RedHat has issued an advisory today (July 20):
Corresponding Oracle CPU:
Fedora has updated it in git today finally, and I have synced it.
Question for Nicolas Salguero:
Is there anything more we need to do before we push it? Does the f8725698a870.tar.bz2 you added before need to be updated?
(In reply to David Walser from comment #1)
> Question for Nicolas Salguero:
> Is there anything more we need to do before we push it? Does the
> f8725698a870.tar.bz2 you added before need to be updated?
I added a new version of my script mga-add-missing-files.sh (because the previous version got the missing files from http://hg.openjdk.java.net/jdk8u/... whereas it should get those files from http://hg.openjdk.java.net/aarch64-port/...) and I launched that script to update Source1 (in this case, f8725698a870.tar.bz2 is replaced by 5e27ac7f7cbc.tar.bz2, using the command: "./mga-add-missing-files.sh aarch64-jdk8u101-b14").
We should update Source1 (by launching the script) each time we update java-1.8.0-openjdk to be sure the missing files in Source1 come from the same commit as the files in the "aarch64-port-jdk8u-aarch64-..." tarball.
Thomas, Nicolas has pushed the build for Mageia 5 to the build system already. Please push chkconfig and java-1.8.0-openjdk in Cauldron ASAP. Thanks.
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java
Updated java-1.8.0-openjdk packages fix security vulnerabilities:
Multiple flaws were discovered in the Hotspot and Libraries components in
OpenJDK. An untrusted Java application or applet could use these flaws to
completely bypass Java sandbox restrictions (CVE-2016-3606, CVE-2016-3587,
Multiple denial of service flaws were found in the JAXP component in OpenJDK.
A specially crafted XML file could cause a Java application using JAXP to
consume an excessive amount of CPU and memory when parsed (CVE-2016-3500,
Multiple flaws were found in the CORBA and Hotspot components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass certain
Java sandbox restrictions (CVE-2016-3458, CVE-2016-3550).
Updated packages in core/updates_testing:
I tested the update on a Mageia 5 x86-64 VirtualBox VM and, while it seems fine, I ran into some problems with the test procedure:
1. The applets in the first link are too 'whack-a-mole'-y and don't work.
2. The fourth link (with the stick runner game) does not work.
I used https://docs.oracle.com/javase/tutorial/deployment/applet/examplesIndex.html instead. Marking as mga5-64-ok.
An update for this issue has been pushed to the Mageia Updates repository.