Security packages for Java posted for testing at

ftp://ftp.scientificlinux.org/linux/scientific/5rolling/testing/i386/
ftp://ftp.scientificlinux.org/linux/scientific/5rolling/testing/x86_64/

Next week these packages will be officially released.  This delay is to
allow you time to test and verify your production applications will run
as expected once this security update is applied.

If you do not want this security update please consult your site's
local security policy to determine how you should proceed.  Scientific
Linux will automatically feature this update next week.

As a reminder, the openjdk Java environment is available in Scientific
Linux 5.  Updates for openjdk are released in a similar manner to other
security updates.  Additionally, Scientific Linux 6 does not bundle the
closed source Java environment.  So if you are planning to move to
Scientific Linux 6 in the future, you may wish to begin the Java
migration to openjdk at this time.




The update advisory is posted below:

Synopsis: Important: java-1.6.0-sun
Issue Date: 2012-09-04
CVE Numbers: CVE-2012-4681


These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.

In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," we strongly recommend that you apply the updates as soon as possible.
