(RHSA-2018:1812) Important: java-1.7.1-ibm security update

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 7 to version 7R1 SR4-FP20.

Security Fix(es):

• OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606) (CVE-2018-2633)

• OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600) (CVE-2018-2634)

• OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998) (CVE-2018-2637)

• OpenJDK: GTK library loading use-after-free (AWT, 8185325) (CVE-2018-2641)

• Oracle JDK: unspecified vulnerability fixed in 7u171, 8u161, and 9.0.4 (JavaFX) (CVE-2018-2581)

• OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449) (CVE-2018-2588)

• OpenJDK: DnsClient missing source port randomization (JNDI, 8182125) (CVE-2018-2599)

• OpenJDK: loading of classes from untrusted locations (I18n, 8182601) (CVE-2018-2602)

• OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387) (CVE-2018-2603)

• OpenJDK: insufficient strength of key agreement (JCE, 8185292) (CVE-2018-2618)

• OpenJDK: GSS context use-after-free (JGSS, 8186212) (CVE-2018-2629)

• Oracle JDK: unspecified vulnerability fixed in 6u181 and 7u171 (Serialization) (CVE-2018-2657)

• OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284) (CVE-2018-2663)

• OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289) (CVE-2018-2677)

• OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142) (CVE-2018-2678)

• OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525) (CVE-2018-2579)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.