Bug 15106

Summary: java-1.7.0-openjdk new security issues fixed in IcedTea 2.5.4
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: herman.viaene, shlomif, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/630207/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: java-1.7.0-openjdk-1.7.0.71-2.5.3.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-22 00:28:09 CET 
RedHat has issued an advisory on January 20:
https://rhn.redhat.com/errata/RHSA-2015-0067.html

This corresponds to the latest Oracle Critical Patch Update:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

As for IcedTea, no upstream announcements are available yet.  I'm not sure if it's released and not announced yet or if Fedora pulled a snapshot.  If I see an upstream announcement soon, I'll add it to the advisory.

The Java 8 update for Cauldron is being handled in Bug 15104.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated java-1.7.0 packages fix security vulnerabilities:

A flaw was found in the way the Hotspot component in OpenJDK verified
bytecode from the class files. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions
(CVE-2014-6601).

Multiple improper permission check issues were discovered in the JAX-WS,
and RMI components in OpenJDK. An untrusted Java application or applet
could use these flaws to bypass Java sandbox restrictions (CVE-2015-0412,
CVE-2015-0408).

A flaw was found in the way the Hotspot garbage collector handled phantom
references. An untrusted Java application or applet could use this flaw to
corrupt the Java Virtual Machine memory and, possibly, execute arbitrary
code, bypassing Java sandbox restrictions (CVE-2015-0395).

A flaw was found in the way the DER (Distinguished Encoding Rules) decoder
in the Security component in OpenJDK handled negative length values. A
specially crafted, DER-encoded input could cause a Java application to
enter an infinite loop when decoded (CVE-2015-0410).

It was discovered that the SSL/TLS implementation in the JSSE component in
OpenJDK failed to properly check whether the ChangeCipherSpec was received
during the SSL/TLS connection handshake. An MITM attacker could possibly
use this flaw to force a connection to be established without encryption
being enabled (CVE-2014-6593).

An information leak flaw was found in the Swing component in OpenJDK. An
untrusted Java application or applet could use this flaw to bypass certain
Java sandbox restrictions (CVE-2015-0407).

A NULL pointer dereference flaw was found in the MulticastSocket
implementation in the Libraries component of OpenJDK. An untrusted Java
application or applet could possibly use this flaw to bypass certain Java
sandbox restrictions (CVE-2014-6587).

Multiple boundary check flaws were found in the font parsing code in the 2D
component in OpenJDK. A specially crafted font file could allow an
untrusted Java application or applet to disclose portions of the Java
Virtual Machine memory (CVE-2014-6585, CVE-2014-6591).

Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error log
files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack (CVE-2015-0383).

Note: This update disables SSL 3.0 by default to mitigate the POODLE issue,
also known as CVE-2014-3566. The jdk.tls.disabledAlgorithms security
property can be used to re-enable SSL 3.0 support if needed. For additional
information, refer to the Red Hat Bugzilla bug linked to in the References
section.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
https://bugzilla.redhat.com/show_bug.cgi?id=1152789#c82
https://rhn.redhat.com/errata/RHSA-2015-0067.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.75-2.5.4.1.mga4
java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.1.mga4
java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.1.mga4
java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.1.mga4
java-1.7.0-openjdk-src-1.7.0.75-2.5.4.1.mga4
java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.1.mga4
java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.1.mga4

from java-1.7.0-openjdk-1.7.0.75-2.5.4.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-01-22 00:28:44 CET 
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java.

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-01-22 13:58:15 CET 
Tested fine for me through the browser plugin on Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 Shlomi Fish 2015-01-22 15:06:44 CET 
Tested fine for me on Mageia 4 x86-64 in a VBox VM.

CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 Herman Viaene 2015-01-22 15:25:55 CET 
MGA4-64 on HP Probook 6555b
No installation issues.
Tried two applets as per bug 14051 Comment 1. All seels OK.

CC: (none) => herman.viaene

Comment 5 claire robinson 2015-01-22 15:41:01 CET 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-01-24 15:32:50 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0037.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED