Bug 40044 - openjdk-6: Multiple security issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
P3 normal
UCS 3.2-8-errata
Assigned To: Daniel Tröder
Arvid Requate
http://www.oracle.com/technetwork/top...
Reported: 2015-11-19 21:35 CET by Arvid Requate
Modified: 2016-06-01 16:12 CEST (History)

Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2015-11-19 21:35:12 CET
New issues from http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html :

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)

* A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)

* A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4872)

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4842, CVE-2015-4903)

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911)

               -- CVE descriptions courtesy of Ubuntu.
Comment 1 Arvid Requate univentionstaff 2016-01-28 14:56:45 CET
New security vulnerabilities have been discovered in OpenJDK-6:

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA

The current version in UCS 3.2-8 is affected by these:

 - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays
 - S8059054, CVE-2016-0402: Better URL processing
 - S8130710, CVE-2016-0448: Better attributes processing
 - S8133962, CVE-2016-0466: More general limits
 - S8139017, CVE-2016-0483: More stable image decoding
 - S8140543, CVE-2016-0494: Arrange font actions
 - S8137060: JMX memory management improvements
 - S8139012: Better font substitutions
 - S8143185: Cleanup for handling proxies
Comment 2 Arvid Requate univentionstaff 2016-01-28 15:10:49 CET
Upstream Debian package version 6b37-1.13.9-1~deb6u1 fixed these issues:

 - S8048030, CVE-2015-4734: Expectations should be consistent
 - S8068842, CVE-2015-4803: Better JAXP data handling
 - S8076339, CVE-2015-4903: Better handling of remote object invocation
 - S8076383, CVE-2015-4835: Better CORBA exception handling
 - S8076387, CVE-2015-4882: Better CORBA value handling
 - S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
 - S8076413, CVE-2015-4883: Better JRMP message handling
 - S8078427, CVE-2015-4842: More supportive home environment
 - S8078440: Safer managed types
 - S8080541: More direct property handling
 - S8080688, CVE-2015-4860: Service for DGC services
 - S8081760: Better group dynamics
 - S8086733, CVE-2015-4893: Improve namespace handling
 - S8087350: Improve array conversions
 - S8103671, CVE-2015-4805: More objective stream classes
 - S8103675: Better Binary searches
 - S8130078, CVE-2015-4911: Document better processing
 - S8130193, CVE-2015-4806: Improve HTTP connections
 - S8130864: Better server identity handling
 - S8130891, CVE-2015-4843: (bf) More direct buffering
 - S8131291, CVE-2015-4872: Perfect parameter patterning
 - S8132042, CVE-2015-4844: Preserve layout presentation
Comment 3 Arvid Requate univentionstaff 2016-02-04 18:42:28 CET
Upstream Debian package version 6b38-1.13.10-1~deb6u1 fixes these issues:

 - S8059054, CVE-2016-0402: Better URL processing
 - S8130710, CVE-2016-0448: Better attributes processing
 - S8133962, CVE-2016-0466: More general limits
 - S8137060: JMX memory management improvements
 - S8139012: Better font substitutions
 - S8139017, CVE-2016-0483: More stable image decoding
 - S8140543, CVE-2016-0494: Arrange font actions
 - S8143185: Cleanup for handling proxies
 - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays
 - CVE-2015-7575: Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols.
Comment 4 Daniel Tröder univentionstaff 2016-02-05 13:55:22 CET
dtroeder@dimma:~$ repo_admin.py -U -r 3.2-0-0 -s errata3.2-8 -d squeeze-lts -p openjdk-6

dtroeder@dimma:~$ repo_stat.py openjdk-6
6b38-1.13.10-1~deb6u1 imported on 2016-02-05 11:46:17.742412
 Included in scope errata3.2-8 for release tag 3.2-0-0 (77858)

dtroeder@dimma:~$ b32-scope errata3.2-8 openjdk-6
The following patches will be applied:
 00_hardcode-debian-settings-in-lsb-detection.patch
 10_icedtea-plugin-transition.patch
 20-always-update-alternatives.patch

r67236: openjdk-6.yaml
Comment 5 Arvid Requate univentionstaff 2016-05-31 17:11:11 CEST
Note: 6b38-1.13.10-1~deb6u1 corresponds to JDK 6u111:

https://blogs.oracle.com/thejavatutorials/entry/jdk_8u71_released

root@master30:~# java --version
java version "1.6.0_38"
OpenJDK Runtime Environment (IcedTea6 1.13.10) (6b38-1.13.10-1.79.201602051147)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)


Verified:
* Installable
* Advisory: Minor adjustments (reference Re: IcedTea removed, JDK version added)
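The verification above checks the build banner by eye. The following Python script is an added example, not part of this bug report or of Univention's tooling: it parses the `OpenJDK Runtime Environment (IcedTea6 x.y.z) (6bNN-...)` line that `java -version` writes to stderr and reports whether a host is at or above the 6b38 / IcedTea6 1.13.10 build that Comment 3 lists as fixing the January 2016 CVEs. The regular expression, the comparison rule (build number first, then IcedTea version) and the older sample banner are assumptions of this example; the patched banner is the one quoted in Comment 5.

```python
"""Check a java -version banner against the OpenJDK 6 build tracked in this bug.

Added example; not the bug report's or Univention's own code. The parsing
and comparison rules are assumptions of this example.
"""
import re

# Fixed build from Comment 3: OpenJDK 6 build 38 shipped with IcedTea6 1.13.10.
FIXED_BUILD = 38
FIXED_ICEDTEA = (1, 13, 10)

# CVEs Comment 3 lists as fixed by 6b38-1.13.10-1~deb6u1.
CVES_FIXED_IN_6B38 = [
    "CVE-2016-0402", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-0483",
    "CVE-2016-0494", "CVE-2015-8126", "CVE-2015-8472", "CVE-2015-7575",
]

# Matches the runtime line of the banner, e.g.
#   OpenJDK Runtime Environment (IcedTea6 1.13.10) (6b38-1.13.10-1.79.201602051147)
BANNER_RE = re.compile(
    r"OpenJDK Runtime Environment \(IcedTea6 (?P<icedtea>\d+(?:\.\d+)*)\) "
    r"\((?P<build>6b\d+)-"
)


def parse_banner(text):
    """Return (build_number, icedtea_version_tuple) or None if no banner is found."""
    match = BANNER_RE.search(text)
    if match is None:
        return None
    build = int(match.group("build")[2:])            # "6b38" -> 38
    icedtea = tuple(int(part) for part in match.group("icedtea").split("."))
    return build, icedtea


def is_patched(text):
    """True when the banner is at or above 6b38 / IcedTea6 1.13.10 (assumed rule)."""
    parsed = parse_banner(text)
    if parsed is None:
        return False                                  # unknown build: treat as unpatched
    build, icedtea = parsed
    return (build, icedtea) >= (FIXED_BUILD, FIXED_ICEDTEA)


def open_cves(text):
    """CVEs from Comment 3 still considered open for the given banner."""
    return [] if is_patched(text) else list(CVES_FIXED_IN_6B38)


# Constructed sample: the banner quoted in Comment 5 of the bug.
PATCHED_BANNER = """java version "1.6.0_38"
OpenJDK Runtime Environment (IcedTea6 1.13.10) (6b38-1.13.10-1.79.201602051147)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)"""

# Constructed sample of an older build; the numbers are illustrative only.
OLD_BANNER = """java version "1.6.0_36"
OpenJDK Runtime Environment (IcedTea6 1.13.8) (6b36-1.13.8-1~deb6u1)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)"""

if __name__ == "__main__":
    for name, banner in (("patched host", PATCHED_BANNER), ("old host", OLD_BANNER)):
        if is_patched(banner):
            print("%s: patched" % name)
        else:
            print("%s: still affected by %s" % (name, ", ".join(open_cves(banner))))
```

On a real host, feed the script the stderr of `java -version` (OpenJDK 6 prints the banner there, not to stdout); a banner with no IcedTea6 runtime line is reported as unpatched rather than silently passed.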
Comment 6 Janek Walkenhorst univentionstaff 2016-06-01 16:12:06 CEST
<http://errata.software-univention.de/ucs/3.2/429.html>