Hi All,

A security exploit has been identified in the OpenJDK 1.7.0 version. The server uses OpenJDK 1.8 and has already patched the exploit. However, this is also present in Java SE clients. It is highly advised that you update your Java.

FAQ

Are there any crucial differences between Oracle and OpenJDK?

Nothing crucial. The OpenJDK project is mostly based on HotSpot source code donated by Sun. Moreover, OpenJDK was selected to be the reference implementation for Java 7, and is maintained by Oracle engineers. There's a more detailed answer to your question here, which links to this blog post:

Q: What is the difference between the source code found in the OpenJDK repository, and the code you use to build the Oracle JDK?

A: It is very close - our build process for Oracle JDK releases builds on OpenJDK 7 by adding just a couple of pieces, like the deployment code, which includes Oracle's implementation of the Java Plugin and Java WebStart, as well as some closed source third party components like a graphics rasterizer, some open source third party components, like Rhino, and a few bits and pieces here and there, like additional documentation or third party fonts. Moving forward, our intent is to open source all pieces of the Oracle JDK except those that we consider commercial features such as JRockit Mission Control (not yet available in Oracle JDK), and replace encumbered third party components with open source alternatives to achieve closer parity between the code bases.

I don't get it. If they are similar, then why two?

Technical differences are a consequence of the goal of each one (OpenJDK is meant to be the reference implementation, open to the community, while Oracle is meant to be a commercial one). They both have "almost" the same code of the classes in the Java API; but the code for the virtual machine itself is actually different, and when it comes to libraries, OpenJDK tends to use open libraries while Oracle tends to use closed ones; for instance, the font library.

Is the Server Affected?

The server was not affected by this exploit, as the server uses OpenJDK 1.8, which had this fixed.

Updated java-1.7.0-openjdk packages fix security vulnerabilities
Publication date: 15 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2005-1080, CVE-2015-0460, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488

Description

Updated java-1.7.0 packages fix security vulnerabilities:

An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions (CVE-2015-0469).

A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0460).

A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly (CVE-2015-0488).

A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2015-0477).

A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted (CVE-2005-1080, CVE-2015-0480).

It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures (CVE-2015-0478).

References

https://bugs.mageia.org/show_bug.cgi?id=15706
http://blog.fuseyism.com/index.php/2015/04/15/security-icedtea-2-5-5-for-openjdk-7-released/
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
https://rhn.redhat.com/errata/RHSA-2015-0806.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488

I am glad that I used the beta version of Mageia that has updated dependencies and took the extra downtime. This would have been a nightmare to take care of. Looks like the downtime actually benefited us for once.
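The jar directory traversal issue quoted in the advisory (CVE-2005-1080, CVE-2015-0480) comes down to an extractor trusting archive entry names when it creates files. The following Java program is an added example, not code from the post or from OpenJDK: it shows the check a safe extractor needs, resolving every entry under the destination directory and refusing any name that normalizes outside it. The class name SafeJarExtract and the in-memory sample archive are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeJarExtract {
    /** True iff entryName, resolved under base, stays inside base ("../" climbs and absolute names fail). */
    static boolean staysInside(Path base, String entryName) {
        return base.resolve(entryName).normalize().startsWith(base);
    }
    /** Extract a JAR/ZIP held in memory, skipping traversal entries; returns how many were rejected. */
    static int extract(byte[] archive, Path destDir) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        int rejected = 0;
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e = in.getNextEntry(); e != null; e = in.getNextEntry()) {
                if (!staysInside(base, e.getName())) {
                    System.err.println("rejected traversal entry: " + e.getName());
                    rejected++;
                    continue;
                }
                Path out = base.resolve(e.getName()).normalize();
                if (e.isDirectory()) { Files.createDirectories(out); continue; }
                Files.createDirectories(out.getParent());
                Files.copy(in, out); // ZipInputStream reports EOF at the end of the current entry
            }
        }
        return rejected;
    }
    /** Constructed sample archive: one normal entry plus one entry whose name climbs out of destDir. */
    static byte[] constructedArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            z.putNextEntry(new ZipEntry("META-INF/MANIFEST.MF"));
            z.write("Manifest-Version: 1.0\n".getBytes("UTF-8"));
            z.putNextEntry(new ZipEntry("../../outside.txt"));
            z.write("should never be written\n".getBytes("UTF-8"));
        }
        return buf.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("jar-extract");
        System.out.println("rejected entries: " + extract(constructedArchive(), dest));
    }
}
```

Running it writes only META-INF/MANIFEST.MF under the temporary directory and reports one rejected entry; the same containment check applies to any archive format where entry names are attacker-controlled.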