sdkp2-java-1_4_2-ibmSecurity update for IBM Java 1.4.2Security update for IBM Java 1.4.2This update brings the IBM Java 1.4.2 JDK and JRE to
Service Release 13. It fixes lots of bugs and various
security issues:
CVE-2008-5350: A security vulnerability in the Java Runtime
Environment (JRE) may allow an untrusted applet or
application to list the contents of the home directory of
the user running the applet or application.
CVE-2008-5346: A security vulnerability in the Java Runtime
Environment (JRE) with parsing zip files may allow an
untrusted applet or application to read arbitrary memory
locations in the process that the applet or application is
running in.
CVE-2008-5343: A vulnerability in Java Web Start and Java
Plug-in may allow hidden code on a host to make network
connections to that host and to hijack HTTP sessions using
cookies stored in the browser.
CVE-2008-5344: A vulnerability in the Java Runtime
Environment (JRE) with applet classloading may allow an
untrusted applet to read arbitrary files on a system that
the applet runs on and make network connections to hosts
other than the host it was loaded from.
CVE-2008-5359: A buffer overflow vulnerability in the Java
Runtime Environment (JRE) image processing code may allow
an untrusted applet or application to escalate privileges.
For example, an untrusted applet may grant itself
permissions to read and write local files or execute local
applications that are accessible to the user running the
untrusted applet.
CVE-2008-5339: A vulnerability in the Java Runtime
Environment (JRE) may allow an untrusted Java Web Start
application to make network connections to hosts other than
the host that the application is downloaded from.
CVE-2008-5340: A vulnerability in the Java Runtime
Environment with launching Java Web Start applications may
allow an untrusted Java Web Start application to escalate
privileges. For example, an untrusted application may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted application.
CVE-2008-5348: A security vulnerability in the Java Runtime
Environment (JRE) with authenticating users through
Kerberos may lead to a Denial of Service (DoS) to the
system as a whole, due to excessive consumption of
operating system resources.
CVE-2008-2086: A vulnerability in Java Web Start may allow
certain trusted operations to be performed, such as
modifying system properties.
CVE-2008-5345: The Java Runtime Environment (JRE) allows
code loaded from the local filesystem to access localhost.
This may allow code that is maliciously placed on the local
filesystem and then subsequently run, to have network
access to localhost that would not otherwise be allowed if
the code were loaded from a remote host. This may be
leveraged to steal cookies and hijack sessions (for domains
that map a name to the localhost).
CVE-2008-5351: The UTF-8 (Unicode Transformation Format-8)
decoder in the Java Runtime Environment (JRE) accepts
encodings that are longer than the "shortest" form. This
behavior is not a vulnerability in Java SE. However, it may
be leveraged to exploit systems running software that
relies on the JRE UTF-8 decoder to reject non-shortest form
sequences. For example, non-shortest form sequences may be
decoded into illegal URIs, which may then allow files that
are not otherwise accessible to be read, if the URIs are
not checked following UTF-8 decoding.
CVE-2008-5360: The Java Runtime Environment creates
temporary files with insufficiently random names. This may
be leveraged to write JAR files which may then be loaded as
untrusted applets and Java Web Start applications to access
and provide services from localhost and hence steal cookies.
CVE-2008-5353: A security vulnerability in the Java Runtime
Environment (JRE) related to deserializing calendar objects
may allow an untrusted applet or application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5356: A buffer vulnerability in the Java Runtime
Environment (JRE) with processing fonts may allow an
untrusted applet or Java Web Start application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5354: A buffer overflow vulnerability in the Java
Runtime Environment (JRE) may allow an untrusted Java
application that is launched through the command line to
escalate privileges. For example, the untrusted Java
application may grant itself permissions to read and write
local files or execute local applications that are
accessible to the user running the untrusted Java
application.
This vulnerability cannot be exploited by an applet or
Java Web Start application.
CVE-2008-5357: A buffer vulnerability in the Java Runtime
Environment (JRE) with processing fonts may allow an
untrusted applet or Java Web Start application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5342: A security vulnerability in the the Java Web
Start BasicService allows untrusted applications that are
downloaded from another system to request local files to be
displayed by the browser of the user running the untrusted
application.
This update brings the IBM Java 1.4.2 JDK and JRE to
Service Release 13. It fixes lots of bugs and various
security issues:
CVE-2008-5350: A security vulnerability in the Java Runtime
Environment (JRE) may allow an untrusted applet or
application to list the contents of the home directory of
the user running the applet or application.
CVE-2008-5346: A security vulnerability in the Java Runtime
Environment (JRE) with parsing zip files may allow an
untrusted applet or application to read arbitrary memory
locations in the process that the applet or application is
running in.
CVE-2008-5343: A vulnerability in Java Web Start and Java
Plug-in may allow hidden code on a host to make network
connections to that host and to hijack HTTP sessions using
cookies stored in the browser.
CVE-2008-5344: A vulnerability in the Java Runtime
Environment (JRE) with applet classloading may allow an
untrusted applet to read arbitrary files on a system that
the applet runs on and make network connections to hosts
other than the host it was loaded from.
CVE-2008-5359: A buffer overflow vulnerability in the Java
Runtime Environment (JRE) image processing code may allow
an untrusted applet or application to escalate privileges.
For example, an untrusted applet may grant itself
permissions to read and write local files or execute local
applications that are accessible to the user running the
untrusted applet.
CVE-2008-5339: A vulnerability in the Java Runtime
Environment (JRE) may allow an untrusted Java Web Start
application to make network connections to hosts other than
the host that the application is downloaded from.
CVE-2008-5340: A vulnerability in the Java Runtime
Environment with launching Java Web Start applications may
allow an untrusted Java Web Start application to escalate
privileges. For example, an untrusted application may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted application.
CVE-2008-5348: A security vulnerability in the Java Runtime
Environment (JRE) with authenticating users through
Kerberos may lead to a Denial of Service (DoS) to the
system as a whole, due to excessive consumption of
operating system resources.
CVE-2008-2086: A vulnerability in Java Web Start may allow
certain trusted operations to be performed, such as
modifying system properties.
CVE-2008-5345: The Java Runtime Environment (JRE) allows
code loaded from the local filesystem to access localhost.
This may allow code that is maliciously placed on the local
filesystem and then subsequently run, to have network
access to localhost that would not otherwise be allowed if
the code were loaded from a remote host. This may be
leveraged to steal cookies and hijack sessions (for domains
that map a name to the localhost).
CVE-2008-5351: The UTF-8 (Unicode Transformation Format-8)
decoder in the Java Runtime Environment (JRE) accepts
encodings that are longer than the "shortest" form. This
behavior is not a vulnerability in Java SE. However, it may
be leveraged to exploit systems running software that
relies on the JRE UTF-8 decoder to reject non-shortest form
sequences. For example, non-shortest form sequences may be
decoded into illegal URIs, which may then allow files that
are not otherwise accessible to be read, if the URIs are
not checked following UTF-8 decoding.
CVE-2008-5360: The Java Runtime Environment creates
temporary files with insufficiently random names. This may
be leveraged to write JAR files which may then be loaded as
untrusted applets and Java Web Start applications to access
and provide services from localhost and hence steal cookies.
CVE-2008-5353: A security vulnerability in the Java Runtime
Environment (JRE) related to deserializing calendar objects
may allow an untrusted applet or application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5356: A buffer vulnerability in the Java Runtime
Environment (JRE) with processing fonts may allow an
untrusted applet or Java Web Start application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5354: A buffer overflow vulnerability in the Java
Runtime Environment (JRE) may allow an untrusted Java
application that is launched through the command line to
escalate privileges. For example, the untrusted Java
application may grant itself permissions to read and write
local files or execute local applications that are
accessible to the user running the untrusted Java
application.
This vulnerability cannot be exploited by an applet or
Java Web Start application.
CVE-2008-5357: A buffer vulnerability in the Java Runtime
Environment (JRE) with processing fonts may allow an
untrusted applet or Java Web Start application to escalate
privileges. For example, an untrusted applet may grant
itself permissions to read and write local files or execute
local applications that are accessible to the user running
the untrusted applet.
CVE-2008-5342: A security vulnerability in the the Java Web
Start BasicService allows untrusted applications that are
downloaded from another system to request local files to be
displayed by the browser of the user running the untrusted
application.
securityjava-1_4_2-ibmx86_64ecdf522c72cd3826b5bf9b4de4e99d41f8df690bjava-1_4_2-ibm-develx86_64235e4341dfbecfd48d9ed0348a16e5fa5a2e82e8