lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 27 Apr 2015 19:03:00 +0200
Subject: [ MDVSA-2015:212 ] java-1.7.0-openjdk

Hash: SHA1


 Mandriva Linux Security Advisory                         MDVSA-2015:212

 Package : java-1.7.0-openjdk
 Date    : April 27, 2015
 Affected: Business Server 1.0

 Problem Description:

 Updated java-1.7.0 packages fix security vulnerabilities:
 An off-by-one flaw, leading to a buffer overflow, was found in the
 font parsing code in the 2D component in OpenJDK. A specially crafted
 font file could possibly cause the Java Virtual Machine to execute
 arbitrary code, allowing an untrusted Java application or applet to
 bypass Java sandbox restrictions (CVE-2015-0469).
 A flaw was found in the way the Hotspot component in OpenJDK
 handled phantom references. An untrusted Java application or applet
 could use this flaw to corrupt the Java Virtual Machine memory and,
 possibly, execute arbitrary code, bypassing Java sandbox restrictions
 A flaw was found in the way the JSSE component in OpenJDK parsed X.509
 certificate options. A specially crafted certificate could cause JSSE
 to raise an exception, possibly causing an application using JSSE to
 exit unexpectedly (CVE-2015-0488).
 A flaw was discovered in the Beans component in OpenJDK. An untrusted
 Java application or applet could use this flaw to bypass certain Java
 sandbox restrictions (CVE-2015-0477).
 A directory traversal flaw was found in the way the jar tool extracted
 JAR archive files. A specially crafted JAR archive could cause jar
 to overwrite arbitrary files writable by the user running jar when
 the archive was extracted (CVE-2005-1080, CVE-2015-0480).
 It was found that the RSA implementation in the JCE component in
 OpenJDK did not follow recommended practices for implementing RSA
 signatures (CVE-2015-0478).


 Updated Packages:

 Mandriva Business Server 1/X86_64:
 65ed5762e704150c083edeb68138f17c  mbs1/x86_64/java-1.7.0-openjdk-
 db45d488531f88df789dd99fc91f08a3  mbs1/x86_64/java-1.7.0-openjdk-accessibility-
 317fc70a3d0d14e0e4ecdc643619b1be  mbs1/x86_64/java-1.7.0-openjdk-demo-
 e1af37f571aa22905b3203eb1f2575df  mbs1/x86_64/java-1.7.0-openjdk-devel-
 2ff58c8c02ad00b6847e19bdceee610b  mbs1/x86_64/java-1.7.0-openjdk-headless-
 26479b11ee458639fe6b9b1853d899a2  mbs1/x86_64/java-1.7.0-openjdk-javadoc-
 80f9a48ed77c6b28cf18f1b25b3e8e74  mbs1/x86_64/java-1.7.0-openjdk-src- 
 72b8836e9d3816d590296010e250f7a5  mbs1/SRPMS/java-1.7.0-openjdk-

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 If you want to report vulnerabilities, please contact


 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
Version: GnuPG v1.4.12 (GNU/Linux)


Powered by blists - more mailing lists