RedHat has issued an advisory today (October 20): https://access.redhat.com/errata/RHSA-2017:2998 Corresponding Oracle CPU: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html The update is not yet available in Fedora.
copy-jdk-configs 3.2 will also be pushed with this update (already in SVN).
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => mageia
I'll need to update copy-jdk-configs again to 3.3: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/H22N3CYF2YZXVDBEBHAH57P3JAKZIELL/
Fedora has issued an advisory for this on October 31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2553MGSRWW7BGCVMCSDW5KHO5HO742JR/
I updated the package but it failed to build: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20171106123345.mrambo3501.duvel.38530/log/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7/build.0.20171106123550.log

The log ends with the following, which seems to me like RPM is having an issue with the %1, which it previously didn't...

Processing files: java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i586
error: File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/share/applications/*policytool%1.desktop
error: File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libjsoundalsa.so
error: File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libsplashscreen.so
error: File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libawt_xawt.so
error: File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libjawt.so
error: File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/bin/policytool

RPM build errors:
    line 1175: Possible unexpanded macro in: Provides: jre = 1.8.0%1
    File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/share/applications/*policytool%1.desktop
    File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libjsoundalsa.so
    File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libsplashscreen.so
    File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libawt_xawt.so
    File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/lib/i386/libjawt.so
    File not found: /home/iurt/rpmbuild/BUILDROOT/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga7.i386%1/jre/bin/policytool
I: [iurt_root_command] ERROR: chroot
CC: (none) => thierry.vignaud
I found this commit: http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/commit/?id=701fb2b15ef27c922b0ecd2fc2389eda20fbd2ce

So I tried to do the same modifications in our spec file to adapt to rpmbuild 4.14, i.e.:
- replace some "global" by "define"
- replace "%1" by "%{?1}"
- replace "%%1" by "-- %{?1}"
- add " -- " in various places
CC: (none) => nicolas.salguero
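The two mechanical rewrites in the comment above ("%1" to "%{?1}" and "%%1" to "-- %{?1}") are easy to get wrong by hand across a long spec, and the other two ("global" to "define", the extra " -- " separators) need a packager's judgement. The script below is an added example, not code from this bug report or from the Fedora commit it links: it applies the two mechanical rules to a spec read on stdin and lists the parametric `%global name()` definitions as candidates for the manual "global" to "define" change (that every parametric `%global` is a candidate is this example's assumption; the comment only says "some"). The spec fragment is constructed to resemble the lines the build log complained about.

```shell
#!/bin/sh
# Added example (not from this bug report or the linked Fedora commit):
# apply the two mechanical rpmbuild 4.14 rewrites from the comment above to a
# spec file read on stdin, then list parametric %global definitions for review.

# Rule order matters: "%%1" must be handled before "%1". If the "%1" rule ran
# first, "%%1" would turn into "%%{?1}" and the "%%1" rule would never match.
migrate_spec() {
  sed -e 's/%%1/-- %{?1}/g' \
      -e 's/%1/%{?1}/g'
}

# Parametric macros (the "name()" form) defined with %global are the ones a
# packager would consider switching to %define; print them with line numbers.
# Assumption of this example: every "%global name()" line is such a candidate.
list_parametric_globals() {
  grep -n '^%global[[:space:]][[:space:]]*[A-Za-z_][A-Za-z0-9_]*()'
}

# Constructed spec fragment shaped like the lines the build log flagged.
SAMPLE_SPEC='%global jredir() %{sdkdir %%1}/jre
%global debug_package %{nil}
Provides: jre = 1.8.0%1
%{_jvmdir}/%{jredir %%1}/bin/policytool'

echo "--- migrated spec ---"
printf '%s\n' "$SAMPLE_SPEC" | migrate_spec
echo "--- %global lines to review by hand ---"
printf '%s\n' "$SAMPLE_SPEC" | list_parametric_globals
```

For a real spec, run `migrate_spec < java-1.8.0-openjdk.spec > java-1.8.0-openjdk.spec.new` and diff the two files before committing; the "global" to "define" switch and the " -- " separators that separate macro options from arguments still have to be placed by hand.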
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Multiple flaws were discovered in the RMI and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10285, CVE-2017-10346)

It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than the encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients. (CVE-2017-10388)

It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store. (CVE-2017-10356)

A flaw was found in the Smart Card IO component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2017-10274)

It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server. (CVE-2017-10355)

It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker provided URL could possibly inject additional headers into the request. (CVE-2017-10295)

It was discovered that multiple classes in the JAXP, Serialization, Libraries, and JAX-WS components of OpenJDK did not limit the amount of memory allocated when creating object instances from the serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized. (CVE-2017-10349, CVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345, CVE-2017-10348, CVE-2017-10350)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10355
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10357
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10347
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10350
https://access.redhat.com/errata/RHSA-2017:2998
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
========================

Updated packages in 5/core/updates_testing:
========================
copy-jdk-configs-3.3-1.mga5
java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga5
java-1.8.0-openjdk-headless-1.8.0.151-1.b12.1.mga5
java-1.8.0-openjdk-devel-1.8.0.151-1.b12.1.mga5
java-1.8.0-openjdk-demo-1.8.0.151-1.b12.1.mga5
java-1.8.0-openjdk-src-1.8.0.151-1.b12.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.151-1.b12.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.151-1.b12.1.mga5

from SRPMS:
copy-jdk-configs-3.3-1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
copy-jdk-configs-3.3-1.mga6
java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-headless-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-devel-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-demo-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-src-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.151-1.b12.1.mga6

from SRPMS:
copy-jdk-configs-3.3-1.mga6.src.rpm
java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs
Version: Cauldron => 6
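The advisory above fixes the packages at 1.8.0.151-1.b12.1, and the testers later in this thread confirm the update by reading `java -version`. Checking a fleet the same way by eye does not scale, so here is an added example (not part of the bug report or of the Mageia tooling) that extracts the OpenJDK 8 update number from either form, a package name as printed by `rpm -qa` or the first line of the `java -version` banner, and flags anything older than 8u151. The sample package list is constructed from the pre-update versions a tester quotes further down.

```shell
#!/bin/sh
# Added example, not part of the bug report: decide from an installed package
# name ("rpm -q java-1.8.0-openjdk-headless") or from the first line of
# "java -version" (which goes to stderr: java -version 2>&1 | head -1)
# whether a host already carries the 8u151 build this advisory ships.

FIXED_UPDATE=151   # java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga{5,6}, i.e. 1.8.0_151

# Print the OpenJDK 8 update number found in one line, or nothing if the line
# is neither an openjdk package NVR nor a "java -version" banner:
#   java-1.8.0-openjdk-headless-1.8.0.141-1.b16.1.mga6  -> 141
#   openjdk version "1.8.0_151"                         -> 151
openjdk8_update() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^java-1\.8\.0-openjdk[a-z-]*-1\.8\.0\.\([0-9][0-9]*\)-.*/\1/p' \
    -e 's/^openjdk version "1\.8\.0_\([0-9][0-9]*\)".*/\1/p'
}

# Succeeds when the line shows the fixed update or a newer one. A line the
# parser does not recognise counts as NOT fixed rather than silently passing.
is_fixed() {
  u=$(openjdk8_update "$1")
  [ -n "$u" ] && [ "$u" -ge "$FIXED_UPDATE" ]
}

# Read "rpm -qa"-style output on stdin, report every java-1.8.0-openjdk*
# package, and return 1 if any of them is older than the fixed build.
audit_installed() {
  rc=0
  while IFS= read -r line; do
    case "$line" in
      java-1.8.0-openjdk*) ;;
      *) continue ;;
    esac
    if is_fixed "$line"; then
      printf 'OK         %s\n' "$line"
    else
      printf 'VULNERABLE %s\n' "$line"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: the pre-update package set a tester lists later in this
# thread, plus an unrelated package that must be ignored by the audit.
SAMPLE_RPM_QA='copy-jdk-configs-2.3-1.mga6
java-1.8.0-openjdk-1.8.0.141-1.b16.1.mga6
java-1.8.0-openjdk-devel-1.8.0.141-1.b16.1.mga6
java-1.8.0-openjdk-headless-1.8.0.141-1.b16.1.mga6'

if printf '%s\n' "$SAMPLE_RPM_QA" | audit_installed; then
  echo "all OpenJDK 8 packages are at 8u$FIXED_UPDATE or newer"
else
  echo "update needed: java-1.8.0-openjdk-1.8.0.$FIXED_UPDATE-1.b12.1 or newer"
fi
```

On a real host the two entry points are `rpm -qa | audit_installed` and `is_fixed "$(java -version 2>&1 | head -1)"`; the second one matters when a Java runtime was installed outside the package manager, because `rpm -qa` says nothing about it.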
MGA5-32 on Dell Latitude D600 Xfce

No installation issues.

Installed beid-middleware and the old eid-viewer jar and ran:
$ java -jar ../Downloads/eid-viewer.jar
Dec 21, 2017 4:39:48 PM be.fedict.eidviewer.lib.file.helper.LibJ2PCSCGNULinuxFix fixNativeLibrary
INFO: OS is [Linux]. Enabling PCSC library fix.
Dec 21, 2017 4:39:48 PM be.fedict.eidviewer.lib.file.helper.LibJ2PCSCGNULinuxFix fixNativeLibrary
INFO: Setting [sun.security.smartcardio.library] to [/lib/libpcsclite.so.1]
Dec 21, 2017 4:39:48 PM be.fedict.eidviewer.gui.helper.LogHelper logJavaSpecs
and a lot more.

The eid card is displayed and I could test my PIN number and validate the certificates.
OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Testing M6/64

BEFORE update, I had:
copy-jdk-configs-2.3-1.mga6
java-1.8.0-openjdk-1.8.0.141-1.b16.1.mga6
java-1.8.0-openjdk-devel-1.8.0.141-1.b16.1.mga6
java-1.8.0-openjdk-headless-1.8.0.141-1.b16.1.mga6

Following my own advice in https://bugs.mageia.org/show_bug.cgi?id=20165#c9 and C8, I installed icedtea-web, and made sure Firefox knew about it: Additions-Plugins.

UPDATED to:
copy-jdk-configs-3.3-1.mga6
java-1.8.0-openjdk-devel-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga6
java-1.8.0-openjdk-headless-1.8.0.151-1.b12.1.mga6

$ java -version
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

1. http://www.java.com/en/download/installed.jsp has a nasty surprise:
"Starting with Firefox Version 52 (released in March 2017), Firefox has limited support for plug-ins, and therefore will not run Java. Use the Java Control Panel to find the installed Java version. How to find the installed Java version » Firefox and plug-ins FAQ Firefox 52 ESR users: If you'd like to run the verify app as a plugin, please click here."
Following the 'click' invitation eventually showed an IcedTeaWeb box, then a couple of confirmation dialogues ending OK with:
"Verified Java Version Completion checkmark Congratulations! You have the recommended Java installed (Version 8 Update 151)."

2. http://javatester.org/version.html did *not* work (it used to; progress...):
"If Java is working, you will see a pink rectangle above with one line of text that says something like: Java Version 1.8.0_25 from Oracle Corporation"
Grey rectangle, no text.

3. http://www.w3.org/People/mimasa/test/object/java/
These require huge numbers of confirmation clicks to advance.
- Simple Java applet test with applet and object *eventually* showed its 2 rows of 4 clocks; OK.
All of the following started with a moving IcedTeaWeb display, and ended with blank grey squares instead of (in the past) Othello games. Bad news.
- Archived Java applet test with applet and object
- Archived Java applet test, using attributes of object / using params
- Archived Java applet test, using a nested combination of attributes of object and params
- Archived Java applet test, using a nested combination of attributes of object and params, with applet as a fall-back

4. https://docs.oracle.com/javase/tutorial/deployment/applet/examplesIndex.html
Some of the later examples *do* work.

This is as much as I know how to do. Browser use of Java is definitely on the way out. OKing it x64 notwithstanding.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => lewyssmith
Testing M5/64

UPDATED to:
copy-jdk-configs-3.3-1.mga5
java-1.8.0-openjdk-1.8.0.151-1.b12.1.mga5
java-1.8.0-openjdk-headless-1.8.0.151-1.b12.1.mga5

$ java -version
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

Following the prior tests, with their qualifications (again with Firefox + IcedTea-web):

1. http://www.java.com/en/download/installed.jsp -> "Verified Java Version Completion checkmark Congratulations! You have the recommended Java installed (Version 8 Update 151)." OK

2. http://javatester.org/version.html
Hmmm. This time, it showed the correct result, pink rectangle with correct version.

3. http://www.w3.org/People/mimasa/test/object/java/
- Simple Java applet test with applet and object OK. Faster than with M6, it showed the 8 clocks.
- Archived Java applet test with applet and object
- Archived Java applet test, using attributes of object / using params
- Archived Java applet test, using a nested combination of attributes of object and params
- Archived Java applet test, using a nested combination of attributes of object and params, with applet as a fall-back
As for M6, these 4 Othello games ended just in grey squares with no controls.

4. https://docs.oracle.com/javase/tutorial/deployment/applet/examplesIndex.html
Again, the first 3 did not work, most of the remainder did or at least partially.

OKing, validating.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0460.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED