RHSA-2016:0067: java-1.6.0-openjdk security update

Description

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java RuntimeEnvironment and the OpenJDK 6 Java Software Development Kit.An out-of-bounds write flaw was found in the JPEG image format decoder inthe AWT component in OpenJDK. A specially crafted JPEG image could causea Java application to crash or, possibly execute arbitrary code. Anuntrusted Java application or applet could use this flaw to bypass Javasandbox restrictions. (CVE-2016-0483)An integer signedness issue was found in the font parsing code in the 2Dcomponent in OpenJDK. A specially crafted font file could possibly causethe Java Virtual Machine to execute arbitrary code, allowing an untrustedJava application or applet to bypass Java sandbox restrictions.(CVE-2016-0494)It was discovered that the JAXP component in OpenJDK did not properlyenforce the totalEntitySizeLimit limit. An attacker able to make a Javaapplication process a specially crafted XML file could use this flaw tomake the application consume an excessive amount of memory. (CVE-2016-0466)Multiple flaws were discovered in the Networking and JMX components inOpenJDK. An untrusted Java application or applet could use these flaws tobypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448)Note: This update also disallows the use of the MD5 hash algorithm in thecertification path processing. The use of MD5 can be re-enabled by removingMD5 from the jdk.certpath.disabledAlgorithms security property defined inthe java.security file.All users of java-1.6.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.