{"id":"MGASA-2016-0359","summary":"Updated java-1.8.0-openjdk packages fix security vulnerability","details":"It was discovered that the Hotspot component of OpenJDK did not properly\ncheck arguments of the System.arraycopy() function in certain cases. An\nuntrusted Java application or applet could use this flaw to corrupt\nvirtual machine's memory and completely bypass Java sandbox restrictions\n(CVE-2016-5582).\n\nIt was discovered that the Hotspot component of OpenJDK did not properly\ncheck received Java Debug Wire Protocol (JDWP) packets. An attacker could\npossibly use this flaw to send debugging commands to a Java program\nrunning with debugging enabled if they could make victim's browser send\nHTTP requests to the JDWP port of the debugged application\n(CVE-2016-5573).\n\nIt was discovered that the Libraries component of OpenJDK did not restrict\nthe set of algorithms used for Jar integrity verification. This flaw could\nallow an attacker to modify content of the Jar file that used weak signing\nkey or hash algorithm (CVE-2016-5542).\n\nNote: After this update, MD2 hash algorithm and RSA keys with less than\n1024 bits are no longer allowed to be used for Jar integrity verification\nby default. MD5 hash algorithm is expected to be disabled by default in\nthe future updates. A newly introduced security property\njdk.jar.disabledAlgorithms can be used to control the set of disabled\nalgorithms.\n\nA flaw was found in the way the JMX component of OpenJDK handled\nclassloaders. An untrusted Java application or applet could use this flaw\nto bypass certain Java sandbox restrictions (CVE-2016-5554).\n\nA flaw was found in the way the Networking component of OpenJDK handled\nHTTP proxy authentication. A Java application could possibly expose HTTPS\nserver authentication credentials via a plain text network connection to\nan HTTP proxy if proxy asked for authentication (CVE-2016-5597).\n\nNote: After this update, Basic HTTP proxy authentication can no longer be\nused when tunneling HTTPS connection through an HTTP proxy. Newly\nintroduced system properties jdk.http.auth.proxying.disabledSchemes and\njdk.http.auth.tunneling.disabledSchemes can be used to control which\nauthentication schemes can be requested by an HTTP proxy when proxying\nHTTP and HTTPS connections respectively.\n","modified":"2026-04-16T06:25:45.885149074Z","published":"2016-10-25T23:11:42Z","upstream":["CVE-2016-5542","CVE-2016-5554","CVE-2016-5573","CVE-2016-5582","CVE-2016-5597"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0359.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=19626"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"},{"type":"WEB","url":"https://rhn.redhat.com/errata/RHSA-2016-2079.html"}],"affected":[{"package":{"name":"java-1.8.0-openjdk","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/java-1.8.0-openjdk?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.0.111-1.b16.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0359.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}