Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] SUSE-SU-2015:0392-1: important: Security update for java-1_6_0-ibm

Recommended Posts

SUSE Security Update: Security update for java-1_6_0-ibm

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2015:0392-1

Rating: important

References: #592934 #891700 #901223 #904889 #916265 #916266

 

Cross-References: CVE-2014-8891 CVE-2014-8892

Affected Products:

SUSE Linux Enterprise Server 11 SP2 LTSS

SUSE Linux Enterprise Server 11 SP1 LTSS

______________________________________________________________________________

 

An update that solves two vulnerabilities and has four

fixes is now available.

 

Description:

 

 

java-1_6_0-ibm has been updated to version 1.6.0_sr16.3 to fix 30 security

issues:

 

* CVE-2014-8891: Unspecified vulnerability (bnc#916266)

* CVE-2014-8892: Unspecified vulnerability (bnc#916265)

* CVE-2014-3065: Unspecified vulnerability in IBM Java Runtime

Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0),

6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and

before SR16 FP8 (5.0.16.8) allowed local users to execute arbitrary

code via vectors related to the shared classes cache (bnc#904889).

* CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through

1.0.1i and other products, used nondeterministic CBC padding, which

made it easier for man-in-the-middle attackers to obtain cleartext

data via a padding-oracle attack, aka the "POODLE" issue

(bnc#901223).

* CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20, and Java SE Embedded 7u60, allowed remote attackers

to affect confidentiality, integrity, and availability via vectors

related to AWT (bnc#904889).

* CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20 allowed remote attackers to affect confidentiality,

integrity, and availability via unknown vectors related to

Deployment, a different vulnerability than CVE-2014-4288,

CVE-2014-6493, and CVE-2014-6532 (bnc#904889).

* CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20 allowed remote attackers to affect confidentiality,

integrity, and availability via unknown vectors related to

Deployment, a different vulnerability than CVE-2014-4288,

CVE-2014-6493, and CVE-2014-6503 (bnc#904889).

* CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20 allowed remote attackers to affect confidentiality,

integrity, and availability via unknown vectors related to

Deployment, a different vulnerability than CVE-2014-6493,

CVE-2014-6503, and CVE-2014-6532 (bnc#904889).

* CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20 allowed remote attackers to affect confidentiality,

integrity, and availability via unknown vectors related to

Deployment, a different vulnerability than CVE-2014-4288,

CVE-2014-6503, and CVE-2014-6532 (bnc#904889).

* CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20, when running on Firefox, allowed remote attackers to

affect confidentiality, integrity, and availability via unknown

vectors related to Deployment (bnc#904889).

* CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20 allowed local users to affect confidentiality,

integrity, and availability via unknown vectors related to

Deployment (bnc#904889).

* CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20, when running on Internet Explorer, allowed local

users to affect confidentiality, integrity, and availability via

unknown vectors related to Deployment (bnc#904889).

* CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71,

6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allowed remote

attackers to affect confidentiality, integrity, and availability via

unknown vectors related to Libraries (bnc#904889).

* CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81,

7u67, and 8u20 allowed remote attackers to affect integrity via

unknown vectors related to Deployment (bnc#904889).

* CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71,

6u81, 7u67, and 8u20 allowed remote attackers to affect

confidentiality via unknown vectors related to 2D (bnc#904889).

* CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71,

6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allowed remote

attackers to affect confidentiality via unknown vectors related to

Libraries (bnc#904889).

* CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71,

6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and

R28.3.3 allowed remote attackers to affect integrity via unknown

vectors related to Libraries (bnc#904889).

* CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71,

6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3,

and R28.3.3 allowed remote attackers to affect confidentiality and

integrity via vectors related to JSSE (bnc#904889).

* CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71,

6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allowed remote

attackers to affect integrity via unknown vectors related to

Libraries (bnc#904889).

* CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71,

6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and

JRockit R28.3.3 allowed remote attackers to affect integrity via

unknown vectors related to Security (bnc#904889).

* CVE-2014-4227: Unspecified vulnerability in Oracle Java SE 6u75,

7u60, and 8u5 allowed remote attackers to affect confidentiality,

integrity, and availability via unknown vectors related to

Deployment (bnc#891700).

* CVE-2014-4262: Unspecified vulnerability in Oracle Java SE 5.0u65,

6u75, 7u60, and 8u5 allowed remote attackers to affect

confidentiality, integrity, and availability via unknown vectors

related to Libraries (bnc#891700).

* CVE-2014-4219: Unspecified vulnerability in Oracle Java SE 6u75,

7u60, and 8u5 allowed remote attackers to affect confidentiality,

integrity, and availability via unknown vectors related to Hotspot

(bnc#891700).

* CVE-2014-4209: Unspecified vulnerability in Oracle Java SE 5.0u65,

6u75, 7u60, and 8u5 allowed remote attackers to affect

confidentiality and integrity via vectors related to JMX

(bnc#891700).

* CVE-2014-4268: Unspecified vulnerability in Oracle Java SE 5.0u65,

6u75, 7u60, and 8u5 allowed remote attackers to affect

confidentiality via unknown vectors related to Swing (bnc#891700).

* CVE-2014-4218: Unspecified vulnerability in Oracle Java SE 5.0u65,

6u75, 7u60, and 8u5 allowed remote attackers to affect integrity via

unknown vectors related to Libraries (bnc#891700).

* CVE-2014-4252: Unspecified vulnerability in Oracle Java SE 5.0u65,

6u75, 7u60, and 8u5 allowed remote attackers to affect

confidentiality via unknown vectors related to Security (bnc#891700).

* CVE-2014-4265: Unspecified vulnerability in Oracle Java SE 6u75,

7u60, and 8u5 allowed remote attackers to affect integrity via

unknown vectors related to Deployment (bnc#891700).

* CVE-2014-4263: Unspecified vulnerability in Oracle Java SE 5.0u65,

6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allowed remote

attackers to affect confidentiality and integrity via unknown

vectors related to "Diffie-Hellman key agreement (bnc#891700).

* CVE-2014-4244: Unspecified vulnerability in Oracle Java SE 5.0u65,

6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2,

allowed remote attackers to affect confidentiality and integrity via

unknown vectors related to Security (bnc#891700).

 

This non-security bug has also been fixed:

 

* Fix update-alternatives list (bnc#592934)

 

Security Issues:

 

* CVE-2014-8892

 

* CVE-2014-8891

 

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Server 11 SP2 LTSS:

 

zypper in -t patch slessp2-java-1_6_0-ibm=10353

 

- SUSE Linux Enterprise Server 11 SP1 LTSS:

 

zypper in -t patch slessp1-java-1_6_0-ibm=10354

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64):

 

java-1_6_0-ibm-1.6.0_sr16.3-0.4.5

java-1_6_0-ibm-devel-1.6.0_sr16.3-0.4.5

java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.5

java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.5

 

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64):

 

java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.5

 

- SUSE Linux Enterprise Server 11 SP2 LTSS (i586):

 

java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.5

 

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 s390x x86_64):

 

java-1_6_0-ibm-1.6.0_sr16.3-0.4.5

java-1_6_0-ibm-fonts-1.6.0_sr16.3-0.4.5

java-1_6_0-ibm-jdbc-1.6.0_sr16.3-0.4.5

 

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586 x86_64):

 

java-1_6_0-ibm-plugin-1.6.0_sr16.3-0.4.5

 

- SUSE Linux Enterprise Server 11 SP1 LTSS (i586):

 

java-1_6_0-ibm-alsa-1.6.0_sr16.3-0.4.5

 

 

References:

 

http://support.novell.com/security/cve/CVE-2014-8891.html

http://support.novell.com/security/cve/CVE-2014-8892.html

https://bugzilla.suse.com/592934

https://bugzilla.suse.com/891700

https://bugzilla.suse.com/901223

https://bugzilla.suse.com/904889

https://bugzilla.suse.com/916265

https://bugzilla.suse.com/916266

http://download.suse.com/patch/finder/?keywords=96da2c614827c23087d5b86b253f5d98

http://download.suse.com/patch/finder/?keywords=cfef74a50dd3fd4a378c3d05db361851

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×