Login


 
Newsletter
Werbung
Sicherheit: Mehrere Probleme in java-1.7.0-openjdk
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in java-1.7.0-openjdk
ID: FEDORA-2013-6303
Distribution: Fedora
Plattformen: Fedora 17
Datum: Di, 7. Mai 2013, 22:48
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4681
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2421
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2436

Originalnachricht

Name        : java-1.7.0-openjdk
Product : Fedora 17
Version : 1.7.0.19
Release : 2.3.9.3.fc17
URL : http://openjdk.java.net/
Summary : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.

-------------------------------------------------------------------------------
-
Update Information:

Fix FTBFS on Secondary Arches
- updated to updated IcedTea 2.3.9 with fix to one of security fixes
- fixed font glyph offset
WARNING - this build have not yet updated not-hotspot (arm...)builds!
- added client to ghosted classes.jsa
- updated to IcedTea 2.3.9 with latest security patches
- 920245 CVE-2013-0401 OpenJDK: unspecified sandbox bypass (CanSecWest
2013, AWT)
- 920247 CVE-2013-1488 OpenJDK: unspecified sanbox bypass (CanSecWest
2013, Libraries)
- 952387 CVE-2013-1537 OpenJDK: remote code loading enabled by default
(RMI, 8001040)
- 952389 CVE-2013-2415 OpenJDK: temporary files created with insecure
permissions (JAX-WS, 8003542)
- 952398 CVE-2013-2423 OpenJDK: incorrect setter access checks in
MethodHandles (Hostspot, 8009677)
- 952509 CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class
access checks (JMX, 8006435)
- 952521 CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption
(ImageIO, 8007918)
- 952524 CVE-2013-2430 OpenJDK: JPEGImageReader state corruption
(ImageIO, 8007667)
- 952550 CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks
(Libraries, 8009049)
- 952638 CVE-2013-2420 OpenJDK: image processing vulnerability (2D,
8007617)
- 952640 CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing
restrictions (Beans, 7200507)
- 952642 CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect
restrictions (Libraries, 8009857)
- 952645 CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability
(Hotspot, 8004336)
- 952646 CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP,
6657673)
- 952648 CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing
security restrictions (RMI, 8001329)
- 952649 CVE-2013-2421 OpenJDK: Hotspot MethodHandle lookup error
(Hotspot, 8009699)
- 952653 CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls
defaultReadObject() method (Libraries, 8009063)
- 952656 CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031)
- 952657 CVE-2013-2417 OpenJDK: Network InetAddress serialization
information disclosure (Networking, 8000724)
- 952708 CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D,
8004986)
- 952709 CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D,
8004987)
- 952711 CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D,
8004994)
- buildver sync to b19
- rewritten java-1.7.0-openjdk-java-access-bridge-security.patch
- fixed priority (one zero deleted)
- unapplied patch2
- added patch107 abrt_friendly_hs_log_jdk7.patch
- removed patch2 java-1.7.0-openjdk-java-access-bridge-idlj.patch
- removed redundant rm of classes.jsa, ghost is handling it correctly
-------------------------------------------------------------------------------
-
ChangeLog:

* Fri Apr 19 2013 Deepak Bhole <dbhole@redhat.com> -
1.7.0.19-2.3.9.3.fc17
- Updated 2.1.8 tarball
* Thu Apr 18 2013 Deepak Bhole <dbhole@redhat.com> -
1.7.0.19-2.3.9.2.fc17
- Updated secondary arches to 2.1.8
- Removed upstreamed Zero allocation patch
* Tue Apr 16 2013 Jiri Vanek <jvanek@redhat.com - 1.7.0.19-2.3.9.1.fc17
- updated to updated IcedTea 2.3.9 with fix to one of security fixes
- fixed font glyph offset
- added client to ghosted classes.jsa
* Thu Apr 11 2013 Jiri Vanek <jvanek@redhat.com - 1.7.0.9-2.3.9.0.fc17
- updated to IcedTea 2.3.9 with latest security patches
- buildver sync to b19
- rewritten java-1.7.0-openjdk-java-access-bridge-security.patch
* Wed Apr 10 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.4.fc17
- fixed priority (one zero deleted)
- unapplied patch2
* Thu Apr 4 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.4.fc17
- added patch107 abrt_friendly_hs_log_jdk7.patch
- removed patch2 java-1.7.0-openjdk-java-access-bridge-idlj.patch
- removed redundant rm of classes.jsa, ghost is handling it correctly
* Tue Mar 26 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.3.fc17
- added manual deletion of classes.jsa
- ghost classes.jsa restricted to jitarches and to full path
- zlib in BuildReq restricted for 1.2.3-7 or higher
- see https://bugzilla.redhat.com/show_bug.cgi?id=904231
- Removed a -icedtea tag from the version
- package have less and less connections to icedtea7
- Added link to nss as noreplace bug to previous changelog item
* Mon Mar 25 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.8.1.fc17
- Bumped release
- Added and applied patch500 java-1.7.0-openjdk-fixZeroAllocFailure.patch
- to fix not-jit arches build
- is already in upstreamed icedtea 2.1
- Added gcc-c++ build dependence. Sometimes caused troubles during rpm -bb
- Added (Build)Requires for fontconfig and xorg-x11-fonts-Type1
- see https://bugzilla.redhat.com/show_bug.cgi?id=721033 for details
- Removed all fonconfig files. Fonts are now handled differently in JDK
and those files are redundant. This is going to be usptreamed.
- see https://bugzilla.redhat.com/show_bug.cgi?id=902227 for details
- logging.properties marked as config(noreplace)
- see https://bugzilla.redhat.com/show_bug.cgi?id=679180 for details
- classes.jsa marked as ghost
- see https://bugzilla.redhat.com/show_bug.cgi?id=918172 for details
- nss.cfg was marked as config(noreplace)
* Mon Mar 4 2013 Omair Majid <omajid@redhat.com> -1.7.0.9-2.3.8.fc17
- Update to icedtea7-forest-2.3.8 tarball
- Remove SOURCE11. All upstreamed.
* Sat Feb 16 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.7.fc17
- Updated to 2.3.7 icedtea7 tarball
- Updated the 2.1.6 icedtea7 tarball for arm
- Removed testing
- mauve was outdated
- jtreg was icedtea relict
- Added java -Xshare:dump to post (see 513605) fo jitarchs
* Thu Feb 14 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.6.fc17
- Updated to 2.3.6
- Updated the 2.1.5 tarball
- Removed upstreamed patches
* Mon Feb 11 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.4.fc17
- Updated secondary arch tarball to 2.1.5
- Made Patch100* jit-arch specific-only (not needed for 2.1.5)
* Thu Feb 7 2013 Omair Majid <omajid@redhat.com> - 1.7.0.9-2.3.5.3.fc19
- Sync logging fixes with upstream (icedtea7-forest and jdk7u)
* Thu Feb 7 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.1.fc17
- Added patch for 8005615 to fix regression caused by fix for 6664509
* Wed Feb 6 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.fc17.1
- Backed out 6664509 and 7201064.patch which cause regressions
* Sun Feb 3 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.5.fc17
- Updated to 2.3.5
- Removed unnecessary GENSRCDIR flag
* Sun Feb 3 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.4.2.fc17
- Updated to 2.3.5pre (2.3.4 + Feb. 2013 CPU)
* Wed Jan 16 2013 Jiri Vanek <jvanek@redhat.com> - 1.7.0.9-2.3.4.1.fc17
- Added idlj slave to javac
- Added jcmd slave to javac
- Release incremented
* Mon Jan 14 2013 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.4.fc17
- Updated to 2.3.4
* Thu Dec 6 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.2.fc17.2
- introduced tmp-patches source tarball
- added kerberos fix (see rhbz#871771)
- added OpenOffice crusher fix (see oracle's 8004344)
* Wed Oct 17 2012 Dan Horák <dan[at]danny.cz> - 1.7.0.9-2.3.3.fc17.1
- change the permission of sa-jdi.jar only on jit_arches
* Fri Oct 12 2012 Deepak Bhole <dbhole@redhat.com> - 1.7.0.9-2.3.3.fc17
- Updated to IcedTea7-forest 2.3.3 primary arches
- Updated to IcedTea7-forest 2.1.3 for secondary arches
- Change permission of sa-jdi.jar to 644 (upstream for future)
- Resolves rhbz#s 856124, 865346, 865348, 865350, 865352, 865354, 865357,
865359, 865363, 865365, 865370, 865428, 865471, 865434, 865511, 865514,
865519, 865531, 865541, 865568
* Wed Sep 19 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.2.fc17.1
- Updated to latest IcedTea7-forest 2.3
* Fri Sep 7 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.1.fc17.3
- Not-jit-archs source tarball updated to openjdk-icedtea-2.1.2.tar.gz
* Thu Aug 30 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.1.fc17.2
- Sync with rawhide
- Updated to IcedTea-Forest 2.3.1
- Resolves rhbz#RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks
removed in 6788531.
- Commented out Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch as
as already included in this Iced-Tea.
- Will be nice to verify after next upstream sync if it is still upstreamed
- Add symlink to Fedora's default soundfont rhbz#541466
* Wed Aug 22 2012 Jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.fc17.2
- ALT_STRIP_POLICY replaced by STRIP_POLICY
* Mon Aug 20 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.6-2.3.fc17.1
- Updated to latest IcedTea7-forest-2.3
- Current build is u6
- Added Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch to remove
jvisualvm manpages from processing
* Mon Jul 9 2012 Deepak Bhole <dbhole@redhat.com> - 1.7.0.5-2.2.1.fc17.9
- Added support to build older (2.1.1/u3/hs22) version on non-jit (secondary)
arches
* Wed Jun 13 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.3-2.2.1fc17.8
- Fixed broken provides sections
* Mon Jun 11 2012 jiri Vanek <jvanek@redhat.com> - 1.7.0.3-2.2.1fc17.7
- Used newly prepared tarball with security fixes
- Bump to icedtea7-forest-2.2.1
- _mandir/man1/jcmd-name.1 added to alternatives
- Updated rhino.patch
- Modified partially upstreamed patch302 - systemtap.patch
- Temporarly disabled patch102 - java-1.7.0-openjdk-size_t.patch
- Removed already upstreamed patches 104,107,108,301
- java-1.7.0-openjdk-arm-ftbfs.patch
- java-1.7.0-openjdk-system-zlib.patch
- java-1.7.0-openjdk-remove-mimpure-opt.patch
- systemtap-alloc-size-workaround.patch
- patch 105 (java-1.7.0-openjdk-ppc-zero-jdk.patch) have become 104
- patch 106 (java-1.7.0-openjdk-ppc-zero-hotspot.patch) have become 105
- Added build requires zip, which was untill now dependence of dependence
- Access gnome brridge jar forced to be 644
* Fri May 25 2012 Deepak Bhole <dbhole@redhat.com> - 1.7.0.3-2.1.fc17.7
- Miscellaneous fixes brought in from RHEL branch
- Resolves: rhbz#825255: Added ALT_STRIP_POLICY so that debug info is not
stripped
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #953257 - java-1.7.0-openjdk-1.7.0.19-2.3.9.1 is FTBFS on ARM
https://bugzilla.redhat.com/show_bug.cgi?id=953257
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update java-1.7.0-openjdk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Frohe Weihnachten Fest!
Neue Nachrichten
Werbung