Scientific Linux Security Update : java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64

This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)

CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968)

CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack
vulnerabilities (6863503)

CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service
(6864911) CVE-2009-3877

CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357)

CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358)

CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643)

CVE-2009-3728 OpenJDK ICC_Profile file existence detection information
leak (6631533)

CVE-2009-3881 OpenJDK resurrected classloaders can still have children
(6636650)

CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable
variables (6657026,6657138)

CVE-2009-3880 OpenJDK UI logging information leakage(6664512)

CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057)

CVE-2009-3884 OpenJDK zoneinfo file existence information leak
(6824265)

CVE-2009-3729 JRE TrueType font parsing crash (6815780)

CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969)

CVE-2009-3886 JRE REGRESSION:have problem to run JNLP app and applets
with signed Jar files (6870531)

CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752)

CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web
Start Installer (6872824)

CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer
overflow via a long file: URL argument (6854303)

CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via
crafted image file due improper color profiles parsing (6862970)

This update fixes several vulnerabilities in the Sun Java 6 Runtime
Environment and the Sun Java 6 Software Development Kit. These
vulnerabilities are summarized on the 'Advance notification of
Security Updates for Java SE' page from Sun Microsystems, listed in
the References section. (CVE-2009-2409, CVE-2009-3728, CVE-2009-3729,

CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868,

CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,

CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877,

CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882,

CVE-2009-3883, CVE-2009-3884, CVE-2009-3886)

All running instances of Sun Java must be restarted for the update to
take effect.

See also :

http://www.nessus.org/u?c7181e46

Solution :

Update the affected java-1.6.0-sun-compat and / or jdk packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
Public Exploit Available : true