Bug 226996 - CVE-2006-6736 Multiple JRE flaws (CVE-2006-6737 CVE-2006-6731 CVE-2006-4339)
Summary: CVE-2006-6736 Multiple JRE flaws (CVE-2006-6737 CVE-2006-6731 CVE-2006-4339)
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: IBMJava2-JRE   
(Show other bugs)
Version: 2.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Thomas Fitzsimmons
QA Contact:
URL:
Whiteboard: public=20060104,impact=critical
Keywords: Security
Depends On:
Blocks: 143573
TreeView+ depends on / blocked
 
Reported: 2007-02-02 15:40 UTC by Mark J. Cox
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Fixed In Version: 1.3.1-12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-07 18:56:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0072 normal SHIPPED_LIVE Critical: IBMJava2 security update 2007-02-08 17:01:00 UTC

Description Mark J. Cox 2007-02-02 15:40:37 UTC
IBM fixed a number of flaws in their Java Runtime Environment in 1.3.1 SR10a.  A
security update is required.

        http://www-128.ibm.com/developerworks/java/jdk/alerts/

        Two vulnerabilities in the Java Runtime Environment may
        independently allow an untrusted applet to access data in other
        applets. CVE-2006-6736 CVE-2006-6737 (sun#102732)

        Two buffer overflow vulnerabilities in the Java(TM) Runtime
        Environment may independently allow an untrusted applet to
        elevate its privileges. For example, an applet may grant
        itself permissions to read and write local files or execute
        local applications that are accessible to the user running the
        untrusted applet.  (sun#102729) CVE-2006-6731
        public=20060104,impact=critical

        An RSA(1) Signature Verification vulnerability allows
        unauthorized forged certificates to be validated. This may
        result in a number of different types of remote exploits.
        (20061012 sun#102646/8) CVE-2006-4339

Comment 1 Thomas Fitzsimmons 2007-02-02 21:16:44 UTC
I've requested new packages from IBM that will fix this issue.


Comment 4 Thomas Fitzsimmons 2007-02-07 18:56:05 UTC
IBM sent me the latest IBM 1.3.1 JDK they have, but it is the same as what's
currently shipping:

$ java -version
java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1)
Classic VM (build 1.3.1, J2RE 1.3.1 IBM build cxia32131ifx-20061109 (131SR10 +
110450 + 110188 + 111317) (JIT enabled: jitc))

I'm going to assume that 131SR10 + 110450 + 110188 + 111317 corresponds to
"SR10a or later" as listed on this page:

http://www-128.ibm.com/developerworks/java/jdk/alerts/

So the IBM 1.3.1 JRE and SDK update packages we shipped in January:

IBMJava2-JRE-1.3.1-12
IBMJava2-SDK-1.3.1-11

already contain the fix for this problem.

I'm going to CC David Edwards and close this as CURRENTRELEASE.  David, please
reopen the bug if these packages are not "SR10a or later".



Note You need to log in before you can comment on or make changes to this bug.