<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Mageia%202%20security%20updates%3A%20help%20needed%20with%20Java%0A%09and%20Tomcat&In-Reply-To=%3Cjmcgd6%24hhh%242%40dough.gmane.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="014167.html">
   <LINK REL="Next"  HREF="014273.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat</H1>
    <B>David Walser</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Mageia%202%20security%20updates%3A%20help%20needed%20with%20Java%0A%09and%20Tomcat&In-Reply-To=%3Cjmcgd6%24hhh%242%40dough.gmane.org%3E"
       TITLE="[Mageia-dev] Mageia 2 security updates: help needed with Java	and Tomcat">luigiwalser at yahoo.com
       </A><BR>
    <I>Sat Apr 14 20:41:42 CEST 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="014167.html">[Mageia-dev] Mageia 2 security updates: help needed with Java and	Tomcat
</A></li>
        <LI>Next message: <A HREF="014273.html">[Mageia-dev] Mageia 2 security updates: help needed with Java	and Tomcat
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#14268">[ date ]</a>
              <a href="thread.html#14268">[ thread ]</a>
              <a href="subject.html#14268">[ subject ]</a>
              <a href="author.html#14268">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Can anyone help with these?  One of the tomcat6 packages is installed on almost every system as it's required by LibreOffice.

David Walser wrote:
&gt;<i> The only remaining known security issues with Mageia 2 packages concern Java and Tomcat, and some expertise is needed to help close these.
</I>&gt;<i> 
</I>&gt;<i> The vulnerable Java package is java-1.7.0-openjdk.  It is vulnerable to a large set of CVEs which have also affected java 1.6.0, and I believe are the same ones behind the recent compromise of Mac OS X machines as well as the Windows version of Firefox automatically disabling vulnerable Java plugins.  We have just issued an update for this in Mageia 1 today, and java-1.6.0-openjdk in Cauldron was fixed on Sunday.  Since our Java plugin uses 1.6.0 instead of 1.7.0, our exposure to these vulnerabilities is reduced, but they are still there.  At the very least the &quot;IcedTea&quot; in the package needs updated to either 2.0.1 or 2.1.  The &quot;OpenJDK&quot; in the package may need to be updated as well.  D Morgan has done a really nice job maintaining this package, but has been really busy lately, so if anyone else has the ability to assist with it, it would be good.
</I>&gt;<i> Bugzilla reference:  <A HREF="https://bugs.mageia.org/show_bug.cgi?id=5300">https://bugs.mageia.org/show_bug.cgi?id=5300</A>
</I>&gt;<i> 
</I>&gt;<i> Our tomcat5 and tomcat6 packages are unmaintained and have not been updated since before Mageia 1, and contain several vulnerabilities (both in Mageia 1 and Cauldron) that have been fixed by other distros.  There are so many CVEs I can't say off the top of my head how many, and I'm not even sure I found them all.  Hopefully just updating these packages to the newest versions would be enough to close them all.
</I>&gt;<i> Bugzilla references:
</I>&gt;<i> tomcat5 - <A HREF="https://bugs.mageia.org/show_bug.cgi?id=3099">https://bugs.mageia.org/show_bug.cgi?id=3099</A>
</I>&gt;<i> tomcat6 - <A HREF="https://bugs.mageia.org/show_bug.cgi?id=5261">https://bugs.mageia.org/show_bug.cgi?id=5261</A>
</I>&gt;<i> 
</I>&gt;<i> Finally, there are a number of security issues affecting Firefox in Mageia 1, and some help may be needed closing this one.  All but one of the bugs blocking this update have recently been fixed.  There are apparently some issues with Eclipse that still need to be solved, as well as a couple other packages that may still need to be rebuilt.  An update candidate for Firefox itself already exists in updates_testing.
</I>&gt;<i> Bugzilla reference:  <A HREF="https://bugs.mageia.org/show_bug.cgi?id=4405">https://bugs.mageia.org/show_bug.cgi?id=4405</A>
</I>

</PRE>
<!--endarticle-->
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>