Bug 767132 - java-1.6.0-openjdk: CVE-2011-3389/7064341 fix regression [rhel-5]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: java-1.6.0-openjdk
Version: 5.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Deepak Bhole
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-13 10:52 UTC by Tomas Hoger
Modified: 2012-02-24 18:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 767129
Environment:
Last Closed: 2012-02-24 18:43:15 UTC
Target Upstream Version:
Embargoed:



Description Tomas Hoger 2011-12-13 10:52:03 UTC
+++ This bug was initially created as a clone of Bug #767129 +++

Description of problem:
A regression was found in the fix for CVE-2011-3389/7064341 that was applied to Oracle JDK 6u29 and matching OpenJDK update.  This causes connections to certain SSL servers to hang:

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725

In our case, this problem was reported for JBoss products using JDBC to connect to Microsoft SQL server.  Some workarounds were identified:
- use non-CBC cipher (e.g. one of RC4 cipher suites)
- disable CVE-2011-3389 mitigation using -Djsse.enableCBCProtection=false

Related Support Essentials article:
https://access.redhat.com/kb/docs/DOC-67350

Comment 1 Tomas Hoger 2012-02-24 18:43:15 UTC
This was fixed upstream in IcedTea 1.10.5.  We have updated to 1.10.6 in
RHSA-2012:0322, hence this issue is fixed.

https://rhn.redhat.com/errata/RHSA-2012-0322.html
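
The second workaround in the description turns off the CVE-2011-3389 mitigation for the whole JVM, so once the fixed package is installed it is worth finding where that switch was left in place. The following is an added example, not part of the bug report: it scans JVM option text for `-Djsse.enableCBCProtection`. The file names and option strings are constructed samples, and the "last occurrence wins" and case-insensitive value handling are assumptions about how the JVM treats the property.

```python
import re

# The switch named in the second workaround. The value is captured up to
# whitespace or a closing quote, so it also matches inside JAVA_OPTS="...".
FLAG = re.compile(r"-Djsse\.enableCBCProtection=([^\s\"']*)")


def cbc_protection_setting(text):
    """Return the effective value of jsse.enableCBCProtection found in JVM
    option text (a config file body or a command line), or None if it is
    not set, in which case the mitigation stays at its default."""
    value = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out option lines have no effect
        for match in FLAG.finditer(line):
            value = match.group(1)  # assumption: a later -D overrides an earlier one
    return value


def audit(configs):
    """configs maps a source name to its option text. Returns the sorted
    names where the mitigation is explicitly switched off."""
    return sorted(
        name for name, text in configs.items()
        if (cbc_protection_setting(text) or "").lower() == "false"
    )


# Constructed sample inputs (hypothetical paths and option strings).
SAMPLES = {
    "app1/run.conf":
        'JAVA_OPTS="-Xms128m -Xmx512m -Djsse.enableCBCProtection=false"\n',
    "app2/run.conf":
        '# JAVA_OPTS="$JAVA_OPTS -Djsse.enableCBCProtection=false"\n'
        'JAVA_OPTS="-Xmx1g"\n',
    "app3/cmdline":
        "java -Djsse.enableCBCProtection=false "
        "-Djsse.enableCBCProtection=true -jar app.jar",
    "app4/cmdline":
        "java -Djsse.enableCBCProtection=FALSE -jar app.jar",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("CBC protection disabled:", name)
```
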

