| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Apr 2015 19:03:00 +0200 From: security@...driva.com To: bugtraq@...urityfocus.com Subject: [ MDVSA-2015:212 ] java-1.7.0-openjdk -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:212 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : java-1.7.0-openjdk Date : April 27, 2015 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated java-1.7.0 packages fix security vulnerabilities: An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions (CVE-2015-0469). A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0460). A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly (CVE-2015-0488). A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2015-0477). A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted (CVE-2005-1080, CVE-2015-0480). It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures (CVE-2015-0478). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488 http://advisories.mageia.org/MGASA-2015-0158.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 65ed5762e704150c083edeb68138f17c mbs1/x86_64/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm db45d488531f88df789dd99fc91f08a3 mbs1/x86_64/java-1.7.0-openjdk-accessibility-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm 317fc70a3d0d14e0e4ecdc643619b1be mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm e1af37f571aa22905b3203eb1f2575df mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm 2ff58c8c02ad00b6847e19bdceee610b mbs1/x86_64/java-1.7.0-openjdk-headless-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm 26479b11ee458639fe6b9b1853d899a2 mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.5.1.mbs1.noarch.rpm 80f9a48ed77c6b28cf18f1b25b3e8e74 mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm 72b8836e9d3816d590296010e250f7a5 mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVPl29mqjQ0CJFipgRAvNjAKC9WYFSv2z9oowJwdg3VBR1+3mzKgCg1HL7 /Cjkp/gkYi1/GbAEfYCvIGE= =TR1x -----END PGP SIGNATURE-----
Powered by blists - more mailing lists