java-1.8.0-openjdk-1.8.0.71-2.b15.el7
Errata ID: AXSA:2016-039:01
Release date:
2016/01/21 Thursday - 10:40
Title:
java-1.8.0-openjdk-1.8.0.71-2.b15.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- NSS, as used in Mozilla Firefox, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for a man-in-the-middle attacker to spoof servers by triggering a collision. (CVE-2015-7575)
- Oracle Java SE has an unspecified vulnerability related to Networking that allows a remote attacker to affect integrity. (CVE-2016-0402)
- Oracle Java SE has an unspecified vulnerability related to Libraries that allows a remote attacker to affect confidentiality and integrity. (CVE-2016-0475)
- Oracle Java SE has an unspecified vulnerability related to AWT that affects confidentiality, integrity, and availability. (CVE-2016-0483)
- Oracle Java SE has an unspecified vulnerability related to 2D that affects confidentiality, integrity, and availability. (CVE-2016-0494)
Some of the CVE descriptions above are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2015-7575
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVE-2016-0402
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect integrity via unknown vectors related to Networking.
CVE-2016-0448
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX.
CVE-2016-0466
Unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit components in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect availability via vectors related to JAXP.
CVE-2016-0475
Unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit components in Oracle Java SE 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.
CVE-2016-0483
Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this is a heap-based buffer overflow in the readImage function, which allows remote attackers to execute arbitrary code via crafted image data.
CVE-2016-0494
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Additional information:
N/A
Downloads:
SRPMS
- java-1.8.0-openjdk-1.8.0.71-2.b15.el7.src.rpm
MD5: 3b2b86f4eaa7c602b764eefa639a408d
SHA-256: 57c55063ce46d24a92cda3ca2d1f7cc97b845dfc72e677e43ac683db8548a8fc
Size: 52.41 MB
Asianux Server 7 for x86_64
- java-1.8.0-openjdk-1.8.0.71-2.b15.el7.x86_64.rpm
MD5: b059a95a6d97ff9af9461331eecf730a
SHA-256: aa86dc913bba91a6a21ec80692548f16de2824a118d12ce9c224ff2df9d97ee7
Size: 215.62 kB
- java-1.8.0-openjdk-debug-1.8.0.71-2.b15.el7.x86_64.rpm
MD5: d06adb46c96405202a31f10c32b85005
SHA-256: cf5ed8a625a178d63ccdd829cc0d06bb29a3b1eb864ec6558760272d66dc2957
Size: 220.16 kB
- java-1.8.0-openjdk-devel-1.8.0.71-2.b15.el7.x86_64.rpm
MD5: f02a69785561166c6296428496a6ffda
SHA-256: b610241b7882d84063fb838a4d4601ccd101ed17eba0104563235c512dd7b1c8
Size: 9.64 MB
- java-1.8.0-openjdk-headless-1.8.0.71-2.b15.el7.x86_64.rpm
MD5: d64f797a9afee97105d5f210b9203668
SHA-256: 16da52dacf3716619373d374865bed0637c8442cc60fc4d7f18b2e174711127d
Size: 31.25 MB
- java-1.8.0-openjdk-headless-debug-1.8.0.71-2.b15.el7.x86_64.rpm
MD5: 670fc290187539e91319800bf12d9087
SHA-256: af9e0d4da04c211ac354b09552525fdd165c7424873ea28292b27bf15280c301
Size: 32.21 MB