RedHat has issued an advisory on January 20: https://rhn.redhat.com/errata/RHSA-2016-0049.html Corresponding Oracle CPU: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA LWN reference for the rest of the CVEs: http://lwn.net/Vulnerabilities/672814/ This update required importing a new package "copy-jdk-configs" and updating chkconfig to version 1.7 (Cauldron) or adding a patch to it (Mageia 5) which adds a --family option to the alternatives command. Those two packages are included with this update. I noticed that one of the CVEs (CVE-2015-4844) from the last update which mentioned ICU does in fact impact upstream, but upstream hasn't fixed it yet, nor has any distro patched it. CVE-2016-0494 in this update is a fix to a regression caused by the fix for CVE-2015-4844 in the last update. I'll file a new bug for icu. The java-1.8.0-openjdk update is not built yet, but I hope to get it done tonight. Here is the advisory. Advisory: ======================== Updated java-1.8.0-openjdk packages fix security vulnerabilities: An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2016-0483). An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions (CVE-2016-0494). It was discovered that the password-based encryption (PBE) implementation in the Libraries component in OpenJDK used an incorrect key length. This could, in certain cases, lead to generation of keys that were weaker than expected (CVE-2016-0475). It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory (CVE-2016-0466). A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client (CVE-2015-7575). Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2016-0402, CVE-2016-0448). This update also required the addition of a new package, copy-jdk-configs, and a patch to the chkconfig package which adds the --family option to the alternatives command. Both of these are used by scriplets in the update java-1.8.0-openjdk packages. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494 http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA https://rhn.redhat.com/errata/RHSA-2016-0049.html ======================== Updated packages in core/updates_testing: ======================== copy-jdk-configs-1.1-1.mga5 chkconfig-1.3.63-2.mga5 ntsysv-1.3.63-2.mga5 java-1.8.0-openjdk-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-headless-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-devel-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-demo-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-src-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-javadoc-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-accessibility-1.8.0.71-1.b15.1.mga5 from SRPMS: copy-jdk-configs-1.1-1.mga5.src.rpm chkconfig-1.3.63-2.mga5.src.rpm java-1.8.0-openjdk-1.8.0.71-1.b15.1.mga5.src.rpm Reproducible: Steps to Reproduce:
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java
Whiteboard: (none) => has_procedure
OK, so this doesn't build (linking error related to jpeg library): http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20160122004627.luigiwalser.valstar.17474/log/java-1.8.0-openjdk-1.8.0.71-1.b15.1.mga6/build.0.20160122004838.log copy-jdk-configs has two unsatisfied Requires. One is lua-posix which is yet another package that needs to be imported. The other is "/usr/bin/lua" and I don't see where that's coming from, because it's not in the spec. The spec says Requires: lua, which should satisfy that.
I think a BR on lua will fix the Requires on /usr/bin/lua. lua-posix BR's lua-lunit, which we also don't have...
Christiaan fixed the system-libjpeg patch, now there are some more linking errors: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20160125153611.luigiwalser.valstar.15069/log/java-1.8.0-openjdk-1.8.0.71-1.b15.1.mga6/build.0.20160125153621.log
LWN reference for the Fedora update: http://lwn.net/Vulnerabilities/673464/
Advisory: ======================== Updated java-1.8.0-openjdk packages fix security vulnerabilities: An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2016-0483). An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions (CVE-2016-0494). It was discovered that the password-based encryption (PBE) implementation in the Libraries component in OpenJDK used an incorrect key length. This could, in certain cases, lead to generation of keys that were weaker than expected (CVE-2016-0475). It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory (CVE-2016-0466). A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client (CVE-2015-7575). Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2016-0402, CVE-2016-0448). This update also required the addition of new package, copy-jdk-configs, lua-lunit, and lua-posix, and a patch to the chkconfig package which adds the --family option to the alternatives command. These are used by scriplets in the updated java-1.8.0-openjdk packages. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494 http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA https://rhn.redhat.com/errata/RHSA-2016-0049.html ======================== Updated packages in core/updates_testing: ======================== lua-lunit-0.5-1.mga5 lua-posix-33.3.1-1.mga5 copy-jdk-configs-1.1-1.1.mga5 chkconfig-1.3.63-2.mga5 ntsysv-1.3.63-2.mga5 java-1.8.0-openjdk-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-headless-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-devel-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-demo-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-src-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-javadoc-1.8.0.71-1.b15.1.mga5 java-1.8.0-openjdk-accessibility-1.8.0.71-1.b15.1.mga5 from SRPMS: lua-lunit-0.5-1.mga5.src.rpm lua-posix-33.3.1-1.mga5.src.rpm copy-jdk-configs-1.1-1.1.mga5.src.rpm chkconfig-1.3.63-2.mga5.src.rpm java-1.8.0-openjdk-1.8.0.71-1.b15.1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
On hold again, because our chkconfig package isn't providing the alternatives and update-alternatives commands as expected by this Java update.
Whiteboard: has_procedure => has_procedure feedback
Dependence on chkconfig and it's alternatives system has been removed. Fedora has updated Java again (1.8.0.72) and I have followed suit. This should be the final advisory once I'm able to get the updated Java built. Advisory: ======================== Updated java-1.8.0-openjdk packages fix security vulnerabilities: An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2016-0483). An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions (CVE-2016-0494). It was discovered that the password-based encryption (PBE) implementation in the Libraries component in OpenJDK used an incorrect key length. This could, in certain cases, lead to generation of keys that were weaker than expected (CVE-2016-0475). It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory (CVE-2016-0466). A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client (CVE-2015-7575). Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2016-0402, CVE-2016-0448). This update also required the addition of new packages, copy-jdk-configs, lua-lunit, and lua-posix, which are used by scriplets in the updated java-1.8.0-openjdk packages. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494 http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA https://rhn.redhat.com/errata/RHSA-2016-0049.html ======================== Updated packages in core/updates_testing: ======================== lua-lunit-0.5-1.mga5 lua-posix-33.3.1-1.mga5 copy-jdk-configs-1.1-1.1.mga5 java-1.8.0-openjdk-1.8.0.72-1.b15.1.mga5 java-1.8.0-openjdk-headless-1.8.0.72-1.b15.1.mga5 java-1.8.0-openjdk-devel-1.8.0.72-1.b15.1.mga5 java-1.8.0-openjdk-demo-1.8.0.72-1.b15.1.mga5 java-1.8.0-openjdk-src-1.8.0.72-1.b15.1.mga5 java-1.8.0-openjdk-javadoc-1.8.0.72-1.b15.1.mga5 java-1.8.0-openjdk-accessibility-1.8.0.72-1.b15.1.mga5 from SRPMS: lua-lunit-0.5-1.mga5.src.rpm lua-posix-33.3.1-1.mga5.src.rpm copy-jdk-configs-1.1-1.1.mga5.src.rpm java-1.8.0-openjdk-1.8.0.72-1.b15.1.mga5.src.rpm
Updated java-1.8.0-openjdk building now...
Whiteboard: has_procedure feedback => has_procedure
mga5 x86_64 Mate Before updating ran the tests posted in the links referenced in comment #1. Had to install java-plugin and reload the browser. mimasa clock test works verify java @ http://www.java.com/en/download/installed.jsp fails "An exception has occurred" javatester reports: 1.8.0_65 from Oracle Corporation The potty-racers game needed a flashplayer update but installing the latest plugin did not help. Reloaded firefox but was still prompted to download flashplayer after the advert. Firefox configuration: IcedTea enabled Firefox about:config search java && flash plugin.state.java : user set : integer : 2 plugin.state.flash : default : integer : 2 Shockwave Flash = 11.2.202.559
CC: (none) => tarazed25
Updating packages from Core Updates Testing. Installed ntsysv from command line but was offered Core Release only ntsysv-1.3.63-1.mga5 Updated the media sources again and tried another mirror. No joy. Had a look at ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/5/x86_64/media/core/updates_testing and could not see it there.
chkconfig and ntsysv are no longer part of this update. See Comment 8 for the correct advisory and package list.
Thanks David. Hadn't noticed that.
Browser tests after update 1a) mimasa clock test OK 1b) java applet tests (Othello game) - first four worked but fifth presented blank grey field. 2) IcedTea error as above (comment #10) 3) Reports java version 1.8.0_72 4) Update flashplayer request - dead end - already installed How should all this be interpreted? Is partial success a failure?
Oracle's Java plugin test was also broken when we updated last time, so I guess they haven't fixed it. Flash is not relevant to this update.
Right. Scratch out test 4 then. OK for 64-bits.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Tested on i586. All tests worked except the same Oracle's one.
Status: NEW => ASSIGNEDCC: (none) => lists.jjorgeWhiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0048.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED