First published: Tue Jun 10 2014(Updated: )
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime<br>Environment and the OpenJDK 6 Java Software Development Kit.<br>An input validation flaw was discovered in the medialib library in the 2D<br>component. A specially crafted image could trigger Java Virtual Machine<br>memory corruption when processed. A remote attacker, or an untrusted Java<br>application or applet, could possibly use this flaw to execute arbitrary<br>code with the privileges of the user running the Java Virtual Machine.<br>(CVE-2014-0429)<br>Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK.<br>An untrusted Java application or applet could use these flaws to trigger<br>Java Virtual Machine memory corruption and possibly bypass Java sandbox<br>restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)<br>Multiple improper permission check issues were discovered in the Libraries<br>component in OpenJDK. An untrusted Java application or applet could use<br>these flaws to bypass Java sandbox restrictions. (CVE-2014-0457,<br>CVE-2014-0461)<br>Multiple improper permission check issues were discovered in the AWT,<br>JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java<br>application or applet could use these flaws to bypass certain Java sandbox<br>restrictions. (CVE-2014-2412, CVE-2014-0451, CVE-2014-0458, CVE-2014-2423,<br>CVE-2014-0452, CVE-2014-2414, CVE-2014-0446, CVE-2014-2427)<br>Multiple flaws were identified in the Java Naming and Directory Interface<br>(JNDI) DNS client. These flaws could make it easier for a remote attacker<br>to perform DNS spoofing attacks. (CVE-2014-0460)<br>It was discovered that the JAXP component did not properly prevent access<br>to arbitrary files when a SecurityManager was present. This flaw could<br>cause a Java application using JAXP to leak sensitive information, or<br>affect application availability. (CVE-2014-2403)<br>It was discovered that the Security component in OpenJDK could leak some<br>timing information when performing PKCS#1 unpadding. This could possibly<br>lead to the disclosure of some information that was meant to be protected<br>by encryption. (CVE-2014-0453)<br>It was discovered that the fix for CVE-2013-5797 did not properly resolve<br>input sanitization flaws in javadoc. When javadoc documentation was<br>generated from an untrusted Java source code and hosted on a domain not<br>controlled by the code author, these issues could make it easier to perform<br>cross-site scripting (XSS) attacks. (CVE-2014-2398)<br>An insecure temporary file use flaw was found in the way the unpack200<br>utility created log files. A local attacker could possibly use this flaw to<br>perform a symbolic link attack and overwrite arbitrary files with the<br>privileges of the user running unpack200. (CVE-2014-1876)<br>All users of java-1.6.0-openjdk are advised to upgrade to these updated<br>packages, which resolve these issues. All running instances of OpenJDK Java<br>must be restarted for the update to take effect.<br>
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <1.6.0-openjdk-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-debuginfo-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-debuginfo-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-demo-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-demo-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-devel-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-devel-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-javadoc-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-javadoc-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-src-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-src-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-debuginfo-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-debuginfo-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-demo-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-demo-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-devel-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-devel-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-javadoc-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-javadoc-1.6.0.0-6.1.13.3.el7_0 |
redhat/java | <1.6.0-openjdk-src-1.6.0.0-6.1.13.3.el7_0 | 1.6.0-openjdk-src-1.6.0.0-6.1.13.3.el7_0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.