LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: November 21st, 2014
Linux Security Week: November 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: 2013:183: java-1.7.0-openjdk Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake Updated java-1.7.0-openjdk packages fix multiple security vulnerabilities Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D [More...]
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:183
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.7.0-openjdk
 Date    : June 27, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.7.0-openjdk packages fix multiple security
 vulnerabilities
 
 Multiple flaws were discovered in the ImagingLib and the image
 attribute, channel, layout and raster processing in the 2D
 component. An untrusted Java application or applet could possibly
 use these flaws to trigger Java Virtual Machine memory corruption
 (CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,
 CVE-2013-2463, CVE-2013-2465, CVE-2013-2469).
 
 Integer overflow flaws were found in the way AWT processed certain
 input. An attacker could use these flaws to execute arbitrary code
 with the privileges of the user running an untrusted Java applet or
 application (CVE-2013-2459).
 
 Multiple improper permission check issues were discovered in the Sound,
 JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An
 untrusted Java application or applet could use these flaws to bypass
 Java sandbox restrictions (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,
 CVE-2013-2457, CVE-2013-2453, CVE-2013-2460).
 
 Multiple flaws in the Serialization, Networking, Libraries and CORBA
 components can be exploited by an untrusted Java application or applet
 to gain access to potentially sensitive information (CVE-2013-2456,
 CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,
 CVE-2013-2446).
 
 It was discovered that the Hotspot component did not properly handle
 out-of-memory errors. An untrusted Java application or applet could
 possibly use these flaws to terminate the Java Virtual Machine
 (CVE-2013-2445).
 
 It was discovered that the AWT component did not properly manage
 certain resources and that the ObjectStreamClass of the Serialization
 component did not properly handle circular references. An untrusted
 Java application or applet could possibly use these flaws to cause
 a denial of service (CVE-2013-2444, CVE-2013-2450).
 
 It was discovered that the Libraries component contained certain errors
 related to XML security and the class loader. A remote attacker could
 possibly exploit these flaws to bypass intended security mechanisms
 or disclose potentially sensitive information and cause a denial of
 service (CVE-2013-2407, CVE-2013-2461).
 
 It was discovered that JConsole did not properly inform the user when
 establishing an SSL connection failed. An attacker could exploit
 this flaw to gain access to potentially sensitive information
 (CVE-2013-2412).
 
 It was discovered that GnomeFileTypeDetector did not check for read
 permissions when accessing files. An untrusted Java application or
 applet could possibly use this flaw to disclose potentially sensitive
 information (CVE-2013-2449).
 
 It was found that documentation generated by Javadoc was vulnerable to
 a frame injection attack. If such documentation was accessible over
 a network, and a remote attacker could trick a user into visiting a
 specially-crafted URL, it would lead to arbitrary web content being
 displayed next to the documentation. This could be used to perform a
 phishing attack by providing frame content that spoofed a login form
 on the site hosting the vulnerable documentation (CVE-2013-1571).
 
 It was discovered that the 2D component created shared memory segments
 with insecure permissions. A local attacker could use this flaw to
 read or write to the shared memory segment (CVE-2013-1500).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
 http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
 https://rhn.redhat.com/errata/RHSA-2013-0957.html
 https://rhn.redhat.com/errata/RHBA-2013-0959.html
 http://advisories.mageia.org/MGASA-2013-0185.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 fd8f5721936e7c29126613de15aa5fe3  mbs1/x86_64/java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mbs1.x86_64.rpm
 547217947f5ca79737aaea54ffcf4e6c  mbs1/x86_64/java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mbs1.x86_64.rpm
 4bd7e932f9e151caa891c66e3c49a7b5  mbs1/x86_64/java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mbs1.x86_64.rpm
 ad203c238d0dd809b203072580abe150  mbs1/x86_64/java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mbs1.noarch.rpm
 e8cc98c70fbc9f313eaa29c6fb45de0b  mbs1/x86_64/java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mbs1.x86_64.rpm 
 5c3c075f362ceac543801a72a27c8028  mbs1/SRPMS/java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Hackers encrypted the entire City of Detroit DataBase & demanded ransom of 2000 bitcoins ($803,500)
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.