The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2013-1505 advisory.

    [1:1.6.0.0-1.68.1.11.14]
    - updated to icedtea6-1.11.14.tar.gz
    - added and applied 1.11.14-fixes.patch, patch10 to fix build issues
    - adapted patch8 java-1.6.0-openjdk-timezone-id.patch
    - Resolves: rhbz#1017618

    [1:1.6.0.1-1.67.1.13.0]
    - reverted previous update
    - Resolves: rhbz#1017618

    [1:1.6.0.1-1.66.1.13.0]
    - updated to icedtea 1.13
    - updated to openjdk-6-src-b28-04_oct_2013
    - added --disable-lcms2 configure switch to fix tck
    - removed upstreamed patch7,java-1.6.0-openjdk-jstack.patch
    - added patch7 1.13_fixes.patch to fix 1.13 build issues
    - adapted patch0 java-1.6.0-openjdk-optflags.patch
    - adapted patch3 java-1.6.0-openjdk-java-access-bridge-security.patch
    - adapted patch8 java-1.6.0-openjdk-timezone-id.patch
    - removed useless runtests parts
    - included also java.security.old files
    - Resolves: rhbz#1017618

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This release updates our OpenJDK 7 support in the 2.4.x series with a number of security fixes and synchronises it with upstream development. The security issues fixed (a long list) can be found in the following link :

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-October/025 087.html

Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)

The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)

Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829 , CVE-2013-5814 , CVE-2013-5817 , CVE-2013-5842 , CVE-2013-5850 , CVE-2013-5838)

Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.
(CVE-2013-5809)

The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)

Multiple errors were discovered in the way the JAXP and Security components processes XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825 , CVE-2013-4002 , CVE-2013-5823)

Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
(CVE-2013-3829 , CVE-2013-5840 , CVE-2013-5774 , CVE-2013-5783 , CVE-2013-5820 , CVE-2013-5851 , CVE-2013-5800 , CVE-2013-5849 , CVE-2013-5790 , CVE-2013-5784)

It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)

Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from an untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.
(CVE-2013-5804 , CVE-2013-5797)

Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)

The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)

The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)

The remote host has a version of IBM Notes (formerly Lotus Notes) 8.0.x / 8.5.x / 9.0.x that is bundled with an IBM Java version prior to 1.6 SR15 FP1. It is, therefore, affected by the vulnerabilities mentioned in the Oracle Java Critical Patch Update advisories for October 2013 and January 2014.

Update to icedtea 2.4.3 (bnc#846999) synchronized OpenJDK 7 support with the upstream u45 b31 fixes the following issues :

  - S8006900, CVE-2013-3829: Add new date/time capability

  - S8008589: Better MBean permission validation

  - S8011071, CVE-2013-5780: Better crypto provider handling

  - S8011081, CVE-2013-5772: Improve jhat

  - S8011157, CVE-2013-5814: Improve CORBA portablility

  - S8012071, CVE-2013-5790: Better Building of Beans

  - S8012147: Improve tool support

  - S8012277: CVE-2013-5849: Improve AWT DataFlavor

  - S8012425, CVE-2013-5802: Transform TransformerFactory

  - S8013503, CVE-2013-5851: Improve stream factories

  - S8013506: Better Pack200 data handling

  - S8013510, CVE-2013-5809: Augment image writing code

  - S8013514: Improve stability of cmap class

  - S8013739, CVE-2013-5817: Better LDAP resource management

  - S8013744, CVE-2013-5783: Better tabling for AWT

  - S8014085: Better serialization support in JMX classes

  - S8014093, CVE-2013-5782: Improve parsing of images

  - S8014098: Better profile validation

  - S8014102, CVE-2013-5778: Improve image conversion

  - S8014341, CVE-2013-5803: Better service from Kerberos     servers

  - S8014349, CVE-2013-5840: (cl) Class.getDeclaredClass     problematic in some class loader configurations

  - S8014530, CVE-2013-5825: Better digital signature     processing

  - S8014534: Better profiling support

  - S8014987, CVE-2013-5842: Augment serialization handling

  - S8015614: Update build settings

  - S8015731: Subject java.security.auth.subject to     improvements

  - S8015743, CVE-2013-5774: Address internet addresses

  - S8016256: Make finalization final

  - S8016653, CVE-2013-5804: javadoc should ignore     ignoreable characters in names

  - S8016675, CVE-2013-5797: Make Javadoc pages more robust

  - S8017196, CVE-2013-5850: Ensure Proxies are handled     appropriately

  - S8017287, CVE-2013-5829: Better resource disposal

  - S8017291, CVE-2013-5830: Cast Proxies Aside

  - S8017298, CVE-2013-4002: Better XML support

  - S8017300, CVE-2013-5784: Improve Interface     Implementation

  - S8017505, CVE-2013-5820: Better Client Service

  - S8019292: Better Attribute Value Exceptions

  - S8019617: Better view of objects

  - S8020293: JVM crash

  - S8021275, CVE-2013-5805: Better screening for ScreenMenu

  - S8021282, CVE-2013-5806: Better recycling of object     instances

  - S8021286: Improve MacOS resourcing

  - S8021290, CVE-2013-5823: Better signature validation

  - S8022931, CVE-2013-5800: Enhance Kerberos exceptions

  - S8022940: Enhance CORBA translations

  - S8023683: Enhance class file parsing

  - Backports

  - S6614237: missing codepage Cp290 at java runtime

  - S8005932: Java 7 on mac os x only provides text     clipboard formats

  - S8014046: (process) Runtime.exec(String) fails if     command contains spaces [win]

  - S8015144: Performance regression in ICU OpenType Layout     library

  - S8015965: (process) Typo in name of property to allow     ambiguous commands

  - S8015978: Incorrect transformation of XPath expression     'string(-0)'

  - S8016357: Update hotspot diagnostic class

  - S8019584:
    javax/management/remote/mandatory/loading/MissingClassTe     st.java failed in nightly against jdk7u45:
    java.io.InvalidObjectException: Invalid notification:
    null

  - S8019969:
    nioNetworkChannelInet6/SetOptionGetOptionTestInet6 test     case crashes

  - S8020032: 7u fastdebug doesn't generate fastdebuginfo     file

  - S8020085: Linux ARM build failure for 7u45

  - S8020088: Increment minor version of HSx for 7u45 and     initialize the build number

  - S8020551: increment hsx build to b03 for 7u45-b03

  - S8020943: Memory leak when GCNotifier uses     create_from_platform_dependent_str()

  - S8021287: Improve MacOS resourcing

  - S8021355: REGRESSION: Five closed/java/awt/SplashScreen     tests fail since 7u45 b01 on Linux, Solaris

  - S8021360: object not exported' on start of     JMXConnectorServer for RMI-IIOP protocol with security     manager

  - S8021366:
    java_util/Properties/PropertiesWithOtherEncodings fails     during 7u45 nightly testing

  - S8021577: JCK test     api/javax_management/jmx_serial/modelmbean/ModelMBeanNot     ificationInfo/serial/index.html#Input has failed since     jdk 7u45 b01

  - S8021899: Re-adjust fix of # 8020498 in 7u45 after     mergeing 7u40

  - S8021901: Increment hsx build to b05 for 7u45-b05

  - S8021933: Add extra check for fix # JDK-8014530

  - S8021969: The index_AccessAllowed jnlp can not load     successfully with exception thrown in the log.

  - S8022066: Evaluation of method reference to signature     polymorphic method crashes VM

  - S8022086: Fixing licence of newly added files

  - S8022254: Remove incorrect jdk7u45-b05 tag from     jdk7u-cpu forest

  - S8022661: InetAddress.writeObject() performs flush() on     object output stream

  - S8022682: Supporting XOM

  - S8022808: Kitchensink hangs on macos

  - S8022856: 7u45 l10n resource file translation update

  - S8023323: Increment hsx build to b06 for 7u45-b08

  - S8023457: Event based tracing framework needs a mutex     for thread groups

  - S8023478: Test fails with HS crash in GCNotifier.

  - S8023741: Increment hsx 24.45 build to b07 for 7u45-b09

  - S8023771: when USER_RELEASE_SUFFIX is set in order to     add a string to java -version, build number in the     bundles names should not be changed to b00

  - S8023888: Increment hsx 24.45 build to b08 for 7u45-b10

  - S8023964: java/io/IOException/LastErrorString.java     should be @ignore-d

  - S8024369: Increment build # of hs24.0 to b57 for     7u40-b61 psu

  - S8024668:
    api/java_nio/charset/Charset/index.html#Methods     JCK-runtime test fails with 7u45 b11

  - S8024697: Fix for 8020983 causes Xcheck:jni warnings

  - S8024863: X11: Support GNOME Shell as mutter

  - S8024883: (se) SelectableChannel.register throws NPE if     fd >= 64k (lnx)

  - S8025128: File.createTempFile fails if prefix is     absolute path

  - S8025170: jdk7u51 7u-1-prebuild is failing since 9/19

  - Bug fixes

  - PR1400: Menu of maximized AWT window not working in Mate

  - Update to icedtea 2.4.2 

  - System LCMS 2 support again enabled by default,     requiring 2.5 or above.

  - OpenJDK

  - S7122222: GC log is limited to 2G for 32-bit

  - S7162400: Intermittent java.io.IOException: Bad file     number during HotSpotVirtualMachine.executeCommand

  - S7165807: Non optimized initialization of NSS crypto     library leads to scalability issues

  - S7199324: IPv6: JMXConnectorServer.getConnectionIDs()     return IDs contradicting to address grammar

  - S8001345: VM crashes with assert(n->outcnt() != 0 ||     C->top() == n || n->is_Proj()) failed: No dead     instructions after post-alloc

  - S8001424: G1: Rename certain G1-specific flags

  - S8001425: G1: Change the default values for certain G1     specific flags

  - S8004859: Graphics.getClipBounds/getClip return     difference nonequivalent bounds, depending from     transform

  - S8005019: JTable passes row index instead of length when     inserts selection interval

  - S8005194: [parfait] #353     sun/awt/image/jpeg/imageioJPEG.c Memory leak of pointer     'scale' allocated with calloc()

  - S8006941: [macosx] Deadlock in drag and drop

  - S8007898: Incorrect optimization of Memory Barriers in     Matcher::post_store_load_barrier()

  - S8009168: accessibility.properties syntax issue

  - S8009985: [parfait] Uninitialised variable at     jdk/src/solaris/native/com/sun/management/UnixOperatingS     ystem_md.c

  - S8011064: Some tests have failed with SIGSEGV on     arm-hflt on build b82

  - S8011569: ARM -- avoid native stack walking

  - S8011760: assert(delta != 0) failed: dup pointer in     MemBaseline::malloc_sort_by_addr

  - S8012144: multiple SIGSEGVs fails on staxf

  - S8012156: tools/javac/file/zip/T6865530.java fails for     win32/64

  - S8012241: NMT huge memory footprint, it usually leads to     OOME

  - S8012366: Fix for 8007815 breaks down when only building     OpenJDK (without deploy and install forests)

  - S8013546: compiler/8011901/Test8011901.java fails with     CompilationError: Compilation failed

  - S8013719: Increment build # of hs23.21 to b02

  - S8013791: G1: G1CollectorPolicy::initialize_flags() may     set min_alignment > max_alignment

  - S8014264: The applet pathguy_TimeDead throws     java.lang.NullPointerException in java console once     click drop-down check box.

  - S8014312: Fork hs23.25 hsx from hs23.21 for jdk7u25 and     reinitialize build number

  - S8014805: NPE is thrown during certpath validation if     certificate does not have AuthorityKeyIdentifier     extension

  - S8014850: Third-Party License Readme updates for 7u40

  - S8014925: Disable     sun.reflect.Reflection.getCallerClass(int) with a     temporary switch to re-enable it

  - S8015237: Parallelize string table scanning during     strong root processing

  - S8015411: Bump the hsx build number for 7u21-b50 for     customer

  - S8015441: runThese crashed with assert(opcode == Op_ConP     || opcode == Op_ThreadLocal || opcode == Op_CastX2P ..)     failed: sanity

  - S8015576: CMS: svc agent throws     java.lang.RuntimeException: No type named 'FreeList' in     database

  - S8015668: overload resolution: performance regression in     JDK 7

  - S8015884: runThese crashed with SIGSEGV, hs_err has an     error instead of stacktrace

  - S8016074: NMT: assertion failed:
    assert(thread->thread_state() == from) failed: coming     from wrong thread state

  - S8016102: Increment build # of hs23.25 to b02 for     7u25-b31 psu

  - S8016131: nsk/sysdict/vm/stress/chain tests crash the VM     in 'entry_frame_is_first()'

  - S8016133: Regression: diff. behavior with user-defined     SAXParser

  - S8016157: During CTW: C2:
    assert(!def_outside->member(r)) failed: Use of external     LRG overlaps the same LRG defined in this block

  - S8016331: Minor issues in event tracing metadata

  - S8016648: FEATURE_SECURE_PROCESSING set to true or false     causes SAXParseException to be thrown

  - S8016734: Remove extra code due to duplicated push

  - S8016737: After clicking on 'Print UNCOLLATED' button,     the print out come in order 'Page 1', 'Page 2', 'Page 1'

  - S8016740: assert in GC_locker from PSOldGen::expand with
    -XX:+PrintGCDetails and Verbose

  - S8016767: Provide man pages generated from DARB for     OpenJDK

  - S8017070: G1: assert(_card_counts[card_num] <=     G1ConcRSHotCardLimit) failed

  - S8017159: Unexclude sun/tools/JMAP/Basic.sh test

  - S8017173: XMLCipher with RSA_OAEP Key Transport     algorithm can't be instantiated

  - S8017174: NPE when using Logger.getAnonymousLogger or     LogManager.getLogManager().getLogger

  - S8017189: [macosx] AWT program menu disabled on Mac

  - S8017252: new hotspot build - hs24-b51

  - S8017478: Kitchensink crashed with SIGSEGV in     BaselineReporter::diff_callsites

  - S8017483: G1 tests fail with native OOME on Solaris x86     after HeapBaseMinAddress has been increased

  - S8017510: Add a regression test for 8005956

  - S8017566: Backout 8000450 - Cannot access to     com.sun.corba.se.impl.orb.ORBImpl

  - S8017588: SA: jstack -l throws UnalignedAddressException     while attaching to core file for java that was started     with CMS GC

  - S8019155: Update makefiles with correct jfr packages

  - S8019201: Regression: java.awt.image.ConvolveOp throws     java.awt.image.ImagingOpException

  - S8019236: [macosx] Add javadoc to the     handleWindowFocusEvent in CEmbeddedFrame

  - S8019265: [macosx] apple.laf.useScreenMenuBar regression     comparing with jdk6

  - S8019298: new hotspot build - hs24-b52

  - S8019381: HashMap.isEmpty is non-final, potential issues     for get/remove

  - S8019541: 7u40 l10n resource file translation update

  - S8019587: [macosx] Possibility to set the same frame for     the different screens

  - S8019625: Test compiler/8005956/PolynomialRoot.java     timeouts on Solaris SPARCs

  - S8019628: [macosx]     closed/java/awt/Modal/BlockedMouseInputTest/BlockedMouse     InputTest.html failed since 7u40b30 on MacOS

  - S8019826: Test     com/sun/management/HotSpotDiagnosticMXBean/SetVMOption.j     ava fails with NPE

  - S8019933: new hotspot build - hs24-b53

  - S8019979: Replace CheckPackageAccess test with better     one from closed repo

  - S8020038: [macosx] Incorrect usage of invokeLater() and     likes in callbacks called via JNI from AppKit thread

  - S8020054: (tz) Support tzdata2013d

  - S8020155: PSR:PERF G1 not collecting old regions when     humongous allocations interfer

  - S8020215: Different execution plan when using JIT vs     interpreter

  - S8020228: Restore the translated version of     logging_xx.properties

  - S8020298: [macosx] Incorrect merge in the lwawt code

  - S8020319: Update Japanese man pages for 7u40

  - S8020371: [macosx] applets with Drag and Drop fail with     IllegalArgumentException

  - S8020381: new hotspot build - hs24-b54

  - S8020425: Product options incorrectly removed in minor     version

  - S8020430: NullPointerException in xml sqe nightly result     on 2013-07-12

  - S8020433: Crash when using -XX:+RestoreMXCSROnJNICalls

  - S8020498: Crash when both libnet.so and libmawt.so are     loaded

  - S8020525: Increment build # of hs23.25 to b03 for     7u25-b34 psu

  - S8020547: Event based tracing needs a UNICODE string     type

  - S8020625: [TESTBUG]     java/util/HashMap/OverrideIsEmpty.java doesn't compile     for jdk7u

  - S8020701: Avoid crashes in WatcherThread

  - S8020796: new hotspot build - hs24-b55

  - S8020811: [macosx] Merge fault 7u25-7u40: Missed focus     fix JDK-8012330

  - S8020940: Valid OCSP responses are rejected for     backdated enquiries

  - S8020983: OutOfMemoryError caused by non garbage     collected JPEGImageWriter Instances

  - S8021008: Provide java and jcmd man pages for Mac     (OpenJDK)

  - S8021148: Regression in SAXParserImpl in 7u40 b34 (NPE)

  - S8021353: Event based tracing is missing thread exit

  - S8021381: JavaFX scene included in Swing JDialog not     starting from Web Start

  - S8021565: new hotspot build - hs24-b56

  - S8021771: warning stat64 is deprecated - when building     on OSX 10.7.5

  - S8021946: Disabling     sun.reflect.Reflection.getCallerCaller(int) by default     breaks several frameworks and libraries

  - S8022548: SPECJVM2008 has errors introduced in 7u40-b34

  - S8023751: Need to backout 8020943, was pushed to hs24     without approval

  - S8024914: Swapped usage of idx_t and bm_word_t types in     bitMap.inline.hpp

  - New features

  - RH991170: java does not use correct kerberos credential     cache

  - PR1536: Allow use of system Kerberos to obtain cache     location

  - PR1551: Add build support for Zero AArch64

  - PR1552: Add -D_LITTLE_ENDIAN for ARM architectures.

  - PR1553: Add Debian AArch64 support

  - PR1554: Fix build on Mac OS X

  - Bug fixes

  - RH661505: JPEGs with sRGB IEC61966-2.1 color profiles     have wrong colors

  - RH995488: Java thinks that the default timezone is     Busingen instead of Zurich

  - Cleanup file resources properly in TimeZone_md.

  - PR1410: Icedtea 2.3.9 fails to build using icedtea     1.12.4

  - G477456: emerge fails on pax system: java attempts RWX     map, paxctl -m missing

  - G478484: patches/boot/ecj-diamond.patch FAILED

  - Fix Zero following changes to entry_frame_call_wrapper     in 8016131

  - Set ZERO_BUILD in flags.make so it is set on rebuilds

  - Cast should use same type as GCDrainStackTargetSize     (uintx).

  - Add casts to fix build on S390

  - JamVM

  - JSR292: Invoke Dynamic

  - sun.misc.Unsafe: additional methods get/putAddress:
    allows JamVM with OpenJDK 7/8 to run recent versions of     JEdit.

  - FreeClassData: adjust method count for Miranda methods

  - Patches changes (mostly sync with Fedora)

  - removed java-1.7.0-openjdk-arm-fixes.patch, fixed     upstream

  - removed java-1.7.0-openjdk-fork.patch, fixed upstream

  - renamed java-1.7.0-openjdk-bitmap.patch to     zero-s8024914.patch

  - renamed java-1.7.0-openjdk-size_t.patch to     zero-size_t.patch

  - added PStack-808293.patch

  - added RH661505-toBeReverted.patch

  - added abrt_friendly_hs_log_jdk7.patch

  - added gstackbounds.patch

  - added java-1.7.0-openjdk-freetype-check-fix.patch

  - added pulse-soundproperties.patch

  - added rhino.patch

  - added zero-entry_frame_call_wrapper.patch

  - added zero-gcdrainstacktargetsize.patch

  - added zero-zero_build.patch

The remote host has one or more instances of NSM (Network and Security Manager) Server running, with version(s) prior to 2012.2R9. It is, therefore, affected by multiple vulnerabilities related to its Java and Apache installations.

IBM Java 1.6.0 has been updated to SR14 to fix bugs and security issues.

Please see also http://www.ibm.com/developerworks/java/jdk/alerts/

Also the following bugs have been fixed :

  - add Europe/Busingen to tzmappings. (bnc#817062)

  - mark files in jre/bin and bin/ as executable     (bnc#823034)

IBM Java 1.6.0 has been updated to SR14 to fix bugs and security issues

Please see also http://www.ibm.com/developerworks/java/jdk/alerts/

Also the following bug has been fixed :

  - add Europe/Busingen to tzmappings. (bnc#817062)

  - mark files in jre/bin and bin/ as executable     (bnc#823034)

Updated java-1.6.0-sun packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

[Updated 12th May 2014] The package list in this erratum has been updated to make the packages available in the Oracle Java for Red Hat Enterprise Linux 6 Workstation x86_64 channels on the Red Hat Network.

Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory pages, listed in the References section. (CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2461, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3829, CVE-2013-4002, CVE-2013-5772, CVE-2013-5774, CVE-2013-5776, CVE-2013-5778, CVE-2013-5780, CVE-2013-5782, CVE-2013-5783, CVE-2013-5784, CVE-2013-5787, CVE-2013-5789, CVE-2013-5790, CVE-2013-5797, CVE-2013-5801, CVE-2013-5802, CVE-2013-5803, CVE-2013-5804, CVE-2013-5809, CVE-2013-5812, CVE-2013-5814, CVE-2013-5817, CVE-2013-5818, CVE-2013-5819, CVE-2013-5820, CVE-2013-5823, CVE-2013-5824, CVE-2013-5825, CVE-2013-5829, CVE-2013-5830, CVE-2013-5831, CVE-2013-5832, CVE-2013-5840, CVE-2013-5842, CVE-2013-5843, CVE-2013-5848, CVE-2013-5849, CVE-2013-5850, CVE-2013-5852, CVE-2013-5878, CVE-2013-5884, CVE-2013-5887, CVE-2013-5888, CVE-2013-5889, CVE-2013-5896, CVE-2013-5898, CVE-2013-5899, CVE-2013-5902, CVE-2013-5905, CVE-2013-5906, CVE-2013-5907, CVE-2013-5910, CVE-2013-6629, CVE-2013-6954, CVE-2014-0368, CVE-2014-0373, CVE-2014-0375, CVE-2014-0376, CVE-2014-0387, CVE-2014-0403, CVE-2014-0410, CVE-2014-0411, CVE-2014-0415, CVE-2014-0416, CVE-2014-0417, CVE-2014-0418, CVE-2014-0422, CVE-2014-0423, CVE-2014-0424, CVE-2014-0428, CVE-2014-0429, CVE-2014-0446, CVE-2014-0449, CVE-2014-0451, CVE-2014-0452, CVE-2014-0453, CVE-2014-0456, CVE-2014-0457, CVE-2014-0458, CVE-2014-0460, CVE-2014-0461, CVE-2014-1876, CVE-2014-2398, CVE-2014-2401, CVE-2014-2403, CVE-2014-2409, CVE-2014-2412, CVE-2014-2414, CVE-2014-2420, CVE-2014-2421, CVE-2014-2423, CVE-2014-2427, CVE-2014-2428)

All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 75 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

The remote host has a version of IBM Domino (formerly Lotus Domino) 9.x prior to 9.0.1 installed. It is, therefore, reportedly affected by the following vulnerabilities :

  - The included version of the IBM Java SDK contains a     version of IBM JRE that contains numerous security     issues. (CVE-2013-0809, CVE-2013-1493, CVE-2013-2436,     CVE-2013-2455, CVE-2013-3006, CVE-2013-3007,     CVE-2013-3008, CVE-2013-3009, CVE-2013-3010,     CVE-2013-3011, CVE-2013-3012)

  - An input validation error exists related to handling     content in email messages that could allow cross-site     scripting attacks. (CVE-2013-4063)

  - An input validation error exists related to iNotes when     running in 'ultra-light' mode that could allow cross-     site scripting attacks. (CVE-2013-4064)

  - An input validation error exists related to handling     content in email messages and iNotes when running in     'ultra-light' mode that could allow cross-site     scripting attacks. (CVE-2013-4065)

  - Note that fixes in the Oracle Java CPUs for February,     April and June 2013 are included in the fixed IBM Java     release, which is included in the fixed IBM Domino     release. (CVE-2012-1541, CVE-2012-3213, CVE-2012-3342,     CVE-2013-0351, CVE-2013-0401, CVE-2013-0402,     CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,     CVE-2013-0424, CVE-2013-0425, CVE-2013-0426,     CVE-2013-0427, CVE-2013-0428, CVE-2013-0429,     CVE-2013-0430, CVE-2013-0431, CVE-2013-0432,     CVE-2013-0433, CVE-2013-0434, CVE-2013-0435,     CVE-2013-0437, CVE-2013-0438, CVE-2013-0440,     CVE-2013-0441, CVE-2013-0442, CVE-2013-0443,     CVE-2013-0444, CVE-2013-0445, CVE-2013-0446,     CVE-2013-0448, CVE-2013-0449, CVE-2013-0450,     CVE-2013-1473, CVE-2013-1475, CVE-2013-1476,     CVE-2013-1478, CVE-2013-1479, CVE-2013-1480,     CVE-2013-1481, CVE-2013-1488, CVE-2013-1489,     CVE-2013-1491, CVE-2013-1500, CVE-2013-1518,     CVE-2013-1537, CVE-2013-1540, CVE-2013-1557,     CVE-2013-1558, CVE-2013-1561, CVE-2013-1563,     CVE-2013-1564, CVE-2013-1569, CVE-2013-1571,     CVE-2013-2383, CVE-2013-2384, CVE-2013-2394,     CVE-2013-2400, CVE-2013-2407, CVE-2013-2412,     CVE-2013-2414, CVE-2013-2415, CVE-2013-2416,     CVE-2013-2417, CVE-2013-2418, CVE-2013-2419,     CVE-2013-2420, CVE-2013-2421, CVE-2013-2422,     CVE-2013-2423, CVE-2013-2424, CVE-2013-2425,     CVE-2013-2426, CVE-2013-2427, CVE-2013-2428,     CVE-2013-2429, CVE-2013-2430, CVE-2013-2431,     CVE-2013-2432, CVE-2013-2433, CVE-2013-2434,     CVE-2013-2435, CVE-2013-2437, CVE-2013-2438,     CVE-2013-2439, CVE-2013-2440, CVE-2013-2442,     CVE-2013-2443, CVE-2013-2444, CVE-2013-2445,     CVE-2013-2446, CVE-2013-2447, CVE-2013-2448,     CVE-2013-2449, CVE-2013-2450, CVE-2013-2451,     CVE-2013-2452, CVE-2013-2453, CVE-2013-2454,     CVE-2013-2456, CVE-2013-2457, CVE-2013-2458,     CVE-2013-2459, CVE-2013-2460, CVE-2013-2461,     CVE-2013-2462, CVE-2013-2463, CVE-2013-2464,     CVE-2013-2465, CVE-2013-2466, CVE-2013-2467,     CVE-2013-2468, CVE-2013-2469, CVE-2013-2470,     CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,     CVE-2013-3743, CVE-2013-3744, CVE-2013-4002)

ID	Name	Product	Family	Published	Updated	Severity
70770	Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2013-1505)	Nessus	Oracle Linux Local Security Checks	11/6/2013	10/22/2024	medium
70873	SuSE 11.3 Security Update : OpenJDK 7 (SAT Patch Number 8494)	Nessus	SuSE Local Security Checks	11/13/2013	1/19/2021	critical
70897	Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-235)	Nessus	Amazon Linux Local Security Checks	11/14/2013	7/10/2019	critical
73970	IBM Notes 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities	Nessus	Windows	5/12/2014	11/26/2019	critical
75196	openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:1663-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/19/2021	critical
77326	Juniper NSM < 2012.2R9 Multiple Java and Apache Vulnerabilities (JSA10642)	Nessus	Misc.	8/22/2014	12/5/2022	critical
69069	SuSE 11.2 / 11.3 Security Update : java-1_6_0-ibm (SAT Patch Numbers 8105 / 8107)	Nessus	SuSE Local Security Checks	7/26/2013	3/29/2022	critical
69072	SuSE 10 Security Update : java-1_6_0-ibm (ZYPP Patch Number 8657)	Nessus	SuSE Local Security Checks	7/26/2013	3/29/2022	critical
79011	RHEL 5 / 6 : java-1.6.0-sun (RHSA-2014:0414)	Nessus	Red Hat Local Security Checks	11/8/2014	4/25/2023	medium
71861	IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	1/8/2014	5/25/2022	critical

Detections

Analytics

Plugins Search

medium

critical

critical

critical

critical

critical

critical

critical

medium

critical