1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Mageia%202%20security%20updates%3A%20help%20needed%20with%20Java%20and%0A%09Tomcat&In-Reply-To=%3C1334179077.41869.YahooMailClassic%40web160505.mail.bf1.yahoo.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="014166.html">
<LINK REL="Next" HREF="014268.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat</H1>
<B>David Walser</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Mageia%202%20security%20updates%3A%20help%20needed%20with%20Java%20and%0A%09Tomcat&In-Reply-To=%3C1334179077.41869.YahooMailClassic%40web160505.mail.bf1.yahoo.com%3E"
TITLE="[Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat">luigiwalser at yahoo.com
</A><BR>
<I>Wed Apr 11 23:17:57 CEST 2012</I>
<P><UL>
<LI>Previous message: <A HREF="014166.html">[Mageia-dev] freeze push - drakx-installer-help 2.5
</A></li>
<LI>Next message: <A HREF="014268.html">[Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#14167">[ date ]</a>
<a href="thread.html#14167">[ thread ]</a>
<a href="subject.html#14167">[ subject ]</a>
<a href="author.html#14167">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>The only remaining known security issues with Mageia 2 packages concern Java and Tomcat, and some expertise is needed to help close these.
The vulnerable Java package is java-1.7.0-openjdk. It is vulnerable to a large set of CVEs which have also affected java 1.6.0, and I believe are the same ones behind the recent compromise of Mac OS X machines as well as the Windows version of Firefox automatically disabling vulnerable Java plugins. We have just issued an update for this in Mageia 1 today, and java-1.6.0-openjdk in Cauldron was fixed on Sunday. Since our Java plugin uses 1.6.0 instead of 1.7.0, our exposure to these vulnerabilities is reduced, but they are still there. At the very least the "IcedTea" in the package needs updated to either 2.0.1 or 2.1. The "OpenJDK" in the package may need to be updated as well. D Morgan has done a really nice job maintaining this package, but has been really busy lately, so if anyone else has the ability to assist with it, it would be good.
Bugzilla reference: <A HREF="https://bugs.mageia.org/show_bug.cgi?id=5300">https://bugs.mageia.org/show_bug.cgi?id=5300</A>
Our tomcat5 and tomcat6 packages are unmaintained and have not been updated since before Mageia 1, and contain several vulnerabilities (both in Mageia 1 and Cauldron) that have been fixed by other distros. There are so many CVEs I can't say off the top of my head how many, and I'm not even sure I found them all. Hopefully just updating these packages to the newest versions would be enough to close them all.
Bugzilla references:
tomcat5 - <A HREF="https://bugs.mageia.org/show_bug.cgi?id=3099">https://bugs.mageia.org/show_bug.cgi?id=3099</A>
tomcat6 - <A HREF="https://bugs.mageia.org/show_bug.cgi?id=5261">https://bugs.mageia.org/show_bug.cgi?id=5261</A>
Finally, there are a number of security issues affecting Firefox in Mageia 1, and some help may be needed closing this one. All but one of the bugs blocking this update have recently been fixed. There are apparently some issues with Eclipse that still need to be solved, as well as a couple other packages that may still need to be rebuilt. An update candidate for Firefox itself already exists in updates_testing.
Bugzilla reference: <A HREF="https://bugs.mageia.org/show_bug.cgi?id=4405">https://bugs.mageia.org/show_bug.cgi?id=4405</A>
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="014166.html">[Mageia-dev] freeze push - drakx-installer-help 2.5
</A></li>
<LI>Next message: <A HREF="014268.html">[Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#14167">[ date ]</a>
<a href="thread.html#14167">[ thread ]</a>
<a href="subject.html#14167">[ subject ]</a>
<a href="author.html#14167">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>
|