{"id":"MGASA-2014-0023","summary":"Updated java-1.7.0-openjdk package fixes multiple security vulnerabilities","details":"Updated java-1.7.0-openjdk packages fix security vulnerabilities:\n\nAn input validation flaw was discovered in the font layout engine in the 2D\ncomponent. A specially crafted font file could trigger Java Virtual Machine\nmemory corruption when processed. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions\n(CVE-2013-5907).\n\nMultiple improper permission check issues were discovered in the CORBA,\nJNDI, and Libraries components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions\n(CVE-2014-0428, CVE-2014-0422, CVE-2013-5893).\n\nMultiple improper permission check issues were discovered in the\nServiceability, Security, CORBA, JAAS, JAXP, and Networking components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\nbypass certain Java sandbox restrictions (CVE-2014-0373, CVE-2013-5878,\nCVE-2013-5910, CVE-2013-5896, CVE-2013-5884, CVE-2014-0416, CVE-2014-0376,\nCVE-2014-0368).\n\nIt was discovered that the Beans component did not restrict processing of\nXML external entities. This flaw could cause a Java application using Beans\nto leak sensitive information, or affect application availability\n(CVE-2014-0423).\n\nIt was discovered that the JSSE component could leak timing information\nduring the TLS/SSL handshake. This could possibly lead to disclosure of\ninformation about the used encryption keys (CVE-2014-0411).\n","modified":"2026-04-16T06:23:36.319416289Z","published":"2014-01-21T16:22:18Z","upstream":["CVE-2013-5878","CVE-2013-5884","CVE-2013-5893","CVE-2013-5896","CVE-2013-5907","CVE-2013-5910","CVE-2014-0368","CVE-2014-0373","CVE-2014-0376","CVE-2014-0411","CVE-2014-0416","CVE-2014-0422","CVE-2014-0423","CVE-2014-0428"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0023.html"},{"type":"WEB","url":"http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025800.html"},{"type":"WEB","url":"http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html"},{"type":"WEB","url":"https://rhn.redhat.com/errata/RHSA-2014-0026.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=12317"}],"affected":[{"package":{"name":"java-1.7.0-openjdk","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/java-1.7.0-openjdk?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.0.60-2.4.4.1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0023.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}