Univention Bugzilla – Bug 38928
openjdk-7: Multiple issues (4.0)
Last modified: 2015-08-14 10:38:09 CEST
New issues from http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html fixed in 7u85:
* deserialization issue in ObjectInputStream.readSerialData() (CVE-2015-2590)
* unspecified vulnerability in the hotspot component (CVE-2015-2596)
* non-constant time comparisons in crypto code (CVE-2015-2601)
* NSS/JCE: missing EC parameter validation in ECDH_Derive() (CVE-2015-2613)
* unspecified vulnerability in the 2D component (CVE-2015-2619)
* incorrect code permission checks in RMIConnectionImpl (CVE-2015-2621)
* name for reverse DNS lookup used in certificate identity check (CVE-2015-2625)
* IIOPInputStream type confusion vulnerability (CVE-2015-2628)
* ICU: integer overflow in LETableReference verifyLength() (CVE-2015-2632)
* unspecified vulnerability in the 2D component (CVE-2015-2637)
* unspecified vulnerability in the 2D component (CVE-2015-2638)
* SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher (CVE-2015-2808)
* LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks (CVE-2015-4000)
* improper permission checks in MBeanServerInvocationHandler (CVE-2015-4731)
* insufficient context checks during object deserialization (CVE-2015-4732)
* RemoteObjectInvocationHandler allows calling finalize() (CVE-2015-4733)
* incorrect OCSP nextUpdate checking (CVE-2015-4748)
* DnsClient fails to release request information after error (CVE-2015-4749)
* ICU: missing boundary checks in layout engine (CVE-2015-4760)
Fix available upstream Debian package version 7u79-2.5.6-1~deb7u1
Upstream version imported and built in errata4.0-2. Advisory: 2015-08-05-openjdk-7.yaml
Advisory: OK
Tests (amd64): OK
<http://errata.univention.de/ucs/4.0/281.html>
For the record: this has also been fixed with this update:
* MIME type registration for JAR files in the Debian OpenJDK packages enables user-initiated remote code execution (CVE-2014-8873)