Friday, March 8, 2013

Java security updates released this week

Oracle has released new versions of Java 6 and Java 7 in response to new vulnerabilities that allow malicious web sites to gain full access to systems when web browsers with Java enabled visit them.

This only affects client-side use of Java, such as Web Start apps or the Java plugin in web browsers. It should not be exploitable through server-side uses of Java.

As a precaution, however, everyone is advised to install the latest Java patches. Scientific Linux and Red Hat have both released updated Java 6 and 7 packages. New packages for Mac and Windows systems are also available.

Tuesday, January 15, 2013

New Java Exploit in the Wild

Last week a vulnerability was discovered in Java 7 that allows compromised web sites to take control of computers that visit the site with a web browser that has the Java plugin enabled. This vulnerability is reported to be actively exploited in the wild.

The vulnerability seems to be specific to Java 7, and specifically to the web browser plugin, so grid services do not appear to be vulnerable.

Oracle released a new version of Java on Sunday that should fix this vulnerability. Until the update is installed, it is recommended that people disable the Java browser plugin if it is not needed.

Here's an article that has a good list of FAQs about this vulnerability:
https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/

Tuesday, July 31, 2012

Ganglia Vulnerability

There is a Ganglia vulnerability that potentially allows remote users to execute unauthorized scripts. This has been fixed in the EPEL Ganglia packages for EL6, and it does not seem to affect the EPEL Ganglia packages for EL5.

Tuesday, July 17, 2012

sudo update

An update for sudo was released yesterday that prevents privilege escalation in certain situations.

Tuesday, July 10, 2012

Scientific Linux Updates

Since Thursday there have been 31 Scientific Linux updates announced, mostly for SL6. The full list is here. Also, a fix for a local user privilege escalation bug in the SL6 kernel was announced a few weeks ago. Please upgrade as needed.

Friday, April 20, 2012

Kernel and GridEngine updates this week

Kernel update for Red Hat and Scientific Linux

Red Hat and Scientific Linux have both released updated kernel packages to address a local denial of service vulnerability in the xfrm6_tunnel kernel module.
The Red Hat announcement is here.

Updates to Oracle Grid Engine

Oracle has released updates to Oracle Grid Engine to address two local privilege escalation vulnerabilities, one in the qrsh component and the other in sgepasswd.
The Oracle advisory is here.

Friday, April 6, 2012

A Couple Noteworthy Security Updates

Apple Update for Java

Apple has released an update for Java on Lion and Snow Leopard to address critical vulnerabilities that can lead to the compromise of systems using Java, especially in web browsers. Systems are being actively exploited in the wild. At this time, we have not yet received reports of infected Macs from OSG users; however, reports estimate that over 600,000 Macs have been compromised so far: [PC World Article]

Apple's original announcement is here: [Apple Announcement]

A good quick guide to checking if your Mac is infected is available here: [Lifehacker Article]

RHEL/SL Update for RPM

Red Hat and Scientific Linux have both released updated RPM packages to address an important vulnerability. A maliciously crafted RPM file can compromise a system before the package signature is checked. More information is available here: [Red Hat Announcement]