Bug 20711 - java-1.8.0-openjdk new security issues
Summary: java-1.8.0-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Duplicates: 20789
Depends on:
Blocks:
 
Reported: 2017-04-21 09:44 CEST by Nicolas Salguero
Modified: 2023-03-24 10:22 CET (History)
11 users

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2017-04-21 09:44:04 CEST
Red Hat has issued an advisory on April 20:
https://rhn.redhat.com/errata/RHSA-2017-1108.html

Corresponding Oracle CPU:
https://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
Nicolas Salguero 2017-04-21 09:44:25 CEST

Source RPM: (none) => java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-21 11:09:18 CEST
Assigning to the registered maintainer

Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11

David Walser 2017-04-21 12:05:57 CEST

CC: (none) => luigiwalser

Nicolas Lécureuil 2017-04-23 14:35:31 CEST

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 David Walser 2017-04-23 18:36:16 CEST Comment hidden (obsolete)

CC: (none) => mageia
Assignee: mageia => qa-bugs

Comment 3 David Walser 2017-04-23 19:16:07 CEST
copy-jdk-configs needed to be updated to 2.2 for this update.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

An untrusted library search path flaw was found in the JCE component of
OpenJDK. A local attacker could possibly use this flaw to cause a Java
application using JCE to load an attacker-controlled library and hence
escalate their privileges (CVE-2017-3511).

It was found that the JAXP component of OpenJDK failed to correctly enforce
parse tree size limits when parsing an XML document. An attacker able to make a
Java application parse a specially crafted XML document could use this flaw
to make it consume an excessive amount of CPU and memory (CVE-2017-3526).

It was discovered that the HTTP client implementation in the Networking
component of OpenJDK could cache and re-use an NTLM authenticated connection
in a different security context. A remote attacker could possibly use this
flaw to make a Java application perform HTTP requests authenticated with
credentials of a different user (CVE-2017-3509).

Note: This update adds support for the "jdk.ntlm.cache" system property
which, when set to false, prevents caching of NTLM connections and
authentications and hence prevents this issue. However, caching remains
enabled by default.

It was discovered that the Security component of OpenJDK did not allow users
to restrict the set of algorithms allowed for Jar integrity verification. This
flaw could allow an attacker to modify the content of a Jar file that used a
weak signing key or hash algorithm (CVE-2017-3539).

Note: This update extends the fix for CVE-2016-5542 released as part of the
MGASA-2016-0359 advisory to no longer allow the MD5 hash algorithm during the
Jar integrity verification by adding it to the jdk.jar.disabledAlgorithms
security property.

Newline injection flaws were discovered in FTP and SMTP client implementations
in the Networking component in OpenJDK. A remote attacker could possibly use
these flaws to manipulate FTP or SMTP connections established by a Java
application (CVE-2017-3533, CVE-2017-3544).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWGDKQCJNISSJZ2DEPVCA3O6TAK2LBID/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4YXXBHMYBU6G4LLYCM72P57OMX6KLPUV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TR5TUVVH3KU4VRKHKGH4DTM6PMAWWFSG/
https://rhn.redhat.com/errata/RHSA-2017-1108.html
========================

Updated packages in core/updates_testing:
========================
copy-jdk-configs-2.2-1.mga5
java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-headless-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-devel-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-demo-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-src-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.131-1.b12.1.mga5

from SRPMS:
copy-jdk-configs-2.2-1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5.src.rpm
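Added example, not part of the bug report or of the Mageia packages: a small POSIX shell check a tester could run after the update, verifying the two configuration-level fixes the advisory names (MD5 added to jdk.jar.disabledAlgorithms, and the jdk.ntlm.cache property) plus the installed update number. The java.security fragments it checks are constructed inside the script, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the bug report or the Mageia packages: post-update
# checks for the advisory's configuration-level fixes. The java.security
# fragments below are constructed here, not copied from a real system.

# Print the effective value of a java.security property: comments skipped,
# backslash continuations joined, last definition wins (as the JDK reads it).
security_property() {                       # $1 = property name, $2 = file
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$2" \
        | grep -v '^[[:space:]]*#' \
        | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | tail -n 1
}

# 0 when MD5 is a whole entry of jdk.jar.disabledAlgorithms, the CVE-2017-3539
# hardening this update adds (MD5withRSA-style names deliberately don't match).
jar_md5_disabled() {                        # $1 = java.security file
    value=$(security_property jdk.jar.disabledAlgorithms "$1" | tr -d ' ')
    case ",$value," in
        *,MD5,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Update number from the first line of `java -version` output,
# e.g. 'openjdk version "1.8.0_131"' -> 131, to compare with the fixed 131.
jdk_update_number() {                       # $1 = java -version output
    printf '%s\n' "$1" | sed -n 's/^openjdk version "1\.8\.0_\([0-9]*\)".*/\1/p'
}

# Run a Java program with NTLM connection caching off (CVE-2017-3509); the
# advisory notes caching stays enabled unless this property is set.
java_no_ntlm_cache() { java -Djdk.ntlm.cache=false "$@"; }

# Constructed samples: a pre-fix file without MD5, and a post-fix file with
# MD5 plus a commented-out old line and a line continuation.
sample_java_security() {                    # $1 = old | new; prints temp path
    f=$(mktemp) || return 1
    if [ "$1" = new ]; then
        printf '%s\n' '#jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024' \
            'jdk.jar.disabledAlgorithms=MD2, MD5, \' \
            '    RSA keySize < 1024' > "$f"
    else
        printf '%s\n' 'jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024' > "$f"
    fi
    printf '%s\n' "$f"
}
```

On a real system point `jar_md5_disabled` at the JRE's lib/security/java.security and feed `jdk_update_number` the output of `java -version 2>&1`.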
Comment 4 David Walser 2017-04-23 19:51:52 CEST
Make sure you test this with Firefox 45, as 52 currently won't run the Java plugin.
Comment 5 Len Lawrence 2017-04-24 17:45:25 CEST
Testing on x86_64 real hardware - firefox 45.8

Installed missing packages before the update and the java plugin, which is actually called IcedTea-Web.  The java console can be accessed via System menu -> Administration -> OpenJDK 8 Monitoring & Management....
$ java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b14)
OpenJDK 64-Bit Server VM (build 25.121-b14, mixed mode)

The links supplied do not help much with testing the several vulnerabilities reported, one of which has actually been exploited in the wild to gain unauthorized access to celebrity Twitter accounts.  Red Hat rates the severity of the issues as moderate.

Since these are development packages and therefore needing expert knowledge it is unlikely that QA can test the vulnerabilities, leaving just the installation check, unless somebody can explain how to run the demonstrations.
  
$ urpmq -i java-1.8.0-openjdk-demo
    $MIRRORLIST: media/core/release/media_info/20150615-211931-info.xml.lzma
    $MIRRORLIST: media/core/updates/media_info/20170424-072630-info.xml.lzma   
Name        : java-1.8.0-openjdk-demo                                          
Version     : 1.8.0.45
Release     : 6.b14.1.mga5
Group       : Development/Java
Size        : 4296531                      Architecture: x86_64
Source RPM  : java-1.8.0-openjdk-1.8.0.45-6.b14.1.mga5.src.rpm
URL         : http://openjdk.java.net/
Summary     : OpenJDK Demos
Description :
The OpenJDK demos.

Installed the Eclipse platform, which requires java-headless, and stumbled through the HelloWorld tutorial.  It worked fine.

Updated the packages.
$ java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-b12)
OpenJDK 64-Bit Server VM (build 25.131-b12, mixed mode)

Opened eclipse and edited the HelloWorld class and ran the script as a java application.  Everything OK.

CC: (none) => tarazed25

Len Lawrence 2017-04-24 17:45:41 CEST

Whiteboard: (none) => MGA5-64-OK

Comment 6 James Kerr 2017-04-24 20:56:37 CEST
Testing on firefox 52.1

java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5.x86_64 
java-1.8.0-openjdk-headless-1.8.0.131-1.b12.1.mga5.x86_64 
copy-jdk-configs-2.2-1.mga5.noarch   

https://www.java.com/en/download/installed.jsp
reports that plugins are not supported

https://www.w3.org/People/mimasa/test/object/java/clock
loads and displays a series of six functioning clocks

http://javatester.org/version.html
loads and correctly displays the installed java version

OK for me on mga5-64

CC: (none) => jim

Comment 7 Len Lawrence 2017-04-24 21:57:07 CEST
Testing in i586 virtualbox

$ firefox --version
Mozilla Firefox 45.8.0
Installed java-plugin (icedtea-web) and eclipse-platform.
Updated the openjdk 32-bit packages from updates testing.
$ java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-b12)
OpenJDK Server VM (build 25.131-b12, mixed mode)

In firefox about:plugins lists the IcedTea plugin 
    File: IcedTeaPlugin.so
    Path: /usr/lib/IcedTeaPlugin.so

No idea how to write a java applet and eclipse seems to lack any java development tutorial.  There are two tutorials available from the Welcome screen as opposed to six in the 64-bit system so it is not a lot of use for a beginner.

Conclusion: no confidence that the 32-bit update is working.
Comment 8 Len Lawrence 2017-04-24 22:08:46 CEST
Referring to comment 6, for vbox i586:

https://www.w3.org/People/mimasa/test/object/java/clock
This goes round in a loop asking security questions, with momentary glimpses of a clockface, and eventually freezes on one.  firefox unfreezes after a while and removes the web page.

http://javatester.org/version.html fails to show the jre version.

So, it does look as if something is not quite right about the 32-bit version.
Comment 9 Len Lawrence 2017-04-25 01:55:11 CEST
All three of the links from comment 6 work fine in x86_64.
Comment 10 Len Lawrence 2017-04-25 02:06:49 CEST
Re-tested those links in i586 vbox and they all worked after "Allow and remember" was clicked after activating the IcedTea plugin.

This is probably enough validation for 32-bits.
Len Lawrence 2017-04-25 02:07:51 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 11 Len Lawrence 2017-04-25 02:46:20 CEST
@James Kerr - ref comment 6
By the way, thanks for those links James.  Had used them in the past and totally forgotten about them.
Comment 12 Dave Hodgins 2017-04-30 21:29:07 CEST
Thanks Len. Advisory committed to svn. Validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 13 Mageia Robot 2017-05-01 01:34:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0120.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 14 Dave Hodgins 2017-05-01 04:29:28 CEST
I used the wrong advisory from this bug report, when adding the advisory to svn.

The advisory in svn has been corrected, but copy-jdk-configs-2.2-1.mga5
still needs to be pushed from Mageia 5 core updates testing to updates.

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 15 Marja Van Waes 2017-05-01 08:02:03 CEST
(In reply to Dave Hodgins from comment #14)
> I used the wrong advisory from this bug report, when adding the advisory to
> svn.
> 

Depending on the method you use, in this case, that could probably have been prevented by tagging the comment with the first advisory as obsolete, which would have collapsed that comment. Of course the two useful links in that comment about testing java should then have been copied to a new comment.
 
Anyway, tagging that comment as obsolete, now, and copying the links to this comment:

(In reply to David Walser from comment #2)
> See below for useful links to test java:
> https://bugs.mageia.org/show_bug.cgi?id=14051#c4
> https://bugs.mageia.org/show_bug.cgi?id=19626#c8
> 

Of course, tagging the old advisory comment won't help when the advisory was already uploaded before the new advisory and packages list was written :-(
Comment 16 Marja Van Waes 2017-05-01 08:04:00 CEST
Ouch, tagging no longer works for me :-(

@ LpSolit

What am I doing wrong?

CC: (none) => LpSolit

Comment 17 Dave Hodgins 2017-05-01 08:34:52 CEST
Tagging seems to be working here. Selected the tag option for comment 2,
typed in obsolete, then pressed enter (Not save changes).
Frédéric "LpSolit" Buclin 2017-05-01 16:32:20 CEST

CC: LpSolit => (none)

Comment 18 Thomas Backlund 2017-05-01 18:24:16 CEST

Missing package pushed.

Resolution: (none) => FIXED
CC: (none) => tmb
Status: REOPENED => RESOLVED

Comment 19 David Walser 2017-05-06 17:25:54 CEST
*** Bug 20789 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 20 Paul Dupont 2023-03-24 10:22:11 CET Comment hidden (spam)

CC: (none) => pauldupont1120

