Univention Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | openjdk-7: Multiple issues (4.1) | | |
| Product | UCS | Reporter | Arvid Requate <requate> |
| Component | Security updates | Assignee | Arvid Requate <requate> |
| Status | CLOSED FIXED | QA Contact | Janek Walkenhorst <walkenhorst> |
| Severity | normal | | |
| Priority | P3 | CC | botner, gohmann, walkenhorst |
| Version | UCS 4.1 | Flags | requate: Patch_Available+ |
| Target Milestone | UCS 4.1-4-errata | | |
| Hardware | Other | | |
| OS | Linux | | |
| URL | http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA | | |
| What kind of report is it? | Security Issue | What type of bug is this? | --- |
| Who will be affected by this bug? | --- | How will those affected feel about the bug? | --- |
| User Pain | | Enterprise Customer affected? | |
| School Customer affected? | | ISV affected? | |
| Waiting Support | | Flags outvoted (downgraded) after PO Review | |
| Ticket number | | Bug group (optional) | Security |
| Max CVSS v3 score | | | |
| Bug Depends on | | | |
| Bug Blocks | 41872 | | |
Description
Arvid Requate
2016-07-28 18:29:00 CEST
Upstream Debian package version 7u111-2.6.7-1~deb7u1 fixes the issues above.

Upstream Debian package version 7u111-2.6.7-2~deb7u1 fixes
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect integrity via vectors related to Libraries. (CVE-2016-5542)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect integrity via vectors related to JMX. (CVE-2016-5554)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5582. (CVE-2016-5573)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot, a different vulnerability than CVE-2016-5573. (CVE-2016-5582)
* Unspecified vulnerability in Oracle Java SE 7u111 allows remote attackers to affect confidentiality via vectors related to Networking. (CVE-2016-5597)

r75458: Remove UCS 4.1-3 from YAML file since UCS 4.1-3 is no longer in maintenance (Bug #41871)

Upstream Debian package version 7u121-2.6.8-1~deb7u1 fixes:
- S8165344, CVE-2017-3272: A protected field can be leveraged into type confusion.
- S8167104, CVE-2017-3289: Custom class constructor code can bypass the required call to super.init allowing for uninitialized objects to be created.
- S8156802, CVE-2017-3241: RMI deserialization should limit the types deserialized to prevent attacks that could escape the sandbox.
- S8164143, CVE-2017-3260: It is possible to corrupt memory by calling dispose() on a CMenuComponent multiple times.
- S8168714, CVE-2016-5546: ECDSA will accept signatures that have various extraneous bytes added to them whereas the signature is supposed to be unique.
- S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt sections to be 2^32-1 bytes long so these should not be uncompressed unless the user explicitly requests it.
- S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may leak information about k.
- S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may leak information about k.
- S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to deserialize responses from an LDAP server when an LDAP context is expected.
- S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how users or external applications would interpret them leading to possible security issues.
- S8168705, CVE-2016-5547: A value from an InputStream is read directly into the size argument of a new byte[] without validation.
- S8164147, CVE-2017-3261: An integer overflow exists in SocketOutputStream which can lead to memory disclosure.
- S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will dispatch HTTP GET requests where the invoker does not have permission.
- S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when long running sessions are allowed.
http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA

Imported and building.

Advisory: openjdk-7.yaml

Tests (amd64): OK
Advisory: Some CVE seem to be not listed?

> Advisory: Some CVE seem to be not listed?

Yes, thanks to Oracle, no relevant details available.

(In reply to Arvid Requate from comment #7)
> > Advisory: Some CVE seem to be not listed?
>
> Yes, thanks to Oracle, no relevant details available.

OK
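The CVE-2016-5546 item in the changelog above (ECDSA accepting signatures "that have various extraneous bytes added to them") is an encoding-strictness defect: a verifier that tolerates trailing bytes, non-minimal lengths or padded integers accepts many byte strings for the same (r, s) pair, although DER defines exactly one. The following is an added example, not OpenJDK's code and not part of the bug report, showing what a strict decoder of a DER ECDSA signature (SEQUENCE of two INTEGERs) has to reject. The sample signatures are constructed inline; the only real constant is the P-256 group order, used for the range check on r and s.

```python
"""Strict DER decoding of an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.

Constructed illustration of the CVE-2016-5546 issue class; not OpenJDK code.
Every deviation from the single canonical DER encoding is rejected, so a
signature cannot be mutated (trailing bytes, padding) and still verify.
"""


class InvalidSignatureEncoding(ValueError):
    """Raised for any byte string that is not canonical DER for (r, s)."""


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos, enforcing definite, minimal length
    encoding. Returns (tag, value_bytes, position_after_value)."""
    if pos + 2 > len(buf):
        raise InvalidSignatureEncoding("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F
        if n == 0 or n > 4:                 # indefinite length or absurd size
            raise InvalidSignatureEncoding("bad length form")
        if pos + n > len(buf):
            raise InvalidSignatureEncoding("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        # DER: long form only when the value does not fit the short form,
        # and without leading zero length bytes.
        if length < 0x80 or buf[pos] == 0:
            raise InvalidSignatureEncoding("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise InvalidSignatureEncoding("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _decode_der_integer(value: bytes) -> int:
    """Decode a DER INTEGER content octets as an unsigned, minimally encoded int."""
    if not value:
        raise InvalidSignatureEncoding("empty INTEGER")
    if value[0] & 0x80:
        raise InvalidSignatureEncoding("negative INTEGER")      # r, s are unsigned
    if len(value) > 1 and value[0] == 0 and not (value[1] & 0x80):
        raise InvalidSignatureEncoding("non-minimal INTEGER (leading zero)")
    return int.from_bytes(value, "big")


def decode_ecdsa_signature(sig: bytes, order: int):
    """Return (r, s) for a canonical DER ECDSA signature; `order` is the group
    order n, used to enforce 0 < r, s < n."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise InvalidSignatureEncoding("outer element is not a SEQUENCE")
    if end != len(sig):
        raise InvalidSignatureEncoding("trailing bytes after SEQUENCE")
    tag_r, r_bytes, p = _read_tlv(body, 0)
    tag_s, s_bytes, p = _read_tlv(body, p)
    if tag_r != 0x02 or tag_s != 0x02:
        raise InvalidSignatureEncoding("expected two INTEGERs")
    if p != len(body):
        raise InvalidSignatureEncoding("extra bytes inside SEQUENCE")
    r, s = _decode_der_integer(r_bytes), _decode_der_integer(s_bytes)
    if not (0 < r < order and 0 < s < order):
        raise InvalidSignatureEncoding("r or s out of range")
    return r, s


def is_canonical(sig: bytes, order: int) -> bool:
    """True only for the single DER encoding of a valid (r, s) pair."""
    try:
        decode_ecdsa_signature(sig, order)
        return True
    except InvalidSignatureEncoding:
        return False


def encode_ecdsa_signature(r: int, s: int) -> bytes:
    """Canonical DER encoder, used here to build sample inputs. Assumes the
    body is shorter than 128 bytes (true for curves up to P-256/P-384)."""
    def der_int(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        if b[0] & 0x80:
            b = b"\x00" + b                 # keep the integer non-negative
        return b"\x02" + bytes([len(b)]) + b
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body


# Real P-256 group order n; the r/s values below are constructed toy numbers.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

if __name__ == "__main__":
    good = encode_ecdsa_signature(0x80, 0x7F)          # 30 07 02 02 00 80 02 01 7F
    print("canonical:", is_canonical(good, P256_ORDER))                 # True
    print("trailing byte:", is_canonical(good + b"\x00", P256_ORDER))  # False
    print("padded r:", is_canonical(bytes.fromhex("30080203000080 02017f"), P256_ORDER))  # False
```

Running the block prints `True`, `False`, `False`: the same (r, s) with one trailing byte appended, or with a redundant leading zero inside r, is refused instead of being accepted as a second valid encoding of the signature.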