Bug 18235 - java-1.8.0-openjdk new security issues
Summary: java-1.8.0-openjdk new security issues
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/684597/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Reported: 2016-04-21 20:43 CEST by David Walser
Modified: 2016-04-25 09:58 CEST (History)
3 users (show)

See Also:
Source RPM: java-1.8.0-openjdk-
Status comment:

Shell script to download the missing files (495 bytes, application/x-shellscript)
2016-04-22 12:48 CEST, Nicolas Salguero

Description David Walser 2016-04-21 20:43:58 CEST
RedHat has issued an advisory on April 20:

Corresponding Oracle CPU:

Updates building now, hopefully successfully.


Updated java-1.8.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the Serialization and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws to
completely bypass Java sandbox restrictions (CVE-2016-0686, CVE-2016-0687).

It was discovered that the RMI server implementation in the JMX component in
OpenJDK did not restrict which classes can be deserialized when deserializing
authentication credentials. A remote, unauthenticated attacker able to connect
to a JMX port could possibly use this flaw to trigger deserialization flaws

It was discovered that the JAXP component in OpenJDK failed to properly handle
Unicode surrogate pairs used as part of the XML attribute values. Specially
crafted XML input could cause a Java application to use an excessive amount of
memory when parsed (CVE-2016-3425).

It was discovered that the GCM (Galois/Counter Mode) implementation in the JCE
component in OpenJDK used a non-constant time comparison when comparing GCM
authentication tags. A remote attacker could possibly use this flaw to
determine the value of the authentication tag (CVE-2016-3426).

It was discovered that the Security component in OpenJDK failed to check the
digest algorithm strength when generating DSA signatures. The use of a digest
weaker than the key strength could lead to the generation of signatures that
were weaker than expected (CVE-2016-0695).


Updated packages in core/updates_testing:

from java-1.8.0-openjdk-
Comment 1 David Walser 2016-04-21 20:44:18 CEST
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-04-21 20:51:19 CEST
Same problem as last time.

Nicolas, can you help with this again?  Maybe rather than regenerating the whole tarball, just make an additional source that includes the missing files.

CC: (none) => nicolas.salguero
Whiteboard: has_procedure => has_procedure feedback

Comment 3 Nicolas Salguero 2016-04-22 12:48:18 CEST
Created attachment 7691 [details]
Shell script to download the missing files


The additional source would also need to be updated because the missing files may have been updated since the previous version.

I made a little shell script (which requires mercurial and wget packages to work) to get the missing files from the corresponding version.

I think that, if we use that script, we should add this command in %prep section, after the line "%setup ...":
"tar xjf %{SOURCEx} -C openjdk/jdk --strip-components=1 --overwrite".

Best regards,

Comment 4 David Walser 2016-04-22 14:17:02 CEST
I think it could be constructed in such a way that it could be added as an additional source argument to %setup so that it wouldn't need another command.
Comment 5 Nicolas Salguero 2016-04-22 16:49:39 CEST
I was not able to find the right syntax for %setup macro so I used the "tar ..." command given in comment 3, sorry.

I also added "%patch400" in Cauldron version otherwise build failed on "make zip-docs" (I put the line at the same place as in fedora SPEC file).

Now, the build is successful.
Comment 6 David Walser 2016-04-22 18:23:14 CEST
OK, thanks again for the help Nicolas!

Whiteboard: has_procedure feedback => has_procedure

Comment 7 Brian Rockwell 2016-04-22 19:51:08 CEST
[brian@localhost ~]$ uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:05:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


The following 3 packages are going to be installed:

- java-1.8.0-openjdk-
- java-1.8.0-openjdk-devel-
- java-1.8.0-openjdk-headless-

18KB of additional disk space will be used.

36MB of packages will be retrieved.


Before installation

[brian@localhost ~]$ java -version
openjdk version "1.8.0_77"
OpenJDK Runtime Environment (build 1.8.0_77-b03)
OpenJDK 64-Bit Server VM (build 25.77-b03, mixed mode)

After installation

[brian@localhost ~]$ java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

Ran Eclipse

Go into Help | Installation Details | Configuration


Seems to be working properly to me.

CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 8 Brian Rockwell 2016-04-23 00:35:21 CEST
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:37:30 UTC 2016 i686 i686 i686 GNU/Linux

The following 6 packages are going to be installed:

- java-1.8.0-openjdk-
- java-1.8.0-openjdk-demo-
- java-1.8.0-openjdk-devel-
- java-1.8.0-openjdk-headless-
- java-1.8.0-openjdk-javadoc-
- java-1.8.0-openjdk-src-

93MB of additional disk space will be used.

96MB of packages will be retrieved.

openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK Server VM (build 25.91-b14, mixed mode)

followed links Bill provided:


Verified Java Version
Completion checkmark

You have the recommended Java installed (Version 8 Update 91).



Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Brian Rockwell 2016-04-23 00:36:10 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2016-04-23 14:41:03 CEST
Nice testing Brian. Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 10 Mageia Robot 2016-04-25 09:58:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.