| Summary: | java-1.7.0-openjdk new security issue CVE-2012-4681 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | High | CC: | davidwhodgins, dmorganec, lemonzest, qa-bugs, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| Whiteboard: | MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | Gondvv.java | ||
|
Description
David Walser
2012-08-31 22:06:30 CEST
David Walser
2012-08-31 22:06:47 CEST
Priority:
Normal =>
High Luckily nothing in Mageia 2 requires java-1.7.0-openjdk, greatly reducing our exposure to this vulnerability. I guess the only way to get exploited would be to run malicious code manually. Yes I just brought this up in the irc channel, but I believe that oracle also released a patched 1.6.35 to fix a similar problem (that would be exploited on 2 as its icedtea web is linked to openjdk-java-1.6) CC:
(none) =>
lemonzest Thanks for letting us know Simon. They have also updated IcedTea7 again, now to 2.3.2. http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/ CC:
(none) =>
qa-bugs D Morgan has updated the IcedTea to 2.3.2. Advisory: ======================== Updated java-1.7.0-openjdk packages fix security vulnerability: A flaw in the Java security manager, which is used for sandboxing Java applets and enforcing other security restrictions, allows for arbitrary code execution (CVE-2012-4681). This updates IcedTea to version 2.3.2 which fixes this issue, an XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue with AWT internals references (CVE-2012-0547), as well as several other bugs. References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681 http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/ http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/ ======================== Updated packages in core/updates_testing: ======================== java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-devel-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-demo-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-src-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.2.1.1.mga2 from java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2 Assignee:
dmorganec =>
qa-bugs Oops, forgot the other two CVE URLs in the references. Advisory: ======================== Updated java-1.7.0-openjdk packages fix security vulnerability: A flaw in the Java security manager, which is used for sandboxing Java applets and enforcing other security restrictions, allows for arbitrary code execution (CVE-2012-4681). This updates IcedTea to version 2.3.2 which fixes this issue, an XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue with AWT internals references (CVE-2012-0547), as well as several other bugs. References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681 http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/ http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/ ======================== Updated packages in core/updates_testing: ======================== java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-devel-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-demo-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-src-1.7.0.6-2.3.2.1.1.mga2 java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.2.1.1.mga2 from java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2 Created attachment 2770 [details] Gondvv.java Modified copy of the POC from Comment 2. $ javac Gondvv.java $ java Gondvv Results in /usr/bin/kcalc running. Testing complete on Mageia 2 i586 and x86-64. After installing the update, $ java Gondvv java.lang.NoSuchMethodException: <unbound>=Class.getField(Class, "acc"); Could someone from the sysadmin team push the srpm java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated java-1.7.0-openjdk packages fix security vulnerability: A flaw in the Java security manager, which is used for sandboxing Java applets and enforcing other security restrictions, allows for arbitrary code execution (CVE-2012-4681). This updates IcedTea to version 2.3.2 which fixes this issue, an XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue with AWT internals references (CVE-2012-0547), as well as several other bugs. References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681 http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/ http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/ https://bugs.mageia.org/show_bug.cgi?id=7278 Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0260 Status:
NEW =>
RESOLVED |