SuSE Update for IBM Java, Sun Java SUSE-SA:2007:045

Impact
remote code execution
Solution
Please install the updated packages.
Insight
Both the IBM and Sun Java environments had several security issues which have been fixed by upgrading to their current patch levels:

- IBM Java JRE/SDK 1.3 was updated to 1.3.1 SR10.
- IBM Java JRE/SDK 1.4 was updated to 1.4.2 SR8.
- IBM Java JRE/SDK 5 was updated to 5.0 SR3.
- Sun Java JRE/SDK 1.3 was updated to 1.3.1_20.
- Sun Java JRE/SDK 1.4 was updated to 1.4.2_15.
- Sun Java JRE/SDK 1.5.0 was updated to 1.5.0_12.

For IBM Java please also check the web page http://www-128.ibm.com/developerworks/java/jdk/alerts/ for more details. For Sun Java please also check the web page http://sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1 for more details.

Affecting both sets of JDKs:

- CVE-2007-0243: A buffer overflow vulnerability in the Java(TM) Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

IBM Java specific (fixed already for Sun Java in SUSE-SA:2007:003) problems:

- CVE-2006-6736: Two vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to access data in other applets.
- CVE-2006-6745: Two vulnerabilities in the Java(TM) Runtime Environment with serialization may independently allow an untrusted applet or application to elevate its privileges.

Sun Java specific (fixed for IBM Java in later versions):

- CVE-2007-3004: Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK) allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file.
- CVE-2007-3005: The BMP image parser in Sun Java Development Kit (JDK), on Unix/Linux systems, allows remote attackers to trigger the opening of arbitrary local files via a crafted BMP file, which causes a denial of service (system hang) in certain cases such as /dev/tty, and has other unspecified impact.
- CVE-2007-0243: Buffer overflow in Sun JDK and Java Runtime Environment (JRE) allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption.
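As an added worked example (not part of the advisory, and not a SUSE, IBM or Sun tool), the script below turns the patch levels listed above into a version check: it parses Sun-style ("1.5.0_11") and IBM-style ("1.4.2 SR7") version strings, extracts them from `java -version` output, and reports whether an installed runtime is at or above the fixed level. The two `java -version` captures are constructed samples modelled on the vendors' output formats; the fold of IBM's "1.5.0" onto the advisory's "5.0" naming is an assumption about how IBM Java 5 reports itself.

```python
"""Check an installed IBM or Sun Java against the patch levels named in SUSE-SA:2007:045."""
import re

# Patched levels exactly as stated in the advisory text.
FIXED = {
    ("ibm", "1.3"): "1.3.1 SR10",
    ("ibm", "1.4"): "1.4.2 SR8",
    ("ibm", "5.0"): "5.0 SR3",
    ("sun", "1.3"): "1.3.1_20",
    ("sun", "1.4"): "1.4.2_15",
    ("sun", "1.5"): "1.5.0_12",
}

# Accepts Sun-style "1.5.0_11" and IBM-style "1.4.2 SR7" (case-insensitive, optional space).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+)|\s*SR\s*(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (numeric_parts, update) so versions compare as tuples, e.g. ((1, 5, 0), 11)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    update = int(m.group(2) or m.group(3) or 0)
    return parts, update


def canonical(vendor, parts):
    """Assumption: IBM Java 5 reports itself as '1.5.0' while the advisory calls it '5.0'; fold onto '5.0'."""
    if vendor == "ibm" and len(parts) >= 2 and parts[0] == 1 and parts[1] >= 5:
        return (parts[1], 0)
    return parts


def family(parts):
    """Map canonical version parts onto the release family keyed in FIXED ('1.4', '5.0', ...)."""
    return f"{parts[0]}.{parts[1]}"


def is_patched(vendor, installed):
    """True if installed is at or above the fixed level; None if the family is not in this advisory."""
    parts, update = parse_version(installed)
    parts = canonical(vendor, parts)
    key = (vendor, family(parts))
    if key not in FIXED:
        return None
    fixed_parts, fixed_update = parse_version(FIXED[key])
    return (parts, update) >= (canonical(vendor, fixed_parts), fixed_update)


def version_from_java_output(output):
    """Extract (vendor, version string) from `java -version` text for the two vendors."""
    m = re.search(r'java version "([^"]+)"', output)
    if not m:
        raise ValueError("no 'java version' line found")
    base = m.group(1)
    if "IBM" in output:
        # IBM prints the base release in the version line and the service refresh as "(SRn)".
        sr = re.search(r"\(SR(\d+)\)", output)
        return "ibm", f"{base} SR{sr.group(1) if sr else 0}"
    return "sun", base


# Constructed sample captures modelled on the vendors' `java -version` format (not taken from a real host).
SAMPLE_SUN = '''java version "1.5.0_11"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode, sharing)'''

SAMPLE_IBM = '''java version "1.4.2"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2)
Classic VM (build 1.4.2, J2RE 1.4.2 IBM build cxia32142-20070321 (SR8) (JIT enabled: jitc))'''


def assess(output):
    """Return (vendor, version, verdict) for one `java -version` capture."""
    vendor, version = version_from_java_output(output)
    return vendor, version, is_patched(vendor, version)


if __name__ == "__main__":
    for sample in (SAMPLE_SUN, SAMPLE_IBM):
        vendor, version, ok = assess(sample)
        state = {True: "patched", False: "VULNERABLE", None: "not covered by SUSE-SA:2007:045"}[ok]
        print(f"{vendor} Java {version}: {state}")
```

On a real host, feed `assess()` the stderr of `java -version` (both vendors print the banner on stderr). Releases outside the six families named above return None rather than a verdict, since this advisory says nothing about them.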
Affected
IBM Java, Sun Java on SUSE LINUX 10.1, openSUSE 10.2, SuSE Linux Enterprise Server 8, SUSE SLES 9, Novell Linux Desktop 9, Open Enterprise Server, Novell Linux POS 9, SUSE Linux Enterprise Desktop 10 SP1, SLE SDK 10 SP1, SUSE Linux Enterprise Server 10 SP1
References