Описание
Security update for java-1_7_0-ibm
This IBM Java 1.7.0 SR9 FP40 release fixes the following issues:
Security issues fixed:
- CVE-2016-0264: buffer overflow vulnerability in the IBM JVM (bsc#977648)
- CVE-2016-0363: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix (bsc#977650)
- CVE-2016-0376: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix (bsc#977646)
- The following CVEs got also fixed during this update. (bsc#979252) CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427, CVE-2016-3449, CVE-2016-3422, CVE-2016-3426
Список пакетов
SUSE Linux Enterprise Server 11 SP2-LTSS
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP3-TERADATA
SUSE Manager 2.1
SUSE Manager Proxy 2.1
SUSE OpenStack Cloud 5
Ссылки
- Link for SUSE-SU-2016:1378-1
- E-Mail link for SUSE-SU-2016:1378-1
- SUSE Security Ratings
- SUSE Bug 977646
- SUSE Bug 977648
- SUSE Bug 977650
- SUSE Bug 979252
- SUSE CVE CVE-2016-0264 page
- SUSE CVE CVE-2016-0363 page
- SUSE CVE CVE-2016-0376 page
- SUSE CVE CVE-2016-0686 page
- SUSE CVE CVE-2016-0687 page
- SUSE CVE CVE-2016-3422 page
- SUSE CVE CVE-2016-3426 page
- SUSE CVE CVE-2016-3427 page
- SUSE CVE CVE-2016-3443 page
- SUSE CVE CVE-2016-3449 page
Описание
Buffer overflow in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) allows remote attackers to execute arbitrary code via unspecified vectors.
Затронутые продукты
Ссылки
- CVE-2016-0264
- SUSE Bug 977648
- SUSE Bug 979252
Описание
The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009.
Затронутые продукты
Ссылки
- CVE-2016-0363
- SUSE Bug 977650
- SUSE Bug 979252
Описание
The com.ibm.rmi.io.SunSerializableFactory class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) does not properly deserialize classes in an AccessController doPrivileged block, which allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code as demonstrated by the readValue method of the com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton class, which implements the javax.rmi.CORBA.ValueHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-5456.
Затронутые продукты
Ссылки
- CVE-2016-0376
- SUSE Bug 977646
- SUSE Bug 977650
- SUSE Bug 979252
- SUSE Bug 981057
- SUSE Bug 981060
- SUSE Bug 981087
Описание
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization.
Затронутые продукты
Ссылки
- CVE-2016-0686
- SUSE Bug 976340
- SUSE Bug 979252
Описание
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component.
Затронутые продукты
Ссылки
- CVE-2016-0687
- SUSE Bug 976340
- SUSE Bug 979252
Описание
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D.
Затронутые продукты
Ссылки
- CVE-2016-3422
- SUSE Bug 976340
- SUSE Bug 979252
Описание
Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE.
Затронутые продукты
Ссылки
- CVE-2016-3426
- SUSE Bug 976340
- SUSE Bug 979252
Описание
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.
Затронутые продукты
Ссылки
- CVE-2016-3427
- SUSE Bug 1011805
- SUSE Bug 976340
- SUSE Bug 979252
Описание
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. NOTE: the previous information is from the April 2016 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information via crafted font data, which triggers an out-of-bounds read.
Затронутые продукты
Ссылки
- CVE-2016-3443
- SUSE Bug 976340
- SUSE Bug 979252
Описание
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment.
Затронутые продукты
Ссылки
- CVE-2016-3449
- SUSE Bug 976340
- SUSE Bug 979252