java security update

2016-08-26T14:36:52
ID CESA-2016:1776
Type centos
Reporter CentOS Project
Modified 2016-08-26T15:40:17

Description

CentOS Errata and Security Advisory CESA-2016:1776

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

Security Fix(es):

  • An insufficient bytecode verification flaw was discovered in the Hotspot component in OpenJDK. An untrusted Java application or applet could use this flaw to completely bypass Java sandbox restrictions. (CVE-2016-3606)

  • Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2016-3500, CVE-2016-3508)

  • Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2016-3458, CVE-2016-3550)

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2016-August/022054.html http://lists.centos.org/pipermail/centos-announce/2016-August/022055.html http://lists.centos.org/pipermail/centos-announce/2016-August/022056.html

Affected packages: java-1.6.0-openjdk java-1.6.0-openjdk-demo java-1.6.0-openjdk-devel java-1.6.0-openjdk-javadoc java-1.6.0-openjdk-src

Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-1776.html