From: <updates <at> fedoraproject.org>
Subject: [SECURITY] Fedora 19 Update: java-1.7.0-openjdk-1.7.0.19-2.3.9.6.fc19
Newsgroups: gmane.linux.redhat.fedora.package.announce
Date: Thursday 25th April 2013 14:19:39 UTC
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2013-6368
2013-04-23 16:31:08
--------------------------------------------------------------------------------

Name        : java-1.7.0-openjdk
Product     : Fedora 19
Version     : 1.7.0.19
Release     : 2.3.9.6.fc19
URL         : http://openjdk.java.net/
Summary     : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.

--------------------------------------------------------------------------------
Update Information:

This update fixes https://admin.fedoraproject.org/updates/FEDORA-2013-5861/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.fc19

In addition to the expected inherited fixes listed below, it contains a new
accessibility package:
package accessibility
Summary: OpenJDK accessibility connector
Requires: java-atk-wrapper
Requires: java-1.7.0-openjdk-1.7.0.19-2.3.9.6.fc19

description
Enables accessibility support in OpenJDK by using java-atk-wrapper. This
allows compatible at-spi2 based accessibility programs to work for AWT and
Swing-based programs.
Please note that java-atk-wrapper is still in beta, and OpenJDK itself is
still being tuned to work with accessibility features. Although it works
pretty well, there are known issues with accessibility on, so do not
install this package unless you really need it.

The alternative archs tarball is also updated.

Inherited fixes:

Fix FTBFS on Secondary Arches
    - updated to updated IcedTea 2.3.9 with fix to one of security fixes
      - fixed font glyph offset
    WARNING - this build has not yet updated not-hotspot (arm...) builds!
    - added client to ghosted classes.jsa
    - updated to IcedTea 2.3.9 with latest security patches
      - 920245 CVE-2013-0401 OpenJDK: unspecified sandbox bypass (CanSecWest 2013, AWT)
      - 920247 CVE-2013-1488 OpenJDK: unspecified sandbox bypass (CanSecWest 2013, Libraries)
      - 952387 CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
      - 952389 CVE-2013-2415 OpenJDK: temporary files created with insecure permissions (JAX-WS, 8003542)
      - 952398 CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hotspot, 8009677)
      - 952509 CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
      - 952521 CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
      - 952524 CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
      - 952550 CVE-2013-2436 OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)
      - 952638 CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
      - 952640 CVE-2013-1558 OpenJDK: java.beans.ThreadGroupContext missing restrictions (Beans, 7200507)
      - 952642 CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
      - 952645 CVE-2013-2431 OpenJDK: Hotspot intrinsic frames vulnerability (Hotspot, 8004336)
      - 952646 CVE-2013-1518 OpenJDK: JAXP missing security restrictions (JAXP, 6657673)
      - 952648 CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
      - 952649 CVE-2013-2421 OpenJDK: Hotspot MethodHandle lookup error (Hotspot, 8009699)
      - 952653 CVE-2013-2426 OpenJDK: ConcurrentHashMap incorrectly calls defaultReadObject() method (Libraries, 8009063)
      - 952656 CVE-2013-2419 OpenJDK: font processing errors (2D, 8001031)
      - 952657 CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
      - 952708 CVE-2013-2383 OpenJDK: font layout and glyph table errors (2D, 8004986)
      - 952709 CVE-2013-2384 OpenJDK: font layout and glyph table errors (2D, 8004987)
      - 952711 CVE-2013-1569 OpenJDK: font layout and glyph table errors (2D, 8004994)
    - buildver sync to b19
    - rewritten java-1.7.0-openjdk-java-access-bridge-security.patch
    - fixed priority (one zero deleted)
    - unapplied patch2
    - added patch107 abrt_friendly_hs_log_jdk7.patch
    - removed patch2 java-1.7.0-openjdk-java-access-bridge-idlj.patch
    - removed redundant rm of classes.jsa, ghost is handling it correctly

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update java-1.7.0-openjdk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on
the GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
 