[Mageia-dev] Mageia 2 security updates: help needed with Java and Tomcat

David Walser luigiwalser at yahoo.com
Sat Apr 14 20:41:42 CEST 2012


Can anyone help with these?  One of the tomcat6 packages is installed on almost every system as it's required by LibreOffice.

David Walser wrote:
> The only remaining known security issues with Mageia 2 packages concern Java and Tomcat, and some expertise is needed to help close these.
> 
> The vulnerable Java package is java-1.7.0-openjdk.  It is vulnerable to a large set of CVEs which have also affected java 1.6.0, and I 
believe are the same ones behind the recent compromise of Mac OS X machines as well as the Windows version of Firefox automatically disabling 
vulnerable Java plugins.  We have just issued an update for this in Mageia 1 today, and java-1.6.0-openjdk in Cauldron was fixed on Sunday.  
Since our Java plugin uses 1.6.0 instead of 1.7.0, our exposure to these vulnerabilities is reduced, but they are still there.  At the very 
least the "IcedTea" in the package needs updated to either 2.0.1 or 2.1.  The "OpenJDK" in the package may need to be updated as well.  D 
Morgan has done a really nice job maintaining this package, but has been really busy lately, so if anyone else has the ability to assist with 
it, it would be good.
> Bugzilla reference:  https://bugs.mageia.org/show_bug.cgi?id=5300
> 
> Our tomcat5 and tomcat6 packages are unmaintained and have not been updated since before Mageia 1, and contain several vulnerabilities 
(both in Mageia 1 and Cauldron) that have been fixed by other distros.  There are so many CVEs I can't say off the top of my head how many, 
and I'm not even sure I found them all.  Hopefully just updating these packages to the newest versions would be enough to close them all.
> Bugzilla references:
> tomcat5 - https://bugs.mageia.org/show_bug.cgi?id=3099
> tomcat6 - https://bugs.mageia.org/show_bug.cgi?id=5261
> 
> Finally, there are a number of security issues affecting Firefox in Mageia 1, and some help may be needed closing this one.  All but one of 
the bugs blocking this update have recently been fixed.  There are apparently some issues with Eclipse that still need to be solved, as well 
as a couple other packages that may still need to be rebuilt.  An update candidate for Firefox itself already exists in updates_testing.
> Bugzilla reference:  https://bugs.mageia.org/show_bug.cgi?id=4405




More information about the Mageia-dev mailing list