First published: Wed Apr 16 2014
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2014-0429)

Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)

Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-0457, CVE-2014-0461)

Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427)

Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks. (CVE-2014-0460)

It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability. (CVE-2014-2403)

It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption. (CVE-2014-0453)

It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks. (CVE-2014-2398)

An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200. (CVE-2014-1876)

This update also fixes the following bug:

* The OpenJDK update to IcedTea version 1.13 introduced a regression related to the handling of the jdk_version_info variable. This variable was not properly zeroed out before being passed to the Java Virtual Machine, resulting in a memory leak in the java.lang.ref.Finalizer class. This update fixes this issue, and memory leaks no longer occur. (BZ#1085373)

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Affected Software | Affected Version | How to fix
---|---|---
redhat/java | <1.6.0-openjdk-1.6.0.0-5.1.13.3.el6_5 | 1.6.0-openjdk-1.6.0.0-5.1.13.3.el6_5
redhat/java | <1.6.0-openjdk-debuginfo-1.6.0.0-5.1.13.3.el6_5 | 1.6.0-openjdk-debuginfo-1.6.0.0-5.1.13.3.el6_5
redhat/java | <1.6.0-openjdk-demo-1.6.0.0-5.1.13.3.el6_5 | 1.6.0-openjdk-demo-1.6.0.0-5.1.13.3.el6_5
redhat/java | <1.6.0-openjdk-devel-1.6.0.0-5.1.13.3.el6_5 | 1.6.0-openjdk-devel-1.6.0.0-5.1.13.3.el6_5
redhat/java | <1.6.0-openjdk-javadoc-1.6.0.0-5.1.13.3.el6_5 | 1.6.0-openjdk-javadoc-1.6.0.0-5.1.13.3.el6_5
redhat/java | <1.6.0-openjdk-src-1.6.0.0-5.1.13.3.el6_5 | 1.6.0-openjdk-src-1.6.0.0-5.1.13.3.el6_5
redhat/java | <1.6.0-openjdk-1.6.0.0-5.1.13.3.el5_10 | 1.6.0-openjdk-1.6.0.0-5.1.13.3.el5_10
redhat/java | <1.6.0-openjdk-debuginfo-1.6.0.0-5.1.13.3.el5_10 | 1.6.0-openjdk-debuginfo-1.6.0.0-5.1.13.3.el5_10
redhat/java | <1.6.0-openjdk-demo-1.6.0.0-5.1.13.3.el5_10 | 1.6.0-openjdk-demo-1.6.0.0-5.1.13.3.el5_10
redhat/java | <1.6.0-openjdk-devel-1.6.0.0-5.1.13.3.el5_10 | 1.6.0-openjdk-devel-1.6.0.0-5.1.13.3.el5_10
redhat/java | <1.6.0-openjdk-javadoc-1.6.0.0-5.1.13.3.el5_10 | 1.6.0-openjdk-javadoc-1.6.0.0-5.1.13.3.el5_10
redhat/java | <1.6.0-openjdk-src-1.6.0.0-5.1.13.3.el5_10 | 1.6.0-openjdk-src-1.6.0.0-5.1.13.3.el5_10
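To decide whether a host still runs a release older than the fixed ones in the table, the comparison has to follow rpm's version-ordering rules rather than plain string order. The following is an added example, not part of the advisory: a pure-Python re-implementation of rpm's rpmvercmp() segment rules applied to the fixed version-release strings above. It assumes the installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}' java-1.6.0-openjdk` and that the package epoch is unchanged (the table does not list epochs), so only version and release are compared.

```python
import re

# Fixed VERSION-RELEASE per distribution, taken from the advisory table above.
FIXED = {
    "el6": ("1.6.0.0", "5.1.13.3.el6_5"),
    "el5": ("1.6.0.0", "5.1.13.3.el5_10"),
}


def _segments(s: str) -> list:
    """Split a version or release string into rpm-style segments:
    runs of digits and runs of letters; every other character is a separator."""
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings the way rpm's rpmvercmp() does.
    Returns -1, 0 or 1. Numeric segments compare as integers, alphabetic
    segments lexically, a numeric segment is newer than an alphabetic one,
    and when all shared segments match, the string with more segments is newer.
    (Tilde/caret pre-release markers are not handled; the table has none.)"""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_vulnerable(installed_vr: str, dist: str) -> bool:
    """True when an installed 'VERSION-RELEASE' string for java-1.6.0-openjdk
    sorts before the fixed release for the given distribution ('el5'/'el6')."""
    version, release = installed_vr.split("-", 1)
    fix_version, fix_release = FIXED[dist]
    order = rpmvercmp(version, fix_version) or rpmvercmp(release, fix_release)
    return order < 0


if __name__ == "__main__":
    # Constructed sample values, not taken from a real host.
    for vr, dist in [("1.6.0.0-4.1.13.1.el6", "el6"), ("1.6.0.0-5.1.13.3.el6_5", "el6")]:
        print(vr, "vulnerable" if is_vulnerable(vr, dist) else "fixed")
```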