
openjdk-6 6b23~pre11-0ubuntu1.11.10 breaks Raritan Dominion KVM console access

Reported by James Page on 2011-11-17
This bug affects 2 people
Affects: openjdk-6 (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

I upgraded to the most recent openjdk-6 packages this morning; as a result, the Java-plugin-based remote console access provided by the Raritan Dominion KVM no longer works - it fails with a 'Client disconnect from remote console' error message.

I confirmed this by reverting to 6b23~pre10-0ubuntu5.

I'll see if I can raise this with Raritan as well (but might not get far there).

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openjdk-6-jdk 6b23~pre11-0ubuntu1.11.10
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
NonfreeKernelModules: fglrx
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Thu Nov 17 14:10:35 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110426)
SourcePackage: openjdk-6
UpgradeStatus: Upgraded to oneiric on 2011-09-09 (69 days ago)

Steve Beattie (sbeattie) wrote :

Hi James,

Do you have any idea how the console is connecting to the KVM? There are a few different things in the update here that could be affecting it:

  - the fix for CVE-2011-3552 dropped the default number of allowed open UDP connections to 25
  - there were a couple of different issues around RMI where the restrictions were tightened (CVE-2011-3556, CVE-2011-3557)
  - the HttpsURLConnection class in some situations wasn't doing security checks and thus was allowing connections that it shouldn't have been (CVE-2011-3560)

I can try to prepare some test packages with various fixes dropped to see if we can isolate it.

Changed in openjdk-6 (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
James Page (james-page) wrote :

Hi Steve,

I think that it's probably using an HTTPS connection to connect to the KVM; it's web based.

I had to confirm a security exception in Firefox to access the KVM as the default cert is self-signed - I guess this might be the problem if HttpsURLConnection is now doing more stringent checks.

Happy to try stuff to try to isolate the issue.

Changed in openjdk-6 (Ubuntu):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-6 (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

Hi James,

I've gone ahead and created test packages in my PPA that drop the patch to address CVE-2011-3560; can you or one of the other people affected by this bug try them out and report back here? They're available from https://launchpad.net/~sbeattie/+archive/ppa . Thanks!

James Page (james-page) wrote :
On 15/12/11 07:15, Steve Beattie wrote:
> I've gone ahead and created test packages in my PPA that drop the
> patch to address CVE-2011-3560; can you or one of the other people
> affected by this bug try them out and report back here? They're
> available from https://launchpad.net/~sbeattie/+archive/ppa .
> Thanks!

I've tried this and I still get the same error; however, I did have to try this package on precise, which is not ideal as I don't have a handy oneiric install kicking around.

--
James Page
Ubuntu Core Developer

Jean-Baptiste Lallement (jibel) wrote :

I tried it this morning and it works now on Precise with 6b24~pre3-0ubuntu1.

Could someone confirm so we can close the dev task? Thanks.

C de-Avillez (hggdh2) wrote :

Confirmed working as of today.

Steve Beattie (sbeattie) wrote :

The most recent icedtea (non-security) release includes a fix for http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725 which sounds like a suspiciously similar problem. I've cherry-picked the patch for just that issue and have submitted a test openjdk-6 oneiric build to my ppa (https://launchpad.net/~sbeattie/+archive/ppa). If someone would like to test them out for me once they've built, that'd be great; otherwise I'll try to test them myself tomorrow.

Thanks for your patience!

Steve Beattie (sbeattie) wrote :

I've confirmed and had independent confirmation (thanks!) that the cherry-picked patch indeed does solve the issue with the Raritan KVM. I'll prepare regression updates to include this fix for lucid through oneiric.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openjdk-6 - 6b20-1.9.10-0ubuntu1~10.04.3

---------------
openjdk-6 (6b20-1.9.10-0ubuntu1~10.04.3) lucid-security; urgency=low

  * debian/patches/openjdk-7103725-ssl_beast_regression.patch:
    Add regression fix for broken ssl connectivity when using
    TLS_DH_anon_WITH_AES_128_CBC_SHA (LP: #891761)
 -- Steve Beattie <email address hidden> Fri, 20 Jan 2012 10:36:28 -0800

Changed in openjdk-6 (Ubuntu):
status: Confirmed → Fix Released
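A triage check of the kind a practitioner would run against a report like this, added here as an example and not code from the bug or from the openjdk-6 packages: it prints the jsse.enableCBCProtection property that governs the CBC (BEAST) mitigation the regression patch touched, lists the anonymous-key-exchange suites such as the TLS_DH_anon_WITH_AES_128_CBC_SHA named in the changelog and whether the JVM enables them by default, and, given a host and port, reports what a handshake negotiates or why it fails. The class name, the host and port arguments, and the use of the JVM's default SSLSocketFactory are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsSuiteCheck {
    // Suites with "_anon_" use anonymous DH/ECDH: neither end is authenticated,
    // so a device that only talks these suites is worth recording in the asset
    // inventory quite apart from the regression discussed in this bug.
    static boolean isAnonymous(String suite) {
        return suite.contains("_anon_");
    }

    public static void main(String[] args) throws IOException {
        // JSSE property added with the BEAST CBC mitigation; unset means the default (enabled).
        System.out.println("jsse.enableCBCProtection = "
                + System.getProperty("jsse.enableCBCProtection", "<default: true>"));

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        List<String> enabled = Arrays.asList(factory.getDefaultCipherSuites());
        List<String> supported = Arrays.asList(factory.getSupportedCipherSuites());
        System.out.println("enabled suites: " + enabled.size() + ", supported: " + supported.size());
        for (String s : supported) {
            if (isAnonymous(s)) {
                System.out.println((enabled.contains(s) ? "ENABLED  " : "disabled ") + s);
            }
        }

        if (args.length == 2) {
            String host = args[0];               // assumed: the KVM address supplied by the operator
            int port = Integer.parseInt(args[1]); // assumed: its HTTPS port
            SSLSocket sock = (SSLSocket) factory.createSocket(host, port);
            try {
                sock.startHandshake();
                System.out.println("negotiated: " + sock.getSession().getCipherSuite()
                        + " over " + sock.getSession().getProtocol());
            } catch (SSLHandshakeException e) {
                // A self-signed device certificate, as in this report, surfaces here as a trust failure.
                System.out.println("handshake failed: " + e.getMessage());
            } finally {
                sock.close();
            }
        }
    }
}
```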