Synopsis

Moderate: java-1.6.0-openjdk security update

Type/Severity

Security Advisory: Moderate

Topic

Updated java-1.6.0-openjdk packages that fix two security issues are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit. The javaws command can be used to
launch Java Web Start applications.

A public static field declaration allowed untrusted JNLP (Java Network
Launching Protocol) applications to read privileged data. A remote attacker
could directly or indirectly read the values of restricted system
properties, such as "user.name", "user.home", and "java.home", which
untrusted applications should not be allowed to read. (CVE-2010-3860)

It was found that JNLPSecurityManager could silently return without
throwing an exception when permission was denied. If the javaws command was
used to launch a Java Web Start application that relies on this exception
being thrown, it could result in that application being run with elevated
privileges, allowing it to bypass security manager restrictions and gain
access to privileged functionality. (CVE-2010-4351)

Note: The RHSA-2010:0339 java-1.6.0-openjdk update installed javaws by
mistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351, this
update removes javaws.

Red Hat would like to thank the TippingPoint Zero Day Initiative project
for reporting CVE-2010-4351. The original issue reporter wishes to stay
anonymous.

This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Server - Extended Update Support 5.6 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 5.6 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386
• Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.6 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.6 i386
• Red Hat Enterprise Linux Server - AUS 5.6 x86_64
• Red Hat Enterprise Linux Server - AUS 5.6 i386

Fixes

• BZ - 645843 - CVE-2010-3860 IcedTea System property information leak via public static
• BZ - 663680 - CVE-2010-4351 IcedTea jnlp security manager bypass

CVEs

• CVE-2010-4351
• CVE-2010-3860

References

• https://access.redhat.com/security/updates/classification/#moderate
• http://icedtea.classpath.org/hg/release/icedtea6-1.7/file/af20d64bc8b9/NEWS

Red Hat Enterprise Linux Server 5

SRPM
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm	SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
x86_64
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
i386
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a

Red Hat Enterprise Linux Server - Extended Update Support 5.6

SRPM
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm	SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
x86_64
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
i386
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a

Red Hat Enterprise Linux Workstation 5

SRPM
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm	SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
x86_64
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
i386
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a

Red Hat Enterprise Linux Desktop 5

SRPM
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm	SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
x86_64
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
i386
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a

Red Hat Enterprise Linux Server from RHUI 5

SRPM
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm	SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
x86_64
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
i386
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a

Red Hat Enterprise Linux Server - Extended Update Support from RHUI 5.6

SRPM
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm	SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
x86_64
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
i386
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a

Red Hat Enterprise Linux Server - AUS 5.6

SRPM
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.src.rpm	SHA-256: 12fd1486ccd878f95225a0e9404460f9656a900a73d251cce98df8ba47f49238
x86_64
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 4a5e702e3e39aa1e0cf7454213aab7c1f2ca2ab37790883a36900137bd065c94
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 709a4efdc0e262dfe6d8a8089111563edac2668d605185cc4f5dad4fe3eb956f
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 5d8a24464cf5b604cfa27539a02df9e52a4c3f7c10e7fde9b31f5a2c9de2e3fc
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0c4c1831ae51921d5948e085f8a959deb653e2c7dfb0249b6f7dadcd63b21ff2
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.x86_64.rpm	SHA-256: 0231d7543e12044ac69dfa868ce1824f2bed5b8f4c93b6d364f0ff63a2d125cb
i386
java-1.6.0-openjdk-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: e7dfba6287727e0371fbed8e091f924d6fb801b190ec9e470fade46a1a0927fc
java-1.6.0-openjdk-demo-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 39ed6f527491e3d5c6a3b17775f7b5d80f1df30227397fec4c1e87ae29e423ed
java-1.6.0-openjdk-devel-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 24aefed0ea8ccfe28b91e3c5baefd40a7d168a9fadbb03a7af88fb588dd46ef8
java-1.6.0-openjdk-javadoc-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 2a4663ed91f38fd58b3ceee1d3ff62a8a948c89c7b92da7c825da13fda97fda9
java-1.6.0-openjdk-src-1.6.0.0-1.17.b17.el5.i386.rpm	SHA-256: 19aea4d02dacf433dd4e4934db55bd4ef55475a085106cb49b6c7f0da5a6752a