[Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat

David Walser luigiwalser at yahoo.com
Wed Apr 11 23:17:57 CEST 2012


The only remaining known security issues with Mageia 2 packages concern Java and Tomcat, and some expertise is needed to help close these.

The vulnerable Java package is java-1.7.0-openjdk.  It is vulnerable to a large set of CVEs which have also affected java 1.6.0, and I believe are the same ones behind the recent compromise of Mac OS X machines as well as the Windows version of Firefox automatically disabling vulnerable Java plugins.  We have just issued an update for this in Mageia 1 today, and java-1.6.0-openjdk in Cauldron was fixed on Sunday.  Since our Java plugin uses 1.6.0 instead of 1.7.0, our exposure to these vulnerabilities is reduced, but they are still there.  At the very least the "IcedTea" in the package needs updated to either 2.0.1 or 2.1.  The "OpenJDK" in the package may need to be updated as well.  D Morgan has done a really nice job maintaining this package, but has been really busy lately, so if anyone else has the ability to assist with it, it would be good.
Bugzilla reference:  https://bugs.mageia.org/show_bug.cgi?id=5300

Our tomcat5 and tomcat6 packages are unmaintained and have not been updated since before Mageia 1, and contain several vulnerabilities (both in Mageia 1 and Cauldron) that have been fixed by other distros.  There are so many CVEs I can't say off the top of my head how many, and I'm not even sure I found them all.  Hopefully just updating these packages to the newest versions would be enough to close them all.
Bugzilla references:
tomcat5 - https://bugs.mageia.org/show_bug.cgi?id=3099
tomcat6 - https://bugs.mageia.org/show_bug.cgi?id=5261

Finally, there are a number of security issues affecting Firefox in Mageia 1, and some help may be needed closing this one.  All but one of the bugs blocking this update have recently been fixed.  There are apparently some issues with Eclipse that still need to be solved, as well as a couple other packages that may still need to be rebuilt.  An update candidate for Firefox itself already exists in updates_testing.
Bugzilla reference:  https://bugs.mageia.org/show_bug.cgi?id=4405


More information about the Mageia-dev mailing list