<?xml version="1.0" encoding="UTF-8"?>
<!--PATCHINFO id="007dc44543b7ce6fba030305bae1e4b8"!-->
<patch
    xmlns="http://novell.com/package/metadata/suse/patch"
    xmlns:yum="http://linux.duke.edu/metadata/common"
    xmlns:rpm="http://linux.duke.edu/metadata/rpm"
    xmlns:suse="http://novell.com/package/metadata/suse/common"
    patchid="slesp3-java-1_4_2-ibm-7106"
    timestamp="1280294738"
    engine="1.0">
  <yum:name>slesp3-java-1_4_2-ibm</yum:name>
  <summary lang="en">Security update for IBM Java</summary>
  <description lang="en">
This update brings IBM Java 1.4.2 to SR13 FP5, fixing various bugs and 
security issues:

    * CVE-2010-0084: Unspecified vulnerability in the Java Runtime
      Environment component in Oracle Java SE and Java for Business 6
      Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
      affect confidentiality via unknown vectors.

    * CVE-2010-0085: Unspecified vulnerability in the Java Runtime
      Environment component in Oracle Java SE and Java for Business 6
      Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote
      attackers to affect confidentiality, integrity, and availability via
      unknown vectors.

    * CVE-2010-0087: Unspecified vulnerability in the Java Web Start, Java
      Plug-in component in Oracle Java SE and Java for Business 6 Update
      18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to
      affect confidentiality, integrity, and availability via unknown
      vectors.

    * CVE-2010-0088: Unspecified vulnerability in the Java Runtime
      Environment component in Oracle Java SE and Java for Business 6
      Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote
      attackers to affect confidentiality, integrity, and availability via
      unknown vectors.

    * CVE-2010-0089: Unspecified vulnerability in the Java Web Start, Java
      Plug-in component in Oracle Java SE and Java for Business 6 Update
      18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect
      availability via unknown vectors.

    * CVE-2010-0091: Unspecified vulnerability in the Java Runtime
      Environment component in Oracle Java SE and Java for Business 6
      Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
      affect confidentiality via unknown vectors.

    * CVE-2010-0095: Unspecified vulnerability in the Java Runtime
      Environment component in Oracle Java SE and Java for Business 6
      Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
      affect confidentiality, integrity, and availability via unknown
      vectors.

    * CVE-2010-0839: Unspecified vulnerability in the Sound component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.

    * CVE-2010-0840: Unspecified vulnerability in the Java Runtime
      Environment component in Oracle Java SE and Java for Business 6
      Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
      affect confidentiality, integrity, and availability via unknown
      vectors. NOTE: the previous information was obtained from the March
      2010 CPU. Oracle has not commented on claims from a reliable
      researcher that this is related to improper checks when executing
      privileged methods in the Java Runtime Environment (JRE), which
      allows attackers to execute arbitrary code via (1) an untrusted
      object that extends the trusted class but has not modified a certain
      method, or (2) &quot;a similar trust issue with interfaces,&quot; aka &quot;Trusted
      Methods Chaining Remote Code Execution Vulnerability.&quot;

    * CVE-2010-0841: Unspecified vulnerability in the ImageIO component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and
      1.4.2_25 allows remote attackers to affect confidentiality,
      integrity, and availability via unknown vectors. NOTE: the previous
      information was obtained from the March 2010 CPU. Oracle has not
      commented on claims from a reliable researcher that this is an
      integer overflow in the Java Runtime Environment that allows remote
      attackers to execute arbitrary code via a JPEG image that contains
      subsample dimensions with large values, related to JPEGImageReader
      and &quot;stepX&quot;.

    * CVE-2010-0842: Unspecified vulnerability in the Sound component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.
      NOTE: the previous information was obtained from the March 2010 CPU.
      Oracle has not commented on claims from a reliable researcher that
      this is an uncontrolled array index that allows remote attackers to
      execute arbitrary code via a MIDI file with a crafted MixerSequencer
      object, related to the GM_Song structure.

    * CVE-2010-0843: Unspecified vulnerability in the Sound component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.
      NOTE: the previous information was obtained from the March 2010 CPU.
      Oracle has not commented on claims from a reliable researcher that
      this is related to XNewPtr and improper handling of an integer
      parameter when allocating heap memory in the com.sun.media.sound
      libraries, which allows remote attackers to execute arbitrary code.

    * CVE-2010-0844: Unspecified vulnerability in the Sound component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.
      NOTE: the previous information was obtained from the March 2010 CPU.
      Oracle has not commented on claims from a reliable researcher that
      this is for improper parsing of a crafted MIDI stream when creating a
      MixerSequencer object, which causes a pointer to be corrupted and
      allows a NULL byte to be written to arbitrary memory.

    * CVE-2010-0846: Unspecified vulnerability in the ImageIO component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.
      NOTE: the previous information was obtained from the March 2010 CPU.
      Oracle has not commented on claims from a reliable researcher that
      this is a heap-based buffer overflow that allows remote attackers to
      execute arbitrary code, related to an &quot;invalid assignment&quot; and
      inconsistent length values in a JPEG image encoder
      (JPEGImageEncoderImpl).

    * CVE-2010-0847: Unspecified vulnerability in the Java 2D component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.
      NOTE: the previous information was obtained from the March 2010 CPU.
      Oracle has not commented on claims from a reliable researcher that
      this is a heap-based buffer overflow that allows arbitrary code
      execution via a crafted image.

    * CVE-2010-0848: Unspecified vulnerability in the Java 2D component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.

    * CVE-2010-0849: Unspecified vulnerability in the Java 2D component in
      Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23,
      1.4.2_25, and 1.3.1_27 allows remote attackers to affect
      confidentiality, integrity, and availability via unknown vectors.
      NOTE: the previous information was obtained from the March 2010 CPU.
      Oracle has not commented on claims from a reliable researcher that
      this is a heap-based buffer overflow in a decoding routine used by
      the JPEGImageDecoderImpl interface, which allows code execution via a
      crafted JPEG image.

</description>
  <yum:version ver="7106" rel="0"/>
  <rpm:requires>
    <rpm:entry kind="atom" name="java-1_4_2-ibm" epoch="0" ver="1.4.2_sr13.5" rel="0.4.1" flags="EQ"/>
    <rpm:entry kind="atom" name="java-1_4_2-ibm-devel" epoch="0" ver="1.4.2_sr13.5" rel="0.4.1" flags="EQ"/>
  </rpm:requires>
  <category>security</category>
  <atoms>
    <package xmlns="http://linux.duke.edu/metadata/common" type="rpm">
      <name>java-1_4_2-ibm</name>
      <arch>x86_64</arch>
      <version epoch="0" ver="1.4.2_sr13.5" rel="0.4.1"/>
      <checksum type="sha" pkgid="YES">29c9f15f9808d6759109eb8c4b44faaa91cb843c</checksum>
      <time file="1280294792" build="1280294738"/>
      <size package="38863531" installed="63773841" archive="63480972"/>
      <location xml:base="media://#1" href="suse/x86_64/java-1_4_2-ibm-1.4.2_sr13.5-0.4.1.x86_64.rpm"/>
      <format>
        <rpm:requires>
          <rpm:entry kind="package" name="java-1_4_2-ibm" epoch="0" ver="1.4.2_sr13.5" rel="0.4.1" flags="GE"/>
        </rpm:requires>
        <suse:freshens>
          <suse:entry kind="package" name="java-1_4_2-ibm"/>
        </suse:freshens>
      </format>
      <pkgfiles xmlns="http://novell.com/package/metadata/suse/patch">
      </pkgfiles>
    </package>
    <package xmlns="http://linux.duke.edu/metadata/common" type="rpm">
      <name>java-1_4_2-ibm-devel</name>
      <arch>x86_64</arch>
      <version epoch="0" ver="1.4.2_sr13.5" rel="0.4.1"/>
      <checksum type="sha" pkgid="YES">697de2a13fce619b71916058849bf721a2843071</checksum>
      <time file="1280294792" build="1280294738"/>
      <size package="2426483" installed="3532423" archive="3541572"/>
      <location xml:base="media://#1" href="suse/x86_64/java-1_4_2-ibm-devel-1.4.2_sr13.5-0.4.1.x86_64.rpm"/>
      <format>
        <rpm:requires>
          <rpm:entry kind="package" name="java-1_4_2-ibm-devel" epoch="0" ver="1.4.2_sr13.5" rel="0.4.1" flags="GE"/>
        </rpm:requires>
        <suse:freshens>
          <suse:entry kind="package" name="java-1_4_2-ibm-devel"/>
        </suse:freshens>
      </format>
      <pkgfiles xmlns="http://novell.com/package/metadata/suse/patch">
      </pkgfiles>
    </package>
  </atoms>
</patch>
