{"id":"MGASA-2016-0149","summary":"Updated java-1.8.0-openjdk packages fix security vulnerabilities","details":"Updated java-1.8.0-openjdk packages fix security vulnerabilities:\n\nMultiple flaws were discovered in the Serialization and Hotspot components in\nOpenJDK. An untrusted Java application or applet could use these flaws to\ncompletely bypass Java sandbox restrictions (CVE-2016-0686, CVE-2016-0687).\n\nIt was discovered that the RMI server implementation in the JMX component in\nOpenJDK did not restrict which classes can be deserialized when deserializing\nauthentication credentials. A remote, unauthenticated attacker able to connect\nto a JMX port could possibly use this flaw to trigger deserialization flaws\n(CVE-2016-3427).\n\nIt was discovered that the JAXP component in OpenJDK failed to properly handle\nUnicode surrogate pairs used as part of the XML attribute values. Specially\ncrafted XML input could cause a Java application to use an excessive amount of\nmemory when parsed (CVE-2016-3425).\n\nIt was discovered that the GCM (Galois/Counter Mode) implementation in the JCE\ncomponent in OpenJDK used a non-constant time comparison when comparing GCM\nauthentication tags. A remote attacker could possibly use this flaw to\ndetermine the value of the authentication tag (CVE-2016-3426).\n\nIt was discovered that the Security component in OpenJDK failed to check the\ndigest algorithm strength when generating DSA signatures. The use of a digest\nweaker than the key strength could lead to the generation of signatures that\nwere weaker than expected (CVE-2016-0695).\n","modified":"2026-04-16T06:25:50.092496342Z","published":"2016-04-25T07:57:21Z","upstream":["CVE-2016-0686","CVE-2016-0687","CVE-2016-0695","CVE-2016-3425","CVE-2016-3426","CVE-2016-3427"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0149.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=18235"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"},{"type":"WEB","url":"https://rhn.redhat.com/errata/RHSA-2016-0650.html"}],"affected":[{"package":{"name":"java-1.8.0-openjdk","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/java-1.8.0-openjdk?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.0.91-1.b14.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0149.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}