Bug 7279 - java-1.6.0-openjdk new security issues CVE-2012-1682 and CVE-2012-0547
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://blog.fuseyism.com/index.php/20...
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK mga1-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-09-01 03:36 CEST by David Walser
Modified: 2012-09-04 18:57 CEST

See Also:
Source RPM: java-1.6.0-openjdk-1.6.0.0-33.b24.1.mga2.src.rpm
CVE:
Status comment:


Description David Walser 2012-09-01 03:36:17 CEST
IcedTea6 1.11.4 and 1.10.9 have been released, fixing two security issues.

Updated packages have been uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

IcedTea6 has been updated to versions 1.10.9 and 1.11.4, which fix an
XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue
with AWT internals references (CVE-2012-0547), along with other bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-29.b22.1.mga1
java-1.6.0-openjdk-devel-1.6.0.0-29.b22.1.mga1
java-1.6.0-openjdk-demo-1.6.0.0-29.b22.1.mga1
java-1.6.0-openjdk-src-1.6.0.0-29.b22.1.mga1
java-1.6.0-openjdk-javadoc-1.6.0.0-29.b22.1.mga1
java-1.6.0-openjdk-1.6.0.0-34.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-34.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-34.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-34.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-34.b24.1.mga2

from SRPMS:
java-1.6.0-openjdk-1.6.0.0-29.b22.1.mga1.src.rpm
java-1.6.0-openjdk-1.6.0.0-34.b24.1.mga2.src.rpm
David Walser 2012-09-01 03:37:24 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 Tolhildan Karker 2012-09-01 10:20:59 CEST
Tested MGA2, 32-bit. Works here with icedtea with both Firefox, Google Chrome (Complains about newer version?) and Opera.

CC: (none) => tolhildan_123

Comment 2 claire robinson 2012-09-01 11:36:45 CEST
Testing Mga2 64

Thanks Tolhildan, adding whiteboard keyword

No PoCs for these, so just testing java 1.6 with icedtea-web in various browsers.

Whiteboard: MGA1TOO => MGA1TOO mga2-32-OK

Comment 3 claire robinson 2012-09-01 11:43:05 CEST
Testing complete x86_64 mga2

http://www.java.com/en/download/testjava.jsp

Hardware: i586 => All
Whiteboard: MGA1TOO mga2-32-OK => MGA1TOO mga2-32-OK mga2-64-OK

Comment 4 claire robinson 2012-09-01 12:01:06 CEST
Testing complete mga1 i586

Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK => MGA1TOO mga2-32-OK mga2-64-OK mga1-32-OK

Comment 5 claire robinson 2012-09-01 12:35:31 CEST
Testing complete mga1 x86_64

Validating

See comment 0 for advisory and srpms

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO mga2-32-OK mga2-64-OK mga1-32-OK => MGA1TOO mga2-32-OK mga2-64-OK mga1-32-OK mga1-64-OK

Comment 6 Thomas Backlund 2012-09-04 18:57:22 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0252

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

