Hi All,
A security exploit has been identified in OpenJDK version 1.7.0. The server uses OpenJDK 1.8, which has already been patched against the exploit. However, the flaw is also present in Java SE clients, so it is highly advised that you update your Java.
FAQ
Are there any crucial differences between Oracle and Open JDK?
Nothing crucial. The OpenJDK project is mostly based on HotSpot source code donated by Sun.
Moreover, OpenJDK was selected to be the reference implementation for Java 7, and is maintained by Oracle engineers.
There's a more detailed answer to your question here, which links to this blog post:
I don't get it. If they are similar, then why two?
Technical differences are a consequence of the goal of each one (OpenJDK is meant to be the reference implementation, open to the community, while Oracle's is meant to be a commercial one).
They both have "almost" the same code of the classes in the Java API; but the code for the virtual machine itself is actually different, and when it comes to libraries, OpenJDK tends to use open libraries while Oracle tends to use closed ones; for instance, the font library.
Is the Server Affected?
The server was not affected by this exploit, as it uses OpenJDK 1.8, which already has this fixed.
Updated java-1.7.0-openjdk packages fix security vulnerabilities
Publication date: 15 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2005-1080, CVE-2015-0460, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488
Description
Updated java-1.7.0 packages fix security vulnerabilities:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions (CVE-2015-0469).

A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0460).

A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly (CVE-2015-0488).

A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions (CVE-2015-0477).

A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted (CVE-2005-1080, CVE-2015-0480).

It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures (CVE-2015-0478).
References
https://bugs.mageia.org/show_bug.cgi?id=15706
http://blog.fuseyism.com/index.php/2015/04/15/security-icedtea-2-5-5-for-openjdk-7-released/
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
https://rhn.redhat.com/errata/RHSA-2015-0806.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488
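The jar tool traversal in the advisory above (CVE-2005-1080, CVE-2015-0480) is the classic archive path traversal pattern: a member name containing `../` components or an absolute path gets written outside the extraction directory. As an added example that is not part of this post or of OpenJDK's code, the following Python check (assumed function names `unsafe_entries` and `safe_extract`, with constructed in-memory archives as test data) flags such members before anything is written to disk:

```python
import io
import os
import posixpath
import zipfile


def unsafe_entries(archive_bytes: bytes) -> list:
    """Names of members that would land outside the extraction root.

    A name is unsafe if it is absolute (leading '/' or a drive letter) or
    if, after collapsing '.' and '..' components, it still climbs above the
    root. Backslashes are folded to '/' so Windows-style names get the same
    treatment as the '/'-separated names JAR/ZIP files normally use.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            norm = posixpath.normpath(name.replace("\\", "/"))
            if (norm.startswith("/") or norm == ".." or norm.startswith("../")
                    or (len(name) > 1 and name[1] == ":")):
                bad.append(name)
    return bad


def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract only if every member stays under dest; otherwise write nothing.

    Returns the resolved paths written. The per-member realpath check is a
    second line of defence in case a name slips past the textual check.
    """
    bad = unsafe_entries(archive_bytes)
    if bad:
        raise ValueError("refusing to extract, traversal entries: %r" % bad)
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("path escapes root: %s" % info.filename)
            zf.extract(info, root)
            written.append(target)
    return written


def build_sample(entries: dict) -> bytes:
    """Build an in-memory archive from a name -> bytes mapping (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

The same check applies to any archive format whose member names are taken verbatim as output paths, not only to JARs.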
I am glad that I used the Beta version of Mageia that has updated dependencies and took the extra downtime. This would have been a nightmare to take care of. Looks like the downtime actually benefited us for once.