Bug 3893 - security update: java-openjdk
Summary: security update: java-openjdk
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
Reported: 2011-12-27 02:27 CET by Manuel Hiebel
Modified: 2011-12-31 23:25 CET
CC: 5 users

See Also:
Source RPM: java-1.6.0-openjdk
CVE:
Status comment:
Description Manuel Hiebel 2011-12-27 02:27:57 CET
There is now 'java-1.6.0-openjdk-src-1.6.0.0-14.b22.6.1.mga1' in core/updates_testing to validate
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVEs:

- S7000600, CVE-2011-3547: InputStream skip() information leak
- S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
- S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
- S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
- S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
- S7055902, CVE-2011-3521: IIOP deserialization code execution
- S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
- S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
- S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
- S7077466, CVE-2011-3556: RMI DGC server remote code execution
- S7083012, CVE-2011-3557: RMI registry privileged code execution
- S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection

Other fixes in this release:

- RH727195 : Japanese font mappings are broken
- Backports
- S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal dialog
- Zero/Shark
- PR690: Shark fails to JIT using hs20.
- PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.
- Sync with cauldron version
- Resolves: rhbz#709375
- Bumped to IcedTea6 1.10.2
- RH706250, S6213702, CVE-2011-0872: (so) non-blocking sockets with TCP urgent disabled get still selected for read ops (win)
- RH706106, S6618658, CVE-2011-0865: Vulnerability in deserialization
- RH706111, S7012520, CVE-2011-0815: Heap overflow vulnerability in FileDialog.show() (win)
- RH706139, S7013519, CVE-2011-0822, CVE-2011-0862: Integer overflows in 2D code
- RH706153, S7013969, CVE-2011-0867: NetworkInterface.toString can reveal bindings
- RH706234, S7013971, CVE-2011-0869: Vulnerability in SAAJ
- RH706239, S7016340, CVE-2011-0870: Vulnerability in SAAJ
- RH706241, S7016495, CVE-2011-0868: Crash in Java 2D transforming an image with scale close to zero
- RH706248, S7020198, CVE-2011-0871: ImageIcon creates Component with null acc
- RH706245, S7020373, CVE-2011-0864: JSR rewriting can overflow memory address size variables
Comment 1 David Walser 2011-12-27 16:31:07 CET
java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2 is the version in 2010.2, and since 24 > 14, I don't think the version in mga1/core/updates_testing is new enough to supersede that one.

CC: (none) => luigiwalser

Comment 2 Manuel Hiebel 2011-12-27 17:25:20 CET
Arf ok...

Assignee: qa-bugs => dmorganec

Comment 3 David Walser 2011-12-27 18:04:48 CET
The versioning on this package doesn't make sense and I imagine doesn't follow normal policy.  Looking at the package changelogs, it appears "b22" is the upstream version.  This version matches between MDV and this proposed update.  The "14" or "24" is actually the package version, which is usually supposed to go after the software version.  It looks like during the MDV 2010.1/2010.2 updates cycle, someone misunderstood the way the package versions were being done on this package (understandable, since it was being done in a non-standard way), and added a second package version after the software version (where it's supposed to go), hence the ".1mdv2010.2" in the MDV version and the ".6.1.mga1" in this proposed update.

I'm not sure how you want to handle this, but for the purposes of Mageia 1, it would be sufficient to just change the "14" to "24" and rebuild this proposed update.  For Cauldron this mess should probably be fixed, the "14/24" should probably be eliminated, and an epoch should probably be added to the package.
Comment 4 David Walser 2011-12-27 18:19:31 CET
For the record, this proposed update package installs and the Java plugin test works fine.
Comment 5 D Morgan 2011-12-28 03:04:32 CET
Just worked around by increasing the release, thanks.

Assignee: dmorganec => qa-bugs
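
The version ordering that Comment 1 and Comment 3 describe, and the release bump Comment 5 applied, as an added example that is not part of this bug report: a simplified Python port of rpm's rpmvercmp() (the '~' and '^' rules are left out) comparing the Mandriva 2010.2 package against the first candidate and against the bumped release. Epoch 0 is assumed for all three packages; the function and constant names are mine.

```python
import re
# Added illustration (not from the bug report): a simplified port of rpm's
# rpmvercmp(), without the '~'/'^' rules, to show why the first candidate
# release did not supersede the Mandriva 2010.2 package.
_SKIP = re.compile(r'[^0-9A-Za-z]*')    # separator characters rpm ignores
_SEG = re.compile(r'[0-9]+|[A-Za-z]+')  # one numeric or one alphabetic segment

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b under RPM's segment comparison."""
    if a == b:
        return 0
    i = j = 0
    while True:
        i, j = _SKIP.match(a, i).end(), _SKIP.match(b, j).end()
        if i >= len(a) or j >= len(b):
            break
        ma, mb = _SEG.match(a, i), _SEG.match(b, j)
        sa, sb = ma.group(), mb.group()
        isnum = sa[0].isdigit()
        if isnum != sb[0].isdigit():
            return 1 if isnum else -1  # a numeric segment beats an alpha one
        if isnum:
            sa, sb = sa.lstrip('0'), sb.lstrip('0')
            if len(sa) != len(sb):     # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ma.end(), mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1    # the side with characters left wins

def evr_cmp(x, y) -> int:
    """Order two (epoch, version, release) tuples the way rpm orders packages."""
    for p, q in zip(x, y):
        c = rpmvercmp(p, q)
        if c:
            return c
    return 0

def upgrades(candidate, installed) -> bool:
    """True if rpm would install candidate over installed."""
    return evr_cmp(candidate, installed) > 0

# EVRs from the thread; epoch 0 is assumed for all three packages.
MDV_2010_2 = ("0", "1.6.0.0", "24.b22.1mdv2010.2")
PROPOSED = ("0", "1.6.0.0", "14.b22.6.1.mga1")  # first candidate (Comment 1)
BUMPED = ("0", "1.6.0.0", "24.b22.6.1.mga1")    # release raised (Comment 5)
```

With these inputs upgrades(PROPOSED, MDV_2010_2) is False because the release comparison stops at 14 versus 24, while upgrades(BUMPED, MDV_2010_2) is True because 24 ties, b22 ties, and 6 beats 1.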

Comment 6 Dave Hodgins 2011-12-29 01:50:34 CET
Testing complete on i586 for the srpm
java-1.6.0-openjdk-1.6.0.0-24.b22.6.1.mga1.src.rpm

No poc found, so just testing that java works running
a previously compiled program.
$ java HelloWorldApp
Hello World!

CC: (none) => davidwhodgins

Comment 7 D Morgan 2011-12-29 01:55:38 CET
don't forget to test icedtea-web

CC: (none) => dmorganec

Comment 8 David Walser 2011-12-29 02:05:43 CET
I can confirm icedtea-web still works on i586 with this update.
Comment 9 Manuel Hiebel 2011-12-31 18:33:29 CET
Testing complete on x86_64 with eclipse/play framework on little apps.

Advisory
-------------
This update addresses the following CVEs:

- S7000600, CVE-2011-3547: InputStream skip() information leak
- S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
- S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
- S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
- S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
- S7055902, CVE-2011-3521: IIOP deserialization code execution
- S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
- S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
- S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
- S7077466, CVE-2011-3556: RMI DGC server remote code execution
- S7083012, CVE-2011-3557: RMI registry privileged code execution
- S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection

Other fixes in this release:

- RH727195 : Japanese font mappings are broken
- Backports
- S6826104, RH730015: Getting a NullPointer exception when clicked on Application & Toolkit Modal dialog
- Zero/Shark
- PR690: Shark fails to JIT using hs20.
- PR696: Zero fails to handle fast_aldc and fast_aldc_w in hs20.
- Sync with cauldron version
- Resolves: rhbz#709375
- Bumped to IcedTea6 1.10.2
- RH706250, S6213702, CVE-2011-0872: (so) non-blocking sockets with TCP urgent disabled get still selected for read ops (win)
- RH706106, S6618658, CVE-2011-0865: Vulnerability in deserialization
- RH706111, S7012520, CVE-2011-0815: Heap overflow vulnerability in FileDialog.show() (win)
- RH706139, S7013519, CVE-2011-0822, CVE-2011-0862: Integer overflows in 2D code
- RH706153, S7013969, CVE-2011-0867: NetworkInterface.toString can reveal bindings
- RH706234, S7013971, CVE-2011-0869: Vulnerability in SAAJ
- RH706239, S7016340, CVE-2011-0870: Vulnerability in SAAJ
- RH706241, S7016495, CVE-2011-0868: Crash in Java 2D transforming an image with scale close to zero
- RH706248, S7020198, CVE-2011-0871: ImageIcon creates Component with null acc
- RH706245, S7020373, CVE-2011-0864: JSR rewriting can overflow memory address size variables


-------------

SRPM: java-1.6.0-openjdk-1.6.0.0-24.b22.6.1.mga1.src.rpm

(hope there is nothing related to this one)

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2011-12-31 23:25:20 CET
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED