rhsa-2010_0408
Vulnerability from csaf_redhat
Published: 2010-05-12 16:21
Modified: 2024-11-14 10:49
Summary: Red Hat Security Advisory: java-1.4.2-ibm security update
Notes
Topic
Updated java-1.4.2-ibm packages that fix various security issues are now
available for Red Hat Enterprise Linux 4 and 5 for SAP.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
Details
The IBM 1.4.2 SR13-FP4 Java release includes the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit.

This update fixes various vulnerabilities in the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit. These
vulnerabilities are summarized on the IBM "Security alerts" page listed in
the References section. (CVE-2009-3555, CVE-2009-3867, CVE-2009-3869,
CVE-2009-3871, CVE-2009-3874, CVE-2009-3875)

For the CVE-2009-3555 issue, this update disables renegotiation in the
non-default IBM JSSE2 provider for the Java Secure Socket Extension (JSSE)
component. The default JSSE provider is not updated with this fix. Refer to
the IBMJSSE2 Provider Reference Guide, linked to in the References, for
instructions on how to configure the IBM Java 2 Runtime Environment to use
the JSSE2 provider by default.

When using the JSSE2 provider, unsafe renegotiation can be re-enabled using
the com.ibm.jsse2.renegotiate property. Refer to the following
Knowledgebase article for details:
http://kbase.redhat.com/faq/docs/DOC-20491

Warning: Do not install these java-1.4.2-ibm packages for SAP alongside the
java-1.4.2-ibm packages from the Red Hat Enterprise Linux Extras or
Supplementary channels on the Red Hat Network. Doing so could cause your
system to fail to update cleanly, among other possible problems.

All users of java-1.4.2-ibm for Red Hat Enterprise Linux 4 and 5 for SAP
are advised to upgrade to these updated packages, which contain the IBM
1.4.2 SR13-FP4 Java release. All running instances of IBM Java must be
restarted for this update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated java-1.4.2-ibm packages that fix various security issues are now\navailable for Red Hat Enterprise Linux 4 and 5 for SAP.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "The IBM 1.4.2 SR13-FP4 Java release includes the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit.\n\nThis update fixes various vulnerabilities in the IBM Java 2 Runtime\nEnvironment and the IBM Java 2 Software Development Kit. These\nvulnerabilities are summarized on the IBM \"Security alerts\" page listed in\nthe References section. (CVE-2009-3555, CVE-2009-3867, CVE-2009-3869,\nCVE-2009-3871, CVE-2009-3874, CVE-2009-3875)\n\nFor the CVE-2009-3555 issue, this update disables renegotiation in the\nnon-default IBM JSSE2 provider for the Java Secure Socket Extension (JSSE)\ncomponent. The default JSSE provider is not updated with this fix. Refer to\nthe IBMJSSE2 Provider Reference Guide, linked to in the References, for\ninstructions on how to configure the IBM Java 2 Runtime Environment to use\nthe JSSE2 provider by default.\n\nWhen using the JSSE2 provider, unsafe renegotiation can be re-enabled using\nthe com.ibm.jsse2.renegotiate property. 
Refer to the following\nKnowledgebase article for details:\nhttp://kbase.redhat.com/faq/docs/DOC-20491\n\nWarning: Do not install these java-1.4.2-ibm packages for SAP alongside the\njava-1.4.2-ibm packages from the Red Hat Enterprise Linux Extras or\nSupplementary channels on the Red Hat Network. Doing so could cause your\nsystem to fail to update cleanly, among other possible problems.\n\nAll users of java-1.4.2-ibm for Red Hat Enterprise Linux 4 and 5 for SAP\nare advised to upgrade to these updated packages, which contain the IBM\n1.4.2 SR13-FP4 Java release. All running instances of IBM Java must be\nrestarted for this update to take effect.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2010:0408", "url": "https://access.redhat.com/errata/RHSA-2010:0408" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "http://kbase.redhat.com/faq/docs/DOC-20491", "url": "http://kbase.redhat.com/faq/docs/DOC-20491" }, { "category": "external", "summary": "http://www.ibm.com/developerworks/java/jdk/alerts/", "url": "http://www.ibm.com/developerworks/java/jdk/alerts/" }, { 
"category": "external", "summary": "http://www.ibm.com/developerworks/java/jdk/security/142/secguides/jsse2docs/JSSE2RefGuide.html", "url": "http://www.ibm.com/developerworks/java/jdk/security/142/secguides/jsse2docs/JSSE2RefGuide.html" }, { "category": "external", "summary": "530057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530057" }, { "category": "external", "summary": "530062", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530062" }, { "category": "external", "summary": "530063", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530063" }, { "category": "external", "summary": "530067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530067" }, { "category": "external", "summary": "533125", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=533125" }, { "category": "external", "summary": "533214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=533214" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2010/rhsa-2010_0408.json" } ], "title": "Red Hat Security Advisory: java-1.4.2-ibm security update", "tracking": { "current_release_date": "2024-11-14T10:49:22+00:00", "generator": { "date": "2024-11-14T10:49:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2010:0408", "initial_release_date": "2010-05-12T16:21:00+00:00", "revision_history": [ { "date": "2010-05-12T16:21:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2010-05-12T12:21:43+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-14T10:49:22+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHEL 4 AS for SAP", "product": { "name": "RHEL 4 AS for SAP", "product_id": "4AS-SAP", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_extras_sap:4" } } }, { "category": 
"product_name", "name": "RHEL 5 Server for SAP", "product": { "name": "RHEL 5 Server for SAP", "product_id": "5Server-SAP", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhel_extras_sap:5" } } } ], "category": "product_family", "name": "RHEL for SAP" }, { "branches": [ { "category": "product_version", "name": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product": { "name": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_id": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-demo@1.4.2.13.4.sap-1jpp.1.el4_8?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product": { "name": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_id": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-src@1.4.2.13.4.sap-1jpp.1.el4_8?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product": { "name": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_id": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-javacomm@1.4.2.13.4.sap-1jpp.1.el4_8?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product": { "name": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_id": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-devel@1.4.2.13.4.sap-1jpp.1.el4_8?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product": { "name": 
"java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_id": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm@1.4.2.13.4.sap-1jpp.1.el4_8?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product": { "name": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_id": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-devel@1.4.2.13.4.sap-1jpp.1.el5?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product": { "name": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_id": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-src@1.4.2.13.4.sap-1jpp.1.el5?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product": { "name": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_id": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-javacomm@1.4.2.13.4.sap-1jpp.1.el5?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product": { "name": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_id": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm@1.4.2.13.4.sap-1jpp.1.el5?arch=x86_64" } } }, { "category": "product_version", "name": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product": { "name": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "product_id": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", 
"product_identification_helper": { "purl": "pkg:rpm/redhat/java-1.4.2-ibm-demo@1.4.2.13.4.sap-1jpp.1.el5?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64 as a component of RHEL 4 AS for SAP", "product_id": "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64" }, "product_reference": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "relates_to_product_reference": "4AS-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64 as a component of RHEL 4 AS for SAP", "product_id": "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64" }, "product_reference": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "relates_to_product_reference": "4AS-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64 as a component of RHEL 4 AS for SAP", "product_id": "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64" }, "product_reference": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "relates_to_product_reference": "4AS-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64 as a component of RHEL 4 AS for SAP", "product_id": "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64" }, "product_reference": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "relates_to_product_reference": "4AS-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64 as a component of RHEL 4 AS for SAP", "product_id": "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64" }, 
"product_reference": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "relates_to_product_reference": "4AS-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64 as a component of RHEL 5 Server for SAP", "product_id": "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" }, "product_reference": "java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "relates_to_product_reference": "5Server-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64 as a component of RHEL 5 Server for SAP", "product_id": "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" }, "product_reference": "java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "relates_to_product_reference": "5Server-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64 as a component of RHEL 5 Server for SAP", "product_id": "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" }, "product_reference": "java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "relates_to_product_reference": "5Server-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64 as a component of RHEL 5 Server for SAP", "product_id": "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" }, "product_reference": "java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "relates_to_product_reference": "5Server-SAP" }, { "category": "default_component_of", "full_product_name": { "name": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64 as a component of RHEL 5 Server for SAP", "product_id": "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" }, "product_reference": "java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", 
"relates_to_product_reference": "5Server-SAP" } ] }, "vulnerabilities": [ { "cve": "CVE-2009-3555", "cwe": { "id": "CWE-300", "name": "Channel Accessible by Non-Endpoint" }, "discovery_date": "2009-10-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "533125" } ], "notes": [ { "category": "description", "text": "The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a \"plaintext injection\" attack, aka the \"Project Mogul\" issue.", "title": "Vulnerability description" }, { "category": "summary", "text": "TLS: MITM attacks via session renegotiation", "title": "Vulnerability summary" }, { "category": "other", "text": "Additional information can be found in the Red Hat Knowledgebase article:\nhttps://access.redhat.com/articles/20490", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", 
"4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-3555" }, { "category": "external", "summary": "RHBZ#533125", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=533125" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-3555", "url": "https://www.cve.org/CVERecord?id=CVE-2009-3555" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3555" } ], "release_date": "2009-11-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2010-05-12T16:21:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2010:0408" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], 
"title": "TLS: MITM attacks via session renegotiation" }, { "cve": "CVE-2009-3867", "cwe": { "id": "CWE-121", "name": "Stack-based Buffer Overflow" }, "discovery_date": "2009-11-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "533214" } ], "notes": [ { "category": "description", "text": "Stack-based buffer overflow in the HsbParser.getSoundBank function in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a long file: URL in an argument, aka Bug Id 6854303.", "title": "Vulnerability description" }, { "category": "summary", "text": "java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-3867" }, { "category": 
"external", "summary": "RHBZ#533214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=533214" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-3867", "url": "https://www.cve.org/CVERecord?id=CVE-2009-3867" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-3867", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3867" } ], "release_date": "2009-11-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2010-05-12T16:21:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2010:0408" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ 
"4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303)" }, { "cve": "CVE-2009-3869", "discovery_date": "2009-10-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "530062" } ], "notes": [ { "category": "description", "text": "Stack-based buffer overflow in the setDiffICM function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via a crafted argument, aka Bug Id 6872357.", "title": "Vulnerability description" }, { "category": "summary", "text": "OpenJDK JRE AWT setDifflCM stack overflow (6872357)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", 
"4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-3869" }, { "category": "external", "summary": "RHBZ#530062", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530062" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-3869", "url": "https://www.cve.org/CVERecord?id=CVE-2009-3869" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-3869", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3869" } ], "release_date": "2009-11-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2010-05-12T16:21:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2010:0408" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] } ], "threats": [ { "category": "impact", "details": 
"Important" } ], "title": "OpenJDK JRE AWT setDifflCM stack overflow (6872357)" }, { "cve": "CVE-2009-3871", "discovery_date": "2009-10-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "530063" } ], "notes": [ { "category": "description", "text": "Heap-based buffer overflow in the setBytePixels function in the Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via crafted arguments, aka Bug Id 6872358.", "title": "Vulnerability description" }, { "category": "summary", "text": "OpenJDK JRE AWT setBytePixels heap overflow (6872358)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-3871" }, { "category": "external", "summary": 
"RHBZ#530063", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530063" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-3871", "url": "https://www.cve.org/CVERecord?id=CVE-2009-3871" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-3871", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3871" } ], "release_date": "2009-11-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2010-05-12T16:21:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2010:0408" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", 
"4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "OpenJDK JRE AWT setBytePixels heap overflow (6872358)" }, { "cve": "CVE-2009-3874", "discovery_date": "2009-10-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "530067" } ], "notes": [ { "category": "description", "text": "Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary code via large subsample dimensions in a JPEG file that triggers a heap-based buffer overflow, aka Bug Id 6874643.", "title": "Vulnerability description" }, { "category": "summary", "text": "OpenJDK ImageI/O JPEG heap overflow (6874643)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", 
"4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-3874" }, { "category": "external", "summary": "RHBZ#530067", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530067" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-3874", "url": "https://www.cve.org/CVERecord?id=CVE-2009-3874" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-3874", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3874" } ], "release_date": "2009-11-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2010-05-12T16:21:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2010:0408" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] } ], "threats": [ { "category": "impact", "details": 
"Important" } ], "title": "OpenJDK ImageI/O JPEG heap overflow (6874643)" }, { "cve": "CVE-2009-3875", "discovery_date": "2009-10-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "530057" } ], "notes": [ { "category": "description", "text": "The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to \"timing attack vulnerabilities,\" aka Bug Id 6863503.", "title": "Vulnerability description" }, { "category": "summary", "text": "OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": 
"https://access.redhat.com/security/cve/CVE-2009-3875" }, { "category": "external", "summary": "RHBZ#530057", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=530057" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-3875", "url": "https://www.cve.org/CVERecord?id=CVE-2009-3875" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-3875", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-3875" } ], "release_date": "2009-11-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2010-05-12T16:21:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2010:0408" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" 
}, "products": [ "4AS-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "4AS-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el4_8.x86_64", "5Server-SAP:java-1.4.2-ibm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-demo-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-devel-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-javacomm-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64", "5Server-SAP:java-1.4.2-ibm-src-0:1.4.2.13.4.sap-1jpp.1.el5.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)" } ] }
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.