Issued:
2008-04-28
Updated:
2008-04-28

RHSA-2008:0244 - Security Advisory

Synopsis

Moderate: java-1.5.0-bea security update

Type/Severity

Security Advisory: Moderate

Topic

Updated java-1.5.0-bea packages that correct several security issues are
now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit
Virtual Machine 1.5.0_14, and are certified for the Java 5 Platform,
Standard Edition, v1.5.0.

A flaw was found in the Java XSLT processing classes. An untrusted
application or applet could cause a denial of service, or execute arbitrary
code with the permissions of the user running the JRE. (CVE-2008-1187)

A flaw was found in the JRE image parsing libraries. An untrusted
application or applet could cause a denial of service, or possibly execute
arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1193)

A flaw was found in the JRE color management library. An untrusted
application or applet could trigger a denial of service (JVM crash).
(CVE-2008-1194)

The vulnerabilities concerning applets listed above can only be triggered
in java-1.5.0-bea, by calling the "appletviewer" application.

Users of java-1.5.0-bea are advised to upgrade to these updated packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4ES x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4ES ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4ES i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4AS x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4AS ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4AS i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 436030 - CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation
  • BZ - 436296 - CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194)

CVEs

References

Red Hat Enterprise Linux Server 5

SRPM
x86_64
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: c3dd9daae17b3c32419699fc8918534922f400e500a6e493ee5dc6fefecdf4a0
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: e21e9885f117075b5ea76d5b3ca69c2e57464bf74c34763f9ed939fbb489ef9d
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: bbbd23882e008d395819a92d327a2ab5d87c79c95ee9c72db2a014e831a3f3e6
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: 39e27eb9ddbf3c97ee64ea4dabbde4453ba86b22aacff03fd7d8d9a4a00c7312
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: 27fe9fb5f24cb815a8655ad7654be1460772eec8195bf7f988bb6627156d69a4
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: 86997e16f25a2f0df7fc770a7b77f70f240df499bb89dd63443c1102f9484086
ia64
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.ia64.rpm SHA-256: 913fb9a3bab8b1f13a2b2d4e402468bd589af3270f50a08025baec1e10e08060
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.ia64.rpm SHA-256: a5dc1c8707a79a6a4b98465a6d6ae4d2c2c6ff747637393d03adcc6eadfe4061
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.ia64.rpm SHA-256: a2ad9ab10e152cb1bf7f1786e3a1b2b8823095830a62e913c599351b9e704828
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.ia64.rpm SHA-256: e0aa4f156e436cd4ce7555d7a11f26b85dd3312057b77d99803d53fe381d4c69
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.ia64.rpm SHA-256: 6343789efc5f2e2e9d5753841cced07550bd2eff4c75136a1f079eb61287ad4b
i386
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 977e60098038f7dacb8038d923c4e441d1207c8f361f00dad285a4c83b064ab9
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 5f2b0b000c7aa178894852583ce9e68c2b85889fb6c9b77f3c8992a85b7aaa50
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 74375cae2351b378a0627e0397854b854a0ab5673284cb4e74847229091ec160
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 7167b41c706e091a4bcafe3a094e370bb532f190b2365bc4634606b9752683a1
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 04ffc6fd375ed305dab9a6fe81ef351065fec581ae04747fdc4e2c44e6215106
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: ebeb4f205721e387bf564f750a791def2cce033615cf575e6b00c784b0fb36a8

Red Hat Enterprise Linux Server 4

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4ES

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4AS

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 4

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Desktop 4

SRPM
x86_64
i386

Red Hat Enterprise Linux Server from RHUI 5

SRPM
x86_64
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: c3dd9daae17b3c32419699fc8918534922f400e500a6e493ee5dc6fefecdf4a0
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: e21e9885f117075b5ea76d5b3ca69c2e57464bf74c34763f9ed939fbb489ef9d
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: bbbd23882e008d395819a92d327a2ab5d87c79c95ee9c72db2a014e831a3f3e6
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: 39e27eb9ddbf3c97ee64ea4dabbde4453ba86b22aacff03fd7d8d9a4a00c7312
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: 27fe9fb5f24cb815a8655ad7654be1460772eec8195bf7f988bb6627156d69a4
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.x86_64.rpm SHA-256: 86997e16f25a2f0df7fc770a7b77f70f240df499bb89dd63443c1102f9484086
i386
java-1.5.0-bea-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 977e60098038f7dacb8038d923c4e441d1207c8f361f00dad285a4c83b064ab9
java-1.5.0-bea-demo-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 5f2b0b000c7aa178894852583ce9e68c2b85889fb6c9b77f3c8992a85b7aaa50
java-1.5.0-bea-devel-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 74375cae2351b378a0627e0397854b854a0ab5673284cb4e74847229091ec160
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 7167b41c706e091a4bcafe3a094e370bb532f190b2365bc4634606b9752683a1
java-1.5.0-bea-missioncontrol-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: 04ffc6fd375ed305dab9a6fe81ef351065fec581ae04747fdc4e2c44e6215106
java-1.5.0-bea-src-1.5.0.14-1jpp.2.el5.i686.rpm SHA-256: ebeb4f205721e387bf564f750a791def2cce033615cf575e6b00c784b0fb36a8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.