Univention Bugzilla – Bug 38929
openjdk-6: Multiple security issues (3.2)
Last modified: 2015-11-19 13:30:44 CET
New issues from http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html:
deserialization issue in ObjectInputStream.readSerialData() (CVE-2015-2590)
non-constant time comparisons in crypto code (CVE-2015-2601)
NSS/JCE: missing EC parameter validation in ECDH_Derive() (CVE-2015-2613)
unspecified vulnerability in the 2D component (CVE-2015-2619)
incorrect code permission checks in RMIConnectionImpl (CVE-2015-2621)
name for reverse DNS lookup used in certificate identity check (CVE-2015-2625)
IIOPInputStream type confusion vulnerability (CVE-2015-2628)
ICU: integer overflow in LETableReference verifyLength() (CVE-2015-2632)
unspecified vulnerability in the 2D component (CVE-2015-2637)
unspecified vulnerability in the 2D component (CVE-2015-2638)
SSL/TLS: "Invariance Weakness" vulnerability in RC4 stream cipher (CVE-2015-2808)
LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks (CVE-2015-4000)
improper permission checks in MBeanServerInvocationHandler (CVE-2015-4731)
insufficient context checks during object deserialization (CVE-2015-4732)
RemoteObjectInvocationHandler allows calling finalize() (CVE-2015-4733)
incorrect OCSP nextUpdate checking (CVE-2015-4748)
DnsClient fails to release request information after error (CVE-2015-4749)
ICU: missing boundary checks in layout engine (CVE-2015-4760)
Fixed in upstream Debian package version 6b36-1.13.8-1.
Rather: 6b36-1.13.8-1~deb6u1
$ repo_admin.py -U -p openjdk-6 -d squeeze-lts -r 3.2-0-0 -s errata3.2-7
Package: openjdk-6
Version: 6b36-1.13.8-1.78.201510261342
Branch: ucs_3.2-0
Scope: errata3.2-7

r64864 | Bug #38929: OpenJDK-6 errata3.2-7 YAML
2015-10-26-openjdk-6.yaml

$ cat >>Hello.java <<__JAVA__
public class Hello {
    public static void main(String[] args) {
        System.out.println("Hello UCS");
    }
}
__JAVA__
$ javac Hello.java
$ java -cp . Hello
Hello UCS
OK: DEBIAN_FRONTEND=noninteractive apt-get install -y openjdk-6-jdk
OK: 2015-10-26-openjdk-6.yaml
OK: Test: "Hello UCS"

The sheer amount of open security bugs (incl. remotely exploitable ones) is astonishing.
<http://errata.software-univention.de/ucs/3.2/378.html>