Bug 9139 - java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.7
Summary: java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/539202/
Whiteboard: has_procedure MGA2-64-OK mga2-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-02-21 00:56 CET by David Walser
Modified: 2013-03-03 01:10 CET (History)
4 users (show)

See Also:
Source RPM: java-1.7.0-openjdk
CVE:
Status comment:


Attachments

Description David Walser 2013-02-21 00:56:21 CET
RedHat has issued an advisory today (February 20):
https://rhn.redhat.com/errata/RHSA-2013-0275.html

The Fedora commit shows several changes:
http://pkgs.fedoraproject.org/cgit/java-1.7.0-openjdk.git/commit/

Mageia 2 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2013-02-21 00:56:34 CET

CC: (none) => dmorganec
Whiteboard: (none) => MGA2TOO

Comment 2 David Walser 2013-03-02 20:51:07 CET
Updated packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Multiple improper permission check issues were discovered in the JMX and
Libraries components in OpenJDK. An untrusted Java application or applet
could use these flaws to bypass Java sandbox restrictions (CVE-2013-1486,
CVE-2013-1484).

An improper permission check issue was discovered in the Libraries
component in OpenJDK. An untrusted Java application or applet could use
this flaw to bypass certain Java sandbox restrictions (CVE-2013-1485).

It was discovered that OpenJDK leaked timing information when decrypting
TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.
A remote attacker could possibly use this flaw to retrieve plain text from
the encrypted packets by using a TLS/SSL server as a padding oracle
(CVE-2013-0169).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
https://rhn.redhat.com/errata/RHSA-2013-0275.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.7.1.mga2
java-1.7.0-openjdk-debug-1.7.0.6-2.3.7.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: dmorganec => qa-bugs
Whiteboard: MGA2TOO => (none)

Comment 3 Bill Wilkinson 2013-03-02 21:05:33 CET
testing mga2-64

No PoC on securityfocus.

CC: (none) => wrw105

Comment 4 Bill Wilkinson 2013-03-02 21:35:04 CET
$ java -version
java version "1.7.0_06-icedtea"
OpenJDK Runtime Environment (mageia-2.3.7.1.mga2-x86_64)
OpenJDK 64-Bit Server VM (build 23.7-b01, mixed mode)

tested HelloWorld from
http://docs.oracle.com/javase/tutorial/getStarted/cupojava/unix.html

Tested OddEven from
https://en.wikipedia.org/wiki/Java_%28programming_language%29#A_more_comprehensive_example

Both provided appropriate answers.

MGA2-64-OK

Whiteboard: (none) => MGA2-64-OK

Comment 5 claire robinson 2013-03-02 23:30:44 CET
Testing complete mga2 32

Validating, could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-64-OK => has_procedure MGA2-64-OK mga2-32-ok

Comment 6 claire robinson 2013-03-02 23:31:11 CET
Sorry, advisory & srpm in comment 2
Comment 7 Thomas Backlund 2013-03-03 01:10:15 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.