安全公告详情

NS-SA-2019-0105

2019-07-17 15:01:06

简介

critical: java-1.7.0-openjdk/nss security update

严重级别

critical

主题

An update for java-1.7.0-openjdk/nss is now available for NewStart CGSL MAIN 4.05.
NewStart Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

java-1.7.0-openjdk: The OpenJDK runtime environment.
nss: Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.


Security Fix(es):
java-1.7.0-openjdk: It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory(CVE-2017-3526)
java-1.7.0-openjdk: An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges(CVE-2017-3511)
java-1.7.0-openjdk: It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user(CVE-2017-3509)
java-1.7.0-openjdk: A newline injection flaw was discovered in the SMTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate SMTP connections established by a Java applicati(CVE-2017-3544)
java-1.7.0-openjdk: It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm(CVE-2017-3539)
java-1.7.0-openjdk: A newline injection flaw was discovered in the FTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate FTP connections established by a Java applicati(CVE-2017-3533)
java-1.7.0-openjdk: bugfix
nss: An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library.(CVE-2017-5461)
nss: A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library.(CVE-2017-7502)
nss: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 4.05.F5.

影响组件

  • java-1.7.0-openjdk
  • nss

影响产品

  • CGSL MAIN 4.05

更新包

{"fix":[{"product":"CGSL MAIN 4.05","pkgs":[{"binary":["java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm","java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.el6_9.x86_64.rpm"],"source":"java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el6_9.src.rpm"},{"binary":["nss-3.28.4-3.el6_9.x86_64.rpm","nss-devel-3.28.4-3.el6_9.x86_64.rpm","nss-sysinit-3.28.4-3.el6_9.x86_64.rpm","nss-tools-3.28.4-3.el6_9.x86_64.rpm"],"source":"nss-3.28.4-3.el6_9.src.rpm"}]}]}

CVE

参考