java-1.8.0-openjdk-1.8.0.71-1.b15.AXS4
Errata ID: AXSA:2016-040:01
Release date:
2016/01/21 Thursday - 11:06
Title:
java-1.8.0-openjdk-1.8.0.71-1.b15.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
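The following issues have been addressed.
[Security Fix]
- NSS, as used in Mozilla Firefox, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision. (CVE-2015-7575)
- Oracle Java SE has an unspecified vulnerability related to Networking that allows remote attackers to affect integrity. (CVE-2016-0402)
- Oracle Java SE has an unspecified vulnerability related to JAXP that allows remote attackers to affect availability. (CVE-2016-0466)
- Oracle Java SE has an unspecified vulnerability related to Libraries that allows remote attackers to affect confidentiality and integrity. (CVE-2016-0475)
- Oracle Java SE has an unspecified vulnerability related to AWT that affects confidentiality, integrity, and availability. (CVE-2016-0483)
- Oracle Java SE has an unspecified vulnerability related to 2D that affects confidentiality, integrity, and availability. (CVE-2016-0494)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.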
CVE:
CVE-2015-7575
Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.
CVE-2016-0402
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect integrity via unknown vectors related to Networking.
CVE-2016-0448
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX.
CVE-2016-0466
Unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit components in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect availability via vectors related to JAXP.
CVE-2016-0475
Unspecified vulnerability in the Java SE, Java SE Embedded, and JRockit components in Oracle Java SE 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.
CVE-2016-0483
Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that this is a heap-based buffer overflow in the readImage function, which allows remote attackers to execute arbitrary code via crafted image data.
CVE-2016-0494
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Additional information:
N/A
Downloads:
SRPMS
- java-1.8.0-openjdk-1.8.0.71-1.b15.AXS4.src.rpm
MD5: 1ab1b09debdf28a01c23dc38d4b39718
SHA-256: 17b3e351e162bf459e5e3ab0966c874ac0a0ace65dcf93b5cf7a51f9ae91c3cb
Size: 52.40 MB
Asianux Server 4 for x86
- java-1.8.0-openjdk-1.8.0.71-1.b15.AXS4.i686.rpm
MD5: 6dbc6e7f28cee18f5d4e187cdf3eebcd
SHA-256: c48c271c3a730b043ec0e95a827958d863517e1dcd1d6e5c37831b895b73f52c
Size: 175.32 kB
- java-1.8.0-openjdk-devel-1.8.0.71-1.b15.AXS4.i686.rpm
MD5: 192eba8bee7b315451c1eac7fc8e5526
SHA-256: 6d9cdfb78eebe3f8ca98b8817b4102b038ca3a4cbb7f36783bd3e75aeb62bd41
Size: 10.03 MB
- java-1.8.0-openjdk-headless-1.8.0.71-1.b15.AXS4.i686.rpm
MD5: 1449fabbfeb6a908af37299d2947be5a
SHA-256: fb4f321e84099483bb0083354a883371cbff8ab16b5f819ec12d330eb7753e22
Size: 31.06 MB
Asianux Server 4 for x86_64
- java-1.8.0-openjdk-1.8.0.71-1.b15.AXS4.x86_64.rpm
MD5: 7ecbf1cf2426979e009ee1ea85561998
SHA-256: 720265d0222932999f5e28550fda2f3d8f4dc48e5e4251cadc1c7bdc87e37e6d
Size: 189.27 kB
- java-1.8.0-openjdk-devel-1.8.0.71-1.b15.AXS4.x86_64.rpm
MD5: bb73671a11d50ca4f2db21602d13d8d0
SHA-256: b6f2426b665a75352c43974ed192e35ae55a73fc9b2c378634bcd9c09b49633d
Size: 10.03 MB
- java-1.8.0-openjdk-headless-1.8.0.71-1.b15.AXS4.x86_64.rpm
MD5: bcfcda1673b48c74b89bf119739af796
SHA-256: 306935b519603f0057595826d02a3618f0a6aa9e29fa088f3ddfc12d3ef78b38
Size: 31.71 MB