Mandriva has issued an update for java-1.6.0-openjdk today (February 17): http://lists.mandriva.com/security-announce/2012-02/msg00024.php It lists several CVEs that are fixed with the update. It also updates the package version to 1.6.0.0-26.b22.1mdv2010.2, which is newer than the one we have (note the 26 vs. our 24), so we need to account for that in our update. It also mentions that the update provides icedtea6-1.10.6. I'm not sure exactly how that corresponds to the version of our icedtea-web package (currently at version 1.1.4), but it's likely that it needs to be updated to go along with this as well. Though they weren't provided in Mandriva's update, we could consider updating the rootcerts and timezone packages that are usually updated with Java updates (I believe new versions of both are available).
I believe this update will also need to be done in Cauldron.
CC: (none) => dmorganec
Assignee: bugsquad => dmorganec
Possibly relevant, Mandriva has a patch for icedtea-web, with commit log: "Rebuild with reviewed version of patch to work with firefox 10." http://svn.mandriva.com/svn/packages/cooker/icedtea-web/current/SOURCES/PR820.patch
Indeed, the rootcerts package needs to be updated because of MDV's newest Mozilla update (see Bug 4664).
Blocks: (none) => 4405
Blocks: (none) => 5046
Updated link for the Mandriva advisory, since their mailing list archives are gone: http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:021
OK, a few things. The 26 at the beginning of the release tag corresponds to the icedtea version (1.10.6). When we update Mageia 1 accordingly, that 24 (for icedtea 1.10.4 which we have currently) will get changed to a 26. For Cauldron, with icedtea 1.11, it should be a 30. For icedtea-web, Mageia 1 does need the PR820 patch, but Cauldron does not need the PR820 patch, which was committed upstream in icedtea-web 1.2. Cooker does have this patch which still looks needed in both: http://svn.mandriva.com/svn/packages/cooker/icedtea-web/current/SOURCES/icedtea-web-1.0.2-mutex_and_leak.patch
Three hunks of the PR820 patch are rejected. Re-diffing the first one is easy. It's not clear what to do with the other two. The reference for that patch is: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=866
Updated packages uploaded for Mageia 1 and Cauldron.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Fix issues in java sound (CVE-2011-3563).
Fix in AtomicReferenceArray (CVE-2011-3571).
Add property to limit number of request headers to the HTTP Server (CVE-2011-5035).
Incorrect checking for graphics rendering object (CVE-2012-0497).
Multiple unspecified vulnerabilities allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors (CVE-2012-0498, CVE-2012-0499, CVE-2012-0500).
Better input parameter checking in zip file processing (CVE-2012-0501).
Issues with some KeyboardFocusManager methods (CVE-2012-0502).
Issues with TimeZone class (CVE-2012-0503).
Enhance exception throwing mechanism in ObjectStreamClass (CVE-2012-0505).
Issues with some methods in corba (CVE-2012-0506).

The updated packages provide IcedTea6-1.10.6 which is not vulnerable to these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0506
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:021
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-devel-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-demo-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-src-1.6.0.0-26.b22.1.mga1
java-1.6.0-openjdk-javadoc-1.6.0.0-26.b22.1.mga1

from java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1.src.rpm
Assignee: dmorganec => qa-bugs
Blocks: 5046 => (none)
Note to QA: I know there are a lot of updates pending QA right now, but you might want to make this one a priority. There are reports that these vulnerabilities are being actively exploited, and that they are the same ones that have led to widespread reported infections of Mac OS X machines recently, as well as the same ones causing the Windows version of Firefox to actively and automatically disable vulnerable versions of the Java plugin.
Testing complete for the srpm java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1.src.rpm. Same testing as was done for bug 1731.
CC: (none) => davidwhodgins
Severity: normal => critical
Testing following the comment of Claire. Ok

Suggested Advisory:
-------------

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Fix issues in java sound (CVE-2011-3563).
Fix in AtomicReferenceArray (CVE-2011-3571).
Add property to limit number of request headers to the HTTP Server (CVE-2011-5035).
Incorrect checking for graphics rendering object (CVE-2012-0497).
Multiple unspecified vulnerabilities allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors (CVE-2012-0498, CVE-2012-0499, CVE-2012-0500).
Better input parameter checking in zip file processing (CVE-2012-0501).
Issues with some KeyboardFocusManager methods (CVE-2012-0502).
Issues with TimeZone class (CVE-2012-0503).
Enhance exception throwing mechanism in ObjectStreamClass (CVE-2012-0505).
Issues with some methods in corba (CVE-2012-0506).

The updated packages provide IcedTea6-1.10.6 which is not vulnerable to these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0506
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:021
https://bugs.mageia.org/show_bug.cgi?id=4563
-------------

SRPM: java-1.6.0-openjdk-1.6.0.0-26.b22.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates? Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Severity: critical => normal
Update pushed
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED