Bug 12317 - java-1.7.0-openjdk new security issues fixed in IcedTea 2.4.4
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/580562/
Whiteboard: has_procedure mga3-64-ok mga3-32-ok
Keywords: validated_update

Reported: 2014-01-15 18:06 CET by Oden Eriksson
Modified: 2014-01-21 17:46 CET

Source RPM: java-1.7.0-openjdk
CVE: CVE-2013-5878, CVE-2013-5884, CVE-2013-5893, CVE-2013-5896, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428

Description Oden Eriksson 2014-01-15 18:06:09 CET
https://rhn.redhat.com/errata/RHSA-2014-0026.html

CVE-2013-5878, CVE-2013-5884, CVE-2013-5893, CVE-2013-5896, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0411, CVE-2014-0416, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428

Comment 1 Oden Eriksson 2014-01-15 18:20:01 CET
java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga4 was submitted, but unfortunately to core/updates_testing.

java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3 has been submitted.
Comment 2 Oden Eriksson 2014-01-16 13:57:39 CET
Please submit java-1.7.0-openjdk-1.7.0.60-2.4.4.2.mga4 for cauldron.
Comment 3 David Walser 2014-01-18 22:05:15 CET
Thanks Oden!

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

An input validation flaw was discovered in the font layout engine in the 2D
component. A specially crafted font file could trigger Java Virtual Machine
memory corruption when processed. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions
(CVE-2013-5907).

Multiple improper permission check issues were discovered in the CORBA,
JNDI, and Libraries components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions
(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893).

Multiple improper permission check issues were discovered in the
Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions (CVE-2014-0373, CVE-2013-5878,
CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,
CVE-2014-0368).

It was discovered that the Beans component did not restrict processing of
XML external entities. This flaw could cause a Java application using Beans
to leak sensitive information, or affect application availability
(CVE-2014-0423).

It was discovered that the JSSE component could leak timing information
during the TLS/SSL handshake. This could possibly lead to disclosure of
information about the used encryption keys (CVE-2014-0411).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025800.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
https://rhn.redhat.com/errata/RHSA-2014-0026.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-headless-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-devel-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-demo-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-src-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-javadoc-1.7.0.60-2.4.4.1.mga3
java-1.7.0-openjdk-accessibility-1.7.0.60-2.4.4.1.mga3

from java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3.src.rpm
Comment 4 Bill Wilkinson 2014-01-19 03:19:24 CET
Tested MGA3-64.

java -version returns
java version "1.7.0_45"
OpenJDK Runtime Environment (mageia-2.4.4.1.mga3-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

Javatester.org returns 1.7.0_45

HelloWorldApp and OddEven work as expected.
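The check that comment 4 performs by hand, written as a script (added example; it is not part of the bug report, the QA procedure or the Mageia package). It parses the `java -version` banner and `rpm -q` output and decides whether an IcedTea 2.4.4 build is installed. The build-tag format is assumed from the banner pasted in comment 4; the older banner and the unrelated package line are constructed. The detail worth knowing: the first banner line still says `1.7.0_45` on the fixed build, so a check keyed on the upstream update level would flag this host as vulnerable; the IcedTea tag in the second line (or the RPM release field) is the reliable indicator.

```python
"""Verify that a Mageia 3 host carries the java-1.7.0-openjdk build from this bug.

Added example for bug 12317; not part of the Mageia package or the QA text.
It parses the two things QA looked at in comment 4: the `java -version`
banner and the installed RPM name(s).  The fixed IcedTea release (2.4.4) is
taken from the bug title.  Sample strings are constructed: the fixed banner
is the one pasted in comment 4, the older one is hypothetical.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# IcedTea release that contains the fixes for the CVEs listed in this bug.
FIXED_ICEDTEA: Version = (2, 4, 4)

# Mageia's build tag in the second banner line, e.g.
#   OpenJDK Runtime Environment (mageia-2.4.4.1.mga3-x86_64 u45-b15)
# The digits between "mageia-" and ".mga3" are the IcedTea version plus a
# packaging increment (2.4.4 + .1).  The first line, java version "1.7.0_45",
# is the upstream update level and is NOT a fix indicator: the fixed build in
# comment 4 still reports 1.7.0_45.
RUNTIME_LINE = re.compile(r"OpenJDK Runtime Environment \(\w+-(\d+(?:\.\d+)*)\.mga\d+-")

# Release field of the RPM, e.g. "2.4.4.1.mga3" -> 2.4.4.1
RPM_RELEASE = re.compile(r"^(\d+(?:\.\d+)*)\.mga\d+$")


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.split("."))


def icedtea_from_java_version(banner: str) -> Optional[Version]:
    """IcedTea version embedded in `java -version` output, or None if absent."""
    m = RUNTIME_LINE.search(banner)
    return parse_version(m.group(1)) if m else None


def icedtea_from_rpm_nvr(nvr: str) -> Optional[Version]:
    """IcedTea version from an installed package name such as
    java-1.7.0-openjdk-headless-1.7.0.60-2.4.4.1.mga3 (output of `rpm -q`)."""
    parts = nvr.rsplit("-", 2)          # name-version-release: split from the right
    if len(parts) != 3:
        return None
    name, _version, release = parts
    if not name.startswith("java-1.7.0-openjdk"):
        return None                     # some other package; not our concern
    m = RPM_RELEASE.match(release)
    return parse_version(m.group(1)) if m else None


def is_fixed(icedtea: Optional[Version]) -> bool:
    """True when the IcedTea version is 2.4.4 or later.  Tuple comparison
    handles the packaging suffix: (2, 4, 4, 1) >= (2, 4, 4)."""
    return icedtea is not None and icedtea >= FIXED_ICEDTEA


def audit(banner: str, rpm_lines: List[str]) -> Dict[str, bool]:
    """Per-artifact verdict: the runtime banner plus every openjdk package."""
    verdict = {"java -version": is_fixed(icedtea_from_java_version(banner))}
    for nvr in rpm_lines:
        ver = icedtea_from_rpm_nvr(nvr)
        if ver is not None:
            verdict[nvr] = is_fixed(ver)
    return verdict


def live_java_banner() -> str:
    """`java -version` prints its banner to stderr, not stdout."""
    proc = subprocess.run(["java", "-version"], stderr=subprocess.PIPE,
                          stdout=subprocess.PIPE, text=True, check=False)
    return proc.stderr


# Constructed samples.  FIXED is the banner QA pasted in comment 4; OLD is a
# hypothetical pre-update build with a lower IcedTea tag.
SAMPLE_BANNER_FIXED = """java version "1.7.0_45"
OpenJDK Runtime Environment (mageia-2.4.4.1.mga3-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
"""
SAMPLE_BANNER_OLD = """java version "1.7.0_45"
OpenJDK Runtime Environment (mageia-2.4.3.1.mga3-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
"""
SAMPLE_RPMS = [
    "java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3",
    "java-1.7.0-openjdk-headless-1.7.0.60-2.4.4.1.mga3",
    "firefox-24.2.0-1.mga3",   # unrelated package, must be ignored
]

if __name__ == "__main__":
    for artifact, ok in audit(SAMPLE_BANNER_FIXED, SAMPLE_RPMS).items():
        print(f"{'FIXED' if ok else 'VULNERABLE'}  {artifact}")
```

On a real host, feed `live_java_banner()` and the lines of `rpm -q java-1.7.0-openjdk java-1.7.0-openjdk-headless` into `audit()`; both subpackages are listed in the advisory and both should report the 2.4.4.1.mga3 release.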
Comment 5 Bill Wilkinson 2014-01-19 03:42:31 CET
Tested mga3-32 as in comment 4.

All tests as above.

Advisory needed in SVN to validate.
Comment 6 claire robinson 2014-01-20 09:04:52 CET
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates.

Thanks
Comment 7 Thomas Backlund 2014-01-21 17:46:26 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0023.html