Red Hat Security Advisory: java-1.7.0-openjdk security update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2013:0165 Final 1 1 2013-01-16T17:53:00Z Current version 2013-01-16T17:53:00Z 2013-01-16T17:53:00Z Red Hat rhsa-to-cvrf 1.0.1484 2013-01-16T18:28:02Z Updated java-1.7.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422) This erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2013 Red Hat, Inc. All rights reserved. Important https://rhn.redhat.com/errata/RHSA-2013-0165.html https://rhn.redhat.com/errata/RHSA-2013-0165.html https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/security/updates/classification/#important http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.4/NEWS http://icedtea.classpath.org/hg/release/icedtea7-2.3/file/icedtea-2.3.4/NEWS Red Hat Enterprise Linux HPC Node Optional (v. 6) Red Hat Enterprise Linux Server (v. 6) Red Hat Enterprise Linux Workstation (v. 6) Red Hat Enterprise Linux Desktop Optional (v. 6) Red Hat Enterprise Linux Desktop (v. 5 client) Red Hat Enterprise Linux Workstation Optional (v. 6) Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux HPC Node (v. 6) Red Hat Enterprise Linux Desktop (v. 6) Red Hat Enterprise Linux Server Optional (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3.src.rpm java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1.src.rpm java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux Server (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux Workstation (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1 as a component of Red Hat Enterprise Linux Desktop (v. 5 client) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1 as a component of Red Hat Enterprise Linux (v. 5 server) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux HPC Node (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux Desktop (v. 6) java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 as a component of Red Hat Enterprise Linux Server Optional (v. 6) Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 2013-01-13T00:00:00Z 2013-01-13T00:00:00Z CVE-2012-3174 5Client-5.9.Z:java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1 5Server-5.9.Z:java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1 6Client-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Client-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6ComputeNode-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6ComputeNode-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Server-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Server-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Workstation-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Workstation-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0165.html https://www.redhat.com/security/data/cve/CVE-2012-3174.html CVE-2012-3174 https://bugzilla.redhat.com/show_bug.cgi?id=894934 bz#894934: CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933) Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. 2013-01-10T00:00:00Z 2013-01-10T00:00:00Z CVE-2013-0422 5Client-5.9.Z:java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1 5Server-5.9.Z:java-1.7.0-openjdk-1.7.0.9-2.3.4.el5_9.1 6Client-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Client-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6ComputeNode-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6ComputeNode-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Server-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Server-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Workstation-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 6Workstation-optional-6.3.z:java-1.7.0-openjdk-1.7.0.9-2.3.4.1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2013-0165.html https://www.redhat.com/security/data/cve/CVE-2013-0422.html CVE-2013-0422 https://bugzilla.redhat.com/show_bug.cgi?id=894172 bz#894172: CVE-2013-0422 OpenJDK: MethodHandles.Lookup incorrect permission checks, Java 7 0day (Libraries, 8006017)