[SECURITY] [DLA 410-1] openjdk-6 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : openjdk-6
Version : 6b38-1.13.10-1~deb6u1
CVE ID : CVE-2015-7575 CVE-2015-8126 CVE-2015-8472
CVE-2016-0402 CVE-2016-0448 CVE-2016-0466
CVE-2016-0483 CVE-2016-0494
Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in breakouts of
the Java sandbox, information disclosure, denial of service and insecure
cryptography.
CVE-2015-7575
A flaw was found in the way TLS 1.2 could use the MD5 hash
function for signing ServerKeyExchange and Client
Authentication packets during a TLS handshake.
CVE-2015-8126
Multiple buffer overflows in the (1) png_set_PLTE and (2)
png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x
before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before
1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause
a denial of service (application crash) or possibly have
unspecified other impact via a small bit-depth value in an IHDR
(aka image header) chunk in a PNG image.
CVE-2015-8472
Buffer overflow in the png_set_PLTE function in libpng before
1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before
1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows
remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via a small
bit-depth value in an IHDR (aka image header) chunk in a PNG
image. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2015-8126.
CVE-2016-0402
Unspecified vulnerability in the Java SE and Java SE Embedded
components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE
Embedded 8u65 allows remote attackers to affect integrity via
unknown vectors related to Networking.
CVE-2016-0448
Unspecified vulnerability in the Java SE and Java SE Embedded
components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE
Embedded 8u65 allows remote authenticated users to affect
confidentiality via vectors related to JMX.
CVE-2016-0466
It was discovered that the JAXP component in OpenJDK did not
properly enforce the totalEntitySizeLimit limit. An attacker
able to make a Java application process a specially crafted XML
file could use this flaw to make the application consume an
excessive amount of memory.
CVE-2016-0483
Unspecified vulnerability in the Java SE, Java SE Embedded, and
JRockit components in Oracle Java SE 6u105, 7u91, and 8u66;
Java SE Embedded 8u65; and JRockit R28.3.8 allows remote
attackers to affect confidentiality, integrity, and
availability via vectors related to AWT.
CVE-2016-0494
Unspecified vulnerability in the Java SE and Java SE Embedded
components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE
Embedded 8u65 allows remote attackers to affect
confidentiality, integrity, and availability via
unknown vectors related to 2D.
For Debian 6 "Squeeze", these problems have been fixed in version
6b38-1.13.10-1~deb6u1.
We recommend that you upgrade your openjdk-6 packages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQJ8BAEBCgBmBQJWs1pEXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkxzkP/RbftqIzZANtL1S1GiLlolto
4UhFpeZlyn/zELvlTQN9ezV5TX7yQxuYWFHhfzBOAbfCNAuPTGBstqPdpy7rfqSz
pskq6W2P+m0XFgV0BWhN/ydBajB6X7ig5kE362s4Smgdy2e9hz4LwGci71YG7czS
PFfZht5IDyO6K+wIyCmHNHvcYnqlhJGo0+KaBT9YNUVPsOWbvJ+KGg2tus3DaRG0
BEfna20q4h6ufZ52pIZ3WqEfodbp2Qq7uiSpL21pOieilem++AgeoYsB6MOBzSOi
+lKkE/jVDRVjtxmwUJ4dy1Mprb0VLuPRicWDQ3bSINnL/53hKa6veEh4QU64bUTh
7fvWYfkDRTXD/uS/bIUEKjEN52y1vbIhKPN2OgFLeDGkEdQjpNqJvQQNlVgtdgEG
m15ZIXpNluEqISd4MUejAUZfBif7xIiv0nuBbitpby8AxCmvCAE4+8n+EZ/hNQQx
1f5ssSgRkm/NghlYdWapSTlY+TEl2GpCJaR5Qpk9corVu6o4DnNyou321TUD804g
pggWjHaurl7sExrvupft+A961Sj6/ySdtg7y5Q7re/TcoDLmyfeXjNfKRyR+2qbN
5tOPW5DIEImS7RMnv3fka+/qIasWn62+0qPyOC/nJnyEWcvAYCXiYMRZaNIBr4v7
DowleYYMmWSiv+yM9o8D
=AsJ5
-----END PGP SIGNATURE-----
Reply to: