Bug 4563

Summary: java-1.6.0-openjdk updated needed for security and upgrading from MDV 2010.2
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: davidwhodgins, dmorganec, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: java-1.6.0-openjdk-1.6.0.0-24.b22.6.1.mga1.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 4405    

Description David Walser 2012-02-17 20:59:03 CET 
Mandriva has issued an update for java-1.6.0-openjdk today (February 17):
http://lists.mandriva.com/security-announce/2012-02/msg00024.php

It lists several CVEs that are fixed with the update.

It also updates the package version to 1.6.0.0-26.b22.1mdv2010.2 which is newer than the one we have (note the 26 vs. our 24), so we need to account for that in our update.

It also mentions that the update provides icedtea6-1.10.6.  I'm not sure exactly how that corresponds to the version of our icedtea-web package (currently at version 1.1.4), but it's likely that it needs updated to go along with this as well.

Though they weren't provided in Mandriva's update, we could consider updating the rootcerts and timezone packages that are usually updated with Java updates (I believe new versions of both are available).
Comment 1 David Walser 2012-02-17 21:00:25 CET 
I believe this update will also need to be done in Cauldron.
D Morgan 2012-02-17 21:20:42 CET

CC: (none) => dmorganec
Assignee: bugsquad => dmorganec

Comment 2 David Walser 2012-02-19 03:42:42 CET 
Possibly relevant, Mandriva has a patch for icedtea-web, with commit log:
"Rebuild with reviewed version of patch to work with firefox 10."

http://svn.mandriva.com/svn/packages/cooker/icedtea-web/current/SOURCES/PR820.patch
Comment 3 David Walser 2012-02-24 00:16:54 CET 
Indeed, the rootcerts package needs to be updated because of MDV's newest Mozilla update (see Bug 4664).
David Walser 2012-02-26 23:32:41 CET

Blocks: (none) => 4405

David Walser 2012-03-22 03:08:44 CET

Blocks: (none) => 5046

Comment 4 David Walser 2012-04-06 17:19:53 CEST 
Updated link for the Mandriva advisory, since their mailing list archives are gone:
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:021
Comment 5 David Walser 2012-04-07 21:15:44 CEST 
OK, a few things.

The 26 at the beginning of the release tag corresponds to the icedtea version (1.10.6).  When we update Mageia 1 accordingly, that 24 (for icedtea 1.10.4 which we have currently) will get changed to a 26.  For Cauldron, with icedtea 1.11, it should be a 30.

For icedtea-web, Mageia 1 does need the PR820 patch, but Cauldron does not need the PR820 patch, which was committed upstream in icedtea-web 1.2.  Cooker does have this patch which still looks needed in both:
http://svn.mandriva.com/svn/packages/cooker/icedtea-web/current/SOURCES/icedtea-web-1.0.2-mutex_and_leak.patch
Comment 6 David Walser 2012-04-08 02:46:10 CEST 
Three hunks of the PR820 patch are rejected.  Re-diffing the first one is easy.  It's not clear what to do with the other two.  The reference for that patch is:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=866
Comment 7 David Walser 2012-04-08 04:22:12 CEST 
Updated packages uploaded for Mageia 1 and Cauldron.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Fix issues in java sound (CVE-2011-3563).

Fix in AtomicReferenceArray (CVE-2011-3571).

Add property to limit number of request headers to the HTTP Server
(CVE-2011-5035).

Incorect checking for graphics rendering object (CVE-2012-0497).

Multiple unspecified vulnerabilities allow remote attackers to affect
confidentiality, integrity, and availability via unknown vectors
(CVE-2012-0498, CVE-2012-0499, CVE-2012-0500).

Better input parameter checking in zip file processing (CVE-2012-0501).

Issues with some KeyboardFocusManager methods (CVE-2012-0502).

Issues with TimeZone class (CVE-2012-0503).

Enhance exception throwing mechanism in ObjectStreamClass
(CVE-2012-0505).

Issues with some methods in corba (CVE-2012-0506).

The updated packages provide IcedTea6-1.10.6 which is not vulnerable
to these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0506
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:021
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-devel-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-demo-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-src-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-javadoc-1.6.0.0-26.b22.1.mga1

from java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1.src.rpm

Assignee: dmorganec => qa-bugs

David Walser 2012-04-08 04:23:06 CEST

Blocks: 5046 => (none)

Comment 8 David Walser 2012-04-09 21:19:27 CEST 
Note to QA:  I know there are a lot of updates pending QA right now, but you might want to make this one a priority.  There are reports that these vulnerabilities are being actively exploited, and that they are the same ones that have led to widespread reported infections of Mac OS X machines recently, as well as the same ones causing the Windows version of Firefox to actively and automatically disable vulnerable versions of the Java plugin.
Comment 9 Dave Hodgins 2012-04-10 05:09:41 CEST 
Tsting complete for the srpm
java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1.src.rpm

Samme testing as was done for bug 1731.

CC: (none) => davidwhodgins

David Walser 2012-04-11 01:10:04 CEST

Severity: normal => critical

Comment 10 Manuel Hiebel 2012-04-11 01:17:14 CEST 
Testing fallowing the comment of Claire. Ok 


Suggested Advisory:
-------------
Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Fix issues in java sound (CVE-2011-3563).

Fix in AtomicReferenceArray (CVE-2011-3571).

Add property to limit number of request headers to the HTTP Server
(CVE-2011-5035).

Incorect checking for graphics rendering object (CVE-2012-0497).

Multiple unspecified vulnerabilities allow remote attackers to affect
confidentiality, integrity, and availability via unknown vectors
(CVE-2012-0498, CVE-2012-0499, CVE-2012-0500).

Better input parameter checking in zip file processing (CVE-2012-0501).

Issues with some KeyboardFocusManager methods (CVE-2012-0502).

Issues with TimeZone class (CVE-2012-0503).

Enhance exception throwing mechanism in ObjectStreamClass
(CVE-2012-0505).

Issues with some methods in corba (CVE-2012-0506).

The updated packages provide IcedTea6-1.10.6 which is not vulnerable
to these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0506
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:021

https://bugs.mageia.org/show_bug.cgi?id=4563
-------------

SRPM: java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Severity: critical => normal

Manuel Hiebel 2012-04-11 01:18:01 CEST

Severity: normal => critical

Comment 11 Thomas Backlund 2012-04-11 20:38:04 CEST 
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED