openjdk-6 6b23~pre11-0ubuntu1.11.10 breaks Raritan Dominion KVM console access

Bug #891761 reported by James Page
This bug affects 2 people
Affects: openjdk-6 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

I upgraded to the most recent openjdk-6 packages this morning; as a result the Java plugin based console access provided by Raritan Dominion KVM remote console access no longer works - it fails with a 'Client disconnect from remote console' error message.

I confirmed this by reverting to the 6b23~pre10-0ubuntu5.

I'll see if I can raise this with Raritan as well (but might not get far there).

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openjdk-6-jdk 6b23~pre11-0ubuntu1.11.10
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
NonfreeKernelModules: fglrx
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Thu Nov 17 14:10:35 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110426)
SourcePackage: openjdk-6
UpgradeStatus: Upgraded to oneiric on 2011-09-09 (69 days ago)

Steve Beattie (sbeattie) wrote:

Hi James,

Do you have any idea how the console is connecting to the KVM? There are a few different things in the update here that could be affecting it:

  - the fix for CVE-2011-3552 dropped the default number of allowed open UDP connections to 25
  - there were a couple of different issues around RMI where the restrictions were tightened (CVE-2011-3556, CVE-2011-3557)
  - the HttpsURLConnection class in some situations wasn't doing security checks and thus was allowing connections that it shouldn't have been (CVE-2011-3560)

I can try to prepare some test packages with various fixes dropped to see if we can isolate it.

Changed in openjdk-6 (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
James Page (james-page) wrote:

Hi Steve

I think that it's probably using an HTTPS connection to connect to the KVM; it's web based.

I had to confirm a security exception in Firefox to access the KVM as the default cert is self-signed - I guess this might be the problem if HttpsURLConnection is now doing more stringent checks.

Happy to try stuff to try to isolate the issue.

Changed in openjdk-6 (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-6 (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) wrote:

Hi James,

I've gone ahead and created test packages in my PPA that drop the patch to address CVE-2011-3560; can you or one of the other people affected by this bug try them out and report back here? They're available from https://launchpad.net/~sbeattie/+archive/ppa . Thanks!

James Page (james-page) wrote: Re: [Bug 891761] Re: openjdk-6 6b23~pre11-0ubuntu1.11.10 breaks Raritan Dominion KVM console access

On 15/12/11 07:15, Steve Beattie wrote:
> I've gone ahead and created test packages in my PPA that drop the
> patch to address CVE-2011-3560; can you or one of the other people
> affected by this bug try them out and report back here? They're
> available from https://launchpad.net/~sbeattie/+archive/ppa .
> Thanks!

I've tried this and I still get the same error; however, I did have to
try this package on precise, which is not ideal as I don't have a handy
oneiric install kicking around.

--
James Page
Ubuntu Core Developer

Jean-Baptiste Lallement (jibel) wrote:

I tried it this morning and it works now on Precise with 6b24~pre3-0ubuntu1.

Could someone confirm so we can close the dev task? Thanks.

C de-Avillez (hggdh2) wrote:

Confirmed working as of today.

Steve Beattie (sbeattie) wrote:

The most recent icedtea (non-security) release includes a fix for http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725 which sounds like a suspiciously similar problem. I've cherry-picked the patch for just that issue and have submitted a test openjdk-6 oneiric build to my ppa (https://launchpad.net/~sbeattie/+archive/ppa). If someone would like to test them out for me once they've built, that'd be great; otherwise I'll try to test them myself tomorrow.

Thanks for your patience!

Steve Beattie (sbeattie) wrote:

I've confirmed and had independent confirmation (thanks!) that the cherry-picked patch indeed does solve the issue with the Raritan KVM. I'll prepare regression updates to include this fix for lucid through oneiric.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package openjdk-6 - 6b20-1.9.10-0ubuntu1~10.04.3

---------------
openjdk-6 (6b20-1.9.10-0ubuntu1~10.04.3) lucid-security; urgency=low

  * debian/patches/openjdk-7103725-ssl_beast_regression.patch:
    Add regression fix for broken ssl connectivity when using
    TLS_DH_anon_WITH_AES_128_CBC_SHA (LP: #891761)
 -- Steve Beattie <email address hidden> Fri, 20 Jan 2012 10:36:28 -0800

Changed in openjdk-6 (Ubuntu):
status: Confirmed → Fix Released
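The changelog above names TLS_DH_anon_WITH_AES_128_CBC_SHA: an anonymous Diffie-Hellman suite (no server certificate is presented, so the KVM is never authenticated to the client) using a CBC-mode bulk cipher, which is the class of suite that BEAST-related changes in a TLS stack touch. The script below is an added example for this thread, not code from the openjdk-6 package, IcedTea or Raritan. It parses IANA-style cipher-suite names so an administrator can see which of a device's enabled suites provide no server authentication, and produces a hardened list without them. The suite list in `SAMPLE_ENABLED` is constructed for illustration.

```python
"""Classify TLS cipher-suite names by key exchange and cipher mode.

Added example for this bug thread; it is not code from the openjdk-6
package, IcedTea or Raritan.  The suite lists below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# IANA naming: TLS_<key exchange>_WITH_<bulk cipher>_<mac>,
# e.g. TLS_DH_anon_WITH_AES_128_CBC_SHA (the suite named in the changelog).
# Legacy Java names use the SSL_ prefix (e.g. SSL_RSA_WITH_RC4_128_SHA).
_SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<bulk>.+)$")

# TLS 1.3 suites carry no key-exchange part in their name; they are
# always authenticated AEAD suites.
_TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    key_exchange: str  # e.g. "DH_anon", "ECDHE_RSA", or "TLS1.3"
    anonymous: bool    # True: no server authentication (DH_anon / ECDH_anon)
    cbc_mode: bool     # True: CBC bulk cipher, the class BEAST mitigations affect


def classify(name: str) -> SuiteInfo:
    """Parse one cipher-suite name into its security-relevant properties."""
    if name in _TLS13_SUITES:
        return SuiteInfo(name, "TLS1.3", False, False)
    m = _SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher-suite name: {name!r}")
    kx = m.group("kx")
    bulk = m.group("bulk")
    return SuiteInfo(
        name=name,
        key_exchange=kx,
        anonymous=kx.endswith("_anon"),  # DH_anon, ECDH_anon
        cbc_mode="_CBC_" in bulk,        # AES_128_CBC_SHA, 3DES_EDE_CBC_SHA, ...
    )


def audit(enabled: List[str]) -> List[str]:
    """Return the enabled suites that offer no server authentication.

    Such a suite never presents a certificate, so the self-signed-certificate
    prompt discussed in this thread never arises: there is nothing to verify,
    and any on-path host can stand in for the device.
    """
    return [s for s in enabled if classify(s).anonymous]


def harden(enabled: List[str]) -> List[str]:
    """Filter an enabled-suite list down to authenticated suites, keeping order."""
    return [s for s in enabled if not classify(s).anonymous]


# Constructed sample: the suite named in the changelog alongside ordinary ones.
SAMPLE_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for s in SAMPLE_ENABLED:
        i = classify(s)
        print(f"{s:44s} kx={i.key_exchange:10s} anon={i.anonymous!s:5s} cbc={i.cbc_mode}")
    print("unauthenticated suites:", audit(SAMPLE_ENABLED))
    print("hardened list:", harden(SAMPLE_ENABLED))
```

The same filtering can be applied in Java to the array returned by `SSLSocket.getEnabledCipherSuites()` before passing it to `setEnabledCipherSuites()`, or to a server's configured suite list; a device that only works once an anonymous suite is enabled is telling you it is not authenticating itself at all.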
This report contains Public information
Everyone can see this information.