java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4
エラータID: AXSA:2013-486:05
以下項目について対処しました。
[Security Fix]
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには 2D に関連する要因によって,ローカルのユーザが機密性と整合性に影響を与える詳細不明な脆弱性があります。
(CVE-2013-1500)
- Oracle Java SE の Javadoc コンポーネントには,Javadoc に関連する要因によって,リモートの攻撃者が整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-1571)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ライブラリに関連する要因によって,リモートの攻撃者が機密性と可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2407)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,Serviceability に関連する要因によって,リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2412)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ライブラリに関連する要因によって,リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。
なお,これらの脆弱性はそれぞれ異なる脆弱性です。(CVE-2013-2443, CVE-2013-2452, CVE-2013-2455)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,AWT に関連する要因によって,リモートの攻撃者が可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2444)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,Hotspot に関連する要因によって,リモートの攻撃者が可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2445)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,CORBA に関連する要因によって,リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2446)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ネットワーキングに関連する要因によって,リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2447)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,サウンドに関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2448)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ライブラリに関連する要因によって,リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2449)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,Serialization に関連する要因によって,リモートの攻撃者が可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2450)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,JMX に関連する要因によって,リモートの攻撃者が整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2453)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,JDBC に関連する要因によって,リモートの攻撃者が機密性と整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2454)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,Serialization に関連する要因によって,リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2456)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,JMX に関連する要因によって,リモートの攻撃者が整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2457)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ライブラリに関連する要因によって,リモートの攻撃者が機密性と整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2458)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,AWT に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2459)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,Serviceability に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2460)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,ライブラリに関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2461)
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには,2D に関連する要因によって,リモートの攻撃者が機密性,整合性,可用性に影響を与える詳細不明な脆弱性があります。
なお,これらの脆弱性はそれぞれ異なる脆弱性です。 (CVE-2013-2463 , CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
パッケージをアップデートしてください。
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows local users to affect confidentiality and integrity via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to weak permissions for shared memory.
Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to frame injection in HTML that is generated by Javadoc.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "XML security and the class loader."
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to insufficient indication of an SSL connection failure by JConsole, related to RMI connection dialog box.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2452 and CVE-2013-2455. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to an incorrect "checking order" within the AccessControlContext class.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not "properly manage and restrict certain resources related to the processing of fonts," possibly involving temporary files.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Hotspot. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "handling of memory allocation errors."
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via vectors related to CORBA. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not properly enforce access restrictions for CORBA output streams.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to obtain a socket's local address via vectors involving inconsistencies between Socket.getLocalAddress and InetAddress.getLocalHost.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to insufficient "access restrictions" and "robustness of sound classes."
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to GnomeFileTypeDetector and a missing check for read permissions for a path.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Serialization. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper handling of circular references in ObjectStreamClass.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2455. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "network address handling in virtual machine identifiers" and the lack of "unique and unpredictable IDs" in the java.rmi.dgc.VMID class.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect integrity via vectors related to JMX. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to a missing check for "package access" by the MBeanServer Introspector.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not properly restrict access to certain class packages in the SerialJavaObject class, which allows remote attackers to bypass the Java sandbox.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2452. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect access checks by the (1) getEnclosingClass, (2) getEnclosingMethod, and (3) getEnclosingConstructor methods.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serialization. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper access checks for subclasses in the ObjectOutputStream class.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via vectors related to JMX. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to an incorrect implementation of "certain class checks" that allows remote attackers to bypass intended class restrictions.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via "an error related to method handles."
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "integer overflow checks."
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472">CVE-2013-24...
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473">CVE-2013-24...
SRPMS
- java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4.src.rpm
MD5: e20d12a5e574686bdb5d8c362bef3524
SHA-256: 88e4c5feeee2a5fc0736a09fc27b8da049332188715812e5dfc7b2ddaf98a1d8
Size: 65.13 MB
Asianux Server 4 for x86
- java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4.i686.rpm
MD5: 4c7480db651d753c795ff61e502b2aa6
SHA-256: 57645ae0dcf1c9e6b9acac7a0e1c9b385b39e6af5d07816d2c72a9bd657f80df
Size: 26.76 MB - java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.AXS4.i686.rpm
MD5: 0b37f2c0846d0f137f9654f1103f1cc2
SHA-256: edbecbc0c1dd06ce9554a95db5924c20fe59f586f534ae137c5c7cfe5017fbf8
Size: 9.38 MB
Asianux Server 4 for x86_64
- java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4.x86_64.rpm
MD5: 71962ff9da45a7b9e596547a4c680d79
SHA-256: 4480deab8a0670011515fca8532499431db3570d5a81b75552d87b4424635290
Size: 25.58 MB - java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.AXS4.x86_64.rpm
MD5: 604c8f3a4e8c0f90e86ae7dcdb16b6d8
SHA-256: 3b8493c356444262e2511927c6b7698ef4b531f52724bc9d94c43f19e5657ade
Size: 9.38 MB