Univention Bugzilla – Bug 41872
openjdk-7: Multiple issues (3.3)
Last modified: 2019-04-11 19:23:24 CEST
+++ This bug was initially created as a clone of Bug #41871 +++

The following issues have been reported as fixed by Oracle:

* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA. (CVE-2016-3458)
* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508. (CVE-2016-3500)
* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500. (CVE-2016-3508)
* Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot. (CVE-2016-3550)
* Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot. (CVE-2016-3606)
Upstream Debian package version 7u111-2.6.7-1~deb7u1 fixes the issues above.
Upstream Debian package version 7u111-2.6.7-2~deb7u1 fixes:

* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect integrity via vectors related to Libraries. (CVE-2016-5542)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect integrity via vectors related to JMX. (CVE-2016-5554)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5582. (CVE-2016-5573)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5573. (CVE-2016-5582)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality via vectors related to Networking. (CVE-2016-5597)
Upstream Debian package version 7u121-2.6.8-1~deb7u1 fixes:

- S8165344, CVE-2017-3272: A protected field can be leveraged into type confusion.
- S8167104, CVE-2017-3289: Custom class constructor code can bypass the required call to super.init allowing for uninitialized objects to be created.
- S8156802, CVE-2017-3241: RMI deserialization should limit the types deserialized to prevent attacks that could escape the sandbox.
- S8164143, CVE-2017-3260: It is possible to corrupt memory by calling dispose() on a CMenuComponent multiple times.
- S8168714, CVE-2016-5546: ECDSA will accept signatures that have various extraneous bytes added to them whereas the signature is supposed to be unique.
- S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt sections to be 2^32-1 bytes long so these should not be uncompressed unless the user explicitly requests it.
- S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may leak information about k.
- S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may leak information about k.
- S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to deserialize responses from an LDAP server when an LDAP context is expected.
- S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how users or external applications would interpret them leading to possible security issues.
- S8168705, CVE-2016-5547: A value from an InputStream is read directly into the size argument of a new byte[] without validation.
- S8164147, CVE-2017-3261: An integer overflow exists in SocketOutputStream which can lead to memory disclosure.
- S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will dispatch HTTP GET requests where the invoker does not have permission.
- S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when long running sessions are allowed.

http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA
Upstream Debian package version 7u131-2.6.9-2~deb7u1 fixes:

- S8163520, CVE-2017-3509: Reuse cache entries.
- S8163528, CVE-2017-3511: Better library loading.
- S8169011, CVE-2017-3526: Resizing XML parse trees.
- S8170222, CVE-2017-3533: Better transfers of files.
- S8171121, CVE-2017-3539: Enhancing jar checking.
- S8171533, CVE-2017-3544: Better email transfer.
Upstream Debian package version 7u151-2.6.11-2~deb7u2 fixes: CVE-2017-10274 CVE-2017-10281 CVE-2017-10285 CVE-2017-10295 CVE-2017-10345 CVE-2017-10346 CVE-2017-10347 CVE-2017-10348 CVE-2017-10349 CVE-2017-10350 CVE-2017-10355 CVE-2017-10356 CVE-2017-10357 CVE-2017-10388 Details: http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html
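The comments above give five package versions and the CVEs each one closes. The following is an added example (not part of this ticket, nor of the Debian or Univention packaging) that turns that mapping into a check: given an installed openjdk-7 version string, it lists the CVEs from this ticket whose fix lands in a newer version. The version-to-CVE table is transcribed from the comments; compare_versions is a reimplementation of dpkg's ordering rules (epoch, then upstream part, then Debian revision, alternating non-digit and digit runs, with `~` sorting before everything including end of string), written here so the script runs without dpkg. On a real Debian or UCS host, `dpkg --compare-versions` is the authority and should be preferred; also note that the versions below are the upstream Debian ones named in the ticket, so an errata rebuild carrying a different version suffix must be mapped to its Debian base before using this table.

```python
# Fixed-version -> CVE mapping, transcribed from the ticket comments above.
FIXES = [
    ("7u111-2.6.7-1~deb7u1", ["CVE-2016-3458", "CVE-2016-3500", "CVE-2016-3508",
                              "CVE-2016-3550", "CVE-2016-3606"]),
    ("7u111-2.6.7-2~deb7u1", ["CVE-2016-5542", "CVE-2016-5554", "CVE-2016-5573",
                              "CVE-2016-5582", "CVE-2016-5597"]),
    ("7u121-2.6.8-1~deb7u1", ["CVE-2017-3272", "CVE-2017-3289", "CVE-2017-3241",
                              "CVE-2017-3260", "CVE-2016-5546", "CVE-2017-3253",
                              "CVE-2016-5548", "CVE-2016-5549", "CVE-2017-3252",
                              "CVE-2016-5552", "CVE-2016-5547", "CVE-2017-3261",
                              "CVE-2017-3231", "CVE-2016-2183"]),
    ("7u131-2.6.9-2~deb7u1", ["CVE-2017-3509", "CVE-2017-3511", "CVE-2017-3526",
                              "CVE-2017-3533", "CVE-2017-3539", "CVE-2017-3544"]),
    ("7u151-2.6.11-2~deb7u2", ["CVE-2017-10274", "CVE-2017-10281", "CVE-2017-10285",
                               "CVE-2017-10295", "CVE-2017-10345", "CVE-2017-10346",
                               "CVE-2017-10347", "CVE-2017-10348", "CVE-2017-10349",
                               "CVE-2017-10350", "CVE-2017-10355", "CVE-2017-10356",
                               "CVE-2017-10357", "CVE-2017-10388"]),
]


def _order(c):
    """Weight of one character in dpkg's non-digit comparison: digits 0,
    letters their code point, '~' below everything (even end of string),
    other punctuation above all letters."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Reimplementation of dpkg's verrevcmp(): alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights character by character; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]'; the revision is after the last hyphen."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no hyphen at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _sign(n):
    return (n > 0) - (n < 0)


def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return _sign(ea - eb)
    return _sign(_verrevcmp(ua, ub)) or _sign(_verrevcmp(ra, rb))


def unfixed_cves(installed):
    """CVEs from the ticket whose fixing package version is newer than `installed`."""
    return [cve for fixed, cves in FIXES
            if compare_versions(installed, fixed) < 0
            for cve in cves]


if __name__ == "__main__":
    # Constructed sample input: a host still on the first 7u111 build.
    for cve in unfixed_cves("7u111-2.6.7-1~deb7u1"):
        print(cve)
```

Running the script as-is prints the 39 CVEs that the second 7u111 build and the 7u121, 7u131 and 7u151 builds fix; a host on 7u151-2.6.11-2~deb7u2 gets an empty list. The `~` rule matters for exactly the version strings in this ticket: `1~deb7u1` sorts below a plain revision `1`, so a backport of a fix must be compared against the backport version, not the unsuffixed Debian one.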
Package imported to errata3.3-1 but currently no customer for extsec3.3. In case this bug gets revived: TODO: debian/rules patch 00_hardcode-debian-settings-in-lsb-detection.patch needs adjustment for wheezy/squeeze dependent switches (like --disable-system-gconf).
This issue has been filed against UCS 3.3. UCS 3.3 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.