Bug 19002

Summary: java-1.8.0-openjdk new security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, marja11, nicolas.salguero, shlomif, sysadmin-bugs, tmb
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/694957/
Whiteboard: has_procedure MGA5-64-OK advisory
Source RPM: java-1.8.0-openjdk-1.8.0.91-1.b14.3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-07-20 20:44:01 CEST 
RedHat has issued an advisory today (July 20):
https://rhn.redhat.com/errata/RHSA-2016-1458.html

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
David Walser 2016-07-20 20:46:22 CEST

Whiteboard: (none) => MGA5TOO

Nicolas Salguero 2016-07-22 15:22:36 CEST

CC: (none) => nicolas.salguero

Marja Van Waes 2016-07-24 10:01:16 CEST

CC: (none) => marja11
Assignee: bugsquad => mageia

Comment 1 David Walser 2016-07-28 19:44:26 CEST 
Fedora has updated it in git today finally, and I have synced it.

Question for Nicolas Salguero:
Is there anything more we need to do before we push it?  Does the f8725698a870.tar.bz2 you added before need to be updated?
Comment 2 Nicolas Salguero 2016-07-29 15:04:39 CEST 
(In reply to David Walser from comment #1)
> Question for Nicolas Salguero:
> Is there anything more we need to do before we push it?  Does the
> f8725698a870.tar.bz2 you added before need to be updated?

I added a new version of my script mga-add-missing-files.sh (because the previous version get the missing files from http://hg.openjdk.java.net/jdk8u/... whereas it should get those files from http://hg.openjdk.java.net/aarch64-port/...) and I launched that script to update Source1 (in this case, f8725698a870.tar.bz2 is replaced by 5e27ac7f7cbc.tar.bz2, using the command: "./mga-add-missing-files.sh aarch64-jdk8u101-b14").

We should update Source1 (by launching the script) each time we update java-1.8.0-openjdk to be sure the missing files in Source1 come from the same commit as the files in "aarch64-port-jdk8u-aarch64-..." tarball.

Best regards,

Nico.
Comment 3 David Walser 2016-07-29 15:53:36 CEST 
Thanks Nicolas!

Thomas, Nicolas has pushed the build for Mageia 5 to the build system already.  Please push chkconfig and java-1.8.0-openjdk in Cauldron ASAP.  Thanks.

CC: (none) => tmb

Comment 4 David Walser 2016-07-29 15:57:12 CEST 
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the Hotspot and Libraries components in
OpenJDK. An untrusted Java application or applet could use these flaws to
completely bypass Java sandbox restrictions (CVE-2016-3606, CVE-2016-3587,
CVE-2016-3598, CVE-2016-3610).

Multiple denial of service flaws were found in the JAXP component in OpenJDK.
A specially crafted XML file could cause a Java application using JAXP to
consume an excessive amount of CPU and memory when parsed (CVE-2016-3500,
CVE-2016-3508).

Multiple flaws were found in the CORBA and Hotsport components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass certain
Java sandbox restrictions (CVE-2016-3458, CVE-2016-3550).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3610
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
https://rhn.redhat.com/errata/RHSA-2016-1458.html
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.101-1.b14.1.mga5
java-1.8.0-openjdk-headless-1.8.0.101-1.b14.1.mga5
java-1.8.0-openjdk-devel-1.8.0.101-1.b14.1.mga5
java-1.8.0-openjdk-demo-1.8.0.101-1.b14.1.mga5
java-1.8.0-openjdk-src-1.8.0.101-1.b14.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.101-1.b14.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.101-1.b14.1.mga5

from java-1.8.0-openjdk-1.8.0.101-1.b14.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => has_procedure

Comment 5 Shlomi Fish 2016-07-31 21:11:43 CEST 
Hi!

I tested the update on a Mageia 5 x86-64 VirtualBox VM and while it seems fine - I ran into some problems with the test procedure:

1. The applets in the first link are too 'whack-a-mole'-y and don't work.

2. The fourth link (with the stick runner game) does not work.

I used https://docs.oracle.com/javase/tutorial/deployment/applet/examplesIndex.html instead. Marking as mga5-64-ok.

CC: (none) => shlomif
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Dave Hodgins 2016-08-03 06:12:42 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-08-03 12:57:39 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0273.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED