Mandriva Linux Security Advisory 2011-170 - Security issues were identified and fixed in openjdk (Icedtea6) and icedtea-web. IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking. IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT. IcedTea6 prior to 1.10.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
e2c7f52186f217d479f8d33ec72b7002da0b148f003d9142d6a982774c54a2e1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:170
https://www.mandriva.com/security/
_______________________________________________________________________
Package : java-1.6.0-openjdk
Date : November 11, 2011
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Security issues were identified and fixed in openjdk (icedtea6)
and icedtea-web:
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality
via unknown vectors related to Networking (CVE-2011-3547).
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality,
integrity, and availability, related to AWT (CVE-2011-3548).
IcedTea6 prior to 1.10.4 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors
related to 2D (CVE-2011-3551).
IcedTea6 prior to 1.10.4 allows remote attackers to affect integrity
via unknown vectors related to Networking (CVE-2011-3552).
IcedTea6 prior to 1.10.4 allows remote authenticated users to affect
confidentiality, related to JAXWS (CVE-2011-3553).
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality,
integrity, and availability via unknown vectors related to Scripting
(CVE-2011-3544).
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality,
integrity, and availability via unknown vectors related to
Deserialization (CVE-2011-3521).
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality,
integrity, and availability via unknown vectors (CVE-2011-3554).
A flaw was found in the way the SSL 3 and TLS 1.0 protocols used
block ciphers in cipher-block chaining (CBC) mode. An attacker able
to perform a chosen plain text attack against a connection mixing
trusted and untrusted data could use this flaw to recover portions
of the trusted data sent over the connection (CVE-2011-3389).
Note: This update mitigates the CVE-2011-3389 issue by splitting
the first application data record byte to a separate SSL/TLS
protocol record. This mitigation may cause compatibility issues
with some SSL/TLS implementations and can be disabled using the
jsse.enableCBCProtection boolean property. This can be done on the
command line by appending the flag -Djsse.enableCBCProtection=false
to the java command.
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality
via unknown vectors related to HotSpot (CVE-2011-3558).
IcedTea6 prior to 1.10.4 allows remote attackers to affect
confidentiality, integrity, and availability, related to RMI
(CVE-2011-3556).
IcedTea6 prior to 1.10.4 allows remote attackers to affect
confidentiality, integrity, and availability, related to RMI
(CVE-2011-3557).
IcedTea6 prior to 1.10.4 allows remote untrusted Java Web Start
applications and untrusted Java applets to affect confidentiality
and integrity, related to JSSE (CVE-2011-3560).
Deepak Bhole discovered a flaw in the Same Origin Policy (SOP)
implementation in the IcedTea project Web browser plugin. A
malicious applet could use this flaw to bypass SOP protection and
open connections to any sub-domain of the second-level domain of
the applet's origin, as well as any sub-domain of the domain that
is the suffix of the origin second-level domain. For example,
IcedTea-Web plugin allowed applet from some.host.example.com to
connect to other.host.example.com, www.example.com, and example.com,
as well as www.ample.com or ample.com. (CVE-2011-3377).
_______________________________________________________________________
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3377
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
2881c71d1da084f6c7a136335f5383d6 2010.1/i586/icedtea-web-1.0.6-0.1mdv2010.2.i586.rpm
415d7598363639aecbafd380827b7ab2 2010.1/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
27d2d84f2a00e4d18cb68e8c8ecd1626 2010.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
8b4b727a2139d866d0e88ff720de9b57 2010.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
8084b3aaeac98db2ddf89913db805725 2010.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
f5c32405224455a5065d85ecbba6f1f2 2010.1/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdv2010.2.i586.rpm
45fd80b86f46b8e9ca3711c47d4fbb40 2010.1/SRPMS/icedtea-web-1.0.6-0.1mdv2010.2.src.rpm
6bbb0d8c0e0ce847b86d9145ca12e211 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
899e54445bf4ad65ea254e835006ce27 2010.1/x86_64/icedtea-web-1.0.6-0.1mdv2010.2.x86_64.rpm
7da63e6b6d83974f32f6580c4de53929 2010.1/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
859e838ff8583b814f1270c36d0bf248 2010.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
8da61ef538893c8b7766e868e369f400 2010.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
3b56e8612ba71e92e728e3e1a9fef319 2010.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
23eea5b9bf1a2ee3db0ebf0c6927234a 2010.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdv2010.2.x86_64.rpm
45fd80b86f46b8e9ca3711c47d4fbb40 2010.1/SRPMS/icedtea-web-1.0.6-0.1mdv2010.2.src.rpm
6bbb0d8c0e0ce847b86d9145ca12e211 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdv2010.2.src.rpm
Mandriva Linux 2011:
b585d6580568d064d9e99ab2d8898dbb 2011/i586/icedtea-web-1.0.6-0.1-mdv2011.0.i586.rpm
17ea4db995836efdb63f62370adc21f3 2011/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
b5b625dd4b96e479ce532f2d578650bb 2011/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
3bc34e225ec9e6b38dd1876a5c5ffe6d 2011/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
050f5c111f9e65c0ea06f80e4ffff35d 2011/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
3d5eed0e210b9d4e38a6dcd74929f0dd 2011/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1-mdv2011.0.i586.rpm
0579fb909e08a0f420183284ba7061e9 2011/SRPMS/icedtea-web-1.0.6-0.1.src.rpm
128cec9fdd9fd0e0d921341f178be9a1 2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1.src.rpm
Mandriva Linux 2011/X86_64:
aa77ab19c7746723530e3a696fd4355a 2011/x86_64/icedtea-web-1.0.6-0.1-mdv2011.0.x86_64.rpm
467cc14261ed055450afbf1a2a5fe483 2011/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
2850bfa26b1f992dff3c2c1ac3f1326b 2011/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
50053850cfdd573a9469aa0b5783cc82 2011/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
04ba44e392bf335e86fdc2c66d03bdf3 2011/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
678776c021e19498a6e201c9b0ef6513 2011/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1-mdv2011.0.x86_64.rpm
0579fb909e08a0f420183284ba7061e9 2011/SRPMS/icedtea-web-1.0.6-0.1.src.rpm
128cec9fdd9fd0e0d921341f178be9a1 2011/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1.src.rpm
Mandriva Enterprise Server 5:
c6af60f8fac7b8fb91a79983e4c68364 mes5/i586/icedtea-web-1.0.6-0.1mdvmes5.2.i586.rpm
00295911ed1610030bd0b39680c2fb20 mes5/i586/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
bdcd904e1e04d57f8205904b84dd5971 mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
960da26357c48af97ca8e9cdb4245692 mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
8cf1ac9ad06eddba1916d8e4e2b3cedf mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
f0a00b845915e25e7b4bc9802914aee4 mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdvmes5.2.i586.rpm
3860e9d27e8bc15ea72a57deb811c961 mes5/SRPMS/icedtea-web-1.0.6-0.1mdvmes5.2.src.rpm
b0701aff2a8ffdcc27a6cd7560d0d099 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
765023a21377d664c2ba05e98147dd1b mes5/x86_64/icedtea-web-1.0.6-0.1mdvmes5.2.x86_64.rpm
f0b699b476a124eb0a1b2f5187101de9 mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
249ffd15ed12d64798ff39431e402d69 mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
d747f2b1361c0a67d4d85824a94d0a69 mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
d50d63017beb08a2f23d08138a17c992 mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
dd36ff4d9b91a541dfa86bb46288bbe0 mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-24.b22.1mdvmes5.2.x86_64.rpm
3860e9d27e8bc15ea72a57deb811c961 mes5/SRPMS/icedtea-web-1.0.6-0.1mdvmes5.2.src.rpm
b0701aff2a8ffdcc27a6cd7560d0d099 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-24.b22.1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
https://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOvSWxmqjQ0CJFipgRAnk1AKDUddZYCqwkfhoUpLxEL0BT3mDf0ACfbuTI
aaF2JGTyfceBABs92un/yVA=
=yPsD
-----END PGP SIGNATURE-----