Bug 1018785 - (CVE-2013-5780) CVE-2013-5780 OpenJDK: key data leak via toString() methods (Libraries, 8011071)
CVE-2013-5780 OpenJDK: key data leak via toString() methods (Libraries, 8011071)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20131015,repor...
: Security
Depends On:
Blocks: 1017595 1017632
  Show dependency treegraph
 
Reported: 2013-10-14 08:05 EDT by Tomas Hoger
Modified: 2014-04-17 07:36 EDT (History)
4 users (show)

See Also:
Fixed In Version: icedtea 2.4.3, icedtea 1.11.14, icedtea 1.12.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-08 17:23:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2013-10-14 08:05:16 EDT
It was discovered that various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods.  If a Java application called the toString() method on any of the affected classes, it could possibly lead to an unexpected exposure of sensitive key data.
Comment 1 Stefan Cornelius 2013-10-16 02:45:12 EDT
External References:

http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Comment 2 Tomas Hoger 2013-10-16 04:38:28 EDT
Fixed in Oracle Java SE 7u45 and 6u65.

OpenJDK upstream commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0c8d67d9e6d3
Comment 3 errata-xmlrpc 2013-10-17 13:40:26 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2013:1440 https://rhn.redhat.com/errata/RHSA-2013-1440.html
Comment 4 errata-xmlrpc 2013-10-21 13:45:24 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1447 https://rhn.redhat.com/errata/RHSA-2013-1447.html
Comment 5 errata-xmlrpc 2013-10-22 13:20:57 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1451 https://rhn.redhat.com/errata/RHSA-2013-1451.html
Comment 6 errata-xmlrpc 2013-11-05 13:06:01 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1505 https://rhn.redhat.com/errata/RHSA-2013-1505.html
Comment 7 errata-xmlrpc 2013-11-07 11:57:54 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2013:1509 https://rhn.redhat.com/errata/RHSA-2013-1509.html
Comment 8 errata-xmlrpc 2013-11-07 12:02:50 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:1508 https://rhn.redhat.com/errata/RHSA-2013-1508.html
Comment 9 errata-xmlrpc 2013-11-07 12:09:36 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:1507 https://rhn.redhat.com/errata/RHSA-2013-1507.html
Comment 10 errata-xmlrpc 2013-12-05 12:41:42 EST
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2013:1793 https://rhn.redhat.com/errata/RHSA-2013-1793.html
Comment 12 errata-xmlrpc 2014-04-17 07:36:48 EDT
This issue has been addressed in following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html

Note You need to log in before you can comment on or make changes to this bug.