Bug 16998 - java-1.8.0-openjdk new security issues
Summary: java-1.8.0-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/661763/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK ...
Keywords: validated_update
Depends on:
Blocks:
Reported: 2015-10-22 19:56 CEST by David Walser
Modified: 2015-10-25 19:21 CET (History)

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.60-1.b27.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2015-10-22 19:56:37 CEST
RedHat has issued an advisory on October 21:
https://rhn.redhat.com/errata/RHSA-2015-1919.html

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA

LWN reference for the rest of the CVEs:
http://lwn.net/Vulnerabilities/661762/

The Fedora 22 commit (which we synced with) says "One patch still missing," but RedHat already issued their update, so it *should* be OK, but we should keep an eye out for any further changes:
http://pkgs.fedoraproject.org/cgit/java-1.8.0-openjdk.git/log/?h=f22

The CVEs mention ICU and LCMS2, but I don't believe there's anything that affects our system icu and lcms2 libraries.  The lcms2 issue sounds like it was with how openjdk built its bundled copy, not in the code itself.  Incidentally, this update switches the package from building against the system lcms2 to the bundled one.  I'm not sure why (maybe it was necessary to mitigate the security issue).

The updates are checked into SVN.  The advisory will be as follows.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization,
and 2D components in OpenJDK. An untrusted Java application or applet could
use these flaws to completely bypass Java sandbox restrictions
(CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860,
CVE-2015-4805, CVE-2015-4844).

Multiple denial of service flaws were found in the JAXP component in
OpenJDK. A specially crafted XML file could cause a Java application using
JAXP to consume an excessive amount of CPU and memory when parsed
(CVE-2015-4803, CVE-2015-4893, CVE-2015-4911).

A flaw was found in the way the Libraries component in OpenJDK handled
certificate revocation lists (CRL). In certain cases, CRL checking code
could fail to report a revoked certificate, causing the application to
accept it as trusted (CVE-2015-4868).

It was discovered that the Security component in OpenJDK failed to properly
check if a certificate satisfied all defined constraints. In certain cases,
this could cause a Java application to accept an X.509 certificate which
does not meet requirements of the defined policy (CVE-2015-4872).

Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass certain Java sandbox restrictions (CVE-2015-4806,
CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
https://rhn.redhat.com/errata/RHSA-2015-1919.html
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-headless-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-devel-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-demo-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-src-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.65-1.b17.1.mga5

from java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5.src.rpm

Comment 1 David Walser 2015-10-22 19:56:56 CEST
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-10-23 15:38:15 CEST
Updated packages uploaded for Mageia 5 and Cauldron.  Advisory in Comment 0.  Test link in Comment 1.

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2015-10-23 18:32:37 CEST
Cisco ASDM runs fine, and a handful of Java applets I tried worked fine.  However, the Oracle Java plugin test:
https://www.java.com/en/download/installed.jsp

fails with this error:
IcedTea-Web Plugin version: 1.6.1 (mageia-1.mga5-i386)
Fri Oct 23 11:58:30 EDT 2015
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize applet. For more information click "more information button".
	at net.sourceforge.jnlp.Launcher.createApplet(Launcher.java:764)
	at net.sourceforge.jnlp.Launcher.getApplet(Launcher.java:686)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:933)
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: The signed JNLP file did not match the launching JNLP file. Missing Resource: Signed Application did not match launching JNLP File
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.verifySignedJNLP(JNLPClassLoader.java:1035)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.checkForMain(JNLPClassLoader.java:893)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:679)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.<init>(JNLPClassLoader.java:285)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:357)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:429)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:403)
	at net.sourceforge.jnlp.Launcher.createApplet(Launcher.java:729)
	... 2 more


I synced a few new patches in icedtea-web from Fedora and built an update to that (icedtea-web-1.6.1-1.1.mga5) but I still get the same error on the Oracle test.  I'm not sure what to make of this.
Comment 4 William Kenney 2015-10-25 16:14:08 CET
In VirtualBox, M5, KDE, 32-bit

Set Firefox -> Tools -> Add-ons -> IcedTea-Web Plugin -> Always Active

Package(s) under test:
java-1.8.0 java-1.8.0-openjdk-headless icedtea-web

default install of timezone-java java-1.8.0 java-1.8.0-openjdk-headless & icedtea-web

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.60-1.b27.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.60-1.b27.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.mga5.i586 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_60
http://www.lalena.com/games/Swarm.aspx runs

install timezone-java java-1.8 java-1.8.0-openjdk-headless & icedtea-web from updates_testing

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.65-1.b17.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.1.mga5.i586 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_65
http://www.lalena.com/Games/Quick21.aspx runs

CC: (none) => wilcal.int
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 5 William Kenney 2015-10-25 16:29:32 CET
In VirtualBox, M5, KDE, 64-bit

Set Firefox -> Tools -> Add-ons -> IcedTea-Web Plugin -> Always Active

Package(s) under test:
java-1.8.0 java-1.8.0-openjdk-headless icedtea-web

default install of timezone-java java-1.8.0 java-1.8.0-openjdk-headless & icedtea-web

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.60-1.b27.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.60-1.b27.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.mga5.x86_64 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_60
http://www.lalena.com/games/Swarm.aspx runs

install timezone-java java-1.8 java-1.8.0-openjdk-headless & icedtea-web from updates_testing

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.65-1.b17.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.1.mga5.x86_64 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_65
http://www.lalena.com/Games/Quick21.aspx runs
William Kenney 2015-10-25 16:29:48 CET

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 6 William Kenney 2015-10-25 16:30:19 CET
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 David Walser 2015-10-25 16:47:23 CET
William, did you ever check:
https://www.java.com/en/download/installed.jsp
Comment 8 Thomas Backlund 2015-10-25 17:29:16 CET
advisory uploaded

CC: (none) => tmb
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 9 Mageia Robot 2015-10-25 17:35:45 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0412.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 William Kenney 2015-10-25 19:17:12 CET
(In reply to David Walser from comment #7)

> William, did you ever check:
> https://www.java.com/en/download/installed.jsp

For some reason I'm getting an error when using that page:

"We are unable to verify if Java is currently installed and
enabled in your browser.

If you have installed Java and there is an error with the verification,
there could be a configuration issue (eg. browser, Java control panel,
security settings) or the Java plug-in is blocked by the browser."

And that even before I install the update. So even though it's Oracle
I think Java is properly installed and running with the right version.
That's kinda why I ignored it.
Comment 11 David Walser 2015-10-25 19:21:41 CET
(In reply to William Kenney from comment #10)
> And that even before I install the update. So even though it's Oracle
> I think Java is properly installed and running with the right version.
> That's kinda why I ignored it.

Thanks, I didn't think to try it before the update.  I guess Oracle broke their plugin test.
