[SECURITY] Fedora 16 Update: java-1.7.0-openjdk-

updates at fedoraproject.org updates at fedoraproject.org
Mon Sep 3 22:54:30 UTC 2012

Fedora Update Notification
2012-09-01 23:47:46

Name        : java-1.7.0-openjdk
Product     : Fedora 16
Version     :
Release     : 2.3.1.fc16.2
URL         : http://openjdk.java.net/
Summary     : OpenJDK Runtime Environment
Description :
The OpenJDK runtime environment.

Update Information:

This update is fixing recent important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE.

It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions. (CVE-2012-4681)
Updated to latest IcedTea7 2.3 based on latest build of OpenJDK u6.


* Thu Aug 30 2012 jiri Vanek <jvanek at redhat.com> -
- Updated to IcedTea-Forest 2.3.1
- Resolves rhbz#RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks 
  removed in 6788531.
- Commented out Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch as
  as already included in this Iced-Tea.
- Will be nice to verify after next upstream sync if it is still upstreamed
* Wed Aug 22 2012 Jiri Vanek <jvanek at redhat.com> -
* Fri Aug 17 2012 jiri Vanek <jvanek at redhat.com> -
- Updated to latest IcedTea7-forest-2.3
- Current build is u6
- Added Patch500, java-1.7.0-openjdk-removing_jvisualvm_man.patch to remove 
  jvisualvm manpages from processing
* Mon Jun 11 2012 jiri Vanek <jvanek at redhat.com> -
- Used newly prepared tarball with security fixes
- Bump to icedtea7-forest-2.2.1
- _mandir/man1/jcmd-name.1 added to alternatives
- Updated rhino.patch
- Modified partially upstreamed patch302 - systemtap.patch
- Temporarly disabled patch102 - java-1.7.0-openjdk-size_t.patch
- Removed already upstreamed patches 104,107,108,301
  - java-1.7.0-openjdk-arm-ftbfs.patch
  - java-1.7.0-openjdk-system-zlib.patch
  - java-1.7.0-openjdk-remove-mimpure-opt.patch
  - systemtap-alloc-size-workaround.patch
- patch 105 (java-1.7.0-openjdk-ppc-zero-jdk.patch) have become 104
- patch 106 (java-1.7.0-openjdk-ppc-zero-hotspot.patch) have become 105
- Access gnome brridge jar forced to be 644
* Fri May 25 2012 Deepak Bhole <dbhole at redhat.com> -
- Miscellaneous fixes brought in from RHEL branch
- Resolves: rhbz#825255: Added ALT_STRIP_POLICY so that debug info is not stripped
- Moved Patch #7 (usage of system zlib) to #107
* Tue May  1 2012 Deepak Bhole <dbhole at redhat.com> -
- Removed VisualVM requirements
* Mon Mar 26 2012 Deepak Bhole <dbhole at redhat.com> -
- Merged with F17 branch
* Wed Mar 21 2012 Deepak Bhole <dbhole at redhat.com> -
- Reverted fix for rh740762
* Mon Mar 12 2012 Deepak Bhole <dbhole at redhat.com> -
- Resolved rh740762: java.library.path is missing some paths
* Fri Feb 24 2012 Deepak Bhole <dbhole at redhat.com> -
- Added flag so that debuginfo is built into classfiles (rhbz# 796400) 
- Updated rhino.patch to build scripting support (rhbz# 796398)
* Tue Feb 14 2012 Deepak Bhole <dbhole at redhat.com> -
- Updated to OpenJDK7u3/IcedTea7 2.1
- Security fixes:
  - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
  - S7082299, CVE-2011-3571: AtomicReferenceArray insufficient array type check
  - S7110687, CVE-2012-0503: Unrestricted use of TimeZone.setDefault
  - S7110700, CVE-2012-0505: Incomplete info in the deserialization exception
  - S7110683, CVE-2012-0502: KeyboardFocusManager focus stealing
  - S7088367, CVE-2011-3563: JavaSound incorrect bounds check
  - S7126960, CVE-2011-5035: Add property to limit number of request headers to the HTTP Server
  - S7118283, CVE-2012-0501: Off-by-one bug in ZIP reading code
  - S7110704, CVE-2012-0506: CORBA fix
- Add patch to fix compilation with GCC 4.7
* Tue Nov 15 2011 Deepak Bhole <dbhole at redhat.com> -
- Added patch to fix bug in jdk_generic_profile.sh
- Compile with generic profile to use system libraries
- Made remove-intree-libraries.sh more robust
- Added lcms requirement
- Added patch to fix glibc name clash
- Updated java version to include -icedtea
* Sun Nov  6 2011 Deepak Bhole <dbhole at redhat.com> -
- Added missing changelog entry
* Sun Nov  6 2011 Deepak Bhole <dbhole at redhat.com> -
- Updated to IcedTea 2.0 tag in the IcedTea OpenJDK7 forest
- Removed obsoleted patches
- Added system timezone support
- Revamp version/release naming scheme to make it proper
- Security fixes
  - S7000600, CVE-2011-3547: InputStream skip() information leak
  - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
  - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
  - S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
  - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
  - S7055902, CVE-2011-3521: IIOP deserialization code execution
  - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
  - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
  - S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer
  - S7077466, CVE-2011-3556: RMI DGC server remote code execution
  - S7083012, CVE-2011-3557: RMI registry privileged code execution
  - S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection

This update can be installed with the "yum" update program.  Use 
su -c 'yum update java-1.7.0-openjdk' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at

More information about the package-announce mailing list