Message-Id: <E1XhetR-0000x3-1b@titan.mandriva.com>
Date: Fri, 24 Oct 2014 15:27:01 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:209 ] java-1.7.0-openjdk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:209
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.7.0-openjdk
 Date    : October 24, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in
 java-1.7.0-openjdk:
 
 Multiple flaws were discovered in the Libraries, 2D, and Hotspot
 components in OpenJDK. An untrusted Java application or applet
 could use these flaws to bypass certain Java sandbox restrictions
 (CVE-2014-6506, CVE-2014-6531, CVE-2014-6502, CVE-2014-6511,
 CVE-2014-6504, CVE-2014-6519).
 
 It was discovered that the StAX XML parser in the JAXP component in
 OpenJDK performed expansion of external parameter entities even when
 external entity substitution was disabled. A remote attacker could
 use this flaw to perform an XML eXternal Entity (XXE) attack against
 applications using the StAX parser to parse untrusted XML documents
 (CVE-2014-6517).
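
 The distinction behind this flaw, between external general entities
 (referenced as &name; in content) and external parameter entities
 (referenced as %name; inside the DTD), shown with an added Python
 illustration that is not OpenJDK's StAX code: Python's expat binding
 reports both kinds of reference through one callback, so a policy can
 be applied per kind and the effect of blocking only the general kind,
 which is the configuration the advisory describes as insufficient, can
 be observed directly. The sample document, the file URI in it (never
 opened here) and the function names are constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample (not from the advisory): the internal DTD subset declares
# one external general entity and one external parameter entity, both pointing
# at a local file. Nothing in this example ever opens that file.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY gen SYSTEM "file:///etc/hostname">
  <!ENTITY % par SYSTEM "file:///etc/hostname">
  %par;
]>
<doc>&gen;</doc>
"""


def parse_with_policy(xml_bytes, allow_general, allow_parameter,
                      param_entity_parsing=expat.XML_PARAM_ENTITY_PARSING_ALWAYS):
    """Parse xml_bytes under an external-entity policy and report what the
    parser tried to do.

    Returns (ok, text, resolved, refused): `resolved` lists the external
    references the policy let through (acknowledged to expat, never read),
    `refused` the ones it blocked; a refused reference aborts the parse, so
    `ok` is False in that case. `text` is the collected character data.
    `param_entity_parsing` is expat's own knob: with PARSING_NEVER the
    %par; reference is skipped silently and never reaches the callback.
    """
    text, resolved, refused = [], [], []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(param_entity_parsing)

    def on_external_ref(context, base, system_id, public_id):
        # expat passes context=None for parameter entities (and the external
        # DTD subset) and a context string for general entities in content.
        kind = "parameter" if context is None else "general"
        allowed = allow_general if kind == "general" else allow_parameter
        (resolved if allowed else refused).append((kind, system_id))
        # Returning 0 makes expat fail the parse with an external-entity
        # handling error; returning 1 claims success without reading anything.
        return 1 if allowed else 0

    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        return False, "".join(text), resolved, refused
    return True, "".join(text), resolved, refused


if __name__ == "__main__":
    # "General entities disabled" alone: the parameter entity still goes out.
    print(parse_with_policy(SAMPLE, allow_general=False, allow_parameter=True))
    # Both kinds refused: the parse stops at %par;, before any content.
    print(parse_with_policy(SAMPLE, allow_general=False, allow_parameter=False))
```

 The second call is the shape a hardened configuration needs: every
 external reference, general or parameter, is refused loudly rather
 than skipped. For a parser whose documented switch only covers general
 entities, the check worth running is exactly the first call, with a
 parameter-entity reference in the DTD, to see whether the resolver is
 still invoked.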
 
 It was discovered that the DatagramSocket implementation in OpenJDK
 failed to perform source address checks for packets received on a
 connected socket. A remote attacker could use this flaw to have their
 packets processed as if they were received from the expected source
 (CVE-2014-6512).
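
 What the missing check amounts to, as an added Python illustration that
 is neither OpenJDK's DatagramSocket code nor Java: the same receiver run
 three ways, accepting every datagram on its port, comparing each
 datagram's source against the peer it expects, and after a real
 connect(), where the kernel on Linux and the BSDs drops datagrams from
 any other source. The three loopback sockets, the payloads and the
 function name are constructed for this example.

```python
import socket


def run_exchange(mode, timeout=0.5):
    """Constructed loopback exchange: a receiver, the peer it expects, and an
    intruder sending to the same port.

    mode: "none"    accept every datagram (the behaviour the advisory fixes)
          "check"   compare each datagram's source address with the peer
          "connect" connect() the receiver and rely on the kernel's filtering
    Returns the accepted payloads, sorted so the result is order-independent.
    """
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    peer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    intruder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for s in (receiver, peer, intruder):
            s.bind(("127.0.0.1", 0))  # ephemeral port on loopback
        target = receiver.getsockname()
        expected_source = peer.getsockname()
        receiver.settimeout(timeout)
        if mode == "connect":
            # The kernel now delivers only datagrams whose source is the peer.
            receiver.connect(expected_source)

        intruder.sendto(b"spoof", target)
        peer.sendto(b"legit", target)

        accepted = []
        while True:
            try:
                data, source = receiver.recvfrom(1500)
            except socket.timeout:
                break  # queue drained
            if mode == "check" and source != expected_source:
                continue  # the check: drop anything not from the peer
            accepted.append(data)
        return sorted(accepted)
    finally:
        for s in (receiver, peer, intruder):
            s.close()


if __name__ == "__main__":
    for mode in ("none", "check", "connect"):
        print(mode, run_exchange(mode))
```

 A socket library that tracks the connected peer itself, instead of
 handing the connect() to the kernel, has to perform the "check" branch
 on every receive; that comparison is what the advisory describes as
 missing, and the "none" run shows what an application sees without it.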
 
 It was discovered that the TLS/SSL implementation in the JSSE component
 in OpenJDK failed to properly verify the server identity during
 the renegotiation following session resumption, making it possible
 for malicious TLS/SSL servers to perform a Triple Handshake attack
 against clients using JSSE and client certificate authentication
 (CVE-2014-6457).
 
 It was discovered that the CipherInputStream class implementation
 in OpenJDK did not properly handle certain exceptions. This could
 possibly allow an attacker to affect the integrity of an encrypted
 stream handled by this class (CVE-2014-6558).
 
 The updated packages provide a fix for these security issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558
 https://rhn.redhat.com/errata/RHSA-2014-1620.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 074cfe0c59da29070a20f70633aea0b0  mbs1/x86_64/java-1.7.0-openjdk-1.7.0.65-2.5.3.1.mbs1.x86_64.rpm
 5067420848eeb3be6499c3724e809516  mbs1/x86_64/java-1.7.0-openjdk-accessibility-1.7.0.65-2.5.3.1.mbs1.x86_64.rpm
 b67f970dda230ae840de1b57c9a0b505  mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.65-2.5.3.1.mbs1.x86_64.rpm
 fb962660ae0d51522ebb637f5affaa7e  mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.65-2.5.3.1.mbs1.x86_64.rpm
 0f8af959bd37a6d0d87ab0ed71c939a5  mbs1/x86_64/java-1.7.0-openjdk-headless-1.7.0.65-2.5.3.1.mbs1.x86_64.rpm
 f8ac7d924262f56bada729d578eb2eef  mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.3.1.mbs1.noarch.rpm
 eade17c9eb0ef7e400426b73e37666f4  mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.65-2.5.3.1.mbs1.x86_64.rpm 
 acab374072c72483b36d2579989b0bbb  mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.65-2.5.3.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
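
 For packages fetched by hand rather than through urpmi, the md5 column
 above can be checked against the downloaded files. The following is an
 added Python example, not a Mandriva tool: it parses the listing format
 used in this advisory (the two listing lines are copied from it) and
 reports each entry as matching, mismatching, or absent. The package
 tree and its contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

# Header plus two entries copied from this advisory's "Updated Packages"
# section, to show the listing format the parser expects.
ADVISORY_LISTING = """\
Mandriva Business Server 1/X86_64:
074cfe0c59da29070a20f70633aea0b0  mbs1/x86_64/java-1.7.0-openjdk-1.7.0.65-2.5.3.1.mbs1.x86_64.rpm
acab374072c72483b36d2579989b0bbb  mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.65-2.5.3.1.mbs1.src.rpm
"""

HEX = set("0123456789abcdef")


def parse_listing(listing):
    """Return [(md5_hex, relative_path)] from 'md5  path' lines, skipping
    blank lines and section headers."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0]) <= HEX:
            entries.append((parts[0], parts[1]))
    return entries


def md5_of(path):
    # Integrity check against the published list only; authenticity comes
    # from the GPG signature on the package, not from this digest.
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_listing(listing, root):
    """Hash every listed file under root and report which entries matched,
    mismatched, or are not present."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for expected, rel in parse_listing(listing):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif md5_of(path) == expected:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    return report


def demo():
    """Constructed package tree: one intact file, one altered after the
    listing was produced, one never downloaded. Returns the report."""
    contents = {
        "mbs1/x86_64/intact.rpm": b"constructed rpm payload A",
        "mbs1/x86_64/altered.rpm": b"constructed rpm payload B",
    }
    listing = "Constructed listing:\n" + "".join(
        f"{hashlib.md5(data, usedforsecurity=False).hexdigest()}  {rel}\n"
        for rel, data in contents.items()
    ) + "0123456789abcdef0123456789abcdef  mbs1/SRPMS/absent.src.rpm\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in contents.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        with open(os.path.join(root, "mbs1/x86_64/altered.rpm"), "ab") as f:
            f.write(b"!")  # one byte appended after the checksum was published
        return verify_listing(listing, root)


if __name__ == "__main__":
    print(verify_listing(ADVISORY_LISTING, "."))  # all missing unless downloaded
    print(demo())
```

 A matching md5 shows the file is the one the advisory lists, not that
 the list itself is genuine; that rests on the PGP signature over this
 message and on the package signatures, which rpm --checksig verifies.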

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUSkWDmqjQ0CJFipgRAsEQAJ9mezftBdHfRYToMsRR6/EG/EyU1gCeLky+
kbUrqJUINinHuGCVAQ7nZNY=
=EwWD
-----END PGP SIGNATURE-----
