Bug 33540 - openjdk-6: Multiple security issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.0
Other Linux
P1 normal
UCS 3.2-2-errata
Assigned To: Moritz Muehlenhoff
Philipp Hahn
Depends on: 29168
Blocks:
Reported: 2013-11-22 15:05 CET by Moritz Muehlenhoff
Modified: 2015-02-09 08:15 CET (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Moritz Muehlenhoff univentionstaff 2013-11-22 15:05:22 CET
+++ This bug was initially created as a clone of Bug #29168 +++

CVE-2012-0547
CVE-2012-1682 
CVE-2012-5089
CVE-2012-5085
CVE-2012-5084
CVE-2012-5083
CVE-2012-5081
CVE-2012-5079
CVE-2012-5077
CVE-2012-5075
CVE-2012-5073
CVE-2012-5072
CVE-2012-5071
CVE-2012-5069
CVE-2012-5068
CVE-2012-3216
CVE-2012-3159
CVE-2012-3143
CVE-2012-1533
CVE-2012-1532
CVE-2012-1531
- Hash collisions in the Murmur hash algorithm (CVE-2012-2739, CVE-2012-5373)
- "Lucky 13" attack against TLS (CVE-2013-0169)
- Access to MBeanServer is insufficiently restricted (CVE-2013-1486)
- Crashes in image processing (CVE-2013-0809, CVE-2013-1493)
CVE-2013-1480
CVE-2013-1478
CVE-2013-1476
CVE-2013-1475
CVE-2013-0450
CVE-2013-0445
CVE-2013-0443
CVE-2013-0442
CVE-2013-0441
CVE-2013-0440
CVE-2013-0435
CVE-2013-0434
CVE-2013-0433
CVE-2013-0432
CVE-2013-0429
CVE-2013-0428
CVE-2013-0427
CVE-2013-0426
CVE-2013-0425
CVE-2013-0424
CVE-2013-0401
CVE-2013-1518
CVE-2013-1537
CVE-2013-1557
CVE-2013-1558
CVE-2013-1569
CVE-2013-2383
CVE-2013-2384
CVE-2013-2417
CVE-2013-2419
CVE-2013-2420
CVE-2013-2422
CVE-2013-2424
CVE-2013-2429
CVE-2013-2430
CVE-2013-2470
CVE-2013-2471
CVE-2013-2472
CVE-2013-2473
CVE-2013-2463
CVE-2013-2464
CVE-2013-2465
CVE-2013-2469
CVE-2013-2459
CVE-2013-3743
CVE-2013-2445
CVE-2013-2448
CVE-2013-2461
CVE-2013-2407
CVE-2013-2454
CVE-2013-2444
CVE-2013-2446
CVE-2013-2457
CVE-2013-2453
CVE-2013-2443
CVE-2013-2452
CVE-2013-2455
CVE-2013-2447
CVE-2013-2450
CVE-2013-2456
CVE-2013-2412
CVE-2013-2451
CVE-2013-1500
CVE-2013-1571
CVE-2013-5782
CVE-2013-5830
CVE-2013-5809
CVE-2013-5829
CVE-2013-5814
CVE-2013-5817
CVE-2013-5842
CVE-2013-5850
CVE-2013-5802
CVE-2013-3829
CVE-2013-5825
CVE-2013-4002
CVE-2013-5778
CVE-2013-5820
CVE-2013-5840
CVE-2013-5774
CVE-2013-5780
CVE-2013-5849
CVE-2013-5790
CVE-2013-5784
CVE-2013-5797
CVE-2013-5772
CVE-2013-5823
+++ This bug was initially created as a clone of Bug #28332 +++

CVE-2012-0547
CVE-2012-1682
CVE-2012-5089
CVE-2012-5085
CVE-2012-5084
CVE-2012-5083
CVE-2012-5081
CVE-2012-5079
CVE-2012-5077
CVE-2012-5075
CVE-2012-5073
CVE-2012-5072
CVE-2012-5071
CVE-2012-5069
CVE-2012-5068
CVE-2012-3216
CVE-2012-3159
CVE-2012-3143
CVE-2012-1533
CVE-2012-1532
CVE-2012-1531
Comment 1 Moritz Muehlenhoff univentionstaff 2014-01-15 09:14:08 CET
New issues:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

CVE-2013-5907
CVE-2014-0428
CVE-2014-0422
CVE-2013-5893
CVE-2014-0417
CVE-2014-0373
CVE-2013-5878
CVE-2014-0423
CVE-2013-5884
CVE-2013-5896
CVE-2014-0416
CVE-2014-0368
CVE-2014-0376
CVE-2013-5910
CVE-2014-0411
Comment 2 Moritz Muehlenhoff univentionstaff 2014-02-13 12:01:32 CET
Insecure temp file handling in the unpack200 tool (CVE-2014-1876)
Comment 3 Moritz Muehlenhoff univentionstaff 2014-04-16 08:49:52 CEST
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html:

CVE-2014-0429 CVE-2014-0457 CVE-2014-0456 CVE-2014-2421 CVE-2014-2397 CVE-2014-0461 CVE-2014-2412 CVE-2014-0451 CVE-2014-0458 CVE-2014-2423 CVE-2014-0452 CVE-2014-2414 CVE-2014-0446 CVE-2014-2427 CVE-2014-0460 CVE-2014-2403 CVE-2014-0453 CVE-2014-2398 CVE-2014-1876
Comment 4 Janek Walkenhorst univentionstaff 2014-05-30 12:56:24 CEST
The following alternatives vanish when installing/uninstalling/installing the open-xchange app:

java -> /usr/lib/jvm/java-6-openjdk/jre/bin/java*
java.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/java.1.gz
jexec -> /usr/lib/jvm/java-6-openjdk/jre/lib/jexec*
jexec-binfmt -> /usr/lib/jvm/java-6-openjdk/jre/lib/jar.binfmt
keytool -> /usr/lib/jvm/java-6-openjdk/jre/bin/keytool*
keytool.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/keytool.1.gz
orbd -> /usr/lib/jvm/java-6-openjdk/jre/bin/orbd*
orbd.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/orbd.1.gz
pack200 -> /usr/lib/jvm/java-6-openjdk/jre/bin/pack200*
pack200.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/pack200.1.gz
policytool -> /usr/lib/jvm/java-6-openjdk/jre/bin/policytool*
policytool.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/policytool.1.gz
rmid -> /usr/lib/jvm/java-6-openjdk/jre/bin/rmid*
rmid.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/rmid.1.gz
rmiregistry -> /usr/lib/jvm/java-6-openjdk/jre/bin/rmiregistry*
rmiregistry.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/rmiregistry.1.gz
servertool -> /usr/lib/jvm/java-6-openjdk/jre/bin/servertool*
servertool.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/servertool.1.gz
tnameserv -> /usr/lib/jvm/java-6-openjdk/jre/bin/tnameserv*
tnameserv.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/tnameserv.1.gz
unpack200 -> /usr/lib/jvm/java-6-openjdk/jre/bin/unpack200*
unpack200.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/unpack200.1.gz
Comment 5 Moritz Muehlenhoff univentionstaff 2014-06-11 14:45:36 CEST
The alternatives handling has been fixed with the patch 20-always-update-alternatives.patch

After the installation of OX from the App Center:

root@master:/etc/alternatives# ls -lha java
lrwxrwxrwx 1 root root 40 21. Nov 14:20 java -> /usr/lib/jvm/java-6-openjdk/jre/bin/java

After the removal of OX:

root@master:/etc/alternatives# ls -lha java
ls: Zugriff auf java nicht möglich: Datei oder Verzeichnis nicht gefunden

After a new installation:

root@master:/etc/alternatives# ls -lha java
lrwxrwxrwx 1 root root 40 29. Jan 13:45 java -> /usr/lib/jvm/java-6-openjdk/jre/bin/java


YAML file: 2014-06-10-openjdk-6.yaml
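As an added example (not code from the bug report or the Univention openjdk-6 package), a POSIX shell health check for the alternatives listed in comment 4: it verifies that each link under /etc/alternatives exists, points at the expected JRE path, and that the target file is present, so a vanished link is caught right after an app install or removal instead of when a Java tool is first invoked. ALT_DIR and JRE_BIN are assumed parameters whose defaults are the paths quoted in the comments; the tool list is the one from comment 4.

```shell
#!/bin/sh
# Added example: health check for the update-alternatives links of the
# java-6-openjdk JRE. ALT_DIR and JRE_BIN are assumed parameters so the
# check can be pointed at a scratch directory; the defaults are the real
# paths quoted in the bug report.
ALT_DIR="${ALT_DIR:-/etc/alternatives}"
JRE_BIN="${JRE_BIN:-/usr/lib/jvm/java-6-openjdk/jre/bin}"

# check_alternative NAME EXPECTED_TARGET
# Exit status: 0 = link present and correct
#              1 = link missing (the symptom described in comment 4)
#              2 = link points somewhere else
#              3 = link is correct but the target file itself is gone
check_alternative() {
    name="$1"
    expected="$2"
    link="$ALT_DIR/$name"
    if [ ! -L "$link" ]; then
        echo "MISSING: $link" >&2
        return 1
    fi
    actual=$(readlink "$link")
    if [ "$actual" != "$expected" ]; then
        echo "WRONG TARGET: $link -> $actual (expected $expected)" >&2
        return 2
    fi
    if [ ! -e "$expected" ]; then
        echo "DANGLING: $link -> $expected" >&2
        return 3
    fi
    return 0
}

# check_jre_alternatives
# Runs check_alternative over the JRE tools from comment 4 and returns the
# number of tools whose alternative is broken (0 means everything is intact).
check_jre_alternatives() {
    failures=0
    for tool in java keytool orbd pack200 policytool rmid rmiregistry \
                servertool tnameserv unpack200; do
        check_alternative "$tool" "$JRE_BIN/$tool" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage on a real system (not run here):
#   sh check-alternatives.sh && echo "all JRE alternatives intact"
#   ALT_DIR=/etc/alternatives JRE_BIN=/usr/lib/jvm/java-6-openjdk/jre/bin \
#       sh -c '. ./check-alternatives.sh; check_jre_alternatives'
```

Running it before and after an App Center install/removal, as comment 5 does by hand with `ls -lha java`, gives a non-zero exit status the moment a link disappears; the distinct return codes let a monitoring job tell a vanished link apart from one that was re-pointed at a different JVM.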
Comment 6 Philipp Hahn univentionstaff 2014-06-13 10:25:27 CEST
OK: r13137 20-always-update-alternatives.patch
    This patch is only relevant for the new version, as the update-alternatives mechanism was changed there to support MULTIARCH. The bug does not manifest with the old version.
FIXED: r51029 2014-06-10-openjdk-6.yaml
OK: oxseforucs
FAIL: sesmem

# /opt/sesam/bin/gui/sesam_gui
2014-06-13 08:59:53.813 [main] INFO  - try to connect to 'mas19.phahn.qa:11401'
2014-06-13 08:59:53.849 [main] FATAL - IOException: Connection refused to host: mas19.phahn.qa; nested exception is:
# lsof -i :11401
# java -version
java version "1.6.0_31"
OpenJDK Runtime Environment (IcedTea6 1.13.3) (6b31-1.13.3-1.72.201406101139)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)

# aptitude install '?installed?name(openjdk)'
# java -version
java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8.13) (6b18-1.8.13-0.62.201207030838)
OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)
# /etc/init.d/sesam restart
# lsof -i :11401
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    6240 root   13u  IPv6  26500      0t0  TCP *:11401 (LISTEN)
java    6240 root   17u  IPv6  26507      0t0  TCP mas19.phahn.qa:36029->mas19.phahn.qa:11401 (ESTABLISHED)
java    6240 root   18u  IPv6  26512      0t0  TCP mas19.phahn.qa:11401->mas19.phahn.qa:36029 (ESTABLISHED)


Looks like <http://wiki.sepsoftware.com/wiki/index.php/JRE_Update#SEP_sesam_RMI_.28GUI.29_Server_will_not_start_up_with_Java_Version_7_Update_51> also applies to the OpenJDK-6 update.
Comment 7 Moritz Muehlenhoff univentionstaff 2014-06-27 13:12:37 CEST
http://errata.univention.de/ucs/3.2/128.html
Comment 8 Moritz Muehlenhoff univentionstaff 2015-02-09 08:15:08 CET
This update also fixed CVE-2013-4578 (which was only recently disclosed).