{
  "schema_version": "1.7.0",
  "id": "MGASA-2014-0292",
  "published": "2014-07-26T11:03:50Z",
  "modified": "2014-07-26T11:02:33Z",
  "summary": "Updated java-1.7.0-openjdk packages fix multiple vulnerabilities",
  "details": "Updated java-1.7.0-openjdk packages fix security vulnerabilities:\n\nIt was discovered that the Hotspot component in OpenJDK did not properly\nverify bytecode from class files. An untrusted Java application or\napplet could possibly use these flaws to bypass Java sandbox restrictions\n(CVE-2014-4216, CVE-2014-4219).\n\nA format string flaw was discovered in the Hotspot component event logger\nin OpenJDK. An untrusted Java application or applet could use this flaw to\ncrash the Java Virtual Machine or, potentially, execute arbitrary code with\nthe privileges of the Java Virtual Machine (CVE-2014-2490).\n\nMultiple improper permission check issues were discovered in the Libraries\ncomponent in OpenJDK. An untrusted Java application or applet could use\nthese flaws to bypass Java sandbox restrictions (CVE-2014-4223,\nCVE-2014-4262, CVE-2014-2483).\n\nMultiple flaws were discovered in the JMX, Libraries, Security, and\nServiceability components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass certain Java sandbox restrictions\n(CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266).\n\nIt was discovered that the RSA algorithm in the Security component in\nOpenJDK did not apply sufficient blinding to operations that used\nprivate keys. An attacker able to measure timing differences in those\noperations could possibly obtain information about the keys used\n(CVE-2014-4244).\n\nThe Diffie-Hellman (DH) key exchange algorithm implementation in the\nSecurity component in OpenJDK failed to properly validate public DH\nparameters. This could cause OpenJDK to accept and use weak parameters,\nallowing an attacker to recover the negotiated key (CVE-2014-4263).\n\nThis update is based on IcedTea version 2.5.1, which fixes these issues, as\nwell as several others.\n",
  "upstream": [
    "CVE-2014-2483",
    "CVE-2014-2490",
    "CVE-2014-4209",
    "CVE-2014-4216",
    "CVE-2014-4218",
    "CVE-2014-4219",
    "CVE-2014-4221",
    "CVE-2014-4223",
    "CVE-2014-4244",
    "CVE-2014-4252",
    "CVE-2014-4262",
    "CVE-2014-4263",
    "CVE-2014-4266"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2014-0292.html"
    },
    {
      "type": "WEB",
      "url": "http://blog.fuseyism.com/index.php/2014/06/24/icedtea-2-5-0-for-openjdk-7-released-power-to-the-people/"
    },
    {
      "type": "WEB",
      "url": "http://blog.fuseyism.com/index.php/2014/07/16/security-icedtea-2-5-1-for-openjdk-7-released/"
    },
    {
      "type": "WEB",
      "url": "https://rhn.redhat.com/errata/RHSA-2014-0889.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=13754"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:3",
        "name": "java-1.7.0-openjdk",
        "purl": "pkg:rpm/mageia/java-1.7.0-openjdk?arch=source&distro=mageia-3"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.0.65-2.5.1.1.mga3"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "java-1.7.0-openjdk",
        "purl": "pkg:rpm/mageia/java-1.7.0-openjdk?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.0.65-2.5.1.1.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
