First published: Wed Mar 17 2010(Updated: )
The IBM 1.4.2 SR13-FP4 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handle session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. (CVE-2009-3555)

This update disables renegotiation in the non-default IBM JSSE2 provider for the Java Secure Socket Extension (JSSE) component. The default JSSE provider is not updated with this fix. Refer to the IBMJSSE2 Provider Reference Guide, linked to in the References, for instructions on how to configure the IBM Java 2 Runtime Environment to use the JSSE2 provider by default.

When using the JSSE2 provider, unsafe renegotiation can be re-enabled using the com.ibm.jsse2.renegotiate property. Refer to the following Knowledgebase article for details: http://kbase.redhat.com/faq/docs/DOC-20491

This update also fixes the following bug:

* the libjaasauth.so file was missing from the java-1.4.2-ibm packages for the Intel Itanium architecture (.ia64.rpm). This update adds the file to the packages for the Itanium architecture, which resolves this issue. (BZ#572577)

All users of java-1.4.2-ibm are advised to upgrade to these updated packages, which contain the IBM 1.4.2 SR13-FP4 Java release. All running instances of IBM Java must be restarted for this update to take effect.
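The fix in this advisory is to disable renegotiation outright in the JSSE2 provider. The other way a deployment closes CVE-2009-3555 is by negotiating the secure renegotiation extension (renegotiation_info, type 0xff01, defined in RFC 5746), which is what a practitioner checks for when auditing a TLS endpoint after patching. The following script is an added example, not code from the advisory, Red Hat or IBM: it parses a TLS ServerHello record and reports whether the server advertised renegotiation_info. The ServerHello bytes are constructed inline (fixed "random" field, no session ID, one cipher suite) so the check runs offline; the layout of the record, handshake header and extension list follows the TLS 1.0 wire format.

```python
import struct

# renegotiation_info extension type from RFC 5746
RENEG_INFO_EXT = 0xFF01


def build_server_hello(extensions, version=(3, 1)):
    """Construct a TLS record carrying a ServerHello (constructed sample data, not a capture).

    extensions: list of (type, data) tuples, or None for a server that sends no
    extension block at all (the shape of a legacy, pre-RFC 5746 server).
    """
    server_random = bytes(range(32))          # constructed, deliberately not random
    body = bytes(version)                      # server_version
    body += server_random                      # random
    body += b"\x00"                            # session_id length 0
    body += b"\x00\x2f"                        # cipher_suite TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                            # compression_method null
    if extensions is not None:
        ext_bytes = b"".join(struct.pack("!HH", etype, len(data)) + data
                             for etype, data in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType server_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record):
    """Return {extension_type: data} from a TLS record holding a ServerHello.

    Raises ValueError on anything that is not a well-formed ServerHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("record does not contain a complete ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello body")

    pos = 2 + 32                               # skip server_version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len                  # skip session_id
    pos += 2 + 1                               # skip cipher_suite and compression_method

    extensions = {}
    if pos == len(body):
        return extensions                      # no extension block: legacy server
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(body):
        raise ValueError("extension length does not match body length")
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        extensions[etype] = body[pos:pos + elen]
        pos += elen
    return extensions


def supports_secure_renegotiation(record):
    """True if the ServerHello in `record` carries renegotiation_info (RFC 5746)."""
    return RENEG_INFO_EXT in parse_server_hello_extensions(record)


def classify(record):
    """Defender-facing summary for an audit report."""
    if supports_secure_renegotiation(record):
        return "secure renegotiation advertised"
    return "no renegotiation_info: safe only if renegotiation is disabled server-side"


if __name__ == "__main__":
    # On the initial handshake the extension body is a single zero-length
    # renegotiated_connection, i.e. the one byte 0x00.
    patched = build_server_hello([(RENEG_INFO_EXT, b"\x00")])
    legacy = build_server_hello(None)
    print("patched server:", classify(patched))
    print("legacy server: ", classify(legacy))
```

The absence of the extension is not by itself proof of exposure: a server that has renegotiation disabled, which is what this update does for the JSSE2 provider, does not need renegotiation_info to be safe from the prefix attack. The check therefore reports "safe only if renegotiation is disabled" rather than "vulnerable", and the operator confirms the renegotiation setting (here, the com.ibm.jsse2.renegotiate property) separately.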
| Affected Software | Affected Version | Fixed Version |
|---|---|---|
| redhat/java | <1.4.2-ibm-1.4.2.13.4-1jpp.1.el5 | 1.4.2-ibm-1.4.2.13.4-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-demo-1.4.2.13.4-1jpp.1.el5 | 1.4.2-ibm-demo-1.4.2.13.4-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-devel-1.4.2.13.4-1jpp.1.el5 | 1.4.2-ibm-devel-1.4.2.13.4-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-javacomm-1.4.2.13.4-1jpp.1.el5 | 1.4.2-ibm-javacomm-1.4.2.13.4-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-jdbc-1.4.2.13.4-1jpp.1.el5 | 1.4.2-ibm-jdbc-1.4.2.13.4-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-plugin-1.4.2.13.4-1jpp.1.el5 | 1.4.2-ibm-plugin-1.4.2.13.4-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-src-1.4.2.13.4-1jpp.1.el5 | 1.4.2-ibm-src-1.4.2.13.4-1jpp.1.el5 |
The severity of RHSA-2010:0155 is classified as moderate.
To fix RHSA-2010:0155, update to the latest version of the affected IBM Java packages.
RHSA-2010:0155 affects multiple IBM Java packages (java-1.4.2-ibm and its subpackages) at versions earlier than 1.4.2-ibm-1.4.2.13.4-1jpp.1.el5.
RHSA-2010:0155 addresses a flaw in the TLS/SSL protocols related to session renegotiation.
A related security bug is documented in Red Hat Bugzilla as Bug 533125.