RedHat has issued an advisory on January 16: https://rhn.redhat.com/errata/RHSA-2013-0165.html We'll also need to update this for Mageia 2, but not as critical there as it doesn't affect icedtea-web on Mageia 2 which uses java-1.6.0-openjdk.
Whiteboard: (none) => MGA2TOO
Fixed in Cauldron in java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga3. Another reference for the advisory: http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
Version: Cauldron => 2Source RPM: java-1.7.0-openjdk-1.7.0.6-2.3.3.2.mga3.src.rpm => java-1.7.0-openjdk-1.7.0.6-2.3.3.1.mga2.src.rpmWhiteboard: MGA2TOO => (none)
Updated package uploaded for Mageia 2. Advisory: ======================== Updated java-1.7.0-openjdk packages fix security vulnerabilities: Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2012-3174, CVE-2013-0422). IcedTea7 has been updated to version 2.3.4 to fix these security issues. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422 http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/ http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html https://rhn.redhat.com/errata/RHSA-2013-0165.html ======================== Updated packages in core/updates_testing: ======================== java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga2 java-1.7.0-openjdk-devel-1.7.0.6-2.3.4.1.mga2 java-1.7.0-openjdk-demo-1.7.0.6-2.3.4.1.mga2 java-1.7.0-openjdk-src-1.7.0.6-2.3.4.1.mga2 java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.4.1.mga2 from java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga2.src.rpm
CC: (none) => dmorganecAssignee: dmorganec => qa-bugsSeverity: normal => major
Testing complete on Mageia 2 i586 and x86-64. No poc, just testing that freemind works. Could someone from the sysadmin team push the srpm java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated java-1.7.0-openjdk packages fix security vulnerabilities: Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2012-3174, CVE-2013-0422). IcedTea7 has been updated to version 2.3.4 to fix these security issues. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3174 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422 http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/ http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html https://rhn.redhat.com/errata/RHSA-2013-0165.html https://bugs.mageia.org/show_bug.cgi?id=8728
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
*** Bug 8685 has been marked as a duplicate of this bug. ***
CC: (none) => oe