Univention Bugzilla – Bug 33540
openjdk-6: Multiple security issues (3.2)
Last modified: 2015-02-09 08:15:08 CET
+++ This bug was initially created as a clone of Bug #29168 +++

CVE-2012-0547 CVE-2012-1682 CVE-2012-5089 CVE-2012-5085 CVE-2012-5084 CVE-2012-5083 CVE-2012-5081 CVE-2012-5079 CVE-2012-5077 CVE-2012-5075 CVE-2012-5073 CVE-2012-5072 CVE-2012-5071 CVE-2012-5069 CVE-2012-5068 CVE-2012-3216 CVE-2012-3159 CVE-2012-3143 CVE-2012-1533 CVE-2012-1532 CVE-2012-1531

Hash collisions in the Murmur hash algorithm (CVE-2012-2739, CVE-2012-5373)
- "Lucky 13" attack against TLS (CVE-2013-0169)
- Access to MBeanServer is insufficiently restricted (CVE-2013-1486)

Crashes in image processing (CVE-2013-0809, CVE-2013-1493)

CVE-2013-1480 CVE-2013-1478 CVE-2013-1476 CVE-2013-1475 CVE-2013-0450 CVE-2013-0445 CVE-2013-0443 CVE-2013-0442 CVE-2013-0441 CVE-2013-0440 CVE-2013-0435 CVE-2013-0434 CVE-2013-0433 CVE-2013-0432 CVE-2013-0429 CVE-2013-0428 CVE-2013-0427 CVE-2013-0426 CVE-2013-0425 CVE-2013-0424 CVE-2013-0401 CVE-2013-1518 CVE-2013-1537 CVE-2013-1557 CVE-2013-1558 CVE-2013-1569 CVE-2013-2383 CVE-2013-2384 CVE-2013-2417 CVE-2013-2419 CVE-2013-2420 CVE-2013-2422 CVE-2013-2424 CVE-2013-2429 CVE-2013-2430 CVE-2013-2470 CVE-2013-2471 CVE-2013-2472 CVE-2013-2473 CVE-2013-2463 CVE-2013-2464 CVE-2013-2465 CVE-2013-2469 CVE-2013-2459 CVE-2013-3743 CVE-2013-2445 CVE-2013-2448 CVE-2013-2461 CVE-2013-2407 CVE-2013-2454 CVE-2013-2444 CVE-2013-2446 CVE-2013-2457 CVE-2013-2453 CVE-2013-2443 CVE-2013-2452 CVE-2013-2455 CVE-2013-2447 CVE-2013-2450 CVE-2013-2456 CVE-2013-2412 CVE-2013-2451 CVE-2013-1500 CVE-2013-1571 CVE-2013-2412 CVE-2013-2443 CVE-2013-2453 CVE-2013-2456 CVE-2013-2457 CVE-2013-5782 CVE-2013-5830 CVE-2013-5809 CVE-2013-5829 CVE-2013-5814 CVE-2013-5817 CVE-2013-5842 CVE-2013-5850 CVE-2013-5802 CVE-2013-3829 CVE-2013-5825 CVE-2013-4002 CVE-2013-5778 CVE-2013-5820 CVE-2013-5840 CVE-2013-5774 CVE-2013-5780 CVE-2013-5849 CVE-2013-5790 CVE-2013-5784 CVE-2013-5797 CVE-2013-5772 CVE-2013-5850 CVE-2013-5823

+++ This bug was initially created as a clone of Bug #28332 +++

CVE-2012-0547 CVE-2012-1682 CVE-2012-5089 CVE-2012-5085 CVE-2012-5084 CVE-2012-5083 CVE-2012-5081 CVE-2012-5079 CVE-2012-5077 CVE-2012-5075 CVE-2012-5073 CVE-2012-5072 CVE-2012-5071 CVE-2012-5069 CVE-2012-5068 CVE-2012-3216 CVE-2012-3159 CVE-2012-3143 CVE-2012-1533 CVE-2012-1532 CVE-2012-1531
New issues: http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html CVE-2013-5907 CVE-2014-0428 CVE-2014-0422 CVE-2013-5893 CVE-2014-0417 CVE-2014-0373 CVE-2013-5878 CVE-2014-0423 CVE-2013-5884 CVE-2013-5896 CVE-2014-0416 CVE-2014-0368 CVE-2014-0376 CVE-2013-5910 CVE-2014-0411
Insecure temp file handling in unpack200 tool (CVE-2014-1876)
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html: CVE-2014-0429 CVE-2014-0457 CVE-2014-0456 CVE-2014-2421 CVE-2014-2397 CVE-2014-0461 CVE-2014-2412 CVE-2014-0451 CVE-2014-0458 CVE-2014-2423 CVE-2014-0452 CVE-2014-2414 CVE-2014-0446 CVE-2014-2427 CVE-2014-0460 CVE-2014-2403 CVE-2014-0453 CVE-2014-2398 CVE-2014-1876
The following alternatives vanish when installing/uninstalling/installing the open-xchange app:

java -> /usr/lib/jvm/java-6-openjdk/jre/bin/java*
java.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/java.1.gz
jexec -> /usr/lib/jvm/java-6-openjdk/jre/lib/jexec*
jexec-binfmt -> /usr/lib/jvm/java-6-openjdk/jre/lib/jar.binfmt
keytool -> /usr/lib/jvm/java-6-openjdk/jre/bin/keytool*
keytool.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/keytool.1.gz
orbd -> /usr/lib/jvm/java-6-openjdk/jre/bin/orbd*
orbd.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/orbd.1.gz
pack200 -> /usr/lib/jvm/java-6-openjdk/jre/bin/pack200*
pack200.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/pack200.1.gz
policytool -> /usr/lib/jvm/java-6-openjdk/jre/bin/policytool*
policytool.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/policytool.1.gz
rmid -> /usr/lib/jvm/java-6-openjdk/jre/bin/rmid*
rmid.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/rmid.1.gz
rmiregistry -> /usr/lib/jvm/java-6-openjdk/jre/bin/rmiregistry*
rmiregistry.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/rmiregistry.1.gz
servertool -> /usr/lib/jvm/java-6-openjdk/jre/bin/servertool*
servertool.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/servertool.1.gz
tnameserv -> /usr/lib/jvm/java-6-openjdk/jre/bin/tnameserv*
tnameserv.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/tnameserv.1.gz
unpack200 -> /usr/lib/jvm/java-6-openjdk/jre/bin/unpack200*
unpack200.1.gz -> /usr/lib/jvm/java-6-openjdk/jre/man/man1/unpack200.1.gz
The alternatives handling has been fixed with the patch 20-always-update-alternatives.patch

After the installation of OX from the App Center:
root@master:/etc/alternatives# ls -lha java
lrwxrwxrwx 1 root root 40 21. Nov 14:20 java -> /usr/lib/jvm/java-6-openjdk/jre/bin/java

After the removal of OX:
root@master:/etc/alternatives# ls -lha java
ls: Zugriff auf java nicht möglich: Datei oder Verzeichnis nicht gefunden

After a new installation:
root@master:/etc/alternatives# ls -lha java
lrwxrwxrwx 1 root root 40 29. Jan 13:45 java -> /usr/lib/jvm/java-6-openjdk/jre/bin/java

YAML file: 2014-06-10-openjdk-6.yaml
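As an added regression check for the vanishing alternatives described above (example code, not part of the bug report or of the Univention packages): the function walks the alternative names listed in the report and flags each one that is missing, points outside the expected OpenJDK 6 tree, or dangles. The directory and JVM prefix are parameters; /etc/alternatives and /usr/lib/jvm/java-6-openjdk are the values assumed from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the Java
# alternatives still resolve after installing/removing an app.

# Alternative names taken from the list in the report.
JAVA_ALTS="java java.1.gz jexec jexec-binfmt keytool keytool.1.gz orbd orbd.1.gz \
pack200 pack200.1.gz policytool policytool.1.gz rmid rmid.1.gz rmiregistry \
rmiregistry.1.gz servertool servertool.1.gz tnameserv tnameserv.1.gz \
unpack200 unpack200.1.gz"

# check_java_alternatives ALTDIR JVMPREFIX
# Prints one line per problem; the return value is the number of
# alternatives that are missing, wrongly targeted or dangling (0 = all good).
check_java_alternatives() {
    altdir=$1
    prefix=$2
    bad=0
    for name in $JAVA_ALTS; do
        link="$altdir/$name"
        if [ ! -L "$link" ]; then
            echo "MISSING: $link"
            bad=$((bad + 1))
            continue
        fi
        target=$(readlink "$link")
        # The target must live under the OpenJDK 6 tree the report shows.
        case "$target" in
            "$prefix"/*) ;;
            *) echo "WRONG TARGET: $link -> $target"; bad=$((bad + 1)); continue ;;
        esac
        if [ ! -e "$target" ]; then
            echo "DANGLING: $link -> $target"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone use on a UCS host (paths assumed from the report):
# check_java_alternatives /etc/alternatives /usr/lib/jvm/java-6-openjdk
```

Run it once after app installation, once after removal and once after reinstallation; a non-zero exit reproduces the symptom the report describes.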
OK: r13137 20-always-update-alternatives.patch
This patch is only relevant for the new version, as the update-alternatives mechanism was changed there to support MULTIARCH. The bug does not manifest with the old version.
FIXED: r51029 2014-06-10-openjdk-6.yaml
OK: oxseforucs
FAIL: sesmem

# /opt/sesam/bin/gui/sesam_gui
2014-06-13 08:59:53.813 [main] INFO - try to connect to 'mas19.phahn.qa:11401'
2014-06-13 08:59:53.849 [main] FATAL - IOException: Connection refused to host: mas19.phahn.qa; nested exception is:
# lsof -i :11401
# java -version
java version "1.6.0_31"
OpenJDK Runtime Environment (IcedTea6 1.13.3) (6b31-1.13.3-1.72.201406101139)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)
# aptitude install '?installed?name(openjdk)'
# java -version
java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8.13) (6b18-1.8.13-0.62.201207030838)
OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)
# /etc/init.d/sesam restart
# lsof -i :11401
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 6240 root 13u IPv6 26500 0t0 TCP *:11401 (LISTEN)
java 6240 root 17u IPv6 26507 0t0 TCP mas19.phahn.qa:36029->mas19.phahn.qa:11401 (ESTABLISHED)
java 6240 root 18u IPv6 26512 0t0 TCP mas19.phahn.qa:11401->mas19.phahn.qa:36029 (ESTABLISHED)

Looks like <http://wiki.sepsoftware.com/wiki/index.php/JRE_Update#SEP_sesam_RMI_.28GUI.29_Server_will_not_start_up_with_Java_Version_7_Update_51> also applies to the OpenJDK-6 update.
http://errata.univention.de/ucs/3.2/128.html
This update also fixed CVE-2013-4578 (which was only recently disclosed)