LinuxSecurity.com
Mandriva: 2013:196: java-1.6.0-openjdk
Posted by Benjamin D. Thomas   
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:196
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : java-1.6.0-openjdk
 Date    : July 15, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated java-1.6.0-openjdk packages fix security vulnerabilities:
 
 Multiple flaws were discovered in the ImagingLib and the image
 attribute, channel, layout and raster processing in the 2D
 component. An untrusted Java application or applet could possibly
 use these flaws to trigger Java Virtual Machine memory corruption
 (CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473,
 CVE-2013-2463, CVE-2013-2465, CVE-2013-2469).
 
 Integer overflow flaws were found in the way AWT processed certain
 input. An attacker could use these flaws to execute arbitrary code
 with the privileges of the user running an untrusted Java applet or
 application (CVE-2013-2459).
 
 Multiple improper permission check issues were discovered in the
 Sound and JMX components in OpenJDK. An untrusted Java application
 or applet could use these flaws to bypass Java sandbox restrictions
 (CVE-2013-2448, CVE-2013-2457, CVE-2013-2453).
 
 Multiple flaws in the Serialization, Networking, Libraries and CORBA
 components can be exploited by an untrusted Java application or applet
 to gain access to potentially sensitive information (CVE-2013-2456,
 CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443,
 CVE-2013-2446).
 
 It was discovered that the Hotspot component did not properly handle
 out-of-memory errors. An untrusted Java application or applet could
 possibly use these flaws to terminate the Java Virtual Machine
 (CVE-2013-2445).
 
 It was discovered that the AWT component did not properly manage
 certain resources and that the ObjectStreamClass of the Serialization
 component did not properly handle circular references. An untrusted
 Java application or applet could possibly use these flaws to cause
 a denial of service (CVE-2013-2444, CVE-2013-2450).
 
 It was discovered that the Libraries component contained certain errors
 related to XML security and the class loader. A remote attacker could
 possibly exploit these flaws to bypass intended security mechanisms
 or disclose potentially sensitive information and cause a denial of
 service (CVE-2013-2407, CVE-2013-2461).
 
 It was discovered that JConsole did not properly inform the user when
 establishing an SSL connection failed. An attacker could exploit
 this flaw to gain access to potentially sensitive information
 (CVE-2013-2412).
 
 It was found that documentation generated by Javadoc was vulnerable to
 a frame injection attack. If such documentation was accessible over
 a network, and a remote attacker could trick a user into visiting a
 specially-crafted URL, it would lead to arbitrary web content being
 displayed next to the documentation. This could be used to perform a
 phishing attack by providing frame content that spoofed a login form
 on the site hosting the vulnerable documentation (CVE-2013-1571).
 
 It was discovered that the 2D component created shared memory segments
 with insecure permissions. A local attacker could use this flaw to
 read or write to the shared memory segment (CVE-2013-1500).
 
 It was discovered that the Networking component did not properly
 enforce exclusive port binding. A local attacker could exploit this
 flaw to bind to ports intended to be exclusively bound (CVE-2013-2451).
 
 This updates IcedTea6 to version 1.11.12, which fixes these issues,
 as well as several other bugs.
 
 Additionally, this OpenJDK update causes icedtea-web, the Java browser
 plugin, to crash, so icedtea-web has been patched to fix this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
 https://rhn.redhat.com/errata/RHSA-2013-1014.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 3ae552d38d7cd10be746e4703279f789  mes5/i586/icedtea-web-1.3.2-0.4mdvmes5.2.i586.rpm
 cb106d5fa87dcb272347ccc6ff4c1c24  mes5/i586/icedtea-web-javadoc-1.3.2-0.4mdvmes5.2.i586.rpm
 2ae9cb967329a454731c3c5c50118fb5  mes5/i586/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 05afab461704f00714707dd22f4811be  mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 dc372b36845109db264de4d33301d9e5  mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 55cdf45405844e373f60c3bcac1c3fbc  mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm
 48653ecc4f9b945fafbf43e972465a18  mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-35.b24.6mdvmes5.2.i586.rpm 
 6652ab0958ffe2b11b061f8281c3e5a7  mes5/SRPMS/icedtea-web-1.3.2-0.4mdvmes5.2.src.rpm
 977e2c2d131ba350b6dd15cfd1bbf14c  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 6ffbc522ac4a2db8212ac963de525576  mes5/x86_64/icedtea-web-1.3.2-0.4mdvmes5.2.x86_64.rpm
 2bc2c2b9ce03a4785ef061ca66156aaa  mes5/x86_64/icedtea-web-javadoc-1.3.2-0.4mdvmes5.2.x86_64.rpm
 841d31717e695fd649290fd561400a4d  mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 51bd267b7c1b2efe641e080deb68fe96  mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 68fb561cd1b10758db8d9d6aa7d24487  mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 775811371aca053a714df2d570c19720  mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm
 7ce118640d8e59d659b020febe513427  mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-35.b24.6mdvmes5.2.x86_64.rpm 
 6652ab0958ffe2b11b061f8281c3e5a7  mes5/SRPMS/icedtea-web-1.3.2-0.4mdvmes5.2.src.rpm
 977e2c2d131ba350b6dd15cfd1bbf14c  mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-35.b24.6mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________
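Added example, not part of the Mandriva advisory: a Python script for the case where the RPMs were downloaded by hand instead of through MandrivaUpdate or urpmi, which checks each file against the md5 values in the "Updated Packages" list. The function names, the sample file names and the demo data are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One "Updated Packages" entry: 32 hex digits, whitespace, a path ending in .rpm
PKG_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$")

def parse_packages(advisory_text):
    """Return {rpm file name: md5} for every package line in the advisory."""
    expected = {}
    for line in advisory_text.splitlines():
        m = PKG_LINE.match(line)
        if m:
            digest, name = m.group(1), m.group(2).rsplit("/", 1)[-1]
            # SRPMS repeat per architecture; a differing repeat means a bad copy
            if expected.setdefault(name, digest) != digest:
                raise ValueError(f"conflicting checksums for {name}")
    return expected

def md5_of(path):
    """Hash the file in 1 MiB chunks so large RPMs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_dir(advisory_text, directory):
    """Map each *.rpm in directory to 'ok', 'mismatch' or 'unlisted'."""
    expected = parse_packages(advisory_text)
    status = {}
    for rpm in sorted(Path(directory).glob("*.rpm")):
        want = expected.get(rpm.name)
        if want is None:
            status[rpm.name] = "unlisted"
        else:
            status[rpm.name] = "ok" if md5_of(rpm) == want else "mismatch"
    return status

def demo():
    """Constructed input: three fake .rpm files and an advisory-style excerpt."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("good", "bad", "extra"):
            Path(d, f"sample-{name}-1.0.i586.rpm").write_bytes(name.encode())
        good = md5_of(Path(d, "sample-good-1.0.i586.rpm"))
        text = (f" {good}  mes5/i586/sample-good-1.0.i586.rpm\n"
                f" {'0' * 32}  mes5/i586/sample-bad-1.0.i586.rpm \n")
        return verify_dir(text, d)

if __name__ == "__main__":
    print(demo())
```

An md5 match only shows the file is the one the advisory lists; authenticity still rests on the GPG signature, which `rpm --checksig` checks once the Mandriva key has been imported.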
 