RedHat has issued an advisory on April 20:
https://rhn.redhat.com/errata/RHSA-2016-0650.html

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Updates building now, hopefully successfully.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions (CVE-2016-0686, CVE-2016-0687).

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws (CVE-2016-3427).

It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed (CVE-2016-3425).

It was discovered that the GCM (Galois/Counter Mode) implementation in the JCE component in OpenJDK used a non-constant time comparison when comparing GCM authentication tags. A remote attacker could possibly use this flaw to determine the value of the authentication tag (CVE-2016-3426).

It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected (CVE-2016-0695).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
https://rhn.redhat.com/errata/RHSA-2016-0650.html
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-headless-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-devel-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-demo-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-src-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.91-1.b14.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.91-1.b14.1.mga5

from java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.src.rpm
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java
Whiteboard: (none) => has_procedure
Same problem as last time. Nicolas, can you help with this again? Maybe rather than regenerating the whole tarball, just make an additional source that includes the missing files.
CC: (none) => nicolas.salguero
Whiteboard: has_procedure => has_procedure feedback
Created attachment 7691
Shell script to download the missing files

Hi,

The additional source would also need to be updated because the missing files may have been updated since the previous version.

I made a little shell script (which requires mercurial and wget packages to work) to get the missing files from the corresponding version.

I think that, if we use that script, we should add this command in %prep section, after the line "%setup ...": "tar xjf %{SOURCEx} -C openjdk/jdk --strip-components=1 --overwrite".

Best regards,

Nico.
I think it could be constructed in such a way that it could be added as an additional source argument to %setup so that it wouldn't need another command.
I was not able to find the right syntax for %setup macro so I used the "tar ..." command given in comment 3, sorry. I also added "%patch400" in Cauldron version otherwise build failed on "make zip-docs" (I put the line at the same place as in fedora SPEC file). Now, the build is successful.
OK, thanks again for the help Nicolas!
Whiteboard: has_procedure feedback => has_procedure
[brian@localhost ~]$ uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:05:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

----installation----
The following 3 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64
- java-1.8.0-openjdk-devel-1.8.0.91-1.b14.1.mga5.x86_64
- java-1.8.0-openjdk-headless-1.8.0.91-1.b14.1.mga5.x86_64

18KB of additional disk space will be used.
36MB of packages will be retrieved.
-------------------

Before installation

[brian@localhost ~]$ java -version
openjdk version "1.8.0_77"
OpenJDK Runtime Environment (build 1.8.0_77-b03)
OpenJDK 64-Bit Server VM (build 25.77-b03, mixed mode)

After installation

[brian@localhost ~]$ java -version
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

Ran Eclipse

Go into Help | Installation Details | Configuration

sun.arch.data.model=64
sun.boot.class.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/resources.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/rt.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/jsse.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/jce.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/charsets.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/jfr.jar:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/classes
sun.boot.library.path=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.x86_64/jre/lib/amd64
sun.cpu.endian=little

Seems to be working properly to me.
CC: (none) => brtians1
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:37:30 UTC 2016 i686 i686 i686 GNU/Linux

The following 6 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-demo-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-devel-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-headless-1.8.0.91-1.b14.1.mga5.i586
- java-1.8.0-openjdk-javadoc-1.8.0.91-1.b14.1.mga5.noarch
- java-1.8.0-openjdk-src-1.8.0.91-1.b14.1.mga5.i586

93MB of additional disk space will be used.
96MB of packages will be retrieved.

openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)
OpenJDK Server VM (build 25.91-b14, mixed mode)

followed links Bill provided:

http://www.java.com/en/download/installed.jsp
Verified Java Version
Completion checkmark
Congratulations!
You have the recommended Java installed (Version 8 Update 91).

http://javatester.org/version.html
Successful!
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
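
The before/after `java -version` comparison the testers did by hand, as an added shell example (not part of the original thread or of Mageia's tooling). It classifies a banner against the 1.8.0_91 build this update ships; the function names and the `updated`/`outdated`/`unknown` labels are assumptions of the example.

```shell
#!/bin/sh
# Added example: check a `java -version` banner against the update level
# shipped by this update (1.8.0_91). "updated" only means the build is at or
# above that level; it says nothing about later advisories.

FIXED_UPDATE=91   # update level of the java-1.8.0-openjdk package on this page

# Print the quoted version string from `java -version` text read on stdin.
jdk_version_string() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Classify a version string: prints "updated", "outdated" or "unknown".
classify_jdk8() {
    ver=$1
    case "$ver" in
        1.8.0_*) ;;                           # only the 1.8.0 train is judged
        *) echo unknown; return 0 ;;
    esac
    update=${ver#1.8.0_}                      # "91" or "91-internal"
    update=${update%%-*}                      # drop any "-suffix"
    case "$update" in
        ''|*[!0-9]*) echo unknown; return 0 ;;  # not a plain number
    esac
    if [ "$update" -ge "$FIXED_UPDATE" ]; then
        echo updated
    else
        echo outdated
    fi
}

# Classify banner text read on stdin.
check_banner() {
    classify_jdk8 "$(jdk_version_string)"
}

# Banners as quoted in the test report on this page (before / after the update).
before='openjdk version "1.8.0_77"
OpenJDK Runtime Environment (build 1.8.0_77-b03)'
after='openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-b14)'

printf 'before: %s\n' "$(printf '%s\n' "$before" | check_banner)"
printf 'after:  %s\n' "$(printf '%s\n' "$after" | check_banner)"
```

On a live host the banner goes to stderr, so the call is `java -version 2>&1 | check_banner`.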
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Nice testing Brian. Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0149.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED