RedHat has issued an advisory today (October 17):
https://rhn.redhat.com/errata/RHSA-2012-1385.html (IcedTea 1.10)
https://rhn.redhat.com/errata/RHSA-2012-1384.html (IcedTea 1.11)

Mageia 1 and Mageia 2 are both affected.
CC: (none) => dmorganec
Whiteboard: (none) => MGA1TOO
Interesting dilemma with this one, the release tags in our java-1.6.0-openjdk packages begin with a number that conventionally has been defined as follows.

29.b22.1.mga1, 29 = IcedTea6 1.10.9, 2 in the 29 corresponds to the 10
34.b24.1.mga2, 34 = IcedTea6 1.11.4, 3 in the 34 corresponds to the 11

So the last digit corresponds to the last part of the IcedTea6 version number, but with this update, the IcedTea6 in Mageia 1 will be 1.10.10, which raises the question of what number to use at the beginning of the release tag. It can't be 210, as that would be newer than 3x in Mageia 2. Making it 30 seems wrong, as it suggests 1.11.0 according to the numbering convention. Could it be 2A like hexadecimal 10 at the end?
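The comment above is really a question about how rpm orders release tags. The following is an added example, not code from this bug thread or from Mageia's packaging: a small Python reimplementation of rpm's rpmvercmp() segment rules (digit runs versus letter runs, separators ignored, "~" sorting first; the newer "^" marker is left out), run over the three candidate tags the comment discusses. The shipped release tags are the ones quoted in the comment; the helper names `rpmvercmp`, `release_fits` and `evaluate_candidates` are this example's own.

```python
"""Added example: a minimal reimplementation of rpm's rpmvercmp() used to
check which release tag candidates from the comment above sort correctly.
Not the bug thread's or Mageia's own code."""


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a sorts newer than b, -1 if older, 0 if they sort equal.

    Mirrors rpm's rpmvercmp(): the strings are cut into maximal runs of
    digits or of letters, separators are ignored, numeric segments compare
    by value (leading zeros stripped) and always beat alphabetic ones, and
    a '~' sorts before everything, including the end of the string.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' handling: "1.0~rc1" is older than "1.0".
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        # Cut the next segment of the same type (digits or letters) from both.
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        sa, sb = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:
            # Segment types differ (numeric vs alphabetic): numeric is newer.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has characters left sorts newer.
    return -1 if i >= len(a) else 1


# Release tags quoted in the comment above. The version (1.6.0.0) is the same
# on both branches, so rpm decides the order on the release tag alone.
SHIPPED_MGA1 = "29.b22.1.mga1"   # IcedTea6 1.10.9 build on Mageia 1
SHIPPED_MGA2 = "34.b24.1.mga2"   # IcedTea6 1.11.4 build on Mageia 2


def release_fits(candidate: str, shipped_same_branch: str = SHIPPED_MGA1,
                 next_branch: str = SHIPPED_MGA2) -> bool:
    """A new Mageia 1 release tag must upgrade what Mageia 1 already ships
    AND still sort below the Mageia 2 package, or a dist-upgrade would keep
    the old package."""
    return (rpmvercmp(candidate, shipped_same_branch) > 0
            and rpmvercmp(candidate, next_branch) < 0)


def evaluate_candidates() -> dict:
    """Check the three options discussed in the comment for IcedTea6 1.10.10."""
    candidates = (
        "210.b22.1.mga1",  # reads as 1.10.10 but sorts above 3x (Mageia 2)
        "2A.b22.1.mga1",   # "hex 10": first segment "2" vs "29" is a downgrade
        "30.b22.1.mga1",   # sorts between 29 (old mga1) and 34 (mga2)
    )
    return {c: release_fits(c) for c in candidates}


if __name__ == "__main__":
    for tag, ok in evaluate_candidates().items():
        print(f"{tag:16} upgrade-safe: {ok}")
```

The "2A" idea fails for a reason the comment does not spell out: rpm cuts "2A" into a numeric segment "2" and an alphabetic "A", and "2" is compared against "29" first, so the tag would be a downgrade on Mageia 1 itself, not merely odd-looking. "210" upgrades Mageia 1 but outranks the Mageia 2 package; only "30" satisfies both constraints. On a system with rpmdevtools installed, `rpmdev-vercmp` gives the same answers from the real implementation.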
I decided to use 30 for the release tag, as we still have the b22/b24 to distinguish the versions using IcedTea6 1.10.x from 1.11.x.

Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory (Mageia 1):
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2012-5086, CVE-2012-5084, CVE-2012-5089).

Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072).

It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2012-5079).

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception (CVE-2012-5081).

It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information (CVE-2012-5075).

A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory (CVE-2012-4416).

It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information (CVE-2012-5077).

It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory (CVE-2012-3216).

This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true (CVE-2012-5085).

References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5069
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5071
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5072
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5073
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5084
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5089
http://blog.fuseyism.com/index.php/2012/10/19/security-icedtea-1-10-10-1-11-15-2-1-3-2-2-3-2-3-3-released/
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
https://rhn.redhat.com/errata/RHSA-2012-1385.html

Advisory (Mageia 2):
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2012-5086, CVE-2012-5084, CVE-2012-5089).

Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072).

It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2012-5079).

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception (CVE-2012-5081).

It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information (CVE-2012-5075).

A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory (CVE-2012-4416).

It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information (CVE-2012-5077).

It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory (CVE-2012-3216).

This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true (CVE-2012-5085).

References:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5069
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5071
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5072
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5073
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5084
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5089
http://blog.fuseyism.com/index.php/2012/10/19/security-icedtea-1-10-10-1-11-15-2-1-3-2-2-3-2-3-3-released/
http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
https://rhn.redhat.com/errata/RHSA-2012-1384.html
========================

Updated packages in core/updates_testing:
========================

java-1.6.0-openjdk-1.6.0.0-30.b22.1.mga1
java-1.6.0-openjdk-devel-1.6.0.0-30.b22.1.mga1
java-1.6.0-openjdk-demo-1.6.0.0-30.b22.1.mga1
java-1.6.0-openjdk-src-1.6.0.0-30.b22.1.mga1
java-1.6.0-openjdk-javadoc-1.6.0.0-30.b22.1.mga1
java-1.6.0-openjdk-1.6.0.0-35.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-35.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.1.mga2

from SRPMS:
java-1.6.0-openjdk-1.6.0.0-30.b22.1.mga1.src.rpm
java-1.6.0-openjdk-1.6.0.0-35.b24.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Tested only for regression with the java program tvbrowser for mga2 i586 and x86_64: no regression detected.
Whiteboard: MGA1TOO => MGA1TOO, MGA2-64-OK, MGA2-32-OK
Been testing a whole range of applets online and all of them pass, no regressions.

On MGA2, x86_64

Simon/Lemonzest
CC: (none) => lemonzest
Tested with the same java program as in Comment #3 for mga1 on both architectures. No regression detected.
Whiteboard: MGA1TOO, MGA2-64-OK, MGA2-32-OK => MGA1TOO, MGA2-64-OK, MGA2-32-OK, MGA1-32-OK, MGA1-64-OK
Updates validated.

Sysadmin: for the advisory and SRPMs see https://bugs.mageia.org/show_bug.cgi?id=7832#c2

Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Just an additional test performed with other java programs (i.e. freemind from the repos) - nothing to report.
Update pushed:

Mageia 1: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0307
Mageia 2: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0308
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED