[Spacewalk-list] OpenJDK update breaks taskomatic (1.2)
Lukas Zapletal
lzap+spw at redhat.com
Tue Feb 22 08:27:25 UTC 2011
On 02/21/2011 02:51 PM, Sander Grendelman wrote:
> Hi List,
>
> Can anyone confirm that applying the latest OpenJDK security erratum
> (RHSA-2011:0281) for rhel5.6 on i386 breaks the taskomatic daemon for
> spacewalk 1.2?
>
> From /var/log/rhn/rhn_taskomatic_daemon.log
>
The reason is probably described in the errata details:

It was found that the Java launcher provided by OpenJDK did not check
the LD_LIBRARY_PATH environment variable for insecure empty path
elements. A local attacker able to trick a user into running the Java
launcher while working from an attacker-writable directory could use
this flaw to load an untrusted library, subverting the Java security
model. (CVE-2010-4450)

The workaround would be to include only one valid path in LD_LIBRARY_PATH.
There are currently both lib and lib64 paths.
LZ
--
Later,
Lukas "lzap" Zapletal
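
Added example, not part of the original message and not Spacewalk or OpenJDK code: a shell check for the "empty path elements" named in the erratum text (a leading ':', a trailing ':' or '::'), which the glibc dynamic loader resolves as the current working directory. The function names and the /opt/example paths are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Audit a colon-separated library search path (e.g. LD_LIBRARY_PATH)
# for empty elements before it is exported to a launcher or daemon.

# has_empty_element PATHLIST
# Returns 0 if PATHLIST contains an empty element, 1 otherwise.
# An entirely empty value has no elements at all and returns 1.
has_empty_element() {
    case "$1" in
        "")          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# strip_empty_elements PATHLIST
# Prints PATHLIST with every empty element removed, order preserved.
# The body runs in a subshell so the IFS and noglob changes stay local.
strip_empty_elements() (
    IFS=:
    set -f                      # no filename expansion while splitting
    out=
    for dir in $1; do
        [ -n "$dir" ] || continue
        out="${out:+$out:}$dir"
    done
    printf '%s\n' "$out"
)

# Constructed sample values (not taken from any real configuration).
for sample in \
    "/opt/example/lib:/opt/example/lib64" \
    ":/opt/example/lib" \
    "/opt/example/lib::/opt/example/lib64" \
    "/opt/example/lib:"
do
    if has_empty_element "$sample"; then
        printf 'UNSAFE %s -> %s\n' "$sample" "$(strip_empty_elements "$sample")"
    else
        printf 'ok     %s\n' "$sample"
    fi
done
```

Running has_empty_element against the value a wrapper script builds, for instance by appending ":$LD_LIBRARY_PATH" when that variable is unset, shows whether a stray separator is being introduced.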