Issued:
2007-02-09
Updated:
2007-02-09

RHSA-2007:0073 - Critical: java-1.5.0-ibm security update

Synopsis

Critical: java-1.5.0-ibm security update

Type/Severity

Security Advisory Critical

Topic

java-1.5.0-ibm packages that correct several security issues are available for Red Hat Enterprise Linux 4 Extras.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Description

IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

Vulnerabilities were discovered in the Java Runtime Environment. An untrusted applet could use these vulnerabilities to access data from other applets. (CVE-2006-6736, CVE-2006-6737)

Serialization flaws were discovered in the Java Runtime Environment. An untrusted applet or application could use these flaws to elevate its privileges. (CVE-2006-6745)

Buffer overflow vulnerabilities were discovered in the Java Runtime Environment. An untrusted applet could use these flaws to elevate its privileges, possibly reading and writing local files or executing local applications. (CVE-2006-6731)

Daniel Bleichenbacher discovered an attack on PKCS #1 v1.5 signatures. Where an RSA key with exponent 3 is used it may be possible for an attacker to forge a PKCS #1 v1.5 signature that would be incorrectly verified by implementations that do not check for excess data in the RSA exponentiation result of the signature. (CVE-2006-4339)

All users of java-ibm-1.5.0 should upgrade to these packages, which contain IBM's 1.5.0 SR3 Java release which resolves these issues.

Please note that the packages in this erratum are identical to those we released on January 24th 2007 in advisory RHEA-2007:0027. We have issued this security update because when we released RHEA-2007:0027 we were not aware that it contained fixes for security issues. If you have already updated to those packages you will not need to apply this update.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

Affected Products

ProductVersionArch
Red Hat Enterprise Linux for Power, big endian4ppc
Red Hat Enterprise Linux for IBM z Systems4s390x
Red Hat Enterprise Linux for IBM z Systems4s390
Red Hat Enterprise Linux Workstation4x86_64
Red Hat Enterprise Linux Workstation4i386
Red Hat Enterprise Linux Server4x86_64
Red Hat Enterprise Linux Server4i386
Red Hat Enterprise Linux Desktop4x86_64
Red Hat Enterprise Linux Desktop4i386

Updated Packages

  • java-1.5.0-ibm-javacomm-1.5.0.3-1jpp.3.el4.i386.rpm
  • java-1.5.0-ibm-plugin-1.5.0.3-1jpp.3.el4.i386.rpm
  • java-1.5.0-ibm-src-1.5.0.3-1jpp.3.el4.i386.rpm
  • java-1.5.0-ibm-jdbc-1.5.0.3-1jpp.3.el4.i386.rpm
  • java-1.5.0-ibm-devel-1.5.0.3-1jpp.3.el4.i386.rpm
  • java-1.5.0-ibm-demo-1.5.0.3-1jpp.3.el4.i386.rpm
  • java-1.5.0-ibm-1.5.0.3-1jpp.3.el4.i386.rpm

Fixes

CVEs

References

Additional information