Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.

A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601)

Multiple improper permission check issues were discovered in the JAX-WS and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408)

A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395)

A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410)

A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566)

Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.

It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593)

An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407)

A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587)

Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)

Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)

The CVE-2015-0383 issue was discovered by Red Hat.

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
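The note above says this update disables SSL 3.0 by default through the jdk.tls.disabledAlgorithms security property, and that an administrator can edit that property to re-enable it. The following POSIX shell script is an added example, not part of the advisory or of OpenJDK: it audits every java.security file under a JVM root (assumed to be /usr/lib/jvm) and flags any file whose jdk.tls.disabledAlgorithms value no longer lists SSLv3, so a deliberate or accidental re-enablement of SSL 3.0 shows up in a routine check. The property parser handles comment lines, backslash continuation lines and duplicate keys the way java.util.Properties does. The fixtures in the demo are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the advisory or of OpenJDK: audit java.security
# files to confirm that SSLv3 is still listed in jdk.tls.disabledAlgorithms,
# i.e. that nobody has re-enabled SSL 3.0 after this update disabled it.

# Print the value of property $2 from the java.util.Properties-style file $1.
# Comment lines (# or !) are skipped, backslash continuation lines are joined
# with their leading whitespace dropped, and the last definition wins, which
# is how java.util.Properties resolves duplicate keys. Only "=" is accepted
# as the separator, which is what java.security uses.
read_property() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            if (cont) { sub(/^[ \t]+/, "", line); cur = cur line } else { cur = line }
            if (cur ~ /\\$/) { cont = 1; sub(/\\$/, "", cur); next }
            cont = 0
            eq = index(cur, "=")
            if (eq == 0) next
            k = substr(cur, 1, eq - 1)
            gsub(/[ \t]/, "", k)
            if (k == key) { val = substr(cur, eq + 1); found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# Return 0 if SSLv3 appears as one comma-separated entry of
# jdk.tls.disabledAlgorithms in java.security file $1, 1 otherwise
# (a missing or empty property also means SSL 3.0 is not disabled).
sslv3_disabled_in() {
    read_property "$1" jdk.tls.disabledAlgorithms \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF SSLv3
}

# Audit every java.security below a JVM root (default /usr/lib/jvm; paths
# are assumed to contain no whitespace). Prints one line per file and
# returns 1 if any file leaves SSLv3 enabled.
audit_jvms() {
    root=${1:-/usr/lib/jvm}
    rc=0
    for f in $(find "$root" -name java.security 2>/dev/null); do
        if sslv3_disabled_in "$f"; then
            echo "OK       SSLv3 disabled  $f"
        else
            echo "WARNING  SSLv3 enabled   $f"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh audit_sslv3.sh [/path/to/jvm/root]
# Without an argument, runs on two constructed fixtures instead of a real host.
if [ $# -ge 1 ]; then
    audit_jvms "$1"
else
    demo=$(mktemp -d)
    mkdir -p "$demo/patched/lib/security" "$demo/reenabled/lib/security"
    # constructed excerpt: the post-update default, with a continuation line
    printf '%s\n' '# constructed java.security excerpt' \
        'jdk.tls.disabledAlgorithms=SSLv3, \' \
        '    RC4' > "$demo/patched/lib/security/java.security"
    # constructed excerpt: an admin re-enabled SSL 3.0 by dropping SSLv3
    printf '%s\n' 'jdk.tls.disabledAlgorithms=RC4' \
        > "$demo/reenabled/lib/security/java.security"
    audit_jvms "$demo" || echo "at least one JVM still accepts SSL 3.0"
    rm -rf "$demo"
fi
```

Run it with the JVM root as the first argument to audit a real host; the exit status is non-zero when any installation needs attention, so it can be dropped into a configuration-compliance job as-is.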
Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.src.rpm
    MD5: 2db94908c389f8099044c6c44c378e7e
    SHA-256: 764b2f9e57da0b4e5ce66a660effe597e09f58637a0a86903a066ca1e73ee57f

IA-32:
java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: 26c937c03c166db17dc07efcf36c08f4
    SHA-256: 53780301c3acdbe6413dc75e6671b35a23bc235047fc091493b3676b2c542620
java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: 506bda5b9d53c6754a801e816dd2f610
    SHA-256: 8faf10e635ada50c4b89ac4a2f151d382da6df15a55d8f6074e6e94e3fa04c10
java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: df1be79b373a3dbcf1c90414fb3104e2
    SHA-256: 569fc9068f848d761c563445c501115b3586cee9215a0b9f929d0d40347c9588
java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: ffc319d24a7a85b935d51c59f28f1584
    SHA-256: bc44f2e058a807f140f2b495276aa4466ace807caa2aa6d2bec981a77f5ff877
java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: 6bb07ebb583f28f517b33c5fe5889ee4
    SHA-256: 9de8fbb57e84f12bf28e9fa7b5d34a2f4525195a4a4a95064b25923c263bc5f5
java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: eee418a7d2186db8dca9b939e4eb30f2
    SHA-256: 1076b8fcc1d73754034f2bee35f265fe343dce7488a31406e9caf401ab1f18b1

x86_64:
java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: f37f7733da1f474c48e5bdcc26cc0546
    SHA-256: 321cf097669456ee6efd181b8179915773cad4c926429379d3928e36e4808af9
java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 696b5b604b2b1aec3a3abeb98698a78f
    SHA-256: 2f9159d2bed4cceb3dbec41d9139aae6fcd9e6da1e09094711b1421462445185
java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 2e4e40e4e46b9c562163b962470a5cdf
    SHA-256: 11bb7c107aad870007460273c0e36cc93d1504fe2bc3e15d197d1a1dddde8b8b
java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: d64f28de44a84c394133aff0c52a3405
    SHA-256: 15e5ebcdc716f5276f6ff70fd57fbec4a6600a54cbe9da49056aa9d46bd33fd5
java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 5d033d28c1aba221a050d8fa3733b14a
    SHA-256: 406bd56bc0012f2902b20de4148bf3041a52df9bcd5f761ab30aed4ccd1f6607
java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 2b0f6dbe0dbeeff9b2f9bf06ecee9329
    SHA-256: 4d24638a037082c9ad5b01d005b408dd4940f5141ff47067aa926233ba72b34c
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.src.rpm
    MD5: 2db94908c389f8099044c6c44c378e7e
    SHA-256: 764b2f9e57da0b4e5ce66a660effe597e09f58637a0a86903a066ca1e73ee57f

IA-32:
java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: 26c937c03c166db17dc07efcf36c08f4
    SHA-256: 53780301c3acdbe6413dc75e6671b35a23bc235047fc091493b3676b2c542620
java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: 506bda5b9d53c6754a801e816dd2f610
    SHA-256: 8faf10e635ada50c4b89ac4a2f151d382da6df15a55d8f6074e6e94e3fa04c10
java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: df1be79b373a3dbcf1c90414fb3104e2
    SHA-256: 569fc9068f848d761c563445c501115b3586cee9215a0b9f929d0d40347c9588
java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: ffc319d24a7a85b935d51c59f28f1584
    SHA-256: bc44f2e058a807f140f2b495276aa4466ace807caa2aa6d2bec981a77f5ff877
java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: 6bb07ebb583f28f517b33c5fe5889ee4
    SHA-256: 9de8fbb57e84f12bf28e9fa7b5d34a2f4525195a4a4a95064b25923c263bc5f5
java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el5_11.i386.rpm
    MD5: eee418a7d2186db8dca9b939e4eb30f2
    SHA-256: 1076b8fcc1d73754034f2bee35f265fe343dce7488a31406e9caf401ab1f18b1

x86_64:
java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: f37f7733da1f474c48e5bdcc26cc0546
    SHA-256: 321cf097669456ee6efd181b8179915773cad4c926429379d3928e36e4808af9
java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 696b5b604b2b1aec3a3abeb98698a78f
    SHA-256: 2f9159d2bed4cceb3dbec41d9139aae6fcd9e6da1e09094711b1421462445185
java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 2e4e40e4e46b9c562163b962470a5cdf
    SHA-256: 11bb7c107aad870007460273c0e36cc93d1504fe2bc3e15d197d1a1dddde8b8b
java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: d64f28de44a84c394133aff0c52a3405
    SHA-256: 15e5ebcdc716f5276f6ff70fd57fbec4a6600a54cbe9da49056aa9d46bd33fd5
java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 5d033d28c1aba221a050d8fa3733b14a
    SHA-256: 406bd56bc0012f2902b20de4148bf3041a52df9bcd5f761ab30aed4ccd1f6607
java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm
    MD5: 2b0f6dbe0dbeeff9b2f9bf06ecee9329
    SHA-256: 4d24638a037082c9ad5b01d005b408dd4940f5141ff47067aa926233ba72b34c
 
(The unlinked packages above are only available from the Red Hat Network)
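As an added example (not Red Hat tooling), the following POSIX shell script checks downloaded RPMs against the SHA-256 digests in the package list above before they are installed. It parses a manifest in the advisory's layout (a package file name, then its MD5 and SHA-256 lines, whether on separate lines or run together on one line), deliberately ignores the MD5 values, and reports OK, MISMATCH or MISSING per package. The manifest file name, the download directory and the digests in the usage comment are assumptions; the script complements the GPG signature verification the advisory refers to (rpm -K, for instance) and does not replace it.

```shell
#!/bin/sh
# Added example, not Red Hat tooling: verify downloaded RPMs against the
# SHA-256 digests published in an advisory before installing them. Run
# "rpm -K" on the files as well, so the GPG signature is checked too.

# Print "package sha256" pairs from a manifest in the advisory's layout: a
# package file name on its own line, followed by its "MD5: ..." and
# "SHA-256: ..." values, which may sit on separate lines or be run together
# on one line. MD5 values are ignored on purpose: MD5 is not collision
# resistant, so only the SHA-256 value is used.
manifest_digests() {
    awk '
        /^[^ \t]+\.rpm[ \t]*$/ { pkg = $1; next }
        pkg != "" && match($0, /SHA-256:[ \t]*[0-9A-Fa-f]+/) {
            d = substr($0, RSTART, RLENGTH)
            sub(/SHA-256:[ \t]*/, "", d)
            print pkg, tolower(d)
            pkg = ""
        }
    ' "$1"
}

# Print the lowercase hex SHA-256 of file $1 (coreutils sha256sum, or
# shasum on systems without it).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print tolower($1) }'
}

# Return 0 if file $1 has SHA-256 $2 (case-insensitive hex comparison).
sha256_matches() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Verify every package from manifest $1 that is present in directory $2.
# Prints one status line per package and returns 1 if any present file has
# a digest mismatch. Absent packages are reported but are not a failure,
# since a host usually downloads only the packages for its own architecture.
verify_manifest() {
    bad=0
    pairs=$(manifest_digests "$1")
    while read -r pkg digest; do
        [ -n "$pkg" ] || continue
        if [ ! -f "$2/$pkg" ]; then
            echo "MISSING  $pkg"
        elif sha256_matches "$2/$pkg" "$digest"; then
            echo "OK       $pkg"
        else
            echo "MISMATCH $pkg"
            bad=1
        fi
    done <<EOF
$pairs
EOF
    return $bad
}

# Usage: sh verify_rhsa.sh advisory-manifest.txt /path/to/downloaded/rpms
# (assumed names). The manifest is the advisory's package list saved to a
# file; a non-zero exit status means at least one file must not be installed.
if [ $# -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

Because a mismatch sets the exit status, the script can gate an automated `yum localinstall` or `rpm -Uvh` step: verify first, then install only if the check passed and `rpm -K` also reports a good signature.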
1123870 – CVE-2015-0383 OpenJDK: insecure hsperfdata temporary file handling (Hotspot, 8050807)
1152789 – CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
1183020 – CVE-2014-6601 OpenJDK: class verifier insufficient invokespecial calls verification (Hotspot, 8058982)
1183021 – CVE-2015-0412 OpenJDK: insufficient code privileges checks (JAX-WS, 8054367)
1183023 – CVE-2015-0408 OpenJDK: incorrect context class loader use in RMI transport (RMI, 8055309)
1183031 – CVE-2015-0395 OpenJDK: phantom references handling issue in garbage collector (Hotspot, 8047125)
1183043 – CVE-2015-0407 OpenJDK: directory information leak via file chooser (Swing, 8055304)
1183044 – CVE-2015-0410 OpenJDK: DER decoder infinite loop (Security, 8059485)
1183049 – CVE-2014-6593 OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555)
1183645 – CVE-2014-6585 ICU: font parsing OOB read (OpenJDK 2D, 8055489)
1183646 – CVE-2014-6591 ICU: font parsing OOB read (OpenJDK 2D, 8056276)
1183715 – CVE-2014-6587 OpenJDK: MulticastSocket NULL pointer dereference (Libraries, 8056264)

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
