This also affects Mageia 1 and Mageia 2.

Cauldron (java-1.7.0-openjdk) should be updated to OpenJDK 7u5 and IcedTea7 2.2.1. This can be synced with Fedora.

Mageia 2 (java-1.7.0-openjdk) should be updated to IcedTea7 2.1.1.

Mageia 2 (java-1.6.0-openjdk) should be updated to IcedTea6 1.11.3. The release tag will start with 33.

Mageia 1 (java-1.6.0-openjdk) should be updated to IcedTea6 1.10.8. The release tag will start with 28.

IcedTea6 update announcement:
http://blog.fuseyism.com/index.php/2012/06/12/security-icedtea6-1-10-8-1-11-3-released/

IcedTea7 update announcement:
http://blog.fuseyism.com/index.php/2012/06/13/security-icedtea-2-1-1-2-2-1-released/
CC: (none) => dmorganec
I've taken care of java-1.6.0-openjdk and filed Bug 6457 to hand that off to QA. Now we just need java-1.7.0-openjdk to be taken care of.
Summary: java-1.6.0-openjdk and java-1.7.0-openjdk need new IcedTea releases for security updates => java-1.7.0-openjdk needs new IcedTea releases for security updates
Source RPM: java-1.6.0-openjdk, java-1.7.0-openjdk => java-1.7.0-openjdk
Whiteboard: (none) => MGA2TOO
URL: (none) => http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019094.html
D Morgan has updated this package for Cauldron and Mageia 2. He has chosen to use IcedTea7 2.2.1 for both. As noted in Bug 6457, several critical, remotely exploitable vulnerabilities have been fixed. It is also discussed in an article here:
http://www.h-online.com/open/news/item/Oracle-update-of-Java-closes-critical-holes-1616681.html

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data (CVE-2012-1711, CVE-2012-1719).

It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions (CVE-2012-1716).

Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine (CVE-2012-1713).

Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions (CVE-2012-1723, CVE-2012-1725).

It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop (CVE-2012-1724).

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored (CVE-2012-1718).

It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files (CVE-2012-1717).

It was discovered that java.lang.invoke.MethodHandles.Lookup did not properly honor access modes. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2012-1726).

The package has been updated to IcedTea-2.2.1, which is not vulnerable to these issues.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1711
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1713
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1716
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1717
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1718
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1719
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1724
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1725
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1726
https://bugzilla.redhat.com/show_bug.cgi?id=829377
http://blog.fuseyism.com/index.php/2012/06/13/security-icedtea-2-1-1-2-2-1-released/
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
https://rhn.redhat.com/errata/RHSA-2012-0729.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.3-2.2.1.0.1.mga2
java-1.7.0-openjdk-demo-1.7.0.3-2.2.1.0.1.mga2
java-1.7.0-openjdk-devel-1.7.0.3-2.2.1.0.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.3-2.2.1.0.1.mga2
java-1.7.0-openjdk-src-1.7.0.3-2.2.1.0.1.mga2

from java-1.7.0-openjdk-1.7.0.3-2.2.1.0.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)
Note that java-1.6.0-openjdk (Bug 6457) is the more critical of these two updates, as that is the Java that our icedtea-web (Java browser plugin) is using.
I'm using Mageia 2 x86_64 and just got this update in /core/updates/testing. It obsoleted java-1.6.0-openjdk, thus forcing the removal of icedtea-web; it needs rebuilding.
CC: (none) => lemonzest
Thanks Simon. I've fixed it.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data (CVE-2012-1711, CVE-2012-1719).

It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions (CVE-2012-1716).

Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine (CVE-2012-1713).

Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions (CVE-2012-1723, CVE-2012-1725).

It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop (CVE-2012-1724).

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored (CVE-2012-1718).

It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files (CVE-2012-1717).

It was discovered that java.lang.invoke.MethodHandles.Lookup did not properly honor access modes. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2012-1726).

The package has been updated to IcedTea-2.2.1, which is not vulnerable to these issues.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1711
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1713
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1716
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1717
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1718
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1719
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1724
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1725
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1726
https://bugzilla.redhat.com/show_bug.cgi?id=829377
http://blog.fuseyism.com/index.php/2012/06/13/security-icedtea-2-1-1-2-2-1-released/
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
https://rhn.redhat.com/errata/RHSA-2012-0729.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-demo-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-devel-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-javadoc-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-src-1.7.0.3-2.2.1.0.2.mga2

from java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2.src.rpm
Testing complete on x86_64 and i586 Mageia 2 for the SRPM java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2.src.rpm.

Tested after using update-alternatives --config java and selecting 1.7.0, then using libreoffice --base to create a database and table, enter some data and construct a query.

David, can you please check the advisory? It appears to be for java-1.6.0-openjdk. This can then be validated. Thanks.
Hardware: i586 => All
Whiteboard: (none) => mga2-32-OK mga2-64-OK
Whoopsies :o) I think I did that three times last week :o( Reposting.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data (CVE-2012-1711, CVE-2012-1719).

It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions (CVE-2012-1716).

Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine (CVE-2012-1713).

Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions (CVE-2012-1723, CVE-2012-1725).

It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop (CVE-2012-1724).

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored (CVE-2012-1718).

It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files (CVE-2012-1717).

It was discovered that java.lang.invoke.MethodHandles.Lookup did not properly honor access modes. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions (CVE-2012-1726).

The package has been updated to IcedTea-2.2.1, which is not vulnerable to these issues.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1711
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1713
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1716
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1717
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1718
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1719
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1724
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1725
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1726
https://bugzilla.redhat.com/show_bug.cgi?id=829377
http://blog.fuseyism.com/index.php/2012/06/13/security-icedtea-2-1-1-2-2-1-released/
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
https://rhn.redhat.com/errata/RHSA-2012-0729.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-demo-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-devel-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-javadoc-1.7.0.3-2.2.1.0.2.mga2
java-1.7.0-openjdk-src-1.7.0.3-2.2.1.0.2.mga2

from java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2.src.rpm
Validating. Please see comment 7 for the advisory and SRPM. Could sysadmin please push from core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hm, I see a comment about icedtea-web needing a rebuild, but I see nothing in repos?
CC: (none) => tmb
It was this which needed the rebuild, Thomas, as it obsoleted java-1.6.0-openjdk, which icedtea-web has as a require, and forced its removal. Thanks for all the pushes.
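The Obsoletes/Requires cascade described in the two comments above, modelled as an added example (not Mageia's tooling or rpm's own depsolver): the package metadata below is a constructed toy mirroring the thread, only unversioned Requires and Obsoletes are modelled, and the "fixed" build is assumed here to simply drop the Obsoletes, which the thread does not spell out.

```python
# Constructed metadata mirroring the thread: the first java-1.7.0-openjdk
# build obsoleted java-1.6.0-openjdk, which icedtea-web requires.
INSTALLED = {
    "java-1.6.0-openjdk": {"requires": set(), "obsoletes": set()},
    "icedtea-web": {"requires": {"java-1.6.0-openjdk"}, "obsoletes": set()},
    "libreoffice-base": {"requires": set(), "obsoletes": set()},
}


def forced_removals(installed, update):
    """Return the installed packages an update would drag out.

    update: dict with keys 'name', 'requires', 'obsoletes'. Directly
    obsoleted packages go first; anything that requires a removed package
    follows, transitively, the way a depsolver cascades removals.
    """
    removed = set(installed) & set(update["obsoletes"])
    removed.discard(update["name"])  # an update replacing itself is not a removal
    changed = True
    while changed:
        changed = False
        for name, meta in installed.items():
            if name not in removed and meta["requires"] & removed:
                removed.add(name)
                changed = True
    return removed


def update_is_safe(installed, update):
    """True when nothing beyond the directly obsoleted packages is removed."""
    return forced_removals(installed, update) <= set(update["obsoletes"])


# The build that broke icedtea-web (release 0.1) and, as an assumption,
# the fixed one (release 0.2) without the Obsoletes.
BROKEN_UPDATE = {"name": "java-1.7.0-openjdk", "requires": set(),
                 "obsoletes": {"java-1.6.0-openjdk"}}
FIXED_UPDATE = {"name": "java-1.7.0-openjdk", "requires": set(),
                "obsoletes": set()}

if __name__ == "__main__":
    print("broken build removes:", sorted(forced_removals(INSTALLED, BROKEN_UPDATE)))
    print("fixed build safe:", update_is_safe(INSTALLED, FIXED_UPDATE))
```

On a real Mageia system the same pre-push check is the query "what installed packages require the thing this update obsoletes", which is what caught the icedtea-web removal here.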
Ok, thanks for clarifying. Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0122
Status: NEW => RESOLVED
Resolution: (none) => FIXED