openjdk-6 - security update

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in breakouts of
the Java sandbox, information disclosure, denial of service and insecure
cryptography.

• CVE-2015-7575
  A flaw was found in the way TLS 1.2 could use the MD5 hash
  function for signing ServerKeyExchange and Client
  Authentication packets during a TLS handshake.
• CVE-2015-8126
  Multiple buffer overflows in the (1) png_set_PLTE and (2)
  png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x
  before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before
  1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause
  a denial of service (application crash) or possibly have
  unspecified other impact via a small bit-depth value in an IHDR
  (aka image header) chunk in a PNG image.
• CVE-2015-8472
  Buffer overflow in the png_set_PLTE function in libpng before
  1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before
  1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows
  remote attackers to cause a denial of service (application
  crash) or possibly have unspecified other impact via a small
  bit-depth value in an IHDR (aka image header) chunk in a PNG
  image. NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2015-8126.
• CVE-2016-0402
  Unspecified vulnerability in the Java SE and Java SE Embedded
  components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE
  Embedded 8u65 allows remote attackers to affect integrity via
  unknown vectors related to Networking.
• CVE-2016-0448
  Unspecified vulnerability in the Java SE and Java SE Embedded
  components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE
  Embedded 8u65 allows remote authenticated users to affect
  confidentiality via vectors related to JMX.
• CVE-2016-0466
  It was discovered that the JAXP component in OpenJDK did not
  properly enforce the totalEntitySizeLimit limit. An attacker
  able to make a Java application process a specially crafted XML
  file could use this flaw to make the application consume an
  excessive amount of memory.
• CVE-2016-0483
  Unspecified vulnerability in the Java SE, Java SE Embedded, and
  JRockit components in Oracle Java SE 6u105, 7u91, and 8u66;
  Java SE Embedded 8u65; and JRockit R28.3.8 allows remote
  attackers to affect confidentiality, integrity, and
  availability via vectors related to AWT.
• CVE-2016-0494
  Unspecified vulnerability in the Java SE and Java SE Embedded
  components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE
  Embedded 8u65 allows remote attackers to affect
  confidentiality, integrity, and availability via
  unknown vectors related to 2D.

For Debian 6 Squeeze, these problems have been fixed in version
6b38-1.13.10-1~deb6u1.

We recommend that you upgrade your openjdk-6 packages.