The java-1.7.0-openjdk packages provide the OpenJDK 7 Java RuntimeEnvironment and the OpenJDK 7 Java Software Development Kit.An out-of-bounds write flaw was found in the JPEG image format decoder inthe AWT component in OpenJDK. A specially crafted JPEG image could causea Java application to crash or, possibly execute arbitrary code. Anuntrusted Java application or applet could use this flaw to bypass Javasandbox restrictions. (CVE-2016-0483)An integer signedness issue was found in the font parsing code in the 2Dcomponent in OpenJDK. A specially crafted font file could possibly causethe Java Virtual Machine to execute arbitrary code, allowing an untrustedJava application or applet to bypass Java sandbox restrictions.(CVE-2016-0494)It was discovered that the JAXP component in OpenJDK did not properlyenforce the totalEntitySizeLimit limit. An attacker able to make a Javaapplication process a specially crafted XML file could use this flaw tomake the application consume an excessive amount of memory. (CVE-2016-0466)A flaw was found in the way TLS 1.2 could use the MD5 hash function forsigning ServerKeyExchange and Client Authentication packets during a TLShandshake. A man-in-the-middle attacker able to force a TLS connection touse the MD5 hash function could use this flaw to conduct collision attacksto impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)Multiple flaws were discovered in the Libraries, Networking, and JMXcomponents in OpenJDK. An untrusted Java application or applet could usethese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871,CVE-2016-0402, CVE-2016-0448)Note: If the web browser plug-in provided by the icedtea-web package wasinstalled, the issues exposed via Java applets could have been exploitedwithout user interaction if a user visited a malicious website.Note: This update also disallows the use of the MD5 hash algorithm in thecertification path processing. The use of MD5 can be re-enabled by removingMD5 from the jdk.certpath.disabledAlgorithms security property defined inthe java.security file.All users of java-1.7.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.