Bug 40043 – openjdk-7: Multiple issues (4.1)

Bug 40043 - openjdk-7: Multiple issues (4.1)


Summary:	openjdk-7: Multiple issues (4.1)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P3 normal (vote)
Target Milestone:	UCS 4.1-0-errata
Assigned To:	Janek Walkenhorst
QA Contact:	Daniel Tröder

URL:	http://www.oracle.com/technetwork/top...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2015-11-19 21:18 CET by Arvid Requate
Modified:	2016-10-05 12:46 CEST (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2015-11-19 21:18:03 CET

+++ This bug was initially created as a clone of Bug #40042 +++

New issues fixed in Debian package version 7u85-2.6.1-6~deb7u1:

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881, CVE-2015-4883)

* A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)

* A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-4872)

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4840, CVE-2015-4842, CVE-2015-4903)

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911)

               -- CVE descriptions courtesy of Ubuntu.

Comment 1 Janek Walkenhorst

2015-12-07 19:04:02 CET

Updated to 7u91-2.6.3-1~deb7u1
Tests (i386): OK
Advisory: openjdk-7.yaml r66133

Comment 2 Daniel Tröder

2015-12-09 11:03:02 CET

OK: DEBIAN_FRONTEND=noninteractive apt-get install --reinstall -y openjdk-7-jdk
OK: advisory
OK: manual test:

# cat >>Hello.java <<__JAVA__
public class Hello {
        public static void main(String[] args) {
                System.out.println("Hello UCS");
        }
}
__JAVA__
# javac Hello.java 
# java -cp . Hello
Hello UCS

Comment 3 Janek Walkenhorst

2015-12-09 16:53:35 CET

This openjdk-7 version needs lksctp-tools to be made maintained.

Comment 4 Daniel Tröder

2016-01-11 17:22:22 CET

An advisory was added in r66715 and package was built in scope ucs_4.1-0-errata4.1-0.

Comment 5 Janek Walkenhorst

2016-01-13 13:08:01 CET

<http://errata.software-univention.de/ucs/4.1/47.html>

Comment 6 Janek Walkenhorst

2016-01-13 14:01:56 CET

<http://errata.software-univention.de/ucs/4.1/55.html>

Comment 7 Arvid Requate

2016-01-28 15:05:49 CET

Note: 7u91-2.6.3-1~deb7u1 also fixed  CVE-2015-4871