Bug 226981 - CVE-2006-6736 Multiple JRE flaws (CVE-2006-6737 CVE-2006-6745 CVE-2006-6731 CVE-2006-4339)
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: java-1.4.2-ibm
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Fitzsimmons
QA Contact:
Whiteboard: public=20060104,impact=critical
Depends On:
Reported: 2007-02-02 13:49 UTC by Mark J. Cox
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version: RHSA-2007-0062
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-02-07 19:30:53 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0062 normal SHIPPED_LIVE Critical: java-1.4.2-ibm security update 2007-02-07 19:57:47 UTC

Description Mark J. Cox 2007-02-02 13:49:03 UTC
IBM fixed a number of flaws in their Java Runtime Environment in 1.4.2 SR7.  A
security update is required for java-ibm-1.4.2 for RHEL4 Extras.

        Two vulnerabilities in the Java Runtime Environment may
        independently allow an untrusted applet to access data in other
        applets. CVE-2006-6736 CVE-2006-6737 (sun#102732)

        Two vulnerabilities in the Java(TM) Runtime Environment with
        serialization may independently allow an untrusted applet or
        application to elevate its privileges. (sun#102731) CVE-2006-6745

        Two buffer overflow vulnerabilities in the Java(TM) Runtime
        Environment may independently allow an untrusted applet to
        elevate its privileges. For example, an applet may grant
        itself permissions to read and write local files or execute
        local applications that are accessible to the user running the
        untrusted applet.  (sun#102729) CVE-2006-6731

        An RSA(1) Signature Verification vulnerability allows
        unauthorized forged certificates to be validated. This may
        result in a number of different types of remote exploits.
        (20061012 sun#102646/8) CVE-2006-4339

Comment 3 Thomas Fitzsimmons 2007-02-02 21:18:41 UTC
I've requested new packages from IBM that will fix this issue.

Comment 4 Thomas Fitzsimmons 2007-02-06 20:48:24 UTC
I received the fixed tarballs from IBM this afternoon.  I built the fixed
package, java-1.4.2-ibm-, into dist-4E-lacd-errata-candidate.

Comment 7 Red Hat Bugzilla 2007-02-07 19:30:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
