Bug 853228 (CVE-2012-0547)
| Summary: | CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | ahughes, dbhole, jon.vanalten, jvanek, lkundrak, lwhatley, mjw, mmatejov, omajid |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-01-24 09:43:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 852299, 852300, 852301, 852302, 852303, 852304, 853114, 853116, 853345, 853346, 854890, 854891, 856471 | ||
| Bug Blocks: | 852098 | ||
|
Description
Tomas Hoger
2012-08-30 19:37:45 UTC
Mitre description, pointing out that hardening fixes are not expected to have CVE assigned: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. Upstream fix, as applied in IcedTea 7 2.3 repositories: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6df0f825c24e OpenJDK7 repositories commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0c5704b02468 This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1221 https://rhn.redhat.com/errata/RHSA-2012-1221.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1222 https://rhn.redhat.com/errata/RHSA-2012-1222.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html Fixed in IcedTea versions: 2.1.2, 2.2.2 and 2.3.2 http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020127.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020144.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-September/020151.html This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html I see that java-1.6.0-openjdk was updated for RHEL5 to address this. Any plans to also update java-1.6.0-sun? The primary reason to update java-1.6.0-openjdk packages was the CVE-2012-1682 (bug #853097) issues. That issue did not affect Oracle Java SE 6, but it did affect OpenJDK 6. As explained in the following Oracle blog post (also linked from comment #0): https://blogs.oracle.com/security/entry/security_alert_for_cve_20121 the CVE-2012-0547 was used to refer to a security-in-depth, or hardening, fix, that has no security impact by itself (it was rated as having CVSSv2 score of 0 by Oracle). Hence we do not plan to release a security update with only this hardening fix as the next scheduled update fixing security issues is planned to be released in 4 weeks (Oct 16). This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html Thanks for the explanation! I was unaware that there was a second CVE that affected only java-1.6.0-openjdk, and thought that the openjdk update was just for CVE-2012-0547. Waiting for the October 16 update for java-1.6.0-sun seems reasonable. This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2012:1466 https://rhn.redhat.com/errata/RHSA-2012-1466.html This issue has been addressed in following products: Red Hat Network Satellite Server v 5.5 Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html |