RHSA-2016:0049: java-1.8.0-openjdk security update

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java RuntimeEnvironment and the OpenJDK 8 Java Software Development Kit.An out-of-bounds write flaw was found in the JPEG image format decoder inthe AWT component in OpenJDK. A specially crafted JPEG image could causea Java application to crash or, possibly execute arbitrary code. Anuntrusted Java application or applet could use this flaw to bypass Javasandbox restrictions. (CVE-2016-0483)An integer signedness issue was found in the font parsing code in the 2Dcomponent in OpenJDK. A specially crafted font file could possibly causethe Java Virtual Machine to execute arbitrary code, allowing an untrustedJava application or applet to bypass Java sandbox restrictions.(CVE-2016-0494)It was discovered that the password-based encryption (PBE) implementationin the Libraries component in OpenJDK used an incorrect key length. Thiscould, in certain cases, lead to generation of keys that were weaker thanexpected. (CVE-2016-0475)It was discovered that the JAXP component in OpenJDK did not properlyenforce the totalEntitySizeLimit limit. An attacker able to make a Javaapplication process a specially crafted XML file could use this flaw tomake the application consume an excessive amount of memory. (CVE-2016-0466)A flaw was found in the way TLS 1.2 could use the MD5 hash function forsigning ServerKeyExchange and Client Authentication packets during a TLShandshake. A man-in-the-middle attacker able to force a TLS connection touse the MD5 hash function could use this flaw to conduct collision attacksto impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)Multiple flaws were discovered in the Networking and JMX components inOpenJDK. An untrusted Java application or applet could use these flaws tobypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448)Note: If the web browser plug-in provided by the icedtea-web package wasinstalled, the issues exposed via Java applets could have been exploitedwithout user interaction if a user visited a malicious website.Note: This update also disallows the use of the MD5 hash algorithm in thecertification path processing. The use of MD5 can be re-enabled by removingMD5 from the jdk.certpath.disabledAlgorithms security property defined inthe java.security file.All users of java-1.8.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.