Bug 38928 - openjdk-7: Multiple issues (4.0)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.0
Other Linux
: P3 normal
: UCS 4.0-2-errata
Assigned To: Arvid Requate
Janek Walkenhorst
Reported: 2015-07-15 22:48 CEST by Arvid Requate
Modified: 2015-08-14 10:38 CEST (History)
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2015-07-15 22:48:57 CEST
New issues from http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html fixed in 7u85:

deserialization issue in ObjectInputStream.readSerialData() (CVE-2015-2590)
unspecified vulnerability in the hotspot component (CVE-2015-2596)
non-constant time comparisons in crypto code (CVE-2015-2601)
NSS/JCE: missing EC parameter validation in ECDH_Derive() (CVE-2015-2613)
unspecified vulnerability in the 2D component (CVE-2015-2619)
incorrect code permission checks in RMIConnectionImpl (CVE-2015-2621)
name for reverse DNS lookup used in certificate identity check (CVE-2015-2625)
IIOPInputStream type confusion vulnerability (CVE-2015-2628)
ICU: integer overflow in LETableReference verifyLength() (CVE-2015-2632)
unspecified vulnerability in the 2D component (CVE-2015-2637)
unspecified vulnerability in the 2D component (CVE-2015-2638)
SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher (CVE-2015-2808)
LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks (CVE-2015-4000)
improper permission checks in MBeanServerInvocationHandler (CVE-2015-4731)
insufficient context checks during object deserialization (CVE-2015-4732)
RemoteObjectInvocationHandler allows calling finalize() (CVE-2015-4733)
incorrect OCSP nextUpdate checking (CVE-2015-4748)
DnsClient fails to release request information after error (CVE-2015-4749)
ICU: missing boundary checks in layout engine (CVE-2015-4760)
Comment 1 Arvid Requate univentionstaff 2015-08-04 17:46:50 CEST
Fix available upstream: Debian package version 7u79-2.5.6-1~deb7u1
Comment 2 Arvid Requate univentionstaff 2015-08-05 12:55:34 CEST
Upstream version imported and built in errata4.0-2.

Advisory: 2015-08-05-openjdk-7.yaml
Comment 3 Janek Walkenhorst univentionstaff 2015-08-05 14:09:26 CEST
Advisory: OK
Tests (amd64): OK
Comment 4 Janek Walkenhorst univentionstaff 2015-08-06 19:26:17 CEST
Comment 5 Arvid Requate univentionstaff 2015-08-14 10:38:09 CEST
For the record: this has also been fixed with this update:

* MIME type registration for JAR files in the Debian OpenJDK packages enables user-initiated remote code execution (CVE-2014-8873)