[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ MDVSA-2015:212 ] java-1.7.0-openjdk



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:212
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.7.0-openjdk
 Date    : April 27, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.7.0 packages fix security vulnerabilities:
 
 An off-by-one flaw, leading to a buffer overflow, was found in the
 font parsing code in the 2D component in OpenJDK. A specially crafted
 font file could possibly cause the Java Virtual Machine to execute
 arbitrary code, allowing an untrusted Java application or applet to
 bypass Java sandbox restrictions (CVE-2015-0469).
 
 A flaw was found in the way the Hotspot component in OpenJDK
 handled phantom references. An untrusted Java application or applet
 could use this flaw to corrupt the Java Virtual Machine memory and,
 possibly, execute arbitrary code, bypassing Java sandbox restrictions
 (CVE-2015-0460).
 
 A flaw was found in the way the JSSE component in OpenJDK parsed X.509
 certificate options. A specially crafted certificate could cause JSSE
 to raise an exception, possibly causing an application using JSSE to
 exit unexpectedly (CVE-2015-0488).
 
 A flaw was discovered in the Beans component in OpenJDK. An untrusted
 Java application or applet could use this flaw to bypass certain Java
 sandbox restrictions (CVE-2015-0477).
 
 A directory traversal flaw was found in the way the jar tool extracted
 JAR archive files. A specially crafted JAR archive could cause jar
 to overwrite arbitrary files writable by the user running jar when
 the archive was extracted (CVE-2005-1080, CVE-2015-0480).
 
 It was found that the RSA implementation in the JCE component in
 OpenJDK did not follow recommended practices for implementing RSA
 signatures (CVE-2015-0478).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488
 http://advisories.mageia.org/MGASA-2015-0158.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 65ed5762e704150c083edeb68138f17c  mbs1/x86_64/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 db45d488531f88df789dd99fc91f08a3  mbs1/x86_64/java-1.7.0-openjdk-accessibility-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 317fc70a3d0d14e0e4ecdc643619b1be  mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 e1af37f571aa22905b3203eb1f2575df  mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 2ff58c8c02ad00b6847e19bdceee610b  mbs1/x86_64/java-1.7.0-openjdk-headless-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
 26479b11ee458639fe6b9b1853d899a2  mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.5.1.mbs1.noarch.rpm
 80f9a48ed77c6b28cf18f1b25b3e8e74  mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm 
 72b8836e9d3816d590296010e250f7a5  mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVPl29mqjQ0CJFipgRAvNjAKC9WYFSv2z9oowJwdg3VBR1+3mzKgCg1HL7
/Cjkp/gkYi1/GbAEfYCvIGE=
=TR1x
-----END PGP SIGNATURE-----