-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:169 http://www.mandriva.com/security/ _______________________________________________________________________ Package : java-1.6.0-openjdk Date : November 1, 2012 Affected: 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple security issues were identified and fixed in OpenJDK (icedtea6): * S6631398, CVE-2012-3216: FilePermission improved path checking * S7093490: adjust package access in rmiregistry * S7143535, CVE-2012-5068: ScriptEngine corrected permissions * S7167656, CVE-2012-5077: Multiple Seeders are being created * S7169884, CVE-2012-5073: LogManager checks do not work correctly for sub-types * S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI connector * S7172522, CVE-2012-5072: Improve DomainCombiner checking * S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC * S7189103, CVE-2012-5069: Executors needs to maintain state * S7189490: More improvements to DomainCombiner checking * S7189567, CVE-2012-5085: java net obselete protocol * S7192975, CVE-2012-5071: Conditional usage check is wrong * S7195194, CVE-2012-5084: Better data validation for Swing * S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be improved * S7195919, CVE-2012-5979: (sl) ServiceLoader can throw CCE without needing to create instance * S7198296, CVE-2012-5089: Refactor classloader usage * S7158800: Improve storage of symbol tables * S7158801: Improve VM CompileOnly option * S7158804: Improve config file parsing * S7176337: Additional changes needed for 7158801 fix * S7198606, CVE-2012-4416: Improve VM optimization The updated packages provides icedtea6-1.11.5 which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5073 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5072 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5069 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5071 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5084 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5979 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5089 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416 http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020556.html _______________________________________________________________________ Updated Packages: Mandriva Linux 2011: b0b8d9c220ca7c5fd6679d6848de69eb 2011/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm 45ea196c75b18bef9ecb5bc97615c1f3 2011/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm f33ac952a55cdb585a59e6021367482f 2011/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm 6ad5fcabc72830cd332cd9e5243be609 2011/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm 49008a850c545e90a0ebb002902528eb 2011/i586/java-1.6.0-openjdk-src-1.6.0.0-35.b24.1-mdv2011.0.i586.rpm 06e7da198f48cd281fe905deed67fd5c 2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.1.src.rpm Mandriva Linux 2011/X86_64: debfb115214191ac94d4282463962909 2011/x86_64/java-1.6.0-openjdk-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm 09e81180ede0595f8068ef9baeb2da22 2011/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm d93f958ff56643adf973770ace599211 2011/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm 3a65468343ff92731e0a408f85d7e304 2011/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm ee4cf446eac536bf729eabf15a88867d 2011/x86_64/java-1.6.0-openjdk-src-1.6.0.0-35.b24.1-mdv2011.0.x86_64.rpm 06e7da198f48cd281fe905deed67fd5c 2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.1.src.rpm Mandriva Enterprise Server 5: bcf38e820f1aa357fa0d64c50d323599 mes5/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm 7b79269ef163cab203f9b815f5216926 mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm 24068e420773723a130cff03ae1ef47b mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm 5e3611c799dcfdf1471a327ec5955ac7 mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm d7ecadb7be4bfed8502367a5fc4ace40 mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-35.b24.1mdvmes5.2.i586.rpm 62663a8650988b3fdfb56b67c17e0970 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: d4fcb3225426ce983273bf6d6730d5bb mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-35.b24.1mdvmes5.2.x86_64.rpm 237544fc49a02cba3438506d52e0392d mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.1mdvmes5.2.x86_64.rpm 32b6e494b5f8f26d0be80ce8114d7738 mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.1mdvmes5.2.x86_64.rpm fc520c63a052179c93611e4686fa0127 mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.1mdvmes5.2.x86_64.rpm abc7f180d25764804f217a7b7ef2f0c4 mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-35.b24.1mdvmes5.2.x86_64.rpm 62663a8650988b3fdfb56b67c17e0970 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFQklqImqjQ0CJFipgRAiNOAJ4qA9L2NTdql1htD7pQDNJrDlPnUgCguupW xu3AOptE+B1OsUdPAeTUH5o= =2CFK -----END PGP SIGNATURE-----