Australia's Leading Computer Emergency Response Team
 
ESB-2012.0339 - [Mac][OSX] Java: Multiple vulnerabilities

Date: 04 April 2012
References: ASB-2012.0009  ESB-2012.0171  ASB-2012.0023.2  ASB-2012.0024.2  ESB-2012.0368  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0339
        Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7
                               4 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Java
Publisher:         Apple
Operating System:  Mac OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Reduced Security                -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0507 CVE-2012-0506 CVE-2012-0505
                   CVE-2012-0503 CVE-2012-0502 CVE-2012-0501
                   CVE-2012-0500 CVE-2012-0499 CVE-2012-0498
                   CVE-2012-0497 CVE-2011-5035 CVE-2011-3563

Reference:         ASB-2012.0024
                   ASB-2012.0009
                   ESB-2012.0171
                   ASB-2012.0023.2

Original Bulletin: 
   http://support.apple.com/kb/HT5228

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2012-04-03-1 Java for OS X 2012-001 and
Java for Mac OS X 10.6 Update 7

Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7 is now
available and addresses the following:

Java
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.3, OS X Lion Server v10.7.3
Impact:  Multiple vulnerabilities in Java 1.6.0_29
Description:  Multiple vulnerabilities exist in Java 1.6.0_29, the
most serious of which may allow an untrusted Java applet to execute
arbitrary code outside the Java sandbox. Visiting a web page
containing a maliciously crafted untrusted Java applet may lead to
arbitrary code execution with the privileges of the current user.
These issues are addressed by updating to Java version 1.6.0_31.
Further information is available via the Java website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2011-3563
CVE-2011-5035
CVE-2012-0497
CVE-2012-0498
CVE-2012-0499
CVE-2012-0500
CVE-2012-0501
CVE-2012-0502
CVE-2012-0503
CVE-2012-0505
CVE-2012-0506
CVE-2012-0507


Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7
may be obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.dmg
Its SHA-1 digest is: f76807153bc0ca253e4a466a2a8c0abf1e180667

For OS X Lion systems
The download file is named: JavaForOSX.dmg
Its SHA-1 digest is: 176ac1f8e79b4245301e84b616de5105ccd13e16

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----