Bug 767129 - java-1.6.0-openjdk: CVE-2011-3389/7064341 fix regression [rhel-6]
java-1.6.0-openjdk: CVE-2011-3389/7064341 fix regression [rhel-6]
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: java-1.6.0-openjdk (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Deepak Bhole
BaseOS QE - Apps
: Regression
Depends On:
  Show dependency treegraph
Reported: 2011-12-13 05:37 EST by Tomas Hoger
Modified: 2012-02-16 04:40 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 767132 (view as bug list)
Last Closed: 2012-02-16 04:40:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2011-12-13 05:37:41 EST
Description of problem:
A regression was found in the fix for CVE-2011-3389/7064341 that was applied to Oracle JDK 6u29 and matching OpenJDK update.  This causes connections to certain SSL servers to hang:


In our case, this problem was reported for JBoss products using JDBC to connect to Microsoft SQL server.  Some workarounds were identified:
- use non-CBC cipher (e.g. one of RC4 cipher suites)
- disable CVE-2011-3389 mitigation using -Djsse.enableCBCProtection=false

Related Support Essentials article:
Comment 4 Tomas Hoger 2011-12-19 08:33:38 EST
Oracle 6u30 was released to address this issue:

Comment 8 Deepak Bhole 2011-12-21 21:08:22 EST
Fixed in upstream OpenJDK:

Comment 10 Andrew John Hughes 2011-12-22 20:02:26 EST
Fix is in IcedTea6 HEAD:


Needs backporting to branches.
Comment 11 Andrew John Hughes 2012-01-12 08:38:49 EST
This is fixed in the latest upstream release:


I'll leave others to comment on when this will be packaged for RHEL.
Comment 15 Tomas Hoger 2012-02-16 04:40:27 EST
This was fixed upstream in IcedTea 1.10.5.  We have updated to 1.10.6 in RHSA-2012:0135, hence this issue is fixed.


Note You need to log in before you can comment on or make changes to this bug.