java-1.7.0-openjdk-1.7.0.85-2.6.1.3.AXS4

エラータID: AXSA:2015-185:04

Release date: 
Friday, July 17, 2015 - 17:51
Subject: 
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

The OpenJDK runtime environment.

Security issues fixed with this release:

CVE-2015-2590
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-2601
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-2621
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-2625
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-2628
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-2632
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-2808
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does
not properly combine state data with key data during the
initialization phase, which makes it easier for remote attackers to
conduct plaintext-recovery attacks against the initial bytes of a
stream by sniffing network traffic that occasionally relies on keys
affected by the Invariance Weakness, and then using a brute-force
approach involving LSB values, aka the "Bar Mitzvah" issue.
CVE-2015-4000
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is
enabled on a server but not on a client, does not properly convey a
DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct
cipher-downgrade attacks by rewriting a ClientHello with DHE replaced
by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT
replaced by DHE, aka the "Logjam" issue.
CVE-2015-4731
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-4732
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-4733
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-4748
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-4749
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-4760
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Version-Release number of selected component (if applicable):

Solution: 

Update packages.

CVEs: 
CVE-2015-2590
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
CVE-2015-2601
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, JRockit R28.3.6, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JCE.
CVE-2015-2621
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33, allows remote attackers to affect confidentiality via vectors related to JMX.
CVE-2015-2625
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JSSE.
CVE-2015-2628
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA.
CVE-2015-2632
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D.
CVE-2015-2808
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
CVE-2015-4000
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
CVE-2015-4731
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; Java SE Embedded 7u75; and Java SE Embedded 8u33 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.
CVE-2015-4732
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-2590.
CVE-2015-4733
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI.
CVE-2015-4748
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and Embedded 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security.
CVE-2015-4749
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect availability via vectors related to JNDI.
CVE-2015-4760
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.7.0-openjdk-1.7.0.85-2.6.1.3.AXS4.src.rpm
    MD5: ff6fedc640aba0e7207433327e5393fa
    SHA-256: 4cbbf862e25e1d58665eb9a8ea42e57133ffdc58b167e038698b5fa9d4927981
    Size: 39.22 MB

Asianux Server 4 for x86
  1. java-1.7.0-openjdk-1.7.0.85-2.6.1.3.AXS4.i686.rpm
    MD5: ff8387d065f816f1fe126753dbeac1d3
    SHA-256: 3289eb496f80ee78dd4b0e27c79a5240e46c4b85fe8d705da36cdf7dc306617b
    Size: 27.07 MB
  2. java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.AXS4.i686.rpm
    MD5: b8513653711c3a343a36ae8e12d408df
    SHA-256: ad37a64ad6150ef02a736ce0a78fb497219b40eea199ee8d842e209dd3d24a21
    Size: 9.45 MB

Asianux Server 4 for x86_64
  1. java-1.7.0-openjdk-1.7.0.85-2.6.1.3.AXS4.x86_64.rpm
    MD5: 19bbb8648c781bebbb458e3826d9ab8f
    SHA-256: c6e98cf227119112c933a3c7f5de9f96c04f8e8a00b8c2525b6fe1828ab0aa69
    Size: 25.86 MB
  2. java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.AXS4.x86_64.rpm
    MD5: b9da637afdf62dd4a7d4472d37fafc67
    SHA-256: 53d26fc7f92e212366d0a60324cab4d888050c0eafbe403c3b0f0d725344b453
    Size: 9.45 MB