Bug 766802

Summary: VUL-0: java-1_6_0-openjdk: multiple vulnerabilities (tracker bug)
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Weckbecker <mweckbecker>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P1 - Urgent
CC: behlert, security-team, tyuan, wolfgang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle11-sp1:47853
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Matthias Weckbecker 2012-06-13 08:36:49 UTC
There have recently been multiple vulnerabilities reported in java-1_6_0-openjdk:

1) CVE-2012-1725: insufficient invokespecial <init> verification
(HotSpot, 7160757)

2) CVE-2012-1723: insufficient field accessibility checks
(HotSpot, 7152811)

3) CVE-2012-1713: fontmanager layout lookup code memory corruption
(2D, 7143617)

4) CVE-2012-1716: SynthLookAndFeel application context bypass
(Swing, 7143614)

5) CVE-2012-1711: improper protection of CORBA data models
(CORBA, 7079902)

6) CVE-2012-1724: XML parsing infinite loop (JAXP, 7157609)

7) CVE-2012-1719: mutable repository identifiers in generated stub code
(CORBA, 7143851)

8) CVE-2012-1717: insecure temporary file permissions (JRE, 7143606)
Comment 1 Swamp Workflow Management 2012-06-13 08:56:41 UTC
The SWAMPID for this issue is 47828.
This issue was rated as important.
Please submit fixed packages until 2012-06-20.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Ludwig Nussel 2012-06-14 07:26:40 UTC
*** Bug 767021 has been marked as a duplicate of this bug. ***
Comment 3 Michal Vyskocil 2012-06-14 12:26:51 UTC
packages have been submitted

sled: 19713
11.4: 124943
12.1: 124938

factory: 124698 (delete request)

@wolfgang, evergreen versions are in home:branches:mvyskocil:OBS_Maintained:java-1_6_0-openjdk
Comment 4 Michal Vyskocil 2012-06-14 12:27:15 UTC
 * forgot to reassign *
Comment 5 Michal Vyskocil 2012-06-14 12:37:35 UTC
argh, Ludwig pointed out to me that there was no bnc number in the changes, fixed by

sled: 19717
11.4: 124966
12.1: 124968
Comment 6 Bernhard Wiedemann 2012-06-14 13:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (766802) was mentioned in
https://build.opensuse.org/request/show/124973 Evergreen:11.1 / java-1_6_0-openjdk
Comment 9 Swamp Workflow Management 2012-06-19 17:00:15 UTC
Update released for: java-1_6_0-openjdk, java-1_6_0-openjdk-debuginfo, java-1_6_0-openjdk-debugsource, java-1_6_0-openjdk-demo, java-1_6_0-openjdk-devel, java-1_6_0-openjdk-javadoc, java-1_6_0-openjdk-src
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
Comment 10 Bernhard Wiedemann 2012-06-19 18:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (766802) was mentioned in
https://build.opensuse.org/request/show/125468 Evergreen:11.1 / java-1_6_0-openjdk
Comment 15 Sebastian Krahmer 2012-07-04 06:56:56 UTC
done
Comment 16 Swamp Workflow Management 2012-07-04 07:09:16 UTC
openSUSE-SU-2012:0828-1: An update that fixes 9 vulnerabilities is now available.

Category: security (critical)
Bug References: 766802
CVE References: CVE-2012-1711,CVE-2012-1713,CVE-2012-1716,CVE-2012-1717,CVE-2012-1718,CVE-2012-1719,CVE-2012-1723,CVE-2012-1724,CVE-2012-1725
Sources used:
openSUSE 12.1 (src):    java-1_6_0-openjdk-1.6.0.0_b24.1.11.3-6.2
openSUSE 11.4 (src):    java-1_6_0-openjdk-1.6.0.0_b24.1.11.3-0.11.2
Comment 17 Bernhard Wiedemann 2012-07-13 08:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (766802) was mentioned in
https://build.opensuse.org/request/show/127800 Evergreen:11.2 / java-1_6_0-openjdk