IBM fixed a number of flaws in their Java Runtime Environment in 1.4.2 SR7. A security update is required for java-ibm-1.4.2 for RHEL4 Extras.

http://www-128.ibm.com/developerworks/java/jdk/alerts/

Two vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to access data in other applets. CVE-2006-6736 CVE-2006-6737 (sun#102732)

Two vulnerabilities in the Java(TM) Runtime Environment with serialization may independently allow an untrusted applet or application to elevate its privileges. (sun#102731) CVE-2006-6745

Two buffer overflow vulnerabilities in the Java(TM) Runtime Environment may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. (sun#102729) CVE-2006-6731

public=20060104,impact=critical

An RSA(1) Signature Verification vulnerability allows unauthorized forged certificates to be validated. This may result in a number of different types of remote exploits. (20061012 sun#102646/8) CVE-2006-4339
I've requested new packages from IBM that will fix this issue.
I received the fixed tarballs from IBM this afternoon. I built the fixed package, java-1.4.2-ibm-1.4.2.7-1jpp.4.el4, into dist-4E-lacd-errata-candidate.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0062.html