Bug 40042

Summary: openjdk-7: Multiple issues (4.0)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Janek Walkenhorst <walkenhorst>
Status: CLOSED FIXED
QA Contact: Daniel Tröder <troeder>
Severity: normal
Priority: P3
CC: gohmann
Version: UCS 4.0
Flags: requate: Patch_Available+
Target Milestone: UCS 4.0-4-errata
Hardware: Other
OS: Linux
URL: http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Bug group (optional): Security

Description Arvid Requate univentionstaff 2015-11-19 21:16:59 CET
New issues fixed in Debian package version 7u85-2.6.1-6~deb7u1:

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881, CVE-2015-4883)

* A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)

* A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4872)

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4840, CVE-2015-4842, CVE-2015-4903)

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911)

               -- CVE descriptions courtesy of Ubuntu.
Comment 1 Janek Walkenhorst univentionstaff 2015-12-07 19:03:48 CET
Updated to 7u91-2.6.3-1~deb7u1
Tests (amd64): OK
Advisory: openjdk-7.yaml r66132
Comment 2 Daniel Tröder univentionstaff 2015-12-09 11:20:01 CET
OK: DEBIAN_FRONTEND=noninteractive apt-get install -y openjdk-7-jdk
OK: advisory
OK: manual test:

# cat >>Hello.java <<__JAVA__
public class Hello {
        public static void main(String[] args) {
                System.out.println("Hello UCS");
        }
}
__JAVA__
# javac Hello.java 
# java -cp . Hello
Hello UCS
Comment 3 Janek Walkenhorst univentionstaff 2015-12-09 16:53:34 CET
This openjdk-7 version needs lksctp-tools to be made maintained.
Comment 4 Daniel Tröder univentionstaff 2016-01-11 17:21:49 CET
An advisory was added in r66718 and package was built in scope ucs_4.0-0-errata4.0-4.
Comment 5 Janek Walkenhorst univentionstaff 2016-01-13 15:00:07 CET
<http://errata.software-univention.de/ucs/4.0/382.html>
Comment 6 Janek Walkenhorst univentionstaff 2016-01-13 16:04:28 CET
<http://errata.software-univention.de/ucs/4.0/385.html>
Comment 7 Arvid Requate univentionstaff 2016-01-28 15:06:23 CET
Note: 7u91-2.6.3-1~deb7u1 also fixed CVE-2015-4871.
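Added example, not part of this bug report or of Univention's packaging: a Python port of dpkg's version ordering (epoch, upstream, revision; '~' sorts before everything, including the end of the string) used to list which CVEs from this bug a given installed openjdk-7 version, e.g. the output of `dpkg-query -W -f '${Version}' openjdk-7-jre`, still lacks. The version-to-CVE mapping comes from the description and comment 7; on a real host `dpkg --compare-versions` remains the authoritative check.

```python
from itertools import zip_longest
import re
# Fixed-in versions and the CVEs they cover, as stated in the description and comment 7.
FIXED_IN = {
    "7u85-2.6.1-6~deb7u1": ["CVE-2015-%d" % n for n in (
        4734, 4803, 4805, 4806, 4835, 4840, 4842, 4843, 4844,
        4860, 4868, 4872, 4881, 4882, 4883, 4893, 4903, 4911)],
    "7u91-2.6.3-1~deb7u1": ["CVE-2015-4871"],
}

def _order(c):
    # dpkg weight of one character: '~' < end of string < letters < everything else.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg rule: alternate non-digit runs (compared character by character by
    # weight) and digit runs (compared numerically, so leading zeros do not count).
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        da, db = int(na or 0), int(nb or 0)
        if da != db:
            return (da > db) - (da < db)
    return 0

def _split(version):
    # [epoch:]upstream[-debian_revision]: epoch defaults to 0, revision to "".
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1, as `dpkg --compare-versions v1 lt|eq|gt v2` would decide."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def unfixed_cves(installed):
    """CVEs from this bug that `installed` (an openjdk-7 dpkg version string) does not fix."""
    return sorted(cve for fixed, cves in FIXED_IN.items()
                  if compare_versions(installed, fixed) < 0 for cve in cves)
```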