RedHat has issued an advisory today (February 20): https://rhn.redhat.com/errata/RHSA-2013-0275.html

The Fedora commit shows several changes: http://pkgs.fedoraproject.org/cgit/java-1.7.0-openjdk.git/commit/

Mageia 2 is also affected.
CC: (none) => dmorganec
Whiteboard: (none) => MGA2TOO
Here is the upstream announcement:
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/022040.html
Updated packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2013-1486, CVE-2013-1484).

An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2013-1485).

It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle (CVE-2013-0169).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
https://rhn.redhat.com/errata/RHSA-2013-0275.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-debug-1.7.0.6-2.3.7.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: dmorganec => qa-bugs
Whiteboard: MGA2TOO => (none)
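The practical question for anyone running Mageia 2 is whether the installed java-1.7.0-openjdk build is at or past the fixed one named in the advisory. The following is an added Python example, not code from the bug report or from Mageia: it reimplements RPM's version-segment ordering (rpmvercmp) so the check runs offline, and the installed NVR strings it is exercised with are constructed samples.

```python
"""Check an installed java-1.7.0-openjdk NVR against the advisory's fixed build,
java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2. Added example (not Mageia's or the
reporter's code); rpmvercmp is reimplemented so the check runs offline."""
import re

FIXED_NVR = "java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2"  # from the advisory


def rpmvercmp(a, b):
    """Return -1, 0 or 1 with RPM's segment ordering (tilde supported)."""
    if a == b:
        return 0
    while True:
        # Separators such as '.' and '_' only delimit segments.
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        # A leading tilde sorts before everything, even end of string (pre-releases).
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        isnum = a[0].isdigit()
        pat = r"\d" if isnum else r"[A-Za-z]"
        seg_a = re.match(pat + "+", a).group()
        seg_b = re.match(pat + "*", b).group()
        if not seg_b:
            return 1 if isnum else -1  # numeric segments are newer than alphabetic
        cmp_a, cmp_b = (seg_a.lstrip("0"), seg_b.lstrip("0")) if isnum else (seg_a, seg_b)
        if isnum and len(cmp_a) != len(cmp_b):
            return 1 if len(cmp_a) > len(cmp_b) else -1
        if cmp_a != cmp_b:
            return 1 if cmp_a > cmp_b else -1
        a, b = a[len(seg_a):], b[len(seg_b):]
    if not a and not b:
        return 0
    return 1 if a else -1  # whichever side still has segments left is newer


def is_fixed(installed_nvr, fixed_nvr=FIXED_NVR):
    """True when installed_nvr names the same package at or past the fixed build."""
    name_i, ver_i, rel_i = installed_nvr.rsplit("-", 2)  # name may contain dashes
    name_f, ver_f, rel_f = fixed_nvr.rsplit("-", 2)
    if name_i != name_f:
        raise ValueError(f"package name mismatch: {name_i} vs {name_f}")
    return (rpmvercmp(ver_i, ver_f) or rpmvercmp(rel_i, rel_f)) >= 0
```

Feed it the output of `rpm -q java-1.7.0-openjdk` on the host; note that the `1.7.0_06` shown by `java -version` compares equal to the package version `1.7.0.6`, since `_` and `.` are both treated as separators.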
Testing mga2-64. No PoC on securityfocus.
CC: (none) => wrw105
$ java -version
java version "1.7.0_06-icedtea"
OpenJDK Runtime Environment (mageia-2.3.7.1.mga2-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

Tested HelloWorld from http://docs.oracle.com/javase/tutorial/getStarted/cupojava/unix.html
Tested OddEven from https://en.wikipedia.org/wiki/Java_%28programming_language%29#A_more_comprehensive_example

Both provided appropriate answers.

MGA2-64-OK
Whiteboard: (none) => MGA2-64-OK
Testing complete mga2 32.

Validating, could sysadmin please push from core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-64-OK => has_procedure MGA2-64-OK mga2-32-ok
Sorry, advisory & srpm in comment 2
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED