RedHat has issued an advisory on October 21:
https://rhn.redhat.com/errata/RHSA-2015-1919.html

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA

LWN reference for the rest of the CVEs:
http://lwn.net/Vulnerabilities/661762/

The Fedora 22 commit (which we synced with) says "One patch still missing," but RedHat already issued their update, so it *should* be OK, but we should keep an eye out for any further changes:
http://pkgs.fedoraproject.org/cgit/java-1.8.0-openjdk.git/log/?h=f22

The CVEs mention ICU and LCMS2, but I don't believe there's anything that affects our system icu and lcms2 libraries. The lcms2 issue sounds like it was with how openjdk built its bundled copy, not in the code itself. Incidentally, this update switches the package from building against the system lcms2 to the bundled one. I'm not sure why (maybe it was necessary to mitigate the security issue).

The updates are checked into SVN. The advisory will be as follows.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844).

Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911).

A flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted (CVE-2015-4868).

It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy (CVE-2015-4872).

Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2015-4806, CVE-2015-4840, CVE-2015-4882, CVE-2015-4842, CVE-2015-4734, CVE-2015-4903).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
https://rhn.redhat.com/errata/RHSA-2015-1919.html
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-headless-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-devel-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-demo-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-src-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.65-1.b17.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.65-1.b17.1.mga5

from java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java
Whiteboard: (none) => has_procedure
Updated packages uploaded for Mageia 5 and Cauldron. Advisory in Comment 0. Test link in Comment 1.
Assignee: bugsquad => qa-bugs
Cisco ASDM runs fine, and a handful of Java applets I tried worked fine. However, the Oracle Java plugin test:
https://www.java.com/en/download/installed.jsp
fails with this error:

IcedTea-Web Plugin version: 1.6.1 (mageia-1.mga5-i386)
Fri Oct 23 11:58:30 EDT 2015
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize applet. For more information click "more information button".
        at net.sourceforge.jnlp.Launcher.createApplet(Launcher.java:764)
        at net.sourceforge.jnlp.Launcher.getApplet(Launcher.java:686)
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:933)
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: The signed JNLP file did not match the launching JNLP file. Missing Resource: Signed Application did not match launching JNLP File
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.verifySignedJNLP(JNLPClassLoader.java:1035)
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.checkForMain(JNLPClassLoader.java:893)
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:679)
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.<init>(JNLPClassLoader.java:285)
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:357)
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:429)
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:403)
        at net.sourceforge.jnlp.Launcher.createApplet(Launcher.java:729)
        ... 2 more

I synced a few new patches in icedtea-web from Fedora and built an update to that (icedtea-web-1.6.1-1.1.mga5) but I still get the same error on the Oracle test. I'm not sure what to make of this.
In VirtualBox, M5, KDE, 32-bit

Set Firefox -> Tools -> Add-ons -> IceTea-Web Plugin -> Always Active

Package(s) under test:
java-1.8.0 java-1.8.0-openjdk-headless icedtea-web

default install of timezone-java java-1.8.0 java-1.8.0-openjdk-headless & icedtea-web

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.60-1.b27.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.60-1.b27.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.mga5.i586 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_60
http://www.lalena.com/games/Swarm.aspx runs

install timezone-java java-1.8 java-1.8.0-openjdk-headless & icedtea-web from updates_testing

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.65-1.b17.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.1.mga5.i586 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_65
http://www.lalena.com/Games/Quick21.aspx runs
CC: (none) => wilcal.int
Whiteboard: has_procedure => has_procedure MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit

Set Firefox -> Tools -> Add-ons -> IceTea-Web Plugin -> Always Active

Package(s) under test:
java-1.8.0 java-1.8.0-openjdk-headless icedtea-web

default install of timezone-java java-1.8.0 java-1.8.0-openjdk-headless & icedtea-web

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.60-1.b27.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.60-1.b27.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.mga5.x86_64 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_60
http://www.lalena.com/games/Swarm.aspx runs

install timezone-java java-1.8 java-1.8.0-openjdk-headless & icedtea-web from updates_testing

[root@localhost wilcal]# urpmi timezone
Package timezone-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi timezone-java
Package timezone-java-2015f-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk
Package java-1.8.0-openjdk-1.8.0.65-1.b17.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi java-1.8.0-openjdk-headless
Package java-1.8.0-openjdk-headless-1.8.0.65-1.b17.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi icedtea-web
Package icedtea-web-1.6.1-1.1.mga5.x86_64 is already installed

http://www.w3.org/People/mimasa/test/object/java/ tests run
http://javatester.org/version.html indicates Java version 1.8.0_65
http://www.lalena.com/Games/Quick21.aspx runs
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
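The two test runs above amount to the same check: read the installed build out of the `urpmi` "already installed" line and confirm it is at least the build named in the advisory (1.8.0.65-1.b17.1.mga5), which the pre-update build 1.8.0.60-1.b27.1.mga5 is not. The script below automates that comparison. It is an added example, not part of this bug report or of any Mageia tooling; it parses the page's own `urpmi` output lines (embedded as constructed sample input), and the segment-wise version comparison is a simplified rpmvercmp (no tilde/caret handling). It also assumes the package epoch is equal on both sides, since the `urpmi` line does not show it.

```python
import re
from typing import Dict, Tuple

# Fixed builds from the advisory in comment 0: name -> (version, release).
FIXED: Dict[str, Tuple[str, str]] = {
    "java-1.8.0-openjdk": ("1.8.0.65", "1.b17.1.mga5"),
    "java-1.8.0-openjdk-headless": ("1.8.0.65", "1.b17.1.mga5"),
}

# Constructed sample input: urpmi lines copied from the test logs in this thread,
# one package from the pre-update run and one from the updates_testing run.
SAMPLE_OUTPUT = """\
Package timezone-java-2015f-1.mga5.i586 is already installed
Package java-1.8.0-openjdk-1.8.0.60-1.b27.1.mga5.i586 is already installed
Package java-1.8.0-openjdk-headless-1.8.0.65-1.b17.1.mga5.i586 is already installed
"""

_PKG_RE = re.compile(r"^Package (\S+) is already installed$")
_SEG_RE = re.compile(r"[0-9]+|[A-Za-z]+")


def split_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split NAME-VERSION-RELEASE.ARCH into its parts.

    The name itself may contain '-' and digits (java-1.8.0-openjdk), so the
    arch, release and version are peeled off the right-hand end first."""
    nvr, arch = nvra.rsplit(".", 1)
    nv, release = nvr.rsplit("-", 1)
    name, version = nv.rsplit("-", 1)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.

    Both strings are cut into alternating numeric and alphabetic segments
    (separators are ignored). Numeric segments compare as integers, alphabetic
    ones lexically, a numeric segment beats an alphabetic one, and when one
    string runs out of segments the longer string is the newer one."""
    sa, sb = _SEG_RE.findall(a), _SEG_RE.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_vr(v1: str, r1: str, v2: str, r2: str) -> int:
    """Compare (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def check_installed(output: str) -> Dict[str, bool]:
    """Map each package named in FIXED to True if the installed build is at
    least the fixed build, False if it is older. Other packages are ignored."""
    result: Dict[str, bool] = {}
    for line in output.splitlines():
        m = _PKG_RE.match(line.strip())
        if not m:
            continue
        name, version, release, _arch = split_nvra(m.group(1))
        if name not in FIXED:
            continue
        fixed_v, fixed_r = FIXED[name]
        result[name] = compare_vr(version, release, fixed_v, fixed_r) >= 0
    return result


if __name__ == "__main__":
    for pkg, ok in check_installed(SAMPLE_OUTPUT).items():
        print(f"{pkg}: {'patched' if ok else 'older than the fixed build'}")
```

Note that the release string alone would mislead here: 1.b27.1 sorts after 1.b17.1, which is why the comparison looks at the version first and only falls through to the release on a tie.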
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
William, did you ever check: https://www.java.com/en/download/installed.jsp
advisory uploaded
CC: (none) => tmb
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0412.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #7)
> William, did you ever check:
> https://www.java.com/en/download/installed.jsp

For some reason I'm getting an error when using that page:

"We are unable to verify if Java is currently installed and enabled in your browser. If you have installed Java and there is an error with the verification, there could be a configuration issue (eg. browser, Java control panel, security settings) or the Java plug-in is blocked by the browser."

And that even before I install the update. So even though it's Oracle I think Java is properly installed and running with the right version. That's kinda why I ignored it.
(In reply to William Kenney from comment #10)
> And that even before I install the update. So even though it's Oracle
> I think Java is properly installed and running with the right version.
> That's kinda why I ignored it.

Thanks, I didn't think to try it before the update. I guess Oracle broke their plugin test.