Bug 829372 (CVE-2012-1718)

Summary:	CVE-2012-1718 OpenJDK: CRL and certificate extensions handling improvements (Security, 7143872)
Product:	[Other] Security Response	Reporter:	Stefan Cornelius <scorneli>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	ahughes, dbhole, jvanek, security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-03-12 10:12:58 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	828749, 828750, 828751, 828752, 828753, 828754, 828755, 828756, 828757, 828758, 828759, 828760, 854269, 854270, 854274, 854276, 854279, 854280, 854284, 854285, 854290, 854291, 854297, 854299, 854300, 854301, 856471, 856472, 856473
Bug Blocks:	824458

Description Stefan Cornelius 2012-06-06 14:47:18 UTC

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored.

Comment 1 Tomas Hoger 2012-06-12 20:28:48 UTC

Public now via:
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

Fixed in Oracle Java 7 Update 5 and 6 Update 33.

Comment 2 Tomas Hoger 2012-06-13 09:26:04 UTC

The fix for this issue is or will be included in the following IcedTea versions:

* IcedTea6 1.10.8 
* IcedTea6 1.11.3
* IcedTea7 2.1.1
* IcedTea7 2.2.1

IcedTea6 releases announcement:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019076.html
http://blog.fuseyism.com/index.php/2012/06/12/security-icedtea6-1-10-8-1-11-3-released/

Patch:
http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/6e6d7783aabb/patches/security/20120612/7143872.patch
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.1/jdk/rev/ca9c7add5936

Comment 3 errata-xmlrpc 2012-06-13 13:10:17 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0730 https://rhn.redhat.com/errata/RHSA-2012-0730.html

Comment 4 errata-xmlrpc 2012-06-13 13:10:34 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0729 https://rhn.redhat.com/errata/RHSA-2012-0729.html

Comment 5 errata-xmlrpc 2012-06-13 20:02:39 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2012:0734 https://rhn.redhat.com/errata/RHSA-2012-0734.html

Comment 6 Tomas Hoger 2012-06-15 12:01:55 UTC

IcedTea7 releases announcement:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-June/019094.html
http://blog.fuseyism.com/index.php/2012/06/13/security-icedtea-2-1-1-2-2-1-released/

Comment 7 errata-xmlrpc 2012-06-20 15:15:18 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1019 https://rhn.redhat.com/errata/RHSA-2012-1019.html

Comment 8 errata-xmlrpc 2012-06-20 15:15:58 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1009 https://rhn.redhat.com/errata/RHSA-2012-1009.html

Comment 15 errata-xmlrpc 2012-09-06 16:15:18 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1238 https://rhn.redhat.com/errata/RHSA-2012-1238.html

Comment 16 errata-xmlrpc 2012-09-07 12:50:26 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2012:1243 https://rhn.redhat.com/errata/RHSA-2012-1243.html

Comment 17 errata-xmlrpc 2012-09-07 13:00:50 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2012:1245 https://rhn.redhat.com/errata/RHSA-2012-1245.html

Comment 18 errata-xmlrpc 2012-10-03 15:20:41 UTC

This issue has been addressed in following products:

  RHEL 5 for SAP
  RHEL 6 for SAP

Via RHSA-2012:1332 https://rhn.redhat.com/errata/RHSA-2012-1332.html

Comment 19 errata-xmlrpc 2012-11-15 21:08:01 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1467 https://rhn.redhat.com/errata/RHSA-2012-1467.html

Comment 20 errata-xmlrpc 2013-10-23 16:31:23 UTC

This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html

Comment 21 errata-xmlrpc 2013-10-23 17:05:24 UTC

This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html