Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

oracle-oval логотип

ELSA-2013-0165

Опубликовано: 16 янв. 2013
Источник: oracle-oval
Платформа: Oracle Linux 5
Платформа: Oracle Linux 6

Описание

ELSA-2013-0165: java-1.7.0-openjdk security update (IMPORTANT)

[1.7.0.9-2.3.4.1.0.1.el6_3]

  • Update DISTRO_NAME in specfile

[1.7.0.9-2.3.4.1.el6]

  • Rewerted to IcedTea 2.3.4
    • rewerted patch105: java-1.7.0-openjdk-disable-system-lcms.patch
    • removed jxmd and idlj to alternatives
    • make NOT executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true
    • re-applied patch302 and restored systemtap.patch
    • buildver set to 9
    • icedtea_version set to 2.3.4
    • unapplied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch
    • restored tmp-patches source tarball
    • removed /lib/security/US_export_policy.jar and lib/security/local_policy.jar
    • java-1.7.0-openjdk-java-access-bridge-security.patch's path moved from java.security-linux back to java.security
  • Resolves: rhbz#895033

[1.7.0.11-2.4.0.1.el6]

  • Rewritten patch105: java-1.7.0-openjdk-disable-system-lcms.patch
  • Added jxmd and idlj to alternatives
  • make executed with DISABLE_INTREE_EC=true and UNLIMITED_CRYPTO=true
  • Unapplied patch302 and deleted systemtap.patch
  • buildver increased to 11
  • icedtea_version set to 2.4.0
  • Added and applied patch112 java-1.7.openjdk-doNotUseDisabledEcc.patch
  • removed tmp-patches source tarball
  • Added /lib/security/US_export_policy.jar and lib/security/local_policy.jar
  • Resolves: rhbz#895033

Обновленные пакеты

Oracle Linux 5

Oracle Linux x86_64

java-1.7.0-openjdk

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-demo

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-devel

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-javadoc

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-src

1.7.0.9-2.3.4.0.1.el5_9.1

Oracle Linux i386

java-1.7.0-openjdk

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-demo

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-devel

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-javadoc

1.7.0.9-2.3.4.0.1.el5_9.1

java-1.7.0-openjdk-src

1.7.0.9-2.3.4.0.1.el5_9.1

Oracle Linux 6

Oracle Linux x86_64

java-1.7.0-openjdk

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-demo

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-devel

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-javadoc

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-src

1.7.0.9-2.3.4.1.0.1.el6_3

Oracle Linux i686

java-1.7.0-openjdk

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-demo

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-devel

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-javadoc

1.7.0.9-2.3.4.1.0.1.el6_3

java-1.7.0-openjdk-src

1.7.0.9-2.3.4.1.0.1.el6_3

Связанные CVE

CVE-2013-0422
CVE-2012-3174

Ссылки на источники

Связанные уязвимости

ubuntu логотип

CVE-2012-3174

ubuntu
больше 12 лет назад

Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.

redhat логотип

CVE-2012-3174

redhat
больше 12 лет назад

Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.

nvd логотип

CVE-2012-3174

nvd
больше 12 лет назад

Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.

debian логотип

CVE-2012-3174

debian
больше 12 лет назад

Unspecified vulnerability in Oracle Java 7 before Update 11 allows rem ...

ubuntu логотип

CVE-2013-0422

CVSS3: 9.8
ubuntu
больше 12 лет назад

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection ...