| Summary: | java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.7 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | Normal | CC: | dmorganec, sysadmin-bugs, tmb, wrw105 |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/539202/ | ||
| Whiteboard: | has_procedure MGA2-64-OK mga2-32-ok | ||
| Source RPM: | java-1.7.0-openjdk | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-02-21 00:56:21 CET
David Walser
2013-02-21 00:56:34 CET
CC:
(none) =>
dmorganec Here is the upstream announcement: http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/ http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/022040.html Updated packages uploaded for Mageia 2 and Cauldron. Advisory: ======================== Updated java-1.7.0-openjdk packages fix security vulnerabilities: Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2013-1486, CVE-2013-1484). An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2013-1485). It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle (CVE-2013-0169). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1484 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1485 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486 http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/ https://rhn.redhat.com/errata/RHSA-2013-0275.html ======================== Updated packages in core/updates_testing: ======================== java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2 java-1.7.0-openjdk-demo-1.7.0.6-2.3.7.1.mga2 java-1.7.0-openjdk-devel-1.7.0.6-2.3.7.1.mga2 java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.7.1.mga2 java-1.7.0-openjdk-src-1.7.0.6-2.3.7.1.mga2 java-1.7.0-openjdk-debug-1.7.0.6-2.3.7.1.mga2 from java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2.src.rpm Version:
Cauldron =>
2 testing mga2-64 No PoC on securityfocus. CC:
(none) =>
wrw105 $ java -version java version "1.7.0_06-icedtea" OpenJDK Runtime Environment (mageia-2.3.7.1.mga2-x86_64) OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode) tested HelloWorld from http://docs.oracle.com/javase/tutorial/getStarted/cupojava/unix.html Tested OddEven from https://en.wikipedia.org/wiki/Java_%28programming_language%29#A_more_comprehensive_example Both provided appropriate answers. MGA2-64-OK Whiteboard:
(none) =>
MGA2-64-OK Testing complete mga2 32 Validating, could sysadmin please push from core/updates_testing to core/updates Thanks! Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 Status:
NEW =>
RESOLVED |