lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Uyhui-0000dS-9H@titan.mandriva.com>
Date: Mon, 15 Jul 2013 14:30:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2013:196 ] java-1.6.0-openjdk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:196
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.6.0-openjdk
 Date    : July 15, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.6.0-openjdk packages fix security vulnerabilities:
 
 Multiple flaws were discovered in the ImagingLib and the image
 attribute, channel, layout and raster processing in the 2D
 component. An untrusted Java application or applet could possibly
 use these flaws to trigger Java Virtual Machine memory corruption
 (CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,
 CVE-2013-2463, CVE-2013-2465, CVE-2013-2469).
 
 Integer overflow flaws were found in the way AWT processed certain
 input. An attacker could use these flaws to execute arbitrary code
 with the privileges of the user running an untrusted Java applet or
 application (CVE-2013-2459).
 
 Multiple improper permission check issues were discovered in the
 Sound and JMX components in OpenJDK. An untrusted Java application
 or applet could use these flaws to bypass Java sandbox restrictions
 (CVE-2013-2448, CVE-2013-2457, CVE-2013-2453).
 
 Multiple flaws in the Serialization, Networking, Libraries and CORBA
 components can be exploited by an untrusted Java application or applet
 to gain access to potentially sensitive information (CVE-2013-2456,
 CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,
 CVE-2013-2446).
 
 It was discovered that the Hotspot component did not properly handle
 out-of-memory errors. An untrusted Java application or applet could
 possibly use these flaws to terminate the Java Virtual Machine
 (CVE-2013-2445).
 
 It was discovered that the AWT component did not properly manage
 certain resources and that the ObjectStreamClass of the Serialization
 component did not properly handle circular references. An untrusted
 Java application or applet could possibly use these flaws to cause
 a denial of service (CVE-2013-2444, CVE-2013-2450).
 
 It was discovered that the Libraries component contained certain errors
 related to XML security and the class loader. A remote attacker could
 possibly exploit these flaws to bypass intended security mechanisms
 or disclose potentially sensitive information and cause a denial of
 service (CVE-2013-2407, CVE-2013-2461).
 
 It was discovered that JConsole did not properly inform the user when
 establishing an SSL connection failed. An attacker could exploit
 this flaw to gain access to potentially sensitive information
 (CVE-2013-2412).
 
 It was found that documentation generated by Javadoc was vulnerable to
 a frame injection attack. If such documentation was accessible over
 a network, and a remote attacker could trick a user into visiting a
 specially-crafted URL, it would lead to arbitrary web content being
 displayed next to the documentation. This could be used to perform a
 phishing attack by providing frame content that spoofed a login form
 on the site hosting the vulnerable documentation (CVE-2013-1571).
 
 It was discovered that the 2D component created shared memory segments
 with insecure permissions. A local attacker could use this flaw to
 read or write to the shared memory segment (CVE-2013-1500).
 
 It was discovered that the Networking component did not properly
 enforce exclusive port binding. A local attacker could exploit this
 flaw to bind to ports intended to be exclusively bound (CVE-2013-2451).
 
 This updates IcedTea6 to version 1.11.12, which fixes these issues,
 as well as several other bugs.
 
 Additionally, this OpenJDK update causes icedtea-web, the Java browser
 plugin, to crash, so icedtea-web has been patched to fix this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
 https://rhn.redhat.com/errata/RHSA-2013-1014.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 3ae552d38d7cd10be746e4703279f789  mes5/i586/icedtea-web-1.3.2-0.4mdvmes5.2.i586.rpm
 cb106d5fa87dcb272347ccc6ff4c1c24  mes5/i586/icedtea-web-javadoc-1.3.2-0.4mdvmes5.2.i586.rpm
 2ae9cb967329a454731c3c5c50118fb5  mes5/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 05afab461704f00714707dd22f4811be  mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 dc372b36845109db264de4d33301d9e5  mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 55cdf45405844e373f60c3bcac1c3fbc  mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 48653ecc4f9b945fafbf43e972465a18  mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm 
 6652ab0958ffe2b11b061f8281c3e5a7  mes5/SRPMS/icedtea-web-1.3.2-0.4mdvmes5.2.src.rpm
 977e2c2d131ba350b6dd15cfd1bbf14c  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 6ffbc522ac4a2db8212ac963de525576  mes5/x86_64/icedtea-web-1.3.2-0.4mdvmes5.2.x86_64.rpm
 2bc2c2b9ce03a4785ef061ca66156aaa  mes5/x86_64/icedtea-web-javadoc-1.3.2-0.4mdvmes5.2.x86_64.rpm
 841d31717e695fd649290fd561400a4d  mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 51bd267b7c1b2efe641e080deb68fe96  mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 68fb561cd1b10758db8d9d6aa7d24487  mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 775811371aca053a714df2d570c19720  mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 7ce118640d8e59d659b020febe513427  mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm 
 6652ab0958ffe2b11b061f8281c3e5a7  mes5/SRPMS/icedtea-web-1.3.2-0.4mdvmes5.2.src.rpm
 977e2c2d131ba350b6dd15cfd1bbf14c  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFR47+cmqjQ0CJFipgRAmnTAJ4lalit4V4VWsSE6KHeem9qtHb+9gCgmJ/U
GUelRnMi6Rq7d9NhnTCwrlg=
=rErU
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ