1 |
type: security |
2 |
subject: Updated java-1.6.0-openjdk packages fix security vulnerabilities |
3 |
CVE: |
4 |
- CVE-2013-1500 |
5 |
- CVE-2013-1571 |
6 |
- CVE-2013-2407 |
7 |
- CVE-2013-2412 |
8 |
- CVE-2013-2443 |
9 |
- CVE-2013-2444 |
10 |
- CVE-2013-2445 |
11 |
- CVE-2013-2446 |
12 |
- CVE-2013-2447 |
13 |
- CVE-2013-2448 |
14 |
- CVE-2013-2450 |
15 |
- CVE-2013-2451 |
16 |
- CVE-2013-2452 |
17 |
- CVE-2013-2453 |
18 |
- CVE-2013-2455 |
19 |
- CVE-2013-2456 |
20 |
- CVE-2013-2457 |
21 |
- CVE-2013-2459 |
22 |
- CVE-2013-2461 |
23 |
- CVE-2013-2463 |
24 |
- CVE-2013-2465 |
25 |
- CVE-2013-2469 |
26 |
- CVE-2013-2470 |
27 |
- CVE-2013-2471 |
28 |
- CVE-2013-2472 |
29 |
- CVE-2013-2473 |
30 |
src: |
31 |
2: |
32 |
core: |
33 |
- java-1.6.0-openjdk-1.6.0.0-42.b24.1.mga2 |
34 |
- icedtea-web-1.3.2-1.1.mga2 |
35 |
description: | |
36 |
Multiple flaws were discovered in the ImagingLib and the image attribute, |
37 |
channel, layout and raster processing in the 2D component. An untrusted |
38 |
Java application or applet could possibly use these flaws to trigger Java |
39 |
Virtual Machine memory corruption (CVE-2013-2470, CVE-2013-2471, |
40 |
CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469). |
41 |
|
42 |
Integer overflow flaws were found in the way AWT processed certain input. |
43 |
An attacker could use these flaws to execute arbitrary code with the |
44 |
privileges of the user running an untrusted Java applet or application |
45 |
(CVE-2013-2459). |
46 |
|
47 |
Multiple improper permission check issues were discovered in the Sound and |
48 |
JMX components in OpenJDK. An untrusted Java application or applet could |
49 |
use these flaws to bypass Java sandbox restrictions (CVE-2013-2448, |
50 |
CVE-2013-2457, CVE-2013-2453). |
51 |
|
52 |
Multiple flaws in the Serialization, Networking, Libraries and CORBA |
53 |
components can be exploited by an untrusted Java application or applet to |
54 |
gain access to potentially sensitive information (CVE-2013-2456, |
55 |
CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446). |
56 |
|
57 |
It was discovered that the Hotspot component did not properly handle |
58 |
out-of-memory errors. An untrusted Java application or applet could |
59 |
possibly use these flaws to terminate the Java Virtual Machine |
60 |
(CVE-2013-2445). |
61 |
|
62 |
It was discovered that the AWT component did not properly manage certain |
63 |
resources and that the ObjectStreamClass of the Serialization component |
64 |
did not properly handle circular references. An untrusted Java application |
65 |
or applet could possibly use these flaws to cause a denial of service |
66 |
(CVE-2013-2444, CVE-2013-2450). |
67 |
|
68 |
It was discovered that the Libraries component contained certain errors |
69 |
related to XML security and the class loader. A remote attacker could |
70 |
possibly exploit these flaws to bypass intended security mechanisms or |
71 |
disclose potentially sensitive information and cause a denial of service |
72 |
(CVE-2013-2407, CVE-2013-2461). |
73 |
|
74 |
It was discovered that JConsole did not properly inform the user when |
75 |
establishing an SSL connection failed. An attacker could exploit this flaw |
76 |
to gain access to potentially sensitive information (CVE-2013-2412). |
77 |
|
78 |
It was found that documentation generated by Javadoc was vulnerable to a |
79 |
frame injection attack. If such documentation was accessible over a |
80 |
network, and a remote attacker could trick a user into visiting a |
81 |
specially-crafted URL, it would lead to arbitrary web content being |
82 |
displayed next to the documentation. This could be used to perform a |
83 |
phishing attack by providing frame content that spoofed a login form on |
84 |
the site hosting the vulnerable documentation (CVE-2013-1571). |
85 |
|
86 |
It was discovered that the 2D component created shared memory segments with |
87 |
insecure permissions. A local attacker could use this flaw to read or write |
88 |
to the shared memory segment (CVE-2013-1500). |
89 |
|
90 |
It was discovered that the Networking component did not properly enforce |
91 |
exclusive port binding. A local attacker could exploit this flaw to bind to |
92 |
ports intended to be exclusively bound (CVE-2013-2451). |
93 |
|
94 |
This updates IcedTea6 to version 1.11.12, which fixes these issues, as well |
95 |
as several other bugs. |
96 |
|
97 |
Additionally, this OpenJDK update causes icedtea-web, the Java browser |
98 |
plugin, to crash, so icedtea-web has been patched to fix this on Mageia 2. |
99 |
references: |
100 |
- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html |
101 |
- http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/ |
102 |
- http://blog.fuseyism.com/index.php/2013/07/10/security-icedtea-1-11-12-1-12-6-for-openjdk-6-released/ |
103 |
- https://rhn.redhat.com/errata/RHSA-2013-1014.html |
104 |
- https://bugzilla.redhat.com/show_bug.cgi?id=975146 |
105 |
- https://rhn.redhat.com/errata/RHBA-2013-0959.html |
106 |
- https://bugs.mageia.org/show_bug.cgi?id=10054 |
107 |
ID: MGASA-2013-0208 |