Описание
Security update for java-1_7_0-ibm
This update for java-1_7_0-ibm fixes the following issues:
Update to Java 7.0 Service Refresh 10 Fix Pack 50 (bsc#1147021).
Security issues fixed:
- CVE-2019-2762: Fixed issue inside Component Utilities (bsc#1141782).
- CVE-2019-2766: Fixed issue inside Component Networking (bsc#1141789).
- CVE-2019-2769: Fixed issue inside Component Utilities (bsc#1141783).
- CVE-2019-2816: Fixed issue inside Component Networking (bsc#1147021).
- CVE-2019-4473: Fixed insecure RPATH in multiple binaries on AIX (bsc#1147021).
- CVE-2019-7317: Fixed use-after-free in libpng, affecting client-libs/java.awt (bsc#1147021).
- CVE-2019-11771: Fixed insecure RPATH in OpenJ9 on AIX (bsc#1147021).
- CVE-2019-11775: Fixed failure to privatize a value pulled out of the loop by versioning (bsc#1147021).
Список пакетов
SUSE Linux Enterprise Point of Sale 11 SP3
Ссылки
- Link for SUSE-SU-2019:14188-1
- E-Mail link for SUSE-SU-2019:14188-1
- SUSE Security Ratings
- SUSE Bug 1141782
- SUSE Bug 1141783
- SUSE Bug 1141789
- SUSE Bug 1147021
- SUSE CVE CVE-2019-11771 page
- SUSE CVE CVE-2019-11775 page
- SUSE CVE CVE-2019-2762 page
- SUSE CVE CVE-2019-2766 page
- SUSE CVE CVE-2019-2769 page
- SUSE CVE CVE-2019-2816 page
- SUSE CVE CVE-2019-4473 page
- SUSE CVE CVE-2019-7317 page
Описание
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
Затронутые продукты
Ссылки
- CVE-2019-11771
- SUSE Bug 1147021
Описание
All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loop versioner may fail to privatize a value that is pulled out of the loop by versioning - for example if there is a condition that is moved out of the loop that reads a field we may not privatize the value of that field in the modified copy of the loop allowing the test to see one value of the field and subsequently the loop to see a modified field value without retesting the condition moved out of the loop. This can lead to a variety of different issues but read out of array bounds is one major consequence of these problems.
Затронутые продукты
Ссылки
- CVE-2019-11775
- SUSE Bug 1147021
Описание
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Затронутые продукты
Ссылки
- CVE-2019-2762
- SUSE Bug 1141782
- SUSE Bug 1147021
Описание
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
Затронутые продукты
Ссылки
- CVE-2019-2766
- SUSE Bug 1141789
- SUSE Bug 1147021
Описание
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Затронутые продукты
Ссылки
- CVE-2019-2769
- SUSE Bug 1141783
- SUSE Bug 1147021
Описание
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Затронутые продукты
Ссылки
- CVE-2019-2816
- SUSE Bug 1141785
- SUSE Bug 1147021
Описание
Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and 8 on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users. IBM X-Force ID: 163984.
Затронутые продукты
Ссылки
- CVE-2019-4473
- SUSE Bug 1147021
Описание
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Затронутые продукты
Ссылки
- CVE-2019-7317
- SUSE Bug 1124211
- SUSE Bug 1135824
- SUSE Bug 1141780
- SUSE Bug 1147021
- SUSE Bug 1165297