lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1YmmQu-0002Up-BM@titan.mandriva.com>
Date: Mon, 27 Apr 2015 19:03:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2015:212 ] java-1.7.0-openjdk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:212
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.7.0-openjdk
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.7.0 packages fix security vulnerabilities:
 
 An off-by-one flaw, leading to a buffer overflow, was found in the
 font parsing code in the 2D component in OpenJDK. A specially crafted
 font file could possibly cause the Java Virtual Machine to execute
 arbitrary code, allowing an untrusted Java application or applet to
 bypass Java sandbox restrictions (CVE-2015-0469).
 
 A flaw was found in the way the Hotspot component in OpenJDK
 handled phantom references. An untrusted Java application or applet
 could use this flaw to corrupt the Java Virtual Machine memory and,
 possibly, execute arbitrary code, bypassing Java sandbox restrictions
 (CVE-2015-0460).
 
 A flaw was found in the way the JSSE component in OpenJDK parsed X.509
 certificate options. A specially crafted certificate could cause JSSE
 to raise an exception, possibly causing an application using JSSE to
 exit unexpectedly (CVE-2015-0488).
 
 A flaw was discovered in the Beans component in OpenJDK. An untrusted
 Java application or applet could use this flaw to bypass certain Java
 sandbox restrictions (CVE-2015-0477).
 
 A directory traversal flaw was found in the way the jar tool extracted
 JAR archive files. A specially crafted JAR archive could cause jar
 to overwrite arbitrary files writable by the user running jar when
 the archive was extracted (CVE-2005-1080, CVE-2015-0480).
 
 It was found that the RSA implementation in the JCE component in
 OpenJDK did not follow recommended practices for implementing RSA
 signatures (CVE-2015-0478).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488
 http://advisories.mageia.org/MGASA-2015-0158.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 65ed5762e704150c083edeb68138f17c  mbs1/x86_64/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 db45d488531f88df789dd99fc91f08a3  mbs1/x86_64/java-1.7.0-openjdk-accessibility-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 317fc70a3d0d14e0e4ecdc643619b1be  mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 e1af37f571aa22905b3203eb1f2575df  mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 2ff58c8c02ad00b6847e19bdceee610b  mbs1/x86_64/java-1.7.0-openjdk-headless-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 26479b11ee458639fe6b9b1853d899a2  mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.5.1.mbs1.noarch.rpm
 80f9a48ed77c6b28cf18f1b25b3e8e74  mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm 
 72b8836e9d3816d590296010e250f7a5  mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVPl29mqjQ0CJFipgRAvNjAKC9WYFSv2z9oowJwdg3VBR1+3mzKgCg1HL7
/Cjkp/gkYi1/GbAEfYCvIGE=
=TR1x
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ