Advisories ยป MGASA-2014-0023

Updated java-1.7.0-openjdk package fixes multiple security vulnerabilities

Publication date: 21 Jan 2014
Modification date: 21 Jan 2014
Type: security
Affected Mageia releases : 3
CVE: CVE-2013-5878 , CVE-2013-5884 , CVE-2013-5893 , CVE-2013-5896 , CVE-2013-5907 , CVE-2013-5910 , CVE-2014-0368 , CVE-2014-0373 , CVE-2014-0376 , CVE-2014-0411 , CVE-2014-0416 , CVE-2014-0422 , CVE-2014-0423 , CVE-2014-0428

Description

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

An input validation flaw was discovered in the font layout engine in the 2D
component. A specially crafted font file could trigger Java Virtual Machine
memory corruption when processed. An untrusted Java application or applet
could possibly use this flaw to bypass Java sandbox restrictions
(CVE-2013-5907).

Multiple improper permission check issues were discovered in the CORBA,
JNDI, and Libraries components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions
(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893).

Multiple improper permission check issues were discovered in the
Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions (CVE-2014-0373, CVE-2013-5878,
CVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,
CVE-2014-0368).

It was discovered that the Beans component did not restrict processing of
XML external entities. This flaw could cause a Java application using Beans
to leak sensitive information, or affect application availability
(CVE-2014-0423).

It was discovered that the JSSE component could leak timing information
during the TLS/SSL handshake. This could possibly lead to disclosure of
information about the used encryption keys (CVE-2014-0411).
                

References

SRPMS

3/core