RedHat has issued an advisory on January 20: https://rhn.redhat.com/errata/RHSA-2017-0180.html
Corresponding Oracle CPU: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
Whiteboard: (none) => MGA5TOO
URL: (none) => https://lwn.net/Vulnerabilities/712058/
Assigning to the registered maintainer
Assignee: bugsquad => mageia
CC: (none) => marja11
We'll probably want to update copy-jdk-configs with this as well: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GZOPXPD7WPE3LDX5KRJVFVVHZ5J2MY6O/
Hi Nicolas, I checked the changes for java-1.8.0-openjdk into SVN, but I can't update the Source1 tarball. Hg doesn't have u121 tagged. Maybe we need to solve this problem differently, like modifying SOURCES/pr1983-jdk.patch?
CC: (none) => nicolas.salguero
copy-jdk-configs update checked into SVN as well for when this is ready.
(In reply to David Walser from comment #3)
> Hi Nicolas,

Hi David,

> I checked the changes for java-1.8.0-openjdk into SVN, but I can't update
> the Source1 tarball. Hg doesn't have u121 tagged. Maybe we need to solve
> this problem differently, like modifying SOURCES/pr1983-jdk.patch?

Maybe you could use the previous version of my script: http://svnweb.mageia.org/packages/cauldron/java-1.8.0-openjdk/current/SOURCES/mga-add-missing-files.sh?view=markup&pathrev=1043832 (with "aarch64-jdk8u121-b13" as argument since it is the latest tag possible in the branch jdk8u).
Thanks Nicolas! That's worth a shot.
See https://bugs.mageia.org/show_bug.cgi?id=14051#c4 for useful links to test java

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

It was discovered that the RMI registry and DGC implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application (CVE-2017-3241).

This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DGC. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties.

Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions (CVE-2017-3272, CVE-2017-3289).

A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel (CVE-2016-5548).

It was discovered that the Libraries component of OpenJDK accepted ECDSA signatures using non-canonical DER encoding. This could cause a Java application to accept signatures in an incorrect format not accepted by other cryptographic tools (CVE-2016-5546).

It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory (CVE-2017-3253).

It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory (CVE-2016-5547).

It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN (CVE-2017-3252).

It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL (CVE-2016-5552).

Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2017-3261, CVE-2017-3231).

A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite (CVE-2016-2183).

This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5546
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3231
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3252
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3261
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3289
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
https://rhn.redhat.com/errata/RHSA-2017-0180.html
========================

Updated packages in core/updates_testing:
========================
copy-jdk-configs-2.0-1.mga5
java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-headless-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-devel-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-demo-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-src-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.121-1.b14.1.mga5

from SRPMS:
copy-jdk-configs-2.0-1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
CC: (none) => mageia
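The class whitelist the advisory describes for the RMI registry and DGC (the sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter properties) can be illustrated in portable Java by enforcing an allowed-class set in resolveClass(). This is an added example, not code from OpenJDK or from the packages in this bug; the names WhitelistObjectInputStream and readWithWhitelist and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.*;

// Added illustration (not OpenJDK's code): a class-name whitelist checked in
// resolveClass(), the same idea as the registryFilter/dgcFilter properties
// introduced for CVE-2017-3241, applied to any ObjectInputStream.
public class WhitelistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Called for every class descriptor in the stream before an instance is created,
    // so a class outside the whitelist is refused before its readObject() can run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not in deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample input: serialize one object to bytes.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the deserialized object, or null when the whitelist rejected the stream.
    static Object readWithWhitelist(byte[] data, Set<String> allowed) throws IOException {
        try (ObjectInputStream ois = new WhitelistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.Date"));
        // java.util.Date is whitelisted and is read back; java.util.HashMap is not,
        // so that stream is refused before HashMap.readObject() ever executes.
        System.out.println("accepted: " + readWithWhitelist(serialize(new Date(0L)), allowed));
        System.out.println("result:   " + readWithWhitelist(serialize(new HashMap<String, String>()), allowed));
    }
}
```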
Testing pointer: https://bugs.mageia.org/show_bug.cgi?id=19626#c8
--------------
I wasted time in vain on this before, and this link includes things that eventually proved useful.
Remember to have 'icedtea-web' installed, and ensure that Firefox knows it is there (plugin).
Be aware that you have a *lot* of clicking to get through the various examples.
CC: (none) => lewyssmith
Testing M5_64

Had better luck with the tests than reported in the link above; by mistake, I used Opera 12:

http://www.java.com/en/download/installed.jsp
Verified Java Version
Congratulations! You have the recommended Java installed (Version 8 Update 121).

http://javatester.org/version.html
Correctly showed the pink triangle with "Java Version: 1.8.0_121 from Oracle Corporation"

http://www.w3.org/People/mimasa/test/object/java/
All 5 tests worked; the first with 2 rows of several clocks; the rest popping up Othello games. To start these, you need to first click on the "Press space bar to start game" control, then press it. Did not pursue.

https://docs.oracle.com/javase/tutorial/deployment/applet/examplesIndex.html
At least some of these worked OK; did not try them all.

Update looks good. OK.
Whiteboard: (none) => MGA5-64-OK
Forgot to specify the updated package versions tested:
java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5
java-1.8.0-openjdk-headless-1.8.0.121-1.b14.1.mga5

Advisory uploaded.
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
The following 6 packages are going to be installed:
- java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-accessibility-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-devel-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-headless-1.8.0.121-1.b14.1.mga5.i586
- java-1.8.0-openjdk-javadoc-1.8.0.121-1.b14.1.mga5.noarch
- java-atk-wrapper-0.30.4-6.mga5.i586
309MB of additional disk space will be used.

[brian@localhost ~]$ uname -a
Linux localhost 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:52:20 UTC 2016 i686 i686 i686 GNU/Linux
[brian@localhost ~]$
[brian@localhost ~]$ java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b14)
OpenJDK Server VM (build 25.121-b14, mixed mode)
[brian@localhost ~]$ javac -version
javac 1.8.0_121

I ran one of my old programs; seems to be working as designed. Fun!

[brian@localhost BookReader]$ java GUIBookStart 0 /media/sf_vmshare/BookReader/TERMC10.TXT
Average Columns 31 14
Average Columns 55
Average Columns 55
Saving position: 21318
[brian@localhost BookReader]$
CC: (none) => brtians1
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK mga5-32-ok advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0041.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED