SUSE-SU-2016:0399

SUSE-SU-2016:0401

SUSE-SU-2016:0428

SUSE-SU-2016:0431

82451

IV72872

http://www-01.ibm.com/support/docview.wss?uid=swg21974194

RHSA-2016:1430

This update for java-1_6_0-ibm fixes the following issues by updating to 6.0-16.20 (bsc#963937)

  - CVE-2015-5041: Could could have invoked non-public     interface methods under certain circumstances

  - CVE-2015-7575: The TLS protocol could allow weaker than     expected security caused by a collision attack when     using the MD5 hash function for signing a     ServerKeyExchange message during a TLS handshake. An     attacker could exploit this vulnerability using     man-in-the-middle techniques to impersonate a TLS server     and obtain credentials

  - CVE-2015-7981: libpng could allow a remote attacker to     obtain sensitive information, caused by an out-of-bounds     read in the png_convert_to_rfc1123 function. An attacker     could exploit this vulnerability to obtain sensitive     information

  - CVE-2015-8126: buffer overflow in libpng caused by     improper bounds checking by the png_set_PLTE() and     png_get_PLTE() functions

  - CVE-2015-8472: buffer overflow in libpng caused by     improper bounds checking by the png_set_PLTE() and     png_get_PLTE() functions

  - CVE-2015-8540: libpng is vulnerable to a buffer     overflow, caused by a read underflow in     png_check_keyword in pngwutil.c. By sending an overly     long argument, a remote attacker could overflow a buffer     and execute arbitrary code on the system or cause the     application to crash.

  - CVE-2016-0402: An unspecified vulnerability related to     the Networking component has no confidentiality impact,     partial integrity impact, and no availability impact

  - CVE-2016-0448: An unspecified vulnerability related to     the JMX component could allow a remote attacker to     obtain sensitive information

  - CVE-2016-0466: An unspecified vulnerability related to     the JAXP component could allow a remote attacker to     cause a denial of service

  - CVE-2016-0483: An unspecified vulnerability related to     the AWT component has complete confidentiality impact,     complete integrity impact, and complete availability     impact

  - CVE-2016-0494: An unspecified vulnerability related to     the 2D component has complete confidentiality impact,     complete integrity impact, and complete availability     impact

The following bugs were fixed :

  - bsc#960402: resolve package conflicts in devel package

  - bsc#960286: resolve package conflicts in the fonts     subpackage

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for java-1.7.0-ibm and java-1.7.1-ibm is now available for Red Hat Satellite 5.7 and Red Hat Satellite 5.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 7 to versions 7 SR9-FP40 and 7R1 SR3-FP40.

Security Fix(es) :

* This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006, CVE-2015-5041, CVE-2015-7575, CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8540, CVE-2016-0264, CVE-2016-0363, CVE-2016-0376, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0483, CVE-2016-0494, CVE-2016-0686, CVE-2016-0687, CVE-2016-3422, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449)

Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.

IBM Java was updated to version 6.0-16.20, fixing various security issues.

More information can be found on <a href='http://www.ibm.com/developerworks/java/jdk/alerts/'>http://www.i bm.com/developerworks/java/jdk/alerts/</a>.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for java-1_7_0-ibm fixes the following issues by updating to 7.0-9.30 (bsc#963937) :

  - CVE-2015-5041: Could could have invoked non-public     interface methods under certain circumstances

  - CVE-2015-7575: The TLS protocol could allow weaker than     expected security caused by a collision attack when     using the MD5 hash function for signing a     ServerKeyExchange message during a TLS handshake. An     attacker could exploit this vulnerability using     man-in-the-middle techniques to impersonate a TLS server     and obtain credentials

  - CVE-2015-7981: libpng could allow a remote attacker to     obtain sensitive information, caused by an out-of-bounds     read in the png_convert_to_rfc1123 function. An attacker     could exploit this vulnerability to obtain sensitive     information

  - CVE-2015-8126: buffer overflow in libpng caused by     improper bounds checking by the png_set_PLTE() and     png_get_PLTE() functions

  - CVE-2015-8472: buffer overflow in libpng caused by     improper bounds checking by the png_set_PLTE() and     png_get_PLTE() functions

  - CVE-2015-8540: libpng is vulnerable to a buffer     overflow, caused by a read underflow in     png_check_keyword in pngwutil.c. By sending an overly     long argument, a remote attacker could overflow a buffer     and execute arbitrary code on the system or cause the     application to crash.

  - CVE-2016-0402: An unspecified vulnerability related to     the Networking component has no confidentiality impact,     partial integrity impact, and no availability impact

  - CVE-2016-0448: An unspecified vulnerability related to     the JMX component could allow a remote attacker to     obtain sensitive information

  - CVE-2016-0466: An unspecified vulnerability related to     the JAXP component could allow a remote attacker to     cause a denial of service

  - CVE-2016-0483: An unspecified vulnerability related to     the AWT component has complete confidentiality impact,     complete integrity impact, and complete availability     impact

  - CVE-2016-0494: An unspecified vulnerability related to     the 2D component has complete confidentiality impact,     complete integrity impact, and complete availability     impact

The following bugs were fixed :

  - bsc#960402: resolve package conflicts in devel package

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following components :

  - 2D
  - AWT
  - IBM J9 JVM
  - JAXP
  - JMX
  - Libraries
  - Networking
  - Security

This update for java-1_8_0-ibm fixes the following security issues by updating to 8.0-2.10 (bsc#963937) :

  - CVE-2015-5041: Could could have invoked non-public     interface methods under certain circumstances

  - CVE-2015-7575: The TLS protocol could allow weaker than     expected security caused by a collision attack when     using the MD5 hash function for signing a     ServerKeyExchange message during a TLS handshake. An     attacker could exploit this vulnerability using     man-in-the-middle techniques to impersonate a TLS server     and obtain credentials

  - CVE-2015-8126: buffer overflow in libpng caused by     improper bounds checking by the png_set_PLTE() and     png_get_PLTE() functions

  - CVE-2015-8472: buffer overflow in libpng caused by     improper bounds checking by the png_set_PLTE() and     png_get_PLTE() functions

  - CVE-2016-0402: An unspecified vulnerability related to     the Networking component has no confidentiality impact,     partial integrity impact, and no availability impact

  - CVE-2016-0448: An unspecified vulnerability related to     the JMX component could allow a remote attacker to     obtain sensitive information

  - CVE-2016-0466: An unspecified vulnerability related to     the JAXP component could allow a remote attacker to     cause a denial of service

  - CVE-2016-0475: An unspecified vulnerability related to     the Libraries component has partial confidentiality     impact, partial integrity impact, and no availability     impact

  - CVE-2016-0483: An unspecified vulnerability related to     the AWT component has complete confidentiality impact,     complete integrity impact, and complete availability     impact

  - CVE-2016-0494: An unspecified vulnerability related to     the 2D component has complete confidentiality impact,     complete integrity impact, and complete availability     impact

The following bugs were fixed :

  - bsc#960402: resolve package conflicts in devel package

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-5041, CVE-2015-7575, CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8540, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0483, CVE-2016-0494)

Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file.

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP20 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-5041, CVE-2015-7575, CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8540, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0483, CVE-2016-0494)

Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file.

All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR9-FP30 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-5041, CVE-2015-7575, CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8540, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0483, CVE-2016-0494)

Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file.

All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR3-FP30 release. All running instances of IBM Java must be restarted for the update to take effect.

Updated java-1.8.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 7 Supplementary.

Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-5041, CVE-2015-7575, CVE-2015-8126, CVE-2015-8472, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0475, CVE-2016-0483, CVE-2016-0494)

Note: This update also disallows the use of the MD5 hash algorithm in the certification path processing. The use of MD5 can be re-enabled by removing MD5 from the jdk.certpath.disabledAlgorithms security property defined in the java.security file.

All users of java-1.8.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 8 SR2-FP10 release. All running instances of IBM Java must be restarted for the update to take effect.

ID	Name	Product	Family	Severity
119974	SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0428-1) (SLOTH)	Nessus	SuSE Local Security Checks	critical
92400	RHEL 5 / 6 : java-1.7.0-ibm and java-1.7.1-ibm (RHSA-2016:1430) (SLOTH)	Nessus	Red Hat Local Security Checks	critical
89989	SUSE SLES10 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0776-1) (SLOTH)	Nessus	SuSE Local Security Checks	critical
89961	SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0770-1) (SLOTH)	Nessus	SuSE Local Security Checks	critical
89657	SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0636-1) (SLOTH)	Nessus	SuSE Local Security Checks	critical
89053	AIX Java Advisory : java_jan2016_advisory.asc (January 2016 CPU) (SLOTH)	Nessus	AIX Local Security Checks	critical
88710	SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0433-1) (SLOTH)	Nessus	SuSE Local Security Checks	critical
88709	SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0431-1) (SLOTH)	Nessus	SuSE Local Security Checks	critical
88692	SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2016:0390-1) (SLOTH)	Nessus	SuSE Local Security Checks	critical
88557	RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2016:0101) (SLOTH)	Nessus	Red Hat Local Security Checks	critical
88556	RHEL 5 : java-1.7.0-ibm (RHSA-2016:0100) (SLOTH)	Nessus	Red Hat Local Security Checks	critical
88555	RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2016:0099) (SLOTH)	Nessus	Red Hat Local Security Checks	critical
88554	RHEL 7 : java-1.8.0-ibm (RHSA-2016:0098) (SLOTH)	Nessus	Red Hat Local Security Checks	critical

CVE-2015-5041

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins