exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2015-212

Mandriva Linux Security Advisory 2015-212
Posted Apr 28, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-212 - An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions. A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly. A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted. It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.

tags | advisory, java, overflow, arbitrary
systems | linux, mandriva
advisories | CVE-2005-1080, CVE-2015-0460, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488
SHA-256 | 5d632c802729d6afa088371dd777ff906d4a5f0bfbcccd4d11559d46754410c2

Mandriva Linux Security Advisory 2015-212

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:212
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : java-1.7.0-openjdk
Date : April 27, 2015
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated java-1.7.0 packages fix security vulnerabilities:

An off-by-one flaw, leading to a buffer overflow, was found in the
font parsing code in the 2D component in OpenJDK. A specially crafted
font file could possibly cause the Java Virtual Machine to execute
arbitrary code, allowing an untrusted Java application or applet to
bypass Java sandbox restrictions (CVE-2015-0469).

A flaw was found in the way the Hotspot component in OpenJDK
handled phantom references. An untrusted Java application or applet
could use this flaw to corrupt the Java Virtual Machine memory and,
possibly, execute arbitrary code, bypassing Java sandbox restrictions
(CVE-2015-0460).

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE
to raise an exception, possibly causing an application using JSSE to
exit unexpectedly (CVE-2015-0488).

A flaw was discovered in the Beans component in OpenJDK. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions (CVE-2015-0477).

A directory traversal flaw was found in the way the jar tool extracted
JAR archive files. A specially crafted JAR archive could cause jar
to overwrite arbitrary files writable by the user running jar when
the archive was extracted (CVE-2005-1080, CVE-2015-0480).

It was found that the RSA implementation in the JCE component in
OpenJDK did not follow recommended practices for implementing RSA
signatures (CVE-2015-0478).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488
http://advisories.mageia.org/MGASA-2015-0158.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
65ed5762e704150c083edeb68138f17c mbs1/x86_64/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
db45d488531f88df789dd99fc91f08a3 mbs1/x86_64/java-1.7.0-openjdk-accessibility-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
317fc70a3d0d14e0e4ecdc643619b1be mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
e1af37f571aa22905b3203eb1f2575df mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
2ff58c8c02ad00b6847e19bdceee610b mbs1/x86_64/java-1.7.0-openjdk-headless-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
26479b11ee458639fe6b9b1853d899a2 mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.5.1.mbs1.noarch.rpm
80f9a48ed77c6b28cf18f1b25b3e8e74 mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.65-2.5.5.1.mbs1.x86_64.rpm
72b8836e9d3816d590296010e250f7a5 mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.65-2.5.5.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVPl29mqjQ0CJFipgRAvNjAKC9WYFSv2z9oowJwdg3VBR1+3mzKgCg1HL7
/Cjkp/gkYi1/GbAEfYCvIGE=
=TR1x
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close