Bug 44687 - openjdk-7: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
Importance: P3 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Arvid Requate
Jürn Brodersen
http://www.oracle.com/technetwork/sec...
Depends on:
Blocks: 44726
Reported: 2017-05-24 13:53 CEST by Arvid Requate
Modified: 2017-12-14 12:55 CET (History)

See Also:
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-05-24 13:53:04 CEST
Upstream Debian package version 7u131-2.6.9-2~deb8u1 fixes:

    - S8163520, CVE-2017-3509: Reuse cache entries.
    - S8163528, CVE-2017-3511: Better library loading.
    - S8169011, CVE-2017-3526: Resizing XML parse trees.
    - S8170222, CVE-2017-3533: Better transfers of files.
    - S8171121, CVE-2017-3539: Enhancing jar checking.
    - S8171533, CVE-2017-3544: Better email transfer.
Comment 1 Arvid Requate univentionstaff 2017-09-08 13:13:00 CEST
Upstream Debian package version 7u151-2.6.11-1~deb8u1 fixes:

* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java (CVE-2017-10053)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10067)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java (CVE-2017-10074)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java accessible data. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10081)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10087)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10089)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10090)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10096)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10101)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. While the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service (CVE-2017-10102)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10107)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java (CVE-2017-10108)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10109)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10110)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10115)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java (CVE-2017-10116)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10118)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10135)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10176)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java accessible data. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10193)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10198)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java accessible data and unauthorized ability to cause a partial denial of service (partial DOS) (CVE-2017-10243)
Comment 2 Arvid Requate univentionstaff 2017-12-11 11:58:46 CET
Upstream Debian package version 7u151-2.6.11-2~deb8u1 fixes:

CVE-2017-10274 CVE-2017-10281 CVE-2017-10285 CVE-2017-10295
CVE-2017-10345 CVE-2017-10346 CVE-2017-10347 CVE-2017-10348
CVE-2017-10349 CVE-2017-10350 CVE-2017-10355 CVE-2017-10356
CVE-2017-10357 CVE-2017-10388

Details: http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html
Comment 3 Arvid Requate univentionstaff 2017-12-11 16:34:04 CET
Imported and built.

Advisory: https://git.knut.univention.de/univention/ucs/blob/4.2-3/doc/errata/staging/openjdk-7.yaml
Comment 5 Arvid Requate univentionstaff 2017-12-12 11:49:40 CET
Yes, I have decided not to put any detailed CVE descriptions into the advisory to save half an hour of cut & paste & formatting. I've put in the links to the verbose release notes from Oracle. I've now added an ignore tag to relax the test criteria.
Comment 6 Jürn Brodersen univentionstaff 2017-12-12 13:23:44 CET
Installation: OK
YAML: OK
java: "Hello_World": OK

Verified
Comment 7 Arvid Requate univentionstaff 2017-12-14 12:55:55 CET
<http://errata.software-univention.de/ucs/4.2/249.html>