Bug 8728 - java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.4
Summary: java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.4
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/532660/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
: 8685 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-01-17 22:27 CET by David Walser
Modified: 2013-01-31 22:43 CET (History)
5 users (show)

See Also:
Source RPM: java-1.7.0-openjdk-1.7.0.6-2.3.3.1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-01-17 22:27:29 CET
RedHat has issued an advisory on January 16:
https://rhn.redhat.com/errata/RHSA-2013-0165.html

We'll also need to update this for Mageia 2, but not as critical there as it doesn't affect icedtea-web on Mageia 2 which uses java-1.6.0-openjdk.
David Walser 2013-01-17 22:27:36 CET

Whiteboard: (none) => MGA2TOO

Comment 1 David Walser 2013-01-17 23:25:36 CET
Fixed in Cauldron in java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga3.

Another reference for the advisory:
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/

Version: Cauldron => 2
Source RPM: java-1.7.0-openjdk-1.7.0.6-2.3.3.2.mga3.src.rpm => java-1.7.0-openjdk-1.7.0.6-2.3.3.1.mga2.src.rpm
Whiteboard: MGA2TOO => (none)

Comment 2 David Walser 2013-01-18 21:08:14 CET
Updated package uploaded for Mageia 2.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Two improper permission check issues were discovered in the reflection API
in OpenJDK. An untrusted Java application or applet could use these flaws
to bypass Java sandbox restrictions (CVE-2012-3174, CVE-2013-0422).

IcedTea7 has been updated to version 2.3.4 to fix these security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
https://rhn.redhat.com/errata/RHSA-2013-0165.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.4.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.4.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.4.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.4.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga2.src.rpm

CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
Severity: normal => major

Comment 3 Dave Hodgins 2013-01-22 00:19:07 CET
Testing complete on Mageia 2 i586 and x86-64.

No poc, just testing that freemind works.

Could someone from the sysadmin team push the srpm
java-1.7.0-openjdk-1.7.0.6-2.3.4.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Two improper permission check issues were discovered in the reflection API
in OpenJDK. An untrusted Java application or applet could use these flaws
to bypass Java sandbox restrictions (CVE-2012-3174, CVE-2013-0422).

IcedTea7 has been updated to version 2.3.4 to fix these security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
https://rhn.redhat.com/errata/RHSA-2013-0165.html

https://bugs.mageia.org/show_bug.cgi?id=8728

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Comment 4 Thomas Backlund 2013-01-24 23:34:36 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 5 David Walser 2013-01-31 22:43:42 CET
*** Bug 8685 has been marked as a duplicate of this bug. ***

CC: (none) => oe


Note You need to log in before you can comment on or make changes to this bug.