Bug 38928

Summary: openjdk-7: Multiple issues (4.0)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Janek Walkenhorst <walkenhorst>
Severity: normal    
Priority: P3 Flags: requate: Patch_Available+
Version: UCS 4.0   
Target Milestone: UCS 4.0-2-errata   
Hardware: Other   
OS: Linux   
Bug group: Security

Description Arvid Requate univentionstaff 2015-07-15 22:48:57 CEST
New issues from http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html fixed in 7u85:

deserialization issue in ObjectInputStream.readSerialData() (CVE-2015-2590)
unspecified vulnerability in the hotspot component (CVE-2015-2596)
non-constant time comparisons in crypto code (CVE-2015-2601)
NSS/JCE: missing EC parameter validation in ECDH_Derive() (CVE-2015-2613)
unspecified vulnerability in the 2D component (CVE-2015-2619)
incorrect code permission checks in RMIConnectionImpl (CVE-2015-2621)
name for reverse DNS lookup used in certificate identity check (CVE-2015-2625)
IIOPInputStream type confusion vulnerability (CVE-2015-2628)
ICU: integer overflow in LETableReference verifyLength() (CVE-2015-2632)
unspecified vulnerability in the 2D component (CVE-2015-2637)
unspecified vulnerability in the 2D component (CVE-2015-2638)
SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher (CVE-2015-2808)
LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks (CVE-2015-4000)
improper permission checks in MBeanServerInvocationHandler (CVE-2015-4731)
insufficient context checks during object deserialization (CVE-2015-4732)
RemoteObjectInvocationHandler allows calling finalize() (CVE-2015-4733)
incorrect OCSP nextUpdate checking (CVE-2015-4748)
DnsClient fails to release request information after error (CVE-2015-4749)
ICU: missing boundary checks in layout engine (CVE-2015-4760)
Comment 1 Arvid Requate univentionstaff 2015-08-04 17:46:50 CEST
Fix available upstream: Debian package version 7u79-2.5.6-1~deb7u1
Comment 2 Arvid Requate univentionstaff 2015-08-05 12:55:34 CEST
Upstream version imported and built in errata4.0-2.

Advisory: 2015-08-05-openjdk-7.yaml
Comment 3 Janek Walkenhorst univentionstaff 2015-08-05 14:09:26 CEST
Advisory: OK
Tests (amd64): OK
Comment 4 Janek Walkenhorst univentionstaff 2015-08-06 19:26:17 CEST
<http://errata.univention.de/ucs/4.0/281.html>
Comment 5 Arvid Requate univentionstaff 2015-08-14 10:38:09 CEST
For the record: this has also been fixed with this update:

* MIME type registration for JAR files in the Debian OpenJDK packages enables user-initiated remote code execution (CVE-2014-8873)