D Morgan has built a *highly critical* update for java-1.7.0-openjdk.

This is for a very high profile zero day exploit that is publicly available and being actively exploited.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java applets and enforcing other security restrictions, allows for arbitrary code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.1 which fixes this issue, as well as several other bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.1.1.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.1.1.1.mga2
Priority: Normal => High
CC: (none) => dmorganec
Severity: normal => critical
Luckily nothing in Mageia 2 requires java-1.7.0-openjdk, greatly reducing our exposure to this vulnerability. I guess the only way to get exploited would be to run malicious code manually.
PoC: http://pastie.org/4594319
Yes, I just brought this up in the IRC channel, but I believe that Oracle also released a patched 1.6.35 to fix a similar problem (that would be exploited on 2 as its icedtea web is linked to openjdk-java-1.6)
CC: (none) => lemonzest
Thanks for letting us know Simon. They have also updated IcedTea7 again, now to 2.3.2. http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
CC: (none) => qa-bugs
Assignee: qa-bugs => dmorganec
D Morgan has updated the IcedTea to 2.3.2.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java applets and enforcing other security restrictions, allows for arbitrary code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.2 which fixes this issue, an XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue with AWT internals references (CVE-2012-0547), as well as several other bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.2.1.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2
Assignee: dmorganec => qa-bugs
Oops, forgot the other two CVE URLs in the references.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java applets and enforcing other security restrictions, allows for arbitrary code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.2 which fixes this issue, an XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue with AWT internals references (CVE-2012-0547), as well as several other bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.2.1.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2
Created attachment 2770
Gondvv.java

Modified copy of the POC from Comment 2.

$ javac Gondvv.java
$ java Gondvv

Results in /usr/bin/kcalc running.
Testing complete on Mageia 2 i586 and x86-64.

After installing the update,

$ java Gondvv
java.lang.NoSuchMethodException: <unbound>=Class.getField(Class, "acc");

Could someone from the sysadmin team push the srpm
java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java applets and enforcing other security restrictions, allows for arbitrary code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.2 which fixes this issue, an XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue with AWT internals references (CVE-2012-0547), as well as several other bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
https://bugs.mageia.org/show_bug.cgi?id=7278
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0260
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
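
Added example, not part of the original bug report or of Mageia's tooling: a shell check that classifies a java-1.7.0-openjdk package string against the IcedTea 2.3.1 and 2.3.2 levels named in the advisories above. It assumes the first three components of the release field are the IcedTea version, as the package lists in this thread suggest; the function names and the older 2.2.1 sample string are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the RPM release field starts with the IcedTea
# version (2.3.2.1.1.mga2 -> IcedTea 2.3.2), as in the lists in this thread.

# Compare two dotted numeric versions; prints -1, 0 or 1.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Extract the IcedTea version from a name-version-release string.
icedtea_of() {
    rel=${1##*-}                      # text after the last '-' is the release
    printf '%s\n' "$rel" | cut -d. -f1-3
}

# outdated: below 2.3.1; partial: 2.3.1 (CVE-2012-4681 fix only);
# fixed: 2.3.2 or later (also CVE-2012-1682 and CVE-2012-0547).
classify() {
    it=$(icedtea_of "$1")
    case $it in
        ''|*[!0-9.]*) echo unknown; return ;;
    esac
    if [ "$(ver_cmp "$it" 2.3.2)" -ge 0 ]; then echo fixed
    elif [ "$(ver_cmp "$it" 2.3.1)" -ge 0 ]; then echo partial
    else echo outdated
    fi
}

# Constructed sample input; on a host use: classify "$(rpm -q java-1.7.0-openjdk)"
for pkg in \
    java-1.7.0-openjdk-1.7.0.5-2.2.1.1.mga2 \
    java-1.7.0-openjdk-1.7.0.6-2.3.1.1.1.mga2 \
    java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2
do
    printf '%-45s %s\n' "$pkg" "$(classify "$pkg")"
done
```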