Mageia alert MGASA-2014-0023 (java-1.7.0-openjdk)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2014-0023: Updated java-1.7.0-openjdk package fixes multiple security vulnerabilities 
Date:
    	     
 
Tue, 21 Jan 2014 17:22:25 +0100
Message-ID:
    	     
 
<20140121162225.DF2865C390@valstar.mageia.org>
MGASA-2014-0023 - Updated java-1.7.0-openjdk package fixes multiple security vulnerabilities

Publication date: 21 Jan 2014
URL: http://advisories.mageia.org/MGASA-2014-0023.html
Type: security
Affected Mageia releases: 3
CVE: CVE-2013-5878,
     CVE-2013-5884,
     CVE-2013-5893,
     CVE-2013-5896,
     CVE-2013-5907,
     CVE-2013-5910,
     CVE-2014-0368,
     CVE-2014-0373,
     CVE-2014-0376,
     CVE-2014-0411,
     CVE-2014-0416,
     CVE-2014-0422,
     CVE-2014-0423,
     CVE-2014-0428

Description:
Updated java-1.7.0-openjdk packages fix security vulnerabilities:

An input validation flaw was discovered in the font layout engine in the 2D
component. A specially crafted font file could trigger Java Virtual Machine
memory corruption when processed. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions
(CVE-2013-5907).

Multiple improper permission check issues were discovered in the CORBA,
JNDI, and Libraries components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions
(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893).

Multiple improper permission check issues were discovered in the
Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions (CVE-2014-0373, CVE-2013-5878,
CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,
CVE-2014-0368).

It was discovered that the Beans component did not restrict processing of
XML external entities. This flaw could cause a Java application using Beans
to leak sensitive information, or affect application availability
(CVE-2014-0423).

It was discovered that the JSSE component could leak timing information
during the TLS/SSL handshake. This could possibly lead to disclosure of
information about the used encryption keys (CVE-2014-0411).

References:
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/201...
- http://www.oracle.com/technetwork/topics/security/cpujan2...
- https://rhn.redhat.com/errata/RHSA-2014-0026.html
- https://bugs.mageia.org/show_bug.cgi?id=12317
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5893
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428

SRPMS:
- 3/core/java-1.7.0-openjdk-1.7.0.60-2.4.4.1.mga3