Bug 8976 - java-1.6.0-openjdk new security issues fixed in IcedTea6 1.11.6
: java-1.6.0-openjdk new security issues fixed in IcedTea6 1.11.6
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: MGA2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-02-05 23:12 CET by David Walser
Modified: 2013-02-10 19:00 CET (History)
5 users (show)

See Also:
Source RPM: java-1.6.0-openjdk-1.6.0.0-35.b24.1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-02-05 23:12:45 CET
IcedTea6 1.11.6 has been released upstream, fixing several security issues:
http://blog.fuseyism.com/index.php/2013/02/03/security-icedtea6-1-11-6-released/
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021708.html

Updated package uploaded for Mageia 2.

Here's a preliminary advisory; it will probably be updated when RedHat issues an advisory for this with better CVE descriptions.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

RMI data sanitization (CVE-2013-0424).

Add logging context (CVE-2013-0425).

Find log level matching its name or value given at construction time
(CVE-2013-0426).

Improve thread pool shutdown (CVE-2013-0427).

Improving CORBA internals (CVE-2013-0429).

Improve clipboard access (CVE-2013-0432).

Better validation of client keys (CVE-2013-0443).

Better Checking of order of TLS Messages (CVE-2013-0440).

Issue in toolkit thread (CVE-2013-0442).

(proxy) Reflect about creating reflective proxies (CVE-2013-0428).

Change modifiers on unused fields (CVE-2013-0441).

Better handling of UI elements (CVE-2013-0435).

InetSocketAddress serialization issue (CVE-2013-0433).

Contextualize RequiredModelMBean class (CVE-2013-0450).

Improve IIOP type reuse management (CVE-2013-1475).

Restrict access to class constructor (CVE-2013-1476).

Improve JAXP HTTP handling (CVE-2013-0434).

Improve image processing (CVE-2013-1478).

Improve management of images (CVE-2013-1480).

This updates IcedTea6 to version 1.11.6, which fixes these issues, as well
as several others.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0424
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0425
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0426
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0427
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0428
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0429
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0432
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0433
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0434
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0435
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0440
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0441
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0442
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0450
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1475
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1476
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1478
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1480
http://blog.fuseyism.com/index.php/2013/02/03/security-icedtea6-1-11-6-released/
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-36.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-36.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-36.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-36.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-36.b24.1.mga2

from java-1.6.0-openjdk-1.6.0.0-36.b24.1.mga2.src.rpm
Comment 1 Dave Hodgins 2013-02-06 04:14:28 CET
Testing complete on Mageia 2 i586 and x86_64.

No poc, so just testing that java applets and tomcat6 work.

Could someone from the sysadmin team push the srpm
java-1.6.0-openjdk-1.6.0.0-36.b24.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

See the Description for the advisory.
Comment 2 Thomas Backlund 2013-02-06 23:31:01 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0038
Comment 3 David Walser 2013-02-10 19:00:00 CET
RedHat has issued an advisory for this on February 8:
https://rhn.redhat.com/errata/RHSA-2013-0245.html

I noticed that one of the CVE references was missing in our list of references:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0443

It was listed in the advisory text itself.  RedHat also has another:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0445

I don't know where they got that one from.

Anyway, here's the updated advisory with the advisory text from RedHat.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

Multiple improper permission check issues were discovered in the AWT,
CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions (CVE-2013-0442, CVE-2013-0445, CVE-2013-0441, CVE-2013-1475,
CVE-2013-1476, CVE-2013-0429, CVE-2013-0450, CVE-2013-0425, CVE-2013-0426,
CVE-2013-0428).

Multiple flaws were found in the way image parsers in the 2D and AWT
components handled image raster parameters. A specially-crafted image could
cause Java Virtual Machine memory corruption and, possibly, lead to
arbitrary code execution with the virtual machine privileges
(CVE-2013-1478, CVE-2013-1480).

A flaw was found in the AWT component's clipboard handling code. An
untrusted Java application or applet could use this flaw to access
clipboard data, bypassing Java sandbox restrictions (CVE-2013-0432).

The default Java security properties configuration did not restrict access
to certain com.sun.xml.internal packages. An untrusted Java application or
applet could use this flaw to access information, bypassing certain Java
sandbox restrictions. This update lists the whole package as restricted
(CVE-2013-0435).

Multiple improper permission check issues were discovered in the Libraries,
Networking, and JAXP components. An untrusted Java application or applet
could use these flaws to bypass certain Java sandbox restrictions
(CVE-2013-0427, CVE-2013-0433, CVE-2013-0434).

It was discovered that the RMI component's CGIHandler class used user
inputs in error messages without any sanitization. An attacker could use
this flaw to perform a cross-site scripting (XSS) attack (CVE-2013-0424).

It was discovered that the SSL/TLS implementation in the JSSE component
did not properly enforce handshake message ordering, allowing an unlimited
number of handshake restarts. A remote attacker could use this flaw to
make an SSL/TLS server using JSSE consume an excessive amount of CPU by
continuously restarting the handshake (CVE-2013-0440).

It was discovered that the JSSE component did not properly validate
Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw
to perform a small subgroup attack (CVE-2013-0443).

This updates IcedTea6 to version 1.11.6, which fixes these issues, as well
as several others.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0424
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0425
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0426
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0427
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0428
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0429
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0432
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0433
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0434
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0435
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0440
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0441
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0442
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0443
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0445
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0450
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1475
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1476
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1478
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-1480
http://blog.fuseyism.com/index.php/2013/02/03/security-icedtea6-1-11-6-released/
http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
https://rhn.redhat.com/errata/RHSA-2013-0245.html

Note You need to log in before you can comment on or make changes to this bug.