RedHat has issued an advisory on April 20: https://rhn.redhat.com/errata/RHSA-2017-1108.html Corresponding Oracle CPU: https://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
Source RPM: (none) => java-1.8.0-openjdk-1.8.0.121-1.b14.1.mga6.src.rpm
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11
CC: (none) => luigiwalser
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
See below for useful links to test java:
https://bugs.mageia.org/show_bug.cgi?id=14051#c4
https://bugs.mageia.org/show_bug.cgi?id=19626#c8

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges (CVE-2017-3511).

It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing an XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory (CVE-2017-3526).

It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user (CVE-2017-3509).

Note: This update adds support for the "jdk.ntlm.cache" system property which, when set to false, prevents caching of NTLM connections and authentications and hence prevents this issue. However, caching remains enabled by default.

It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify the content of a Jar file that used a weak signing key or hash algorithm (CVE-2017-3539).

Note: This update extends the fix for CVE-2016-5542 released as part of the MGASA-2016-0359 advisory to no longer allow the MD5 hash algorithm during Jar integrity verification by adding it to the jdk.jar.disabledAlgorithms security property.

Newline injection flaws were discovered in the FTP and SMTP client implementations in the Networking component in OpenJDK. A remote attacker could possibly use these flaws to manipulate FTP or SMTP connections established by a Java application (CVE-2017-3533, CVE-2017-3544).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://rhn.redhat.com/errata/RHSA-2017-1108.html
========================

Updated packages in core/updates_testing:
========================

java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-headless-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-devel-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-demo-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-src-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.131-1.b12.1.mga5

from java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5.src.rpm
CC: (none) => mageia
Assignee: mageia => qa-bugs
copy-jdk-configs needed to be updated to 2.2 for this update.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges (CVE-2017-3511).

It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing an XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory (CVE-2017-3526).

It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user (CVE-2017-3509).

Note: This update adds support for the "jdk.ntlm.cache" system property which, when set to false, prevents caching of NTLM connections and authentications and hence prevents this issue. However, caching remains enabled by default.

It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify the content of a Jar file that used a weak signing key or hash algorithm (CVE-2017-3539).

Note: This update extends the fix for CVE-2016-5542 released as part of the MGASA-2016-0359 advisory to no longer allow the MD5 hash algorithm during Jar integrity verification by adding it to the jdk.jar.disabledAlgorithms security property.

Newline injection flaws were discovered in the FTP and SMTP client implementations in the Networking component in OpenJDK. A remote attacker could possibly use these flaws to manipulate FTP or SMTP connections established by a Java application (CVE-2017-3533, CVE-2017-3544).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWGDKQCJNISSJZ2DEPVCA3O6TAK2LBID/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4YXXBHMYBU6G4LLYCM72P57OMX6KLPUV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TR5TUVVH3KU4VRKHKGH4DTM6PMAWWFSG/
https://rhn.redhat.com/errata/RHSA-2017-1108.html
========================

Updated packages in core/updates_testing:
========================

copy-jdk-configs-2.2-1.mga5
java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-headless-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-devel-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-demo-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-src-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.131-1.b12.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.131-1.b12.1.mga5

from SRPMS:
copy-jdk-configs-2.2-1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5.src.rpm
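The advisory above names two settings a deployer can verify after the update: MD5 listed in the jdk.jar.disabledAlgorithms security property, and the opt-in jdk.ntlm.cache=false system property. The following is an added example, not part of this bug report or of the Mageia packages: it parses the disabledAlgorithms constraint syntax ("ALG" or "ALG keySize < N") from java.security-style text and decides whether a given jar signature algorithm and key size would be refused, and checks a Java command line for the NTLM opt-out. The java.security lines and the command line are constructed samples.

```python
import re

# Constructed sample of the relevant java.security lines after the update
# (hypothetical content, not copied from the Mageia package).
SAMPLE_JAVA_SECURITY = """\
# Algorithms refused during jar signature verification
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""
# Constructed command line of a hypothetical Java service.
SAMPLE_CMDLINE = "java -Djdk.ntlm.cache=false -jar /opt/app/service.jar"

RULE_RE = re.compile(r"(\S+)\s+keySize\s*<\s*(\d+)")

def parse_disabled_algorithms(text, prop="jdk.jar.disabledAlgorithms"):
    """Return [(ALGORITHM, min_key_bits), ...] for `prop`; min_key_bits is
    None when the algorithm is refused regardless of key size."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != prop:
            continue
        rules = []
        for entry in value.split(","):
            entry = entry.strip()
            m = RULE_RE.fullmatch(entry)
            if m:
                rules.append((m.group(1).upper(), int(m.group(2))))
            elif entry:
                rules.append((entry.upper(), None))
        return rules
    return []  # property absent: nothing is disabled

def signature_refused(rules, sig_alg, key_bits):
    """True if a jar signed with e.g. "MD5withRSA" using a `key_bits` key is
    refused: a rule matches either the digest or the key algorithm part."""
    parts = sig_alg.upper().split("WITH")  # "MD5withRSA" -> ["MD5", "RSA"]
    for alg, min_bits in rules:
        if alg in parts and (min_bits is None or key_bits < min_bits):
            return True
    return False

def ntlm_cache_disabled(cmdline):
    """True only if the opt-in property from the advisory is on the command
    line; the advisory notes that caching stays enabled by default."""
    return "-Djdk.ntlm.cache=false" in cmdline.split()
```

Run parse_disabled_algorithms over the contents of $JAVA_HOME/lib/security/java.security on the updated host to confirm MD5 is listed, then feed the result to signature_refused for the signature algorithms your jars actually use.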
Make sure you test this with Firefox 45, as 52 currently won't run the Java plugin.
Testing on x86_64 real hardware - firefox 45.8

Installed missing packages before the update and the java plugin, which is actually called Iced Tea-Web. The java console can be accessed via System menu -> Administration -> OpenJDK 8 Monitoring & Management....

$ java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b14)
OpenJDK 64-Bit Server VM (build 25.121-b14, mixed mode)

The links supplied do not help much with testing the several vulnerabilities reported, one of which has actually been exploited in the wild to gain unauthorized access to celebrity Twitter accounts. RedHat rates the severity of the issues as moderate. Since these are development packages and therefore needing expert knowledge it is unlikely that QA can test the vulnerabilities, leaving just the installation check, unless somebody can explain how to run the demonstrations.

$ urpmq -i java-1.8.0-openjdk-demo
$MIRRORLIST: media/core/release/media_info/20150615-211931-info.xml.lzma
$MIRRORLIST: media/core/updates/media_info/20170424-072630-info.xml.lzma
Name        : java-1.8.0-openjdk-demo
Version     : 1.8.0.45
Release     : 6.b14.1.mga5
Group       : Development/Java
Size        : 4296531
Architecture: x86_64
Source RPM  : java-1.8.0-openjdk-1.8.0.45-6.b14.1.mga5.src.rpm
URL         : http://openjdk.java.net/
Summary     : OpenJDK Demos
Description : The OpenJDK demos.

Installed the Eclipse platform, which requires java-headless, and stumbled through the HelloWorld tutorial. It worked fine.

Updated the packages.

$ java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-b12)
OpenJDK 64-Bit Server VM (build 25.131-b12, mixed mode)

Opened eclipse and edited the HelloWorld class and ran the script as a java application. Everything OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Testing on firefox 52.1

java-1.8.0-openjdk-1.8.0.131-1.b12.1.mga5.x86_64
java-1.8.0-openjdk-headless-1.8.0.131-1.b12.1.mga5.x86_64
copy-jdk-configs-2.2-1.mga5.noarch

https://www.java.com/en/download/installed.jsp reports that plugins are not supported
https://www.w3.org/People/mimasa/test/object/java/clock loads and displays a series of six functioning clocks
http://javatester.org/version.html loads and correctly displays the installed java version

OK for me on mga5-64
CC: (none) => jim
Testing in i586 virtualbox

$ firefox --version
Mozilla Firefox 45.8.0

Installed java-plugin (icedtea-web) and eclipse-platform. Updated the openjdk 32-bit packages from updates testing.

$ java -version
openjdk version "1.8.0_131"
OpenJDK Runtime Environment (build 1.8.0_131-b12)
OpenJDK Server VM (build 25.131-b12, mixed mode)

In firefox about:plugins lists the IcedTea plugin
File: IcedTeaPlugin.so
Path: /usr/lib/IcedTeaPlugin.so

No idea how to write a java applet and eclipse seems to lack any java development tutorial. There are two tutorials available from the Welcome screen as opposed to six in the 64-bit system so it is not a lot of use for a beginner.

Conclusion: no confidence that the 32-bit update is working.
Referring to comment 6, for vbox i586:

https://www.w3.org/People/mimasa/test/object/java/clock
This goes round in a loop asking security questions, with momentary glimpses of a clockface, and eventually freezes on one. firefox unfreezes after a while and removes the web page.

http://javatester.org/version.html
fails to show the jre version.

So, it does look as if something is not quite right about the 32-bit version.
All three of the links from comment 6 work fine in x86_64.
Re-tested those links in i586 vbox and they all worked after "Allow and remember" was clicked after activating the Iced Tea plugin. This is probably enough validation for 32-bits.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
@James Kerr - ref comment 6 By the way, thanks for those links James. Had used them in the past and totally forgotten about them.
Thanks Len. Advisory committed to svn. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0120.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
I used the wrong advisory from this bug report, when adding the advisory to svn. The advisory in svn has been corrected, but copy-jdk-configs-2.2-1.mga5 still needs to be pushed from Mageia 5 core updates testing to updates.
Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
(In reply to Dave Hodgins from comment #14)
> I used the wrong advisory from this bug report, when adding the advisory to
> svn.

Depending on the method you use, in this case, that could probably have been prevented by tagging the comment with the first advisory as obsolete, which would have collapsed that comment. Of course the two useful links in that comment about testing java should then have been copied to a new comment.

Anyway, tagging that comment as obsolete, now, and copying the links to this comment:

(In reply to David Walser from comment #2)
> See below for useful links to test java:
> https://bugs.mageia.org/show_bug.cgi?id=14051#c4
> https://bugs.mageia.org/show_bug.cgi?id=19626#c8

Of course, tagging the old advisory comment won't help when the advisory was already uploaded before the new advisory and packages list was written :-(
Ouch, tagging no longer works for me :-( @ LpSolit What am I doing wrong?
CC: (none) => LpSolit
Tagging seems to be working here. Selected the tag option for comment 2, typed in obsolete, then pressed enter (not Save Changes).
CC: LpSolit => (none)
Missing package pushed.
Resolution: (none) => FIXED
CC: (none) => tmb
Status: REOPENED => RESOLVED
*** Bug 20789 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu