Univention Bugzilla – Bug 41871
openjdk-7: Multiple issues (4.1)
Last modified: 2017-02-01 12:07:17 CET
The following issues have been reported as fixed by Oracle:
* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA. (CVE-2016-3458)
* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508. (CVE-2016-3500)
* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500. (CVE-2016-3508)
* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot. (CVE-2016-3550)
* Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot. (CVE-2016-3606)
Upstream Debian package version 7u111-2.6.7-1~deb7u1 fixes the issues above.
Upstream Debian package version 7u111-2.6.7-2~deb7u1 fixes
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect integrity via vectors related to Libraries. (CVE-2016-5542)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect integrity via vectors related to JMX. (CVE-2016-5554)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5582. (CVE-2016-5573)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5573. (CVE-2016-5582)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality via vectors related to Networking. (CVE-2016-5597)
r75458: Remove UCS 4.1-3 from YAML file since UCS 4.1-3 is no longer in maintenance (Bug #41871)
Upstream Debian package version 7u121-2.6.8-1~deb7u1 fixes:
- S8165344, CVE-2017-3272: A protected field can be leveraged into type confusion.
- S8167104, CVE-2017-3289: Custom class constructor code can bypass the required call to super.init allowing for uninitialized objects to be created.
- S8156802, CVE-2017-3241: RMI deserialization should limit the types deserialized to prevent attacks that could escape the sandbox.
- S8164143, CVE-2017-3260: It is possible to corrupt memory by calling dispose() on a CMenuComponent multiple times.
- S8168714, CVE-2016-5546: ECDSA will accept signatures that have various extraneous bytes added to them whereas the signature is supposed to be unique.
- S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt sections to be 2^32-1 bytes long so these should not be uncompressed unless the user explicitly requests it.
- S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may leak information about k.
- S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may leak information about k.
- S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to deserialize responses from an LDAP server when an LDAP context is expected.
- S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how users or external applications would interpret them leading to possible security issues.
- S8168705, CVE-2016-5547: A value from an InputStream is read directly into the size argument of a new byte[] without validation.
- S8164147, CVE-2017-3261: An integer overflow exists in SocketOutputStream which can lead to memory disclosure.
- S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will dispatch HTTP GET requests where the invoker does not have permission.
- S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when long running sessions are allowed.
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA
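The CVE-2016-5547 entry above describes a defect class that is easy to recognise in review: a length field read from an untrusted InputStream is used directly as the size of a new byte[]. The following is an added illustration written for this page, not code from Univention, Debian or OpenJDK. The wire format (a 4-byte big-endian length followed by that many payload bytes) and the MAX_RECORD_BYTES bound are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example (not OpenJDK's code): unchecked vs. bounded allocation of a
 * buffer whose size comes from an untrusted stream. The record format is a
 * constructed one: 4-byte big-endian length, then that many payload bytes.
 */
public final class BoundedLengthRead {

    /** Assumed upper bound a caller is willing to allocate for one record. */
    public static final int MAX_RECORD_BYTES = 64 * 1024;

    /** Unsafe pattern: the stream-controlled length becomes the allocation size. */
    public static byte[] readRecordUnchecked(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int len = din.readInt();      // a declared 0x7FFFFFFF means a ~2 GiB allocation attempt
        byte[] buf = new byte[len];   // NegativeArraySizeException or OutOfMemoryError on hostile input
        din.readFully(buf);
        return buf;
    }

    /** Hardened pattern: validate the declared length before allocating anything. */
    public static byte[] readRecordChecked(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int len = din.readInt();
        if (len < 0 || len > MAX_RECORD_BYTES) {
            throw new IOException("declared record length " + len + " out of bounds");
        }
        byte[] buf = new byte[len];
        din.readFully(buf);           // EOFException if the stream is shorter than declared
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: length 3 followed by "abc"
        byte[] good = {0, 0, 0, 3, 'a', 'b', 'c'};
        System.out.println(new String(readRecordChecked(new ByteArrayInputStream(good)), "US-ASCII"));

        // Constructed sample: declares 2^31-1 bytes but carries none
        byte[] huge = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        try {
            readRecordChecked(new ByteArrayInputStream(huge));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The checked variant fails closed on both negative and oversized lengths before any memory is committed; the bound should reflect what the protocol actually needs, and a truncated stream is surfaced by readFully rather than silently returning a partially filled buffer.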
Imported and building.
Advisory: openjdk-7.yaml
Tests (amd64): OK
Advisory: Some CVE seem to be not listed?
> Advisory: Some CVE seem to be not listed?
Yes, thanks to Oracle, no relevant details available.
(In reply to Arvid Requate from comment #7)
> > Advisory: Some CVE seem to be not listed?
>
> Yes, thanks to Oracle, no relevant details available.
OK
<http://errata.software-univention.de/ucs/4.1/381.html>