
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN136
____________________________________________________________________

DATE                : 16/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) :  FreeFlow Print Server

======================================================================
http://www.xerox.com/download/security/security-bulletin/1284333-14afb-4baadb5bccb00/cert_XRX12-002_v1.1.pdf
______________________________________________________________________


Xerox Security Bulletin XRX12-002

FreeFlow Print Server
Oracle January 2012 OS and Security Patch Cluster (includes Java 6
Update 29 Software)

v1.1
03/07/2012

Background
Oracle delivers quarterly Critical Patch Updates (CPU) to address
US-CERT-announced Security vulnerabilities and deliver reliability
improvements to the Solaris Operating System. Oracle no longer provides
these patches to the general public, but Xerox is authorized to deliver
them to Customers with active FreeFlow Print Server (FFPS) Support
contracts (FSMA). Customers who may have an Oracle Support Contract for
their non-FFPS Solaris Servers should not install patches that have not
been customized by Xerox. Otherwise the FFPS software could be damaged,
resulting in downtime and a lengthy re-installation service call.

This bulletin announces the availability of the following:
1. Oracle January 2012 CPU OS and Security Patch Cluster
   This supersedes the Oracle October 2011 CPU Cluster
2. Java 6 Update 29 Software
   This supersedes Java 6 Update 26 Software

The Security vulnerabilities that are remediated with this Oracle
Security patch delivery are as follows:
CVE-2011-0419 CVE-2011-2139 CVE-2011-2428 CVE-2011-4542 CVE-2011-3544
CVE-2011-3554 CVE-2011-1928 CVE-2011-2140 CVE-2011-2429 CVE-2011-4543
CVE-2011-3545 CVE-2011-3556 CVE-2011-2107 CVE-2011-2204 CVE-2011-2430
CVE-2012-0094 CVE-2011-3546 CVE-2011-3557 CVE-2011-2110 CVE-2011-2414
CVE-2011-2444 CVE-2012-0096 CVE-2011-3547 CVE-2011-3558 CVE-2011-2130
CVE-2011-2415 CVE-2011-2526 CVE-2012-0098 CVE-2011-3548 CVE-2011-3560
CVE-2011-2134 CVE-2011-2416 CVE-2011-2896 CVE-2012-0099 CVE-2011-3549
CVE-2011-3561 CVE-2011-2135 CVE-2011-2417 CVE-2011-3190 CVE-2012-0100
CVE-2011-3550 CVE-2011-2136 CVE-2011-2425 CVE-2011-4313 CVE-2012-0109
CVE-2011-3551 CVE-2011-2137 CVE-2011-2426 CVE-2011-4540 CVE-2011-3516
CVE-2011-3552 CVE-2011-2138 CVE-2011-2427 CVE-2011-4541 CVE-2011-3521
CVE-2011-3553

Note: Xerox recommends that customers evaluate their security needs
periodically and if they need Security patches to address the above CVE
issues, schedule an activity with their Xerox Service team to install
the Critical Patch Updates.


Applicability
These Security updates are intended for Xerox printer products running
one of the FFPS 73.C0.41 or 73.B3.61 SPAR software releases. This
Security patch update has only been tested on these software releases
and it is recommended that they be installed on these FFPS software
release versions. They have not been tested with the FFPS 73.B0.73 and
73.A3.31 software releases.

The Xerox CSE/Analyst is provided a tool (accessible from CFO Web site)
that enables them to confirm the currently installed FFPS software
release, Oracle Security Patch Cluster, and Java Software version. When
this Security update has been installed on the FFPS system, this script
will output the following:
FFPS Release Version: 7.0_SP-3 (73.C0.41.86)
Oracle Cluster: January 2012
Java Version: Java 6 Update 29
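
Added example (not part of the Xerox bulletin and not the Xerox tool): a
check that reads saved output in the three-line format quoted above and
reports any host that does not match this bulletin. It assumes an
unpatched host prints the same three fields with older values; the
function names and the STALE sample are constructed for illustration.

```python
import re

# Values below come from the bulletin text.
TESTED_RELEASES = ("73.C0.41", "73.B3.61")
REQUIRED_CLUSTER = (2012, 1)      # "January 2012"
REQUIRED_JAVA = (6, 29)           # "Java 6 Update 29"
MONTHS = ("January February March April May June July August "
          "September October November December").split()

# First sample is the output quoted in the bulletin; second is constructed.
PATCHED = """FFPS Release Version: 7.0_SP-3 (73.C0.41.86)
Oracle Cluster: January 2012
Java Version: Java 6 Update 29"""
STALE = """FFPS Release Version: 7.0_SP-3 (73.C0.41.86)
Oracle Cluster: October 2011
Java Version: Java 6 Update 26"""

def parse_report(text):
    """Turn 'Key: value' lines into a dict; lines without ':' are ignored."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def check_report(text):
    """Return findings; an empty list means the host matches the bulletin."""
    f, findings = parse_report(text), []
    m = re.search(r"\((\d+\.[A-Z]\d\.\d+)", f.get("FFPS Release Version", ""))
    if not m:
        findings.append("FFPS release not reported")
    elif m.group(1) not in TESTED_RELEASES:
        findings.append(f"FFPS release {m.group(1)} was not tested with this update")
    try:
        # Assumed format "<Month> <Year>"; anything else raises ValueError.
        month, year = f.get("Oracle Cluster", "").split()
        if (int(year), MONTHS.index(month) + 1) < REQUIRED_CLUSTER:
            findings.append(f"Oracle cluster {month} {year} is superseded")
    except ValueError:
        findings.append("Oracle cluster not reported")
    m = re.fullmatch(r"Java (\d+) Update (\d+)", f.get("Java Version", ""))
    if not m:
        findings.append("Java version not reported")
    elif (int(m.group(1)), int(m.group(2))) < REQUIRED_JAVA:
        findings.append(f"{m.group(0)} is superseded")
    return findings

if __name__ == "__main__":
    for name, report in (("patched", PATCHED), ("stale", STALE)):
        print(name, check_report(report) or "OK")
```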


Disclaimer

The information provided in this Xerox Product Response is provided "as
is" without warranty of any kind. Xerox Corporation disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
Xerox Corporation be liable for any damages whatsoever resulting from
user's use or disregard of the information provided in this Xerox
Product Response including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Xerox Corporation
has been advised of the possibility of such damages. Some states do not
allow the exclusion or limitation of liability for consequential damages
so the foregoing limitation may not apply.

======================================================================

=========================================================
CERT-Renater reference servers
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
