Security update for java-1_6_0-ibm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:1458-1 Final 1 1 2016-05-31T16:39:38Z current 2016-05-31T16:39:38Z 2016-05-31T16:39:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for java-1_6_0-ibm This update for java-1_6_0-ibm fixes the following issues: - Update to sr16 fp26 to fix a regression in TLS connections. (bsc#981087) - IBM Java 1.6.0 SR16 FP25 released (bsc#977646 bsc#977648 bsc#977650 bsc#979252) CVE-2016-0376 CVE-2016-0264 CVE-2016-0363 CVE-2016-3443 CVE-2016-0687 CVE-2016-0686 CVE-2016-3427 CVE-2016-3449 CVE-2016-3422 CVE-2016-3426 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Legacy-12-2016-865 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ Link for SUSE-SU-2016:1458-1 https://lists.suse.com/pipermail/sle-security-updates/2016-May/002086.html E-Mail link for SUSE-SU-2016:1458-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/977646 SUSE Bug 977646 https://bugzilla.suse.com/977648 SUSE Bug 977648 https://bugzilla.suse.com/977650 SUSE Bug 977650 https://bugzilla.suse.com/979252 SUSE Bug 979252 https://bugzilla.suse.com/981087 SUSE Bug 981087 https://www.suse.com/security/cve/CVE-2016-0264/ SUSE CVE CVE-2016-0264 page https://www.suse.com/security/cve/CVE-2016-0363/ SUSE CVE CVE-2016-0363 page https://www.suse.com/security/cve/CVE-2016-0376/ SUSE CVE CVE-2016-0376 page https://www.suse.com/security/cve/CVE-2016-0686/ SUSE CVE CVE-2016-0686 page https://www.suse.com/security/cve/CVE-2016-0687/ SUSE CVE CVE-2016-0687 page https://www.suse.com/security/cve/CVE-2016-3422/ SUSE CVE CVE-2016-3422 page https://www.suse.com/security/cve/CVE-2016-3426/ SUSE CVE CVE-2016-3426 page https://www.suse.com/security/cve/CVE-2016-3427/ SUSE CVE CVE-2016-3427 page https://www.suse.com/security/cve/CVE-2016-3443/ SUSE CVE CVE-2016-3443 page https://www.suse.com/security/cve/CVE-2016-3449/ SUSE CVE CVE-2016-3449 page SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-1.6.0_sr16.26-37.1 java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 java-1_6_0-ibm-1.6.0_sr16.26-37.1 as a component of SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 as a component of SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 as a component of SUSE Linux Enterprise Module for Legacy 12 java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 as a component of SUSE Linux Enterprise Module for Legacy 12 Buffer overflow in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2016-0264 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-0264.html CVE-2016-0264 https://bugzilla.suse.com/977648 SUSE Bug 977648 https://bugzilla.suse.com/979252 SUSE Bug 979252 The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) uses the invoke method of the java.lang.reflect.Method class in an AccessController doPrivileged block, which allows remote attackers to call setSecurityManager and bypass a sandbox protection mechanism via vectors related to a Proxy object instance implementing the java.lang.reflect.InvocationHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3009. CVE-2016-0363 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 moderate 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-0363.html CVE-2016-0363 https://bugzilla.suse.com/977650 SUSE Bug 977650 https://bugzilla.suse.com/979252 SUSE Bug 979252 The com.ibm.rmi.io.SunSerializableFactory class in IBM SDK, Java Technology Edition 6 before SR16 FP25 (6.0.16.25), 6 R1 before SR8 FP25 (6.1.8.25), 7 before SR9 FP40 (7.0.9.40), 7 R1 before SR3 FP40 (7.1.3.40), and 8 before SR3 (8.0.3.0) does not properly deserialize classes in an AccessController doPrivileged block, which allows remote attackers to bypass a sandbox protection mechanism and execute arbitrary code as demonstrated by the readValue method of the com.ibm.rmi.io.ValueHandlerPool.ValueHandlerSingleton class, which implements the javax.rmi.CORBA.ValueHandler interface. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-5456. CVE-2016-0376 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 moderate 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-0376.html CVE-2016-0376 https://bugzilla.suse.com/977646 SUSE Bug 977646 https://bugzilla.suse.com/977650 SUSE Bug 977650 https://bugzilla.suse.com/979252 SUSE Bug 979252 https://bugzilla.suse.com/981057 SUSE Bug 981057 https://bugzilla.suse.com/981060 SUSE Bug 981060 https://bugzilla.suse.com/981087 SUSE Bug 981087 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. CVE-2016-0686 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-0686.html CVE-2016-0686 https://bugzilla.suse.com/976340 SUSE Bug 976340 https://bugzilla.suse.com/979252 SUSE Bug 979252 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component. CVE-2016-0687 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-0687.html CVE-2016-0687 https://bugzilla.suse.com/976340 SUSE Bug 976340 https://bugzilla.suse.com/979252 SUSE Bug 979252 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D. CVE-2016-3422 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-3422.html CVE-2016-3422 https://bugzilla.suse.com/976340 SUSE Bug 976340 https://bugzilla.suse.com/979252 SUSE Bug 979252 Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE. CVE-2016-3426 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-3426.html CVE-2016-3426 https://bugzilla.suse.com/976340 SUSE Bug 976340 https://bugzilla.suse.com/979252 SUSE Bug 979252 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. CVE-2016-3427 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-3427.html CVE-2016-3427 https://bugzilla.suse.com/1011805 SUSE Bug 1011805 https://bugzilla.suse.com/976340 SUSE Bug 976340 https://bugzilla.suse.com/979252 SUSE Bug 979252 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. NOTE: the previous information is from the April 2016 CPU. Oracle has not commented on third-party claims that this issue allows remote attackers to obtain sensitive information via crafted font data, which triggers an out-of-bounds read. CVE-2016-3443 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-3443.html CVE-2016-3443 https://bugzilla.suse.com/976340 SUSE Bug 976340 https://bugzilla.suse.com/979252 SUSE Bug 979252 Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment. CVE-2016-3449 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-fonts-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-jdbc-1.6.0_sr16.26-37.1 SUSE Linux Enterprise Module for Legacy 12:java-1_6_0-ibm-plugin-1.6.0_sr16.26-37.1 important 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20161458-1/ https://www.suse.com/security/cve/CVE-2016-3449.html CVE-2016-3449 https://bugzilla.suse.com/976340 SUSE Bug 976340 https://bugzilla.suse.com/979252 SUSE Bug 979252