- Home
- CVEs with nessus.description==Updated+java-1.6.0-openjdk+packages+that+fix+several+security+issues+are+now+available+for+Red+Hat+Enterprise+Linux+6.%0A%0AThe+Red+Hat+Security+Response+Team+has+rated+this+update+as+having+critical+security+impact.+Common+Vulnerability+Scoring+System+%28CVSS%29+base+scores%2C+which+give+detailed+severity+ratings%2C+are+available+for+each+vulnerability+from+the+CVE+links+in+the+References+section.%0A%0AThese+packages+provide+the+OpenJDK+6+Java+Runtime+Environment+and+the+OpenJDK+6+Software+Development+Kit.%0A%0AIt+was+discovered+that+Java2D+did+not+properly+check+graphics+rendering+objects+before+passing+them+to+the+native+renderer.%0AMalicious+input%2C+or+an+untrusted+Java+application+or+applet+could+use+this+flaw+to+crash+the+Java+Virtual+Machine+%28JVM%29%2C+or+bypass+Java+sandbox+restrictions.+%28CVE-2012-0497%29%0A%0AIt+was+discovered+that+the+exception+thrown+on+deserialization+failure+did+not+always+contain+a+proper+identification+of+the+cause+of+the+failure.+An+untrusted+Java+application+or+applet+could+use+this+flaw+to+bypass+Java+sandbox+restrictions.+%28CVE-2012-0505%29%0A%0AThe+AtomicReferenceArray+class+implementation+did+not+properly+check+if+the+array+was+of+the+expected+Object%5B%5D+type.+A+malicious+Java+application+or+applet+could+use+this+flaw+to+bypass+Java+sandbox+restrictions.+%28CVE-2011-3571%29%0A%0AIt+was+discovered+that+the+use+of+TimeZone.setDefault%28%29+was+not+restricted+by+the+SecurityManager%2C+allowing+an+untrusted+Java+application+or+applet+to+set+a+new+default+time+zone%2C+and+hence+bypass+Java+sandbox+restrictions.+%28CVE-2012-0503%29%0A%0AThe+HttpServer+class+did+not+limit+the+number+of+headers+read+from+HTTP+requests.+A+remote+attacker+could+use+this+flaw+to+make+an+application+using+HttpServer+use+an+excessive+amount+of+CPU+time+via+a+specially+crafted+request.+This+update+introduces+a+header+count+limit+controlled+using+the+sun.net.httpserver.maxReqHeaders+property.+The+default+value+is+200.+%28CVE-2011-5035%29%0A%0AThe+Java+Sound+component+did+not+properly+check+buffer+boundaries.%0AMalicious+input%2C+or+an+untrusted+Java+application+or+applet+could+use+this+flaw+to+cause+the+Java+Virtual+Machine+%28JVM%29+to+crash+or+disclose+a+portion+of+its+memory.+%28CVE-2011-3563%29%0A%0AA+flaw+was+found+in+the+AWT+KeyboardFocusManager+that+could+allow+an+untrusted+Java+application+or+applet+to+acquire+keyboard+focus+and+possibly+steal+sensitive+information.+%28CVE-2012-0502%29%0A%0AIt+was+discovered+that+the+CORBA+%28Common+Object+Request+Broker+Architecture%29+implementation+in+Java+did+not+properly+protect+repository+identifiers+on+certain+CORBA+objects.+This+could+have+been+used+to+modify+immutable+object+data.+%28CVE-2012-0506%29%0A%0AAn+off-by-one+flaw%2C+causing+a+stack+overflow%2C+was+found+in+the+unpacker+for+ZIP+files.+A+specially+crafted+ZIP+archive+could+cause+the+Java+Virtual+Machine+%28JVM%29+to+crash+when+opened.+%28CVE-2012-0501%29%0A%0ANote%3A+If+the+web+browser+plug-in+provided+by+the+icedtea-web+package+was+installed%2C+the+issues+exposed+via+Java+applets+could+have+been+exploited+without+user+interaction+if+a+user+visited+a+malicious+website.%0A%0AThis+erratum+also+upgrades+the+OpenJDK+package+to+IcedTea6+1.10.6.%0ARefer+to+the+NEWS+file%2C+linked+to+in+the+References%2C+for+further+information.%0A%0AAll+users+of+java-1.6.0-openjdk+are+advised+to+upgrade+to+these+updated+packages%2C+which+resolve+these+issues.+All+running+instances+of+OpenJDK+Java+must+be+restarted+for+the+update+to+take+effect
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top