Red Hat Product Errata RHSA-2008:0245 - Security Advisory
Issued:
2008-04-28
Updated:
2008-04-28

RHSA-2008:0245 - Security Advisory

Synopsis

Moderate: java-1.6.0-bea security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated java-1.6.0-bea packages that correct several security issues are
now available for Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

The BEA WebLogic JRockit 1.6.0_03 JRE and SDK contain BEA WebLogic JRockit
Virtual Machine 1.6.0_03, and are certified for the Java 6 Platform,
Standard Edition, v1.6.0.

The Java XML parsing code processed external entity references even when
the "external general entities" property was set to "FALSE". This allowed
remote attackers to conduct XML External Entity (XXE) attacks, possibly
causing a denial of service, or gaining access to restricted resources.
(CVE-2008-0628)

A flaw was found in the Java XSLT processing classes. An untrusted
application or applet could cause a denial of service, or execute arbitrary
code with the permissions of the user running the JRE. (CVE-2008-1187)

A flaw was found in the JRE image parsing libraries. An untrusted
application or applet could cause a denial of service, or possible execute
arbitrary code with the permissions of the user running the JRE.
(CVE-2008-1193)

A flaw was found in the JRE color management library. An untrusted
application or applet could trigger a denial of service (JVM crash).
(CVE-2008-1194)

The vulnerabilities concerning applets listed above can only be triggered
in java-1.6.0-bea, by calling the "appletviewer" application.

Users of java-1.6.0-bea are advised to upgrade to these updated packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 431416 - CVE-2008-0628 java-1.6.0 default external entity processing
  • BZ - 436030 - CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation
  • BZ - 436296 - CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194)

Red Hat Enterprise Linux Server 5

SRPM
x86_64
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 1aa575d273f41faf350d71a20036c7a0dc420541e2104ddf73dc3a733628d8fb
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 41bad7e221415669e3a3f95639a18fb925933b3fbc9470712fdb2770e4030d41
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: cb5235b9477a63774ac5263a9d5784c09feca4e87a7ff69dfb55466dc31e879c
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 9735505546ce5dc203708cc8a50691aae294a4ead95457779453aae08b3fd829
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: befcdf74e46cf85c8bc313b2075e439465a3863ca253dc2e4cc5c7b09b84a183
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: b97ac414fd199aef5fd5a0fb08dd0827f9f0a099b75a4d90e1d7d839ff951cae
i386
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: d0ccadf8f50a5d84ed6f651b9eb838480ebbecf97894c99dd3a4191eba8c3e20
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 5b0fbe52b4e47f2359cc71b4991754a3139143dcf12ebd0190011ba2fa791ef8
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 454693cf54631804cf40009016ac4d47d74106073d7545f1af71a99ccc03de09
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: c4c8f21b2967f7480c01031e0723f3460c07641f202b63ce721c4d980117feb6
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 51a2461436accbc6dddda26ea1ac9a1cc3f8a920b6b4f3c5710c9f2c7e883bab
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 35dd3b08cb2b593bf6bcd67d3ca4b128663ea4f8358562e07bca9ced646c53cd

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.1

SRPM
x86_64
i386

Red Hat Enterprise Linux Workstation 5

SRPM
x86_64
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 1aa575d273f41faf350d71a20036c7a0dc420541e2104ddf73dc3a733628d8fb
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 41bad7e221415669e3a3f95639a18fb925933b3fbc9470712fdb2770e4030d41
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: cb5235b9477a63774ac5263a9d5784c09feca4e87a7ff69dfb55466dc31e879c
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 9735505546ce5dc203708cc8a50691aae294a4ead95457779453aae08b3fd829
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: befcdf74e46cf85c8bc313b2075e439465a3863ca253dc2e4cc5c7b09b84a183
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: b97ac414fd199aef5fd5a0fb08dd0827f9f0a099b75a4d90e1d7d839ff951cae
i386
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: d0ccadf8f50a5d84ed6f651b9eb838480ebbecf97894c99dd3a4191eba8c3e20
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 5b0fbe52b4e47f2359cc71b4991754a3139143dcf12ebd0190011ba2fa791ef8
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 454693cf54631804cf40009016ac4d47d74106073d7545f1af71a99ccc03de09
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: c4c8f21b2967f7480c01031e0723f3460c07641f202b63ce721c4d980117feb6
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 51a2461436accbc6dddda26ea1ac9a1cc3f8a920b6b4f3c5710c9f2c7e883bab
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 35dd3b08cb2b593bf6bcd67d3ca4b128663ea4f8358562e07bca9ced646c53cd

Red Hat Enterprise Linux Desktop 5

SRPM
x86_64
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 1aa575d273f41faf350d71a20036c7a0dc420541e2104ddf73dc3a733628d8fb
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 41bad7e221415669e3a3f95639a18fb925933b3fbc9470712fdb2770e4030d41
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: cb5235b9477a63774ac5263a9d5784c09feca4e87a7ff69dfb55466dc31e879c
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 9735505546ce5dc203708cc8a50691aae294a4ead95457779453aae08b3fd829
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: befcdf74e46cf85c8bc313b2075e439465a3863ca253dc2e4cc5c7b09b84a183
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: b97ac414fd199aef5fd5a0fb08dd0827f9f0a099b75a4d90e1d7d839ff951cae
i386
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: d0ccadf8f50a5d84ed6f651b9eb838480ebbecf97894c99dd3a4191eba8c3e20
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 5b0fbe52b4e47f2359cc71b4991754a3139143dcf12ebd0190011ba2fa791ef8
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 454693cf54631804cf40009016ac4d47d74106073d7545f1af71a99ccc03de09
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: c4c8f21b2967f7480c01031e0723f3460c07641f202b63ce721c4d980117feb6
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 51a2461436accbc6dddda26ea1ac9a1cc3f8a920b6b4f3c5710c9f2c7e883bab
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 35dd3b08cb2b593bf6bcd67d3ca4b128663ea4f8358562e07bca9ced646c53cd

Red Hat Enterprise Linux Server from RHUI 5

SRPM
x86_64
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 1aa575d273f41faf350d71a20036c7a0dc420541e2104ddf73dc3a733628d8fb
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 41bad7e221415669e3a3f95639a18fb925933b3fbc9470712fdb2770e4030d41
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: cb5235b9477a63774ac5263a9d5784c09feca4e87a7ff69dfb55466dc31e879c
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: 9735505546ce5dc203708cc8a50691aae294a4ead95457779453aae08b3fd829
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: befcdf74e46cf85c8bc313b2075e439465a3863ca253dc2e4cc5c7b09b84a183
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.x86_64.rpm SHA-256: b97ac414fd199aef5fd5a0fb08dd0827f9f0a099b75a4d90e1d7d839ff951cae
i386
java-1.6.0-bea-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: d0ccadf8f50a5d84ed6f651b9eb838480ebbecf97894c99dd3a4191eba8c3e20
java-1.6.0-bea-demo-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 5b0fbe52b4e47f2359cc71b4991754a3139143dcf12ebd0190011ba2fa791ef8
java-1.6.0-bea-devel-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 454693cf54631804cf40009016ac4d47d74106073d7545f1af71a99ccc03de09
java-1.6.0-bea-jdbc-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: c4c8f21b2967f7480c01031e0723f3460c07641f202b63ce721c4d980117feb6
java-1.6.0-bea-missioncontrol-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 51a2461436accbc6dddda26ea1ac9a1cc3f8a920b6b4f3c5710c9f2c7e883bab
java-1.6.0-bea-src-1.6.0.03-1jpp.2.el5.i686.rpm SHA-256: 35dd3b08cb2b593bf6bcd67d3ca4b128663ea4f8358562e07bca9ced646c53cd

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.