IBM fixed a number of flaws in their Java Runtime Environment in 1.3.1 SR10a. A security update is required.

http://www-128.ibm.com/developerworks/java/jdk/alerts/

Two vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to access data in other applets.
CVE-2006-6736 CVE-2006-6737 (sun#102732)

Two buffer overflow vulnerabilities in the Java(TM) Runtime Environment may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. (sun#102729)
CVE-2006-6731 public=20060104,impact=critical

An RSA(1) Signature Verification vulnerability allows unauthorized forged certificates to be validated. This may result in a number of different types of remote exploits. (20061012 sun#102646/8)
CVE-2006-4339
I've requested new packages from IBM that will fix this issue.
IBM sent me the latest IBM 1.3.1 JDK they have, but it is the same as what's currently shipping:

$ java -version
java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1)
Classic VM (build 1.3.1, J2RE 1.3.1 IBM build cxia32131ifx-20061109 (131SR10 + 110450 + 110188 + 111317) (JIT enabled: jitc))

I'm going to assume that 131SR10 + 110450 + 110188 + 111317 corresponds to "SR10a or later" as listed on this page:

http://www-128.ibm.com/developerworks/java/jdk/alerts/

So the IBM 1.3.1 JRE and SDK update packages we shipped in January:

IBMJava2-JRE-1.3.1-12
IBMJava2-SDK-1.3.1-11

already contain the fix for this problem. I'm going to CC David Edwards and close this as CURRENTRELEASE. David, please reopen the bug if these packages are not "SR10a or later".