A security flaw has been found and fixed in the OpenJDK package (java-1.7.0-openjdk) for Fedora 16 and Fedora 17. The Beans component did not perform permission checks properly, so an untrusted Java application or applet could use classes from restricted packages and bypass the Java sandbox, which lets it run code outside the sandbox restrictions.
Package: java-1.7.0-openjdk
Operating systems: Fedora 16, Fedora 17
Problem: improper permission handling, error in a software component
Exploitation: remote
Consequence: bypass of configured restrictions (Java sandbox escape)
Solution: vendor software patch
CVE: CVE-2012-4681
Original advisory IDs: FEDORA-2012-13131 (Fedora 17), FEDORA-2012-13138 (Fedora 16)
Source: Fedora
Problem:
The flaw is in the Beans component of the Java Runtime Environment (JRE): permission checks on access to restricted packages were not performed properly, so an untrusted application or applet could use classes it is not meant to reach.
Consequence:
An untrusted Java application or applet can bypass the Java sandbox restrictions and execute malicious code.
Solution:
Update to the fixed package: java-1.7.0-openjdk 1.7.0.6-2.3.1.fc17.2 on Fedora 17 and 1.7.0.6-2.3.1.fc16.2 on Fedora 16 (su -c 'yum update java-1.7.0-openjdk').
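As an added check for the solution above (example code written for this page, not Fedora's or OpenJDK's own tooling), the script below decides whether the java-1.7.0-openjdk build installed on a set of hosts is at or above the fixed release named in FEDORA-2012-13131 (Fedora 17) and FEDORA-2012-13138 (Fedora 16). It reimplements rpm's version comparison rather than shelling out, because a plain string compare or `sort -V` does not follow rpm's rules (in rpm a numeric segment always beats an alphabetic one, which is exactly what separates the fixed 2.3.1.fc17.2 from the earlier 2.3.fc17.2). The host names and inventory lines are constructed sample input; on a real system each line is a host name followed by the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' java-1.7.0-openjdk`.

```python
import re

# Fixed builds named in FEDORA-2012-13131 (Fedora 17) and FEDORA-2012-13138
# (Fedora 16), keyed by the dist tag found in the release string.
FIXED = {
    "fc17": ("1.7.0.6", "2.3.1.fc17.2"),
    "fc16": ("1.7.0.6", "2.3.1.fc16.2"),
}

# Constructed sample inventory (not real hosts). Each line: a host name
# followed by the output of
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' java-1.7.0-openjdk
# The fc18 line is made up to show how an uncovered release is reported.
INVENTORY = """\
web1    java-1.7.0-openjdk 1.7.0.6 2.3.1.fc17.2
web2    java-1.7.0-openjdk 1.7.0.6 2.3.fc17.2
build1  java-1.7.0-openjdk 1.7.0.5 2.2.1.fc17.9
db1     java-1.7.0-openjdk 1.7.0.6 2.3.1.fc16.2
db2     java-1.7.0-openjdk 1.7.0.3 2.1.fc16.6
staging java-1.7.0-openjdk 1.7.0.6 2.3.1.fc18.1
"""


def _strip_separators(s):
    # rpm skips anything that is not an ASCII letter, digit or '~'
    return re.sub(r"^[^A-Za-z0-9~]+", "", s)


def rpmvercmp(a, b):
    """Compare two version (or release) strings with rpm's rules.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Strings are split into runs
    of digits and runs of letters; separators are ignored; numeric segments are
    compared by value and always beat alphabetic ones; '~' sorts before
    everything, including the end of the string (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    while a or b:
        a, b = _strip_separators(a), _strip_separators(b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        if a[0].isdigit():
            pattern, isnum = r"[0-9]+", True
        else:
            pattern, isnum = r"[A-Za-z]+", False
        m1, m2 = re.match(pattern, a), re.match(pattern, b)
        if m2 is None:
            # one side numeric, the other alphabetic: the numeric one is newer
            return 1 if isnum else -1
        seg1, seg2 = m1.group(0), m2.group(0)
        a, b = a[len(seg1):], b[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    # whichever side still has characters left is the newer one
    if not a and not b:
        return 0
    return 1 if a else -1


def dist_tag(release):
    """Extract the Fedora dist tag (e.g. 'fc17') from a release string."""
    m = re.search(r"fc\d+", release)
    return m.group(0) if m else None


def audit(lines):
    """Classify each inventory line as 'fixed', 'vulnerable' or 'unknown'."""
    status = {}
    for line in lines:
        if not line.strip():
            continue
        host, name, version, release = line.split()
        tag = dist_tag(release)
        if name != "java-1.7.0-openjdk" or tag not in FIXED:
            status[host] = "unknown"  # not covered by these two advisories
            continue
        fixed_version, fixed_release = FIXED[tag]
        rc = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        status[host] = "fixed" if rc >= 0 else "vulnerable"
    return status


if __name__ == "__main__":
    for host, state in sorted(audit(INVENTORY.splitlines()).items()):
        print(f"{host:10} {state}")
```

The FIXED table carries only the releases these two advisories name, so a host on a dist tag they do not cover is reported as unknown rather than as a false "fixed"; extend the table when a later advisory supersedes these builds.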
Original advisory text
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-13131
2012-09-01 23:47:21
--------------------------------------------------------------------------------
Name : java-1.7.0-openjdk
Product : Fedora 17
Version : 1.7.0.6
Release : 2.3.1.fc17.2
URL : http://openjdk.java.net/
Summary : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.
--------------------------------------------------------------------------------
Update Information:
This update fixes a recent security issue of Important impact. A Common
Vulnerability Scoring System (CVSS) base score, which gives a detailed severity
rating, is available from the CVE.
It was discovered that the Beans component in OpenJDK did not perform permission
checks properly. An untrusted Java application or applet could use this flaw to
use classes from restricted packages, allowing it to bypass Java sandbox
restrictions. (CVE-2012-4681)
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
--------------------------------------------------------------------------------
ChangeLog:
* Thu Aug 30 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.6-2.3.1.fc17.2
- Sync with rawhide
- Updated to IcedTea-Forest 2.3.1
- Resolves rhbz#RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks
removed in 6788531.
- Commented out Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch as
already included in this Iced-Tea.
- Will be nice to verify after next upstream sync if it is still upstreamed
- Add symlink to Fedora's default soundfont rhbz#541466
* Wed Aug 22 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.6-2.3.fc17.2
- ALT_STRIP_POLICY replaced by STRIP_POLICY
* Mon Aug 20 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.6-2.3.fc17.1
- Updated to latest IcedTea7-forest-2.3
- Current build is u6
- Added Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch to remove
jvisualvm manpages from processing
* Mon Jul 9 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.5-2.2.1.fc17.9
- Added support to build older (2.1.1/u3/hs22) version on non-jit (secondary)
arches
* Wed Jun 13 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.3-2.2.1fc17.8
- Fixed broken provides sections
* Mon Jun 11 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.3-2.2.1fc17.7
- Used newly prepared tarball with security fixes
- Bump to icedtea7-forest-2.2.1
- _mandir/man1/jcmd-name.1 added to alternatives
- Updated rhino.patch
- Modified partially upstreamed patch302 - systemtap.patch
- Temporarily disabled patch102 - java-1.7.0-openjdk-size_t.patch
- Removed already upstreamed patches 104,107,108,301
- java-1.7.0-openjdk-arm-ftbfs.patch
- java-1.7.0-openjdk-system-zlib.patch
- java-1.7.0-openjdk-remove-mimpure-opt.patch
- systemtap-alloc-size-workaround.patch
- patch 105 (java-1.7.0-openjdk-ppc-zero-jdk.patch) has become 104
- patch 106 (java-1.7.0-openjdk-ppc-zero-hotspot.patch) has become 105
- Added build requires zip, which was until now a dependency of a dependency
- Access gnome bridge jar forced to be 644
* Fri May 25 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1.fc17.7
- Miscellaneous fixes brought in from RHEL branch
- Resolves: rhbz#825255: Added ALT_STRIP_POLICY so that debug info is not
stripped
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update java-1.7.0-openjdk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
<list address withheld>
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-13138
2012-09-01 23:47:46
--------------------------------------------------------------------------------
Name : java-1.7.0-openjdk
Product : Fedora 16
Version : 1.7.0.6
Release : 2.3.1.fc16.2
URL : http://openjdk.java.net/
Summary : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.
--------------------------------------------------------------------------------
Update Information:
This update fixes a recent security issue of Important impact. A Common
Vulnerability Scoring System (CVSS) base score, which gives a detailed severity
rating, is available from the CVE.
It was discovered that the Beans component in OpenJDK did not perform permission
checks properly. An untrusted Java application or applet could use this flaw to
use classes from restricted packages, allowing it to bypass Java sandbox
restrictions. (CVE-2012-4681)
Updated to latest IcedTea7 2.3 based on latest build of OpenJDK u6.
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
--------------------------------------------------------------------------------
ChangeLog:
* Thu Aug 30 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.6-2.3.1.fc16.2
- Updated to IcedTea-Forest 2.3.1
- Resolves rhbz#RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks
removed in 6788531.
- Commented out Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch as
already included in this Iced-Tea.
- Will be nice to verify after next upstream sync if it is still upstreamed
* Wed Aug 22 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.6-2.3.fc16.3
- ALT_STRIP_POLICY replaced by STRIP_POLICY
* Fri Aug 17 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.6-2.3.fc16.1
- Updated to latest IcedTea7-forest-2.3
- Current build is u6
- Added Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch to remove
jvisualvm manpages from processing
* Mon Jun 11 2012 Jiri Vanek <e-mail address withheld> - 1.7.0.3-2.2.1fc16.7
- Used newly prepared tarball with security fixes
- Bump to icedtea7-forest-2.2.1
- _mandir/man1/jcmd-name.1 added to alternatives
- Updated rhino.patch
- Modified partially upstreamed patch302 - systemtap.patch
- Temporarily disabled patch102 - java-1.7.0-openjdk-size_t.patch
- Removed already upstreamed patches 104,107,108,301
- java-1.7.0-openjdk-arm-ftbfs.patch
- java-1.7.0-openjdk-system-zlib.patch
- java-1.7.0-openjdk-remove-mimpure-opt.patch
- systemtap-alloc-size-workaround.patch
- patch 105 (java-1.7.0-openjdk-ppc-zero-jdk.patch) has become 104
- patch 106 (java-1.7.0-openjdk-ppc-zero-hotspot.patch) has become 105
- Access gnome bridge jar forced to be 644
* Fri May 25 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1.fc16.6
- Miscellaneous fixes brought in from RHEL branch
- Resolves: rhbz#825255: Added ALT_STRIP_POLICY so that debug info is not
stripped
- Moved Patch #7 (usage of system zlib) to #107
* Tue May 1 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1.fc16.5
- Removed VisualVM requirements
* Mon Mar 26 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1.fc16.4
- Merged with F17 branch
* Wed Mar 21 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1.fc16.3
- Reverted fix for rh740762
* Mon Mar 12 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1.fc16.2
- Resolved rh740762: java.library.path is missing some paths
* Fri Feb 24 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1.fc16.1
- Added flag so that debuginfo is built into classfiles (rhbz# 796400)
- Updated rhino.patch to build scripting support (rhbz# 796398)
* Tue Feb 14 2012 Deepak Bhole <e-mail address withheld> - 1.7.0.3-2.1
- Updated to OpenJDK7u3/IcedTea7 2.1
- Security fixes:
- S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
- S7082299, CVE-2011-3571: AtomicReferenceArray insufficient array type check
- S7110687, CVE-2012-0503: Unrestricted use of TimeZone.setDefault
- S7110700, CVE-2012-0505: Incomplete info in the deserialization exception
- S7110683, CVE-2012-0502: KeyboardFocusManager focus stealing
- S7088367, CVE-2011-3563: JavaSound incorrect bounds check
- S7126960, CVE-2011-5035: Add property to limit number of request headers to
the HTTP Server
- S7118283, CVE-2012-0501: Off-by-one bug in ZIP reading code
- S7110704, CVE-2012-0506: CORBA fix
- Add patch to fix compilation with GCC 4.7
* Tue Nov 15 2011 Deepak Bhole <e-mail address withheld> - 1.7.0.1-2.0.3
- Added patch to fix bug in jdk_generic_profile.sh
- Compile with generic profile to use system libraries
- Made remove-intree-libraries.sh more robust
- Added lcms requirement
- Added patch to fix glibc name clash
- Updated java version to include -icedtea
* Sun Nov 6 2011 Deepak Bhole <e-mail address withheld> - 1.7.0.1-2.0.2
- Added missing changelog entry
* Sun Nov 6 2011 Deepak Bhole <e-mail address withheld> - 1.7.0.1-2.0.1
- Updated to IcedTea 2.0 tag in the IcedTea OpenJDK7 forest
- Removed obsoleted patches
- Added system timezone support
- Revamp version/release naming scheme to make it proper
- Security fixes
- S7000600, CVE-2011-3547: InputStream skip() information leak
- S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
- S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
- S7032417, CVE-2011-3552: excessive default UDP socket limit under
SecurityManager
- S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
- S7055902, CVE-2011-3521: IIOP deserialization code execution
- S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error
checks
- S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against
SSL/TLS (BEAST)
- S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
- S7077466, CVE-2011-3556: RMI DGC server remote code execution
- S7083012, CVE-2011-3557: RMI registry privileged code execution
- S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
--------------------------------------------------------------------------------