5783cc82 2011/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm 04ba44e392bf335e86fdc2c66d03bdf3 2011/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm 678776c021e19498a6e201c9b0ef6513 2011/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm 0579fb909e08a0f420183284ba7061e9 2011/SRPMS/icedtea-web-1.0.6-0.1.src.rpm 128cec9fdd9fd0e0d921341f178be9a1 2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1.src.rpm Mandriva Enterprise Server 5: c6af60f8fac7b8fb91a79983e4c68364 mes5/i586/icedtea-web-1.0.6-0.1mdvmes5.2.i586.rpm 00295911ed1610030bd0b39680c2fb20 mes5/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm bdcd904e1e04d57f8205904b84dd5971 mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm 960da26357c48af97ca8e9cdb4245692 mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm 8cf1ac9ad06eddba1916d8e4e2b3cedf mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm f0a00b845915e25e7b4bc9802914aee4 mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm 3860e9d27e8bc15ea72a57deb811c961 mes5/SRPMS/icedtea-web-1.0.6-0.1mdvmes5.2.src.rpm b0701aff2a8ffdcc27a6cd7560d0d099 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 765023a21377d664c2ba05e98147dd1b mes5/x86_64/icedtea-web-1.0.6-0.1mdvmes5.2.x86_64.rpm f0b699b476a124eb0a1b2f5187101de9 mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm 249ffd15ed12d64798ff39431e402d69 mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm d747f2b1361c0a67d4d85824a94d0a69 mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm d50d63017beb08a2f23d08138a17c992 mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm dd36ff4d9b91a541dfa86bb46288bbe0 mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm 3860e9d27e8bc15ea72a57deb811c961 mes5/SRPMS/icedtea-web-1.0.6-0.1mdvmes5.2.src.rpm b0701aff2a8ffdcc27a6cd7560d0d099 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFOvSWxmqjQ0CJFipgRAnk1AKDUddZYCqwkfhoUpLxEL0BT3mDf0ACfbuTI aaF2JGTyfceBABs92un/yVA= =yPsD -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64 3. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. (CVE-2011-3389, CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560) All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM Java 1.4.2 SR13-FP11 release. All running instances of IBM Java must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 737506 - CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) 745379 - CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936) 745387 - CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600) 745397 - CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417) 745459 - CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466) 745464 - CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012) 745473 - CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773) 747191 - CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound) 747198 - CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing) 6. Package List: Red Hat Enterprise Linux AS version 4 Extras: i386: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.i386.rpm ia64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.ia64.rpm ppc: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.ppc64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.ppc64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.ppc64.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.ppc64.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.ppc.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.ppc64.rpm s390: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.s390.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.s390.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.s390.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el4.s390.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.s390.rpm s390x: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.s390x.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.s390x.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.s390x.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.s390x.rpm x86_64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.x86_64.rpm Red Hat Desktop version 4 Extras: i386: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.i386.rpm x86_64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4 Extras: i386: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.i386.rpm ia64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.ia64.rpm x86_64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4 Extras: i386: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13.11-1jpp.1.el4.i386.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.i386.rpm ia64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.ia64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.ia64.rpm x86_64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el4.x86_64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el4.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.i386.rpm ia64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.ia64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.ia64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.ia64.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.ia64.rpm ppc: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el5.ppc64.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.ppc.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.ppc64.rpm s390x: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.s390.rpm java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.s390x.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.s390.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.s390x.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.s390.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.s390x.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el5.s390.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.s390.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.s390x.rpm x86_64: java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-1.4.2.13.11-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-demo-1.4.2.13.11-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-devel-1.4.2.13.11-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-javacomm-1.4.2.13.11-1jpp.1.el5.x86_64.rpm java-1.4.2-ibm-jdbc-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-plugin-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.i386.rpm java-1.4.2-ibm-src-1.4.2.13.11-1jpp.1.el5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPC0nZXlSAg2UNWIIRAv1RAKCl92qrTYYU1hbGCfxx4pg/qqVM2gCcDbOP 1GEavw104zEMlVmzCOrcfx4= =j7JJ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-11-08-1 Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6 Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6 are now available and address the following: Java Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, Mac OS X v10.7.2, Mac OS X Server v10.7.2 Impact: Multiple vulnerabilities in Java 1.6.0_26 Description: Multiple vulnerabilities exist in Java 1.6.0_26, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. These issues are addressed by updating to Java version 1.6.0_29. Further information is available via the Java website at http://java.sun.com/javase/6/webnotes/ReleaseNotes.html CVE-ID CVE-2011-3389 CVE-2011-3521 CVE-2011-3544 CVE-2011-3545 CVE-2011-3546 CVE-2011-3547 CVE-2011-3548 CVE-2011-3549 CVE-2011-3551 CVE-2011-3552 CVE-2011-3553 CVE-2011-3554 CVE-2011-3556 CVE-2011-3557 CVE-2011-3558 CVE-2011-3560 CVE-2011-3561 Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ For Mac OS X v10.6 systems The download file is named: JavaForMacOSX10.6.dmg Its SHA-1 digest is: be0ac75b8bac967f1d39a94ebf9482a61fb7d70b For Mac OS X v10.7 systems The download file is named: JavaForMacOSX10.7.dmg Its SHA-1 digest is: 7768e6aeb5adaa638c74d4c04150517ed99fed20 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) iQEcBAEBAgAGBQJOuZNKAAoJEGnF2JsdZQeece8H/1I98YQ1LF4iDD442zB+WjZP 2Vxd3euXYwySD6qDCYNLJ0hUKu90c/4nr5d5rRH3xYdBzAHuZG39m069lpN1UZIW t5ube+j9zjiejnXlPbAgq+vIAg22nu0EdxhOOZZeQOoEYqyoKhXNCt3fR+tzo3o4 mN/LWMO1NwrM0sGDPuUGs2TWdPZbC4QJJz4Z4S+FsTlujYh9MRd3dyxLBIg7BKCL wgnFdpFW8bPmVdiTj91pC0Gb3XtolQxexXGHsdI15KeFMbQ06nKV/AyvxMF8O5jS D089GEHE52NAQCZ0YJ6TJsisrGqTZZ77js55cPU259FogxEKKBuwfdFbn4qVeD8= =4KBF -----END PGP SIGNATURE----- . Release Date: 2012-05-15 Last Updated: 2012-05-15 - ----------------------------------------------------------------------------- Potential Security Impact: Remote Denial of service, unauthorized modification and disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities may allow remote Denial of Service (DoS), unauthorized modification and disclosure of information. References: CVE-2010-4447, CVE-2010-4448, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4469, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0862, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0871, CVE-2011-3389, CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0499, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2010-4447 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2010-4448 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6 CVE-2010-4454 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2010-4462 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2010-4465 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2010-4469 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2010-4473 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2010-4475 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-0802 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-0814 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-0815 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-0862 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-0864 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-0865 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6 CVE-2011-0867 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2011-0871 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-3389 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2011-3545 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-3547 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2011-3548 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-3549 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2011-3552 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6 CVE-2011-3556 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-3557 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2011-3560 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4 CVE-2011-3563 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4 CVE-2012-0499 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2012-0502 (AV:N/AC:L/Au:N/C:P/I:N/A:P) 6.4 CVE-2012-0503 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-0505 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2012-0506 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP is providing the following Java updates to resolve the vulnerabilities. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 HP-UX B.11.23 HP-UX B.11.31 =========== Jpi14.JPI14-COM Jpi14.JPI14-COM-DOC Jpi14.JPI14-IPF32 Jpi14.JPI14-PA11 Jdk14.JDK14-COM Jdk14.JDK14-DEMO Jdk14.JDK14-IPF32 Jdk14.JDK14-IPF64 Jdk14.JDK14-PA11 Jdk14.JDK14-PA20 Jdk14.JDK14-PA20W Jdk14.JDK14-PNV2 Jdk14.JDK14-PWV2 Jre14.JRE14-COM Jre14.JRE14-COM-DOC Jre14.JRE14-IPF32 Jre14.JRE14-IPF32-HS Jre14.JRE14-IPF64 Jre14.JRE14-IPF64-HS Jre14.JRE14-PA11 Jre14.JRE14-PA11-HS Jre14.JRE14-PA20 Jre14.JRE14-PA20-HS Jre14.JRE14-PA20W Jre14.JRE14-PA20W-HS Jre14.JRE14-PNV2 Jre14.JRE14-PNV2-H Jre14.JRE14-PWV2 Jre14.JRE14-PWV2-H action: install revision 1.4.2.28.00 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 15 May 2012 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners

AFFECTED PRODUCTS