User: Password:
|
|
Subscribe / Log in / New account

Fedora alert FEDORA-2013-5958 (java-1.7.0-openjdk)

From:  updates@fedoraproject.org
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 18 Update: java-1.7.0-openjdk-1.7.0.19-2.3.9.1.fc18
Date:  Thu, 18 Apr 2013 02:47:29 +0000
Message-ID:  <20130418024729.E98B52639F@bastion01.phx2.fedoraproject.org>
Archive-link:  Article, Thread

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2013-5958 2013-04-18 01:37:17 -------------------------------------------------------------------------------- Name : java-1.7.0-openjdk Product : Fedora 18 Version : 1.7.0.19 Release : 2.3.9.1.fc18 URL : http://openjdk.java.net/ Summary : OpenJDK Runtime Environment Description : The OpenJDK runtime environment. -------------------------------------------------------------------------------- Update Information: - updated to updated IcedTea 2.3.9 with fix to one of security fixes - fixed font glyph offset WARNING - this build have not yet updated not-hotspot (arm...)builds! - added client to ghosted classes.jsa - updated to IcedTea 2.3.9 with latest security patches - 920245 CVE-2013-0401 OpenJDK: unspecified sandbox bypass (CanSecWest 2013, AWT) - 920247 CVE-2013-1488 OpenJDK: unspecified sanbox bypass (CanSecWest 2013, Libraries) - 952387 CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040) - 952389 CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542) - 952398 CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677) - 952509 CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435) - 952521 CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918) - 952524 CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667) - 952550 CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049) - 952638 CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617) - 952640 CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507) - 952642 CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857) - 952645 CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability (Hotspot, 8004336) - 952646 CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP, 6657673) - 952648 CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329) - 952649 CVE-2013-2421 OpenJDK: Hotspot MethodHandle lookup error (Hotspot, 8009699) - 952653 CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063) - 952656 CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031) - 952657 CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724) - 952708 CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D, 8004986) - 952709 CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D, 8004987) - 952711 CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D, 8004994) - buildver sync to b19 - rewritten java-1.7.0-openjdk-java-access-bridge-security.patch - fixed priority (one zero deleted) - unapplied patch2 - added patch107 abrt_friendly_hs_log_jdk7.patch - removed patch2 java-1.7.0-openjdk-java-access-bridge-idlj.patch - removed redundant rm of classes.jsa, ghost is handling it correctly -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 16 2013 Jiri Vanek <jvanek@redhat.com - 1.7.0.19-2.3.9.1.fc18 - updated to updated IcedTea 2.3.9 with fix to one of security fixes - fixed font glyph offset - added client to ghosted classes.jsa * Thu Apr 11 2013 Jiri Vanek <jvanek@redhat.com - 1.7.0.9-2.3.9.0.fc18 - updated to IcedTea 2.3.9 with latest security patches - buildver sync to b19 - rewritten java-1.7.0-openjdk-java-access-bridge-security.patch * Wed Apr 10 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.4.fc18 - fixed priority (one zero deleted) - unapplied patch2 * Thu Apr 4 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.4.fc18 - added patch107 abrt_friendly_hs_log_jdk7.patch - removed patch2 java-1.7.0-openjdk-java-access-bridge-idlj.patch - removed redundant rm of classes.jsa, ghost is handling it correctly * Tue Mar 26 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.3.fc18 - added manual deletion of classes.jsa - ghost classes.jsa restricted to jitarches and to full path - zlib in BuildReq restricted for 1.2.3-7 or higher - see https://bugzilla.redhat.com/show_bug.cgi?id=904231 - Removed a -icedtea tag from the version - package have less and less connections to icedtea7 - Added link to nss as noreplace bug to previous changelog item * Mon Mar 25 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.1.fc18 - Bumped release - Added and applied patch500 java-1.7.0-openjdk-fixZeroAllocFailure.patch - to fix not-jit arches build - is already in upstreamed icedtea 2.1 - Added gcc-c++ build dependence. Sometimes caused troubles during rpm -bb - Added (Build)Requires for fontconfig and xorg-x11-fonts-Type1 - see https://bugzilla.redhat.com/show_bug.cgi?id=721033 for details - Removed all fonconfig files. Fonts are now handled differently in JDK and those files are redundant. This is going to be usptreamed. - see https://bugzilla.redhat.com/show_bug.cgi?id=902227 for details - logging.properties marked as config(noreplace) - see https://bugzilla.redhat.com/show_bug.cgi?id=679180 for details - classes.jsa marked as ghost - see https://bugzilla.redhat.com/show_bug.cgi?id=918172 for details - nss.cfg was marked as config(noreplace) * Mon Mar 4 2013 Omair Majid <omajid@redhat.com> - 1.7.0.9-2.3.8.fc18 - Updated to icedtea7 2.3.8 (forest) - Removed upstreamed patches contained in extra tarball. * Sat Feb 16 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.7.fc18 - Updated to 2.3.7 icedtea7 tarball - Updated the 2.1.6 icedtea7 tarball for arm - Removed testing - mauve was outdated and - jtreg was icedtea relict - Added java -Xshare:dump to post (see 513605) fo jitarchs * Thu Feb 14 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.6.fc17 - Updated to 2.3.6 - Updated the 2.1.5 tarball - Removed upstreamed patches * Mon Feb 11 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.4.fc18 - Updated secondary arch tarball to 2.1.5 - Made Patch100* jit-arch specific-only (not needed for 2.1.5) * Thu Feb 7 2013 Omair Majid <omajid@redhat.com> - 1.7.0.9-2.3.5.3.fc18 - Sync logging fixes with upstream (icedtea7-forest and jdk7u) * Thu Feb 7 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.1.fc18 - Added patch for 8005615 to fix regression caused by fix for 6664509 * Wed Feb 6 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.fc18.1 - Backed out 6664509 and 7201064.patch which cause regressions * Sun Feb 3 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.fc18 - Updated to 2.3.5 - Removed unnecessary GENSRCDIR flag * Sun Feb 3 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.4.2.fc18 - Bumped to 2.3.5pre (2.3.4 + Feb. 2013 CPU) * Wed Jan 16 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.4.1.fc18 - Added idlj slave to javac - Added jcmd slave to javac - Release incremented * Mon Jan 14 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.4.fc18 - Updated to 2.3.4 * Thu Dec 6 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.2.fc18.2 - introduced tmp-patches source tarball - added kerberos fix (see rhbz#871771) - added OpenOffice crusher fix (see oracle's 8004344) -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update java-1.7.0-openjdk' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list package-announce@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/package-...


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds