Bug 9264 - java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.8
: java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.8
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: Sec team
:
: has_procedure mga2-32-ok MGA2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-03-05 16:51 CET by David Walser
Modified: 2013-03-09 01:59 CET (History)
3 users (show)

See Also:
Source RPM: java-1.7.0-openjdk-1.7.0.6-2.3.7.1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-03-05 16:51:56 CET
IcedTea7 2.3.8 is out, though it hasn't been released yet.

It likely fixes the same two CVEs that were just fixed in IcedTea6.

Updated packages uploaded for Mageia 2 and Cauldron.

Advisory to come later.

Updated RPMs:
java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-debug-1.7.0.6-2.3.8.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2013-03-05 16:54:30 CET
Again!?
Comment 2 David Walser 2013-03-06 22:36:45 CET
Finally, RedHat has issued their advisory:
https://rhn.redhat.com/errata/RHSA-2013-0602.html

This one still needs to be tested.  Here's the advisory (same CVEs as 6).

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

An integer overflow flaw was found in the way the 2D component handled
certain sample model instances. A specially-crafted sample model instance
could cause Java Virtual Machine memory corruption and, possibly, lead to
arbitrary code execution with virtual machine privileges (CVE-2013-0809).

It was discovered that the 2D component did not properly reject certain
malformed images. Specially-crafted raster parameters could cause Java
Virtual Machine memory corruption and, possibly, lead to arbitrary code
execution with virtual machine privileges (CVE-2013-1493).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
https://rhn.redhat.com/errata/RHSA-2013-0602.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.8.1.mga2
java-1.7.0-openjdk-debug-1.7.0.6-2.3.8.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.8.1.mga2.src.rpm
Comment 3 claire robinson 2013-03-06 23:29:46 CET
Testing complete mga2 32

# update-alternatives --config java

Select 1.7.0

$ javac HelloWorldApp.java
$ java HelloWorldApp
Hello World!
Comment 4 Bill Wilkinson 2013-03-07 04:47:05 CET
Testing complete mga2 64

HelloWorld app and OddEven work as expected.
Comment 5 Bill Wilkinson 2013-03-07 04:48:21 CET
validating.

Advisory and package list in comment 2.

can someone from the sysadmin team please push from core/updates_testing to core/updates?

Thanks!
Comment 6 David Walser 2013-03-07 13:46:43 CET
Thanks Bill.  Please remember to CC sysadmin-bugs when validating.
Comment 7 D Morgan 2013-03-09 01:59:09 CET
Update pushed: 
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0088

Note You need to log in before you can comment on or make changes to this bug.