Bug 9140 - java-1.6.0-openjdk new security issues fixed in IcedTea6 1.11.8
Summary: java-1.6.0-openjdk new security issues fixed in IcedTea6 1.11.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal  Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/539200/
Whiteboard: MGA2-64-OK mga2-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-02-21 01:00 CET by David Walser
Modified: 2013-02-21 22:11 CET
CC: 3 users

See Also:
Source RPM: java-1.6.0-openjdk
CVE:
Status comment:


Description David Walser 2013-02-21 01:00:15 CET
Red Hat has issued an advisory today (February 20):
https://rhn.redhat.com/errata/RHSA-2013-0273.html

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-02-21 15:13:04 CET
Updated package uploaded for Mageia 2.

Advisory:
========================

Updated java-1.6.0-openjdk packages fix security vulnerabilities:

An improper permission check issue was discovered in the JMX component in
OpenJDK. An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions (CVE-2013-1486).

It was discovered that OpenJDK leaked timing information when decrypting
TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.
A remote attacker could possibly use this flaw to retrieve plain text from
the encrypted packets by using a TLS/SSL server as a padding oracle
(CVE-2013-0169).

This updates IcedTea6 to version 1.11.8, which fixes these and other issues.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-1-11-8-1-12-3-for-openjdk-6-released/
https://rhn.redhat.com/errata/RHSA-2013-0273.html
========================

Updated packages in core/updates_testing:
========================
java-1.6.0-openjdk-1.6.0.0-38.b24.1.mga2
java-1.6.0-openjdk-devel-1.6.0.0-38.b24.1.mga2
java-1.6.0-openjdk-demo-1.6.0.0-38.b24.1.mga2
java-1.6.0-openjdk-src-1.6.0.0-38.b24.1.mga2
java-1.6.0-openjdk-javadoc-1.6.0.0-38.b24.1.mga2

from java-1.6.0-openjdk-1.6.0.0-38.b24.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs
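A verification check for this update, added here as an example (it is not part of the bug report or of Mageia's own tooling): it ports rpm's version comparison to Python and flags installed java-1.6.0-openjdk packages whose version-release is older than the fixed 1.6.0.0-38.b24.1.mga2 build from comment 1. The sample `rpm -qa` lines are constructed; the "-37" release in them is a made-up older build, not a real Mageia package.

```python
import re
FIXED_EVR = "1.6.0.0-38.b24.1.mga2"   # version-release of the fixed build (comment 1); no epoch
ARCH_RE = re.compile(r"\.(x86_64|i586|i686|noarch)$")

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if older, 0 if equal ('^' not handled)."""
    while a or b:
        a, b = re.sub(r"^[^A-Za-z0-9~]+", "", a), re.sub(r"^[^A-Za-z0-9~]+", "", b)  # skip separators
        if a[:1] == "~" and b[:1] == "~":           # both pre-release markers: consume and go on
            a, b = a[1:], b[1:]
            continue
        if "~" in (a[:1], b[:1]):                   # lone '~' sorts lower, even against end of string
            return -1 if a[:1] == "~" else 1
        if not a or not b:
            break
        isnum = a[0].isdigit()                      # segment type follows a's first character
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        seg_a, m_b = re.match(pat, a).group(), re.match(pat, b)
        if not m_b:                                 # digits vs letters: the numeric side is newer
            return 1 if isnum else -1
        seg_b = m_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        if isnum:                                   # numeric segments compare as integers (10 > 9)
            seg_a, seg_b = int(seg_a), int(seg_b)
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    return int(bool(a)) - int(bool(b))              # leftover segments on one side make it newer

def evr_cmp(x, y):
    """Compare '[epoch:]version-release' strings; a missing epoch counts as 0."""
    (ex, _, x), (ey, _, y) = x.rpartition(":"), y.rpartition(":")
    (vx, _, rx), (vy, _, ry) = x.rpartition("-"), y.rpartition("-")
    ex, ey = int(ex or 0), int(ey or 0)
    return (ex > ey) - (ex < ey) or rpmvercmp(vx, vy) or rpmvercmp(rx, ry)

def vulnerable_packages(rpm_qa_lines, prefix="java-1.6.0-openjdk", fixed=FIXED_EVR):
    """Return the `rpm -qa` lines for the affected packages whose EVR predates the fix."""
    hits = []
    for line in rpm_qa_lines:
        name, ver, rel = ARCH_RE.sub("", line.strip()).rsplit("-", 2)
        if name.startswith(prefix) and evr_cmp(f"{ver}-{rel}", fixed) < 0:
            hits.append(line)
    return hits

SAMPLE_RPM_QA = [  # constructed `rpm -qa` excerpt; the "-37" release is a made-up older build
    "java-1.6.0-openjdk-1.6.0.0-37.b24.1.mga2.x86_64",
    "java-1.6.0-openjdk-devel-1.6.0.0-38.b24.1.mga2.x86_64",
    "java-1.6.0-openjdk-javadoc-1.6.0.0-38.b24.1.mga2.noarch",
    "some-other-pkg-1.0-1.mga2.x86_64"]
```

Feed it the real output of `rpm -qa` on a Mageia 2 host and any line it returns is a package still at a pre-fix build.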

Comment 2 claire robinson 2013-02-21 15:31:08 CET
No PoCs
Comment 3 Bill Wilkinson 2013-02-21 15:54:49 CET
Tested with HelloWorld
http://docs.oracle.com/javase/tutorial/getStarted/cupojava/unix.html

Tested with OddEven
https://en.wikipedia.org/wiki/Java_%28programming_language%29#A_more_comprehensive_example

All works as expected on x86_64 MGA2

CC: (none) => wrw105
Whiteboard: (none) => MGA2-64-OK

Comment 4 claire robinson 2013-02-21 16:47:22 CET
Testing complete mga2 32

Validating

Advisory & srpm in comment 1

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-64-OK => MGA2-64-OK mga2-32-ok

Comment 5 Thomas Backlund 2013-02-21 22:11:37 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0062

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
