Bug 12317

Summary: java-1.7.0-openjdk new security issues fixed in IcedTea 2.4.4
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, tmb, wrw105
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/580562/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Source RPM: java-1.7.0-openjdk CVE: CVE-2013-5878, CVE-2013-5884, CVE-2013-5893, CVE-2013-5896, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428
Status comment:

Description Oden Eriksson 2014-01-15 18:06:09 CET 
https://rhn.redhat.com/errata/RHSA-2014-0026.html

CVE-2013-5878, CVE-2013-5884, CVE-2013-5893, CVE-2013-5896, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428


Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2014-01-15 18:20:01 CET 
java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga4 was submitted, but unfortunately to core/updates_testing.

java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3 has been submitted.
David Walser 2014-01-15 18:58:43 CET

URL: https://rhn.redhat.com/errata/RHSA-2014-0026.html => http://lwn.net/Vulnerabilities/580562/

Comment 2 Oden Eriksson 2014-01-16 13:57:39 CET 
Please submit java-1.7.0-openjdk-1.7.0.60-2.4.4.2.mga4 for cauldron.
Comment 3 David Walser 2014-01-18 22:05:15 CET 
Thanks Oden!

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

An input validation flaw was discovered in the font layout engine in the 2D
component. A specially crafted font file could trigger Java Virtual Machine
memory corruption when processed. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions
(CVE-2013-5907).

Multiple improper permission check issues were discovered in the CORBA,
JNDI, and Libraries components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions
(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893).

Multiple improper permission check issues were discovered in the
Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions (CVE-2014-0373, CVE-2013-5878,
CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,
CVE-2014-0368).

It was discovered that the Beans component did not restrict processing of
XML external entities. This flaw could cause a Java application using Beans
to leak sensitive information, or affect application availability
(CVE-2014-0423).

It was discovered that the JSSE component could leak timing information
during the TLS/SSL handshake. This could possibly lead to disclosure of
information about the used encryption keys (CVE-2014-0411).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025800.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
https://rhn.redhat.com/errata/RHSA-2014-0026.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-headless-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-devel-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-demo-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-src-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-javadoc-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-accessibility-1.7.0.60-2.4.4.1.mga3

from java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => critical

David Walser 2014-01-18 22:05:42 CET

Summary: multiple vulnerabilities in java-1.7.0-openjdk => java-1.7.0-openjdk new security issues fixed in IcedTea 2.4.4

Comment 4 Bill Wilkinson 2014-01-19 03:19:24 CET 
Tested MGA3-64.

Java -version returns 
java version "1.7.0_45"
OpenJDK Runtime Environment (mageia-2.4.4.1.mga3-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

Javatester.org returns 1.7.0_45

HelloWorldApp and OddEven work expected.

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga3-64-ok

Comment 5 Bill Wilkinson 2014-01-19 03:42:31 CET 
Tested mga3-32 as in comment 4.

All tests as above.

Advisory needed in SVN to validate.

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 6 claire robinson 2014-01-20 09:04:52 CET 
advisory uploaded. validating

could sysadmin please push from 3 core/updates_testing to updates

thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-01-21 17:46:26 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0023.html

Status: NEW => RESOLVED
CC: (none) => tmb
CVE: (none) => CVE-2013-5878, CVE-2013-5884, CVE-2013-5893, CVE-2013-5896, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428
Resolution: (none) => FIXED