Bug 10564

Summary:	java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.10
Product:	Mageia	Reporter:	Oden Eriksson <oe>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	dmorganec, luigiwalser, sysadmin-bugs, wrw105
Version:	3	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/555689/
Whiteboard:	MGA2TOO mga3-64-OK mga3-32-ok mga2-32-OK mga2-64-OK
Source RPM:		CVE:
Status comment:
Attachments:	lcms2 fixes.

Description Oden Eriksson 2013-06-19 07:15:26 CEST

======================================================
Name: CVE-2013-1500
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130130
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows local users to affect
confidentiality and integrity via unknown vectors related to 2D.



======================================================
Name: CVE-2013-1571
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130130
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Javadoc component in Oracle Java SE 7
Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and
earlier, and JavaFX 2.2.21 and earlier allows remote attackers to
affect integrity via unknown vectors related to Javadoc.



======================================================
Name: CVE-2013-2400
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2400
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect integrity via unknown vectors related to
Deployment, a different vulnerability than CVE-2013-3744.



======================================================
Name: CVE-2013-2407
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality and
availability via unknown vectors related to Libraries.



======================================================
Name: CVE-2013-2412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality via
unknown vectors related to Serviceability.



======================================================
Name: CVE-2013-2437
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2437
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality via
unknown vectors related to Deployment.



======================================================
Name: CVE-2013-2442
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2442
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment,
a different vulnerability than CVE-2013-2466 and CVE-2013-2468.



======================================================
Name: CVE-2013-2443
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Libraries, a
different vulnerability than CVE-2013-2452 and CVE-2013-2455.



======================================================
Name: CVE-2013-2444
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier
allows remote attackers to affect availability via vectors related to
AWT.



======================================================
Name: CVE-2013-2445
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect availability via unknown vectors related to Hotspot.



======================================================
Name: CVE-2013-2446
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via vectors related to CORBA.



======================================================
Name: CVE-2013-2447
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Networking.



======================================================
Name: CVE-2013-2448
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to Sound.



======================================================
Name: CVE-2013-2449
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality via unknown vectors related to
Libraries.



======================================================
Name: CVE-2013-2450
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect availability via unknown vectors related to Serialization.



======================================================
Name: CVE-2013-2451
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows local users to affect confidentiality, integrity,
and availability via unknown vectors related to Networking.



======================================================
Name: CVE-2013-2452
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Libraries, a
different vulnerability than CVE-2013-2443 and CVE-2013-2455.



======================================================
Name: CVE-2013-2453
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect integrity via vectors
related to JMX.



======================================================
Name: CVE-2013-2454
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality and integrity via vectors related to JDBC.



======================================================
Name: CVE-2013-2455
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Libraries, a
different vulnerability than CVE-2013-2443 and CVE-2013-2452.



======================================================
Name: CVE-2013-2456
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Serialization.



======================================================
Name: CVE-2013-2457
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect integrity via vectors related to JMX.



======================================================
Name: CVE-2013-2458
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality and integrity via unknown vectors
related to Libraries.



======================================================
Name: CVE-2013-2459
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via vectors
related to AWT.



======================================================
Name: CVE-2013-2460
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality, integrity, and availability via
unknown vectors related to Serviceability.



======================================================
Name: CVE-2013-2461
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Libraries.



======================================================
Name: CVE-2013-2462
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2462
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality, integrity, and availability via
unknown vectors related to Deployment.



======================================================
Name: CVE-2013-2463
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2464,
CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2464
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2465
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2466
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2466
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment,
a different vulnerability than CVE-2013-2442 and CVE-2013-2468.



======================================================
Name: CVE-2013-2467
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2467
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 5.0 Update 45 and earlier allows local
users to affect confidentiality, integrity, and availability via
unknown vectors related to the Java installer.



======================================================
Name: CVE-2013-2468
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2468
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment,
a different vulnerability than CVE-2013-2442 and CVE-2013-2466.



======================================================
Name: CVE-2013-2469
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2470
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2471
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2472
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470,
CVE-2013-2471, and CVE-2013-2473.



======================================================
Name: CVE-2013-2473
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470,
CVE-2013-2471, and CVE-2013-2472.



======================================================
Name: CVE-2013-3743
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 6 Update 45 and earlier and 5.0 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via vectors related to AWT.



======================================================
Name: CVE-2013-3744
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3744
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect integrity via unknown vectors related to
Deployment, a different vulnerability than CVE-2013-2400.




Reproducible: 

Steps to Reproduce:

Comment 1 Oden Eriksson 2013-06-19 07:16:39 CEST

I'm not sure where these may apply...

Comment 2 David Walser 2013-06-19 20:43:06 CEST

We'll find out when a new IcedTea is released to address this, which hasn't happened yet.  Because of changes in OpenJDK, a new icedtea-web will need to be provided with this update as well:
http://blog.fuseyism.com/index.php/2013/06/19/imminent-icedtea-web-breakage/

CC: (none) => luigiwalser
Version: 2 => Cauldron
Summary: Multiple vulnerabilities in Java => Java: multiple vulnerabilities fixed in June update
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 3 David Walser 2013-06-20 22:28:44 CEST

RedHat has issued an advisory for this on June 19:
https://rhn.redhat.com/errata/RHSA-2013-0957.html

They updated to IcedTea 2.3.10.

I still don't see any announcements from the IcedTea project itself.

URL: (none) => http://lwn.net/Vulnerabilities/555689/
CC: (none) => dmorganec

Comment 4 David Walser 2013-06-23 03:15:10 CEST

Still no announcements from upstream.

Here's RedHat's bugfix advisory for icedtea-web to go along with this update:
https://rhn.redhat.com/errata/RHBA-2013-0959.html

Speaking of icedtea-web, after updating openjdk and patching icedtea-web, icedtea-web isn't building:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130623011056.luigiwalser.valstar.1730/log/icedtea-web-1.3.2-2.mga4/build.0.20130623011107.log

Comment 5 David Walser 2013-06-23 03:17:50 CEST

We can't push this to QA until icedtea-web is fixed and built.

Here's the packages currently built for this update:
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga3

Comment 6 David Walser 2013-06-23 20:49:25 CEST

OK I got icedtea-web to build by syncing some changes from Fedora.

We won't build an icedtea-web update for Mageia 2 until java-1.6.0-openjdk has been updated.

Packages built:
icedtea-web-1.3.2-1.1.mga3
icedtea-web-javadoc-1.3.2-1.1.mga3

from icedtea-web-1.3.2-1.1.mga3.src.rpm

Version: Cauldron => 3
Summary: Java: multiple vulnerabilities fixed in June update => java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.10
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 7 David Walser 2013-06-23 21:01:28 CEST

Assigning to QA.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the ImagingLib and the image attribute,
channel, layout and raster processing in the 2D component. An untrusted
Java application or applet could possibly use these flaws to trigger Java
Virtual Machine memory corruption (CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469).

Integer overflow flaws were found in the way AWT processed certain input.
An attacker could use these flaws to execute arbitrary code with the
privileges of the user running an untrusted Java applet or application
(CVE-2013-2459).

Multiple improper permission check issues were discovered in the Sound,
JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass Java
sandbox restrictions (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,
CVE-2013-2457, CVE-2013-2453, CVE-2013-2460).

Multiple flaws in the Serialization, Networking, Libraries and CORBA
components can be exploited by an untrusted Java application or applet to
gain access to potentially sensitive information (CVE-2013-2456,
CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446).

It was discovered that the Hotspot component did not properly handle
out-of-memory errors. An untrusted Java application or applet could
possibly use these flaws to terminate the Java Virtual Machine
(CVE-2013-2445).

It was discovered that the AWT component did not properly manage certain
resources and that the ObjectStreamClass of the Serialization component
did not properly handle circular references. An untrusted Java application
or applet could possibly use these flaws to cause a denial of service
(CVE-2013-2444, CVE-2013-2450).

It was discovered that the Libraries component contained certain errors
related to XML security and the class loader. A remote attacker could
possibly exploit these flaws to bypass intended security mechanisms or
disclose potentially sensitive information and cause a denial of service
(CVE-2013-2407, CVE-2013-2461).

It was discovered that JConsole did not properly inform the user when
establishing an SSL connection failed. An attacker could exploit this flaw
to gain access to potentially sensitive information (CVE-2013-2412).

It was discovered that GnomeFileTypeDetector did not check for read
permissions when accessing files. An untrusted Java application or applet
could possibly use this flaw to disclose potentially sensitive information
(CVE-2013-2449).

It was found that documentation generated by Javadoc was vulnerable to a
frame injection attack. If such documentation was accessible over a
network, and a remote attacker could trick a user into visiting a
specially-crafted URL, it would lead to arbitrary web content being
displayed next to the documentation. This could be used to perform a
phishing attack by providing frame content that spoofed a login form on
the site hosting the vulnerable documentation (CVE-2013-1571).

It was discovered that the 2D component created shared memory segments with
insecure permissions. A local attacker could use this flaw to read or write
to the shared memory segment (CVE-2013-1500).

Additionally, this OpenJDK update causes icedtea-web, the Java browser
plugin, to crash, so icedtea-web has been patched to fix this on Mageia 3.

Note that on Mageia 2, icedtea-web uses java-1.6.0-openjdk, which has not
yet been updated to fix these security issues.  An ETA for that update is
not known at this time.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
https://rhn.redhat.com/errata/RHSA-2013-0957.html
https://rhn.redhat.com/errata/RHBA-2013-0959.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga3
icedtea-web-1.3.2-1.1.mga3
icedtea-web-javadoc-1.3.2-1.1.mga3

from SRPMS:
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga2.src.rpm
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga3.src.rpm
icedtea-web-1.3.2-1.1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2013-06-23 21:01:38 CEST

Severity: normal => critical

Comment 8 Bill Wilkinson 2013-06-23 22:39:33 CEST

No exploits on securityfocus.

testing mga3-64

CC: (none) => wrw105

Comment 9 Bill Wilkinson 2013-06-23 23:05:44 CEST

tested with Hello World and OddEven

HelloWorld:
http://docs.oracle.com/javase/tutorial/getStarted/cupojava/unix.html

OddEven
https://en.wikipedia.org/wiki/Java_%28programming_language%29#A_more_comprehensive_example

OddEven is complaning:
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated. 

but works normally.

Whiteboard: MGA2TOO => MGA2TOO mga3-64-OK

Comment 10 Bill Wilkinson 2013-06-24 00:23:21 CEST

Tested mga3-32 as above.  No fontconfig warning.

HelloWorld and OddEven both work normally.  

With IcedTea-web update, proper version shows up at javatester.org for both 32 and 64 bit.

Whiteboard: MGA2TOO mga3-64-OK => MGA2TOO mga3-64-OK mga3-32-ok

Comment 11 Bill Wilkinson 2013-06-24 01:41:30 CEST

Tested mga2-32 as above. Both test cases work normally with java -version showing 1.7.0_25.

Whiteboard: MGA2TOO mga3-64-OK mga3-32-ok => MGA2TOO mga3-64-OK mga3-32-ok mga2-32-OK

Comment 12 Bill Wilkinson 2013-06-24 03:14:15 CEST

Tested mga2-64 in VM as above, test cases work normally.

Validating.

Can someone from the sysadmin team please push from 2 and 3 core/updates_testing to core_updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-OK mga3-32-ok mga2-32-OK => MGA2TOO mga3-64-OK mga3-32-ok mga2-32-OK mga2-64-OK
CC: (none) => sysadmin-bugs

Comment 13 Bill Wilkinson 2013-06-24 03:23:13 CEST

Almost forgot!

Advisory and SRPM list in comment 7

Comment 14 Oden Eriksson 2013-06-24 15:10:45 CEST

FYI. I extracted the lcms2 fixes from this update. Patch is applied, however I don't know what it fixes.

Comment 15 Oden Eriksson 2013-06-24 15:11:20 CEST

Created attachment 4164 [details]
lcms2 fixes.

Comment 16 David Walser 2013-06-24 16:53:52 CEST

(In reply to Oden Eriksson from comment #14)
> FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> I don't know what it fixes.

Cool.  I guess you can commit the patch in SVN for now.

Comment 17 Oden Eriksson 2013-06-24 17:23:02 CEST

(In reply to David Walser from comment #16)
> (In reply to Oden Eriksson from comment #14)
> > FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> > I don't know what it fixes.
> 
> Cool.  I guess you can commit the patch in SVN for now.

Done for mga2+mga3. Parts of it applies to lcms2-2.5rc1 in cauldron, but I leave that for now.

Comment 18 claire robinson 2013-06-26 09:21:27 CEST

Advisory uploaded

Comment 19 Nicolas Vigier 2013-06-26 20:29:37 CEST

http://advisories.mageia.org/MGASA-2013-0185.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Comment 20 David Walser 2013-07-07 03:08:35 CEST

(In reply to Oden Eriksson from comment #17)
> (In reply to David Walser from comment #16)
> > (In reply to Oden Eriksson from comment #14)
> > > FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> > > I don't know what it fixes.
> > 
> > Cool.  I guess you can commit the patch in SVN for now.
> 
> Done for mga2+mga3. Parts of it applies to lcms2-2.5rc1 in cauldron, but I
> leave that for now.

The upstream blog has finally announced this:
http://blog.fuseyism.com/index.php/2013/06/28/security-icedtea-2-3-10-for-openjdk-7-released/

I point it out because they link to 5 Sun bugs about the lcms2 security issues fixed within.

Comment 21 David Walser 2013-07-18 16:19:31 CEST

(In reply to David Walser from comment #20)
> (In reply to Oden Eriksson from comment #17)
> > (In reply to David Walser from comment #16)
> > > (In reply to Oden Eriksson from comment #14)
> > > > FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> > > > I don't know what it fixes.
> > > 
> > > Cool.  I guess you can commit the patch in SVN for now.
> > 
> > Done for mga2+mga3. Parts of it applies to lcms2-2.5rc1 in cauldron, but I
> > leave that for now.
> 
> The upstream blog has finally announced this:
> http://blog.fuseyism.com/index.php/2013/06/28/security-icedtea-2-3-10-for-
> openjdk-7-released/
> 
> I point it out because they link to 5 Sun bugs about the lcms2 security
> issues fixed within.

As you probably already saw, there's a mention about this on oss-sec now with more details:
http://openwall.com/lists/oss-security/2013/07/18/7

Nicolas Vigier 2014-05-08 18:07:13 CEST

CC: boklm => (none)