Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Ubuntu 14.04 LTS USN-3275-3: OpenJDK 7 TLS Regression Correction

ubuntu
Calendar Grey May 18, 2017
Dist Ubuntu Esm H88
Following the recent update, Ubuntu 14.04 LTS encounters issues with OpenJDK 7, specifically affecting the functionality of TLS handshakes and necessitating a resolution.
USN-3275-2 introduced a regression in OpenJDK 7.

Summary

USN-3275-2 introduced a regression in OpenJDK 7.

Software Description:

- openjdk-7: Open Source Java implementation

Details:

USN-3275-2 fixed vulnerabilities in OpenJDK 7. Unfortunately, the

update introduced a regression when handling TLS handshakes. This

update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that OpenJDK improperly re-used cached NTLM

connections in some situations. A remote attacker could possibly

use this to cause a Java application to perform actions with the

credentials of a different user. (CVE-2017-3509)

It was discovered that an untrusted library search path flaw existed

in the Java Cryptography Extension (JCE) component of OpenJDK. A

local attacker could possibly use this to gain the privileges of a

Java application. (CVE-2017-3511)

It was discovered that the Java API for XML Processing (JAXP) component

in OpenJDK did not properly enforce size limits when parsing XML

documents. An atta...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  icedtea-7-jre-jamvm             7u131-2.6.9-0ubuntu0.14.04.2
  openjdk-7-jre                   7u131-2.6.9-0ubuntu0.14.04.2
  openjdk-7-jre-headless          7u131-2.6.9-0ubuntu0.14.04.2
  openjdk-7-jre-lib               7u131-2.6.9-0ubuntu0.14.04.2
  openjdk-7-jre-zero              7u131-2.6.9-0ubuntu0.14.04.2

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3275-3

https://ubuntu.com/security/notices/USN-3275-1

https://bugs.launchpad.net/ubuntu/trusty/+source/openjdk-7/+bug/1691126, https://ubuntu.com/security/notices/USN-3275-2

Severity
important
Lowest
Low
Medium
High
Critical

May 18, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.