Bug 9139 - java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.7
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/539202/
Whiteboard: has_procedure MGA2-64-OK mga2-32-ok
Keywords: validated_update
Reported: 2013-02-21 00:56 CET by David Walser
Modified: 2013-03-03 01:10 CET (History)
Source RPM: java-1.7.0-openjdk

Description David Walser 2013-02-21 00:56:21 CET
RedHat has issued an advisory today (February 20):
https://rhn.redhat.com/errata/RHSA-2013-0275.html

The Fedora commit shows several changes:
http://pkgs.fedoraproject.org/cgit/java-1.7.0-openjdk.git/commit/

Mageia 2 is also affected.

Comment 2 David Walser 2013-03-02 20:51:07 CET
Updated packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Multiple improper permission check issues were discovered in the JMX and
Libraries components in OpenJDK. An untrusted Java application or applet
could use these flaws to bypass Java sandbox restrictions (CVE-2013-1486,
CVE-2013-1484).

An improper permission check issue was discovered in the Libraries
component in OpenJDK. An untrusted Java application or applet could use
this flaw to bypass certain Java sandbox restrictions (CVE-2013-1485).

It was discovered that OpenJDK leaked timing information when decrypting
TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.
A remote attacker could possibly use this flaw to retrieve plain text from
the encrypted packets by using a TLS/SSL server as a padding oracle
(CVE-2013-0169).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
https://rhn.redhat.com/errata/RHSA-2013-0275.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-debug-1.7.0.6-2.3.7.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2.src.rpm
Comment 3 Bill Wilkinson 2013-03-02 21:05:33 CET
testing mga2-64

No PoC on securityfocus.
Comment 4 Bill Wilkinson 2013-03-02 21:35:04 CET
$ java -version
java version "1.7.0_06-icedtea"
OpenJDK Runtime Environment (mageia-2.3.7.1.mga2-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

tested HelloWorld from
http://docs.oracle.com/javase/tutorial/getStarted/cupojava/unix.html

Tested OddEven from
https://en.wikipedia.org/wiki/Java_%28programming_language%29#A_more_comprehensive_example

Both provided appropriate answers.

MGA2-64-OK
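A scripted form of the check done in comment 4, added here as an example and not part of the bug report or of Mageia's QA tooling: it pulls the IcedTea release out of the `java -version` banner and compares it with the 2.3.7 fix level named in the bug title. It assumes Mageia's `(mageia-2.3.7.1.mga2-x86_64)` banner form; the older banner in the sample is constructed.

```sh
#!/bin/sh
# Added example (not from the bug report or Mageia): tell whether an installed
# java-1.7.0-openjdk has the IcedTea 2.3.7 fixes by reading the IcedTea release
# out of the "java -version" banner. Assumes Mageia's "(mageia-2.3.7.1.mga2-x86_64)"
# banner form shown in comment 4; other vendors tag the runtime line differently.
FIXED_ICEDTEA=2.3.7   # first IcedTea 2.3.x release with these four CVEs fixed

# Print the IcedTea release (e.g. 2.3.7.1) from a banner read on stdin,
# nothing if the runtime line is missing or not in the expected form.
icedtea_version_from_banner() {
    sed -n 's/.*OpenJDK Runtime Environment ([a-z]*-\([0-9][0-9.]*\)\..*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, comparing numerically component by
# component; a missing trailing component counts as 0 (2.3.7 == 2.3.7.0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 0
}

# Classify one complete banner: prints "fixed <ver>", "vulnerable <ver>" or
# "unknown" and returns 0, 1 or 2 so the result can drive a script.
check_banner() {
    v=$(printf '%s\n' "$1" | icedtea_version_from_banner)
    if [ -z "$v" ]; then
        echo unknown; return 2
    elif version_ge "$v" "$FIXED_ICEDTEA"; then
        echo "fixed $v"; return 0
    fi
    echo "vulnerable $v"; return 1
}

# Constructed samples: the first is the banner pasted in comment 4, the
# second is a hypothetical pre-2.3.7 build (the version string is invented).
PATCHED_BANNER='java version "1.7.0_06-icedtea"
OpenJDK Runtime Environment (mageia-2.3.7.1.mga2-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)'
OLD_BANNER='OpenJDK Runtime Environment (mageia-2.3.6.3.mga2-x86_64)'

# Live check when invoked with --live (java -version prints on stderr).
if [ "${1:-}" = --live ] && command -v java >/dev/null 2>&1; then
    check_banner "$(java -version 2>&1)"
fi
```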
Comment 5 claire robinson 2013-03-02 23:30:44 CET
Testing complete mga2 32

Validating, could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 6 claire robinson 2013-03-02 23:31:11 CET
Sorry, advisory & srpm in comment 2
Comment 7 Thomas Backlund 2013-03-03 01:10:15 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
