Univention Bugzilla – Bug 44687
openjdk-7: Multiple issues (4.2)
Last modified: 2017-12-14 12:55:55 CET
Upstream Debian package version 7u131-2.6.9-2~deb8u1 fixes: - S8163520, CVE-2017-3509: Reuse cache entries. - S8163528, CVE-2017-3511: Better library loading. - S8169011, CVE-2017-3526: Resizing XML parse trees. - S8170222, CVE-2017-3533: Better transfers of files. - S8171121, CVE-2017-3539: Enhancing jar checking. - S8171533, CVE-2017-3544: Better email transfer.
Upstream Debian package version 7u151-2.6.11-1~deb8u1 fixes: * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java (CVE-2017-10053) * Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10067) * Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java (CVE-2017-10074) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java accessible data. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10081) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10087) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10089) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10090) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10096) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10101) * Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. While the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service (CVE-2017-10102) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10107) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java (CVE-2017-10108) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10109) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10110) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10115) * Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java (CVE-2017-10116) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10118) * Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10135) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10176) * Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java accessible data. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10193) * Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10198) * Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java accessible data and unauthorized ability to cause a partial denial of service (partial DOS) (CVE-2017-10243)
Upstream Debian package version 7u151-2.6.11-2~deb8u1 fixes: CVE-2017-10274 CVE-2017-10281 CVE-2017-10285 CVE-2017-10295 CVE-2017-10345 CVE-2017-10346 CVE-2017-10347 CVE-2017-10348 CVE-2017-10349 CVE-2017-10350 CVE-2017-10355 CVE-2017-10356 CVE-2017-10357 CVE-2017-10388 Details: http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html
Imported and built. Advisory: https://git.knut.univention.de/univention/ucs/blob/4.2-3/doc/errata/staging/openjdk-7.yaml
YAML fail? http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-3/job/ErrataValidation/lastCompletedBuild/testReport/openjdk-7/
Yes, I have decided not to put any detailed CVE descriptions into the advisory to save half an hour of cut & paste & formatting. I've put the Links to the verbose release notes from Oracle. I've now added an ignore tag to relax the test criteria.
Installation: OK YAML: OK java: "Hello_World": OK Verified
<http://errata.software-univention.de/ucs/4.2/249.html>