Univention Bugzilla – Bug 40044
openjdk-6: Multiple security issues (3.2)
Last modified: 2016-06-01 16:12:06 CEST
New issues from http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html :

* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4881, CVE-2015-4883)
* A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806)
* A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4872)
* Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4842, CVE-2015-4903)
* Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability. An attacker could exploit these to cause a denial of service. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911)

-- CVE descriptions courtesy of Ubuntu.
New security vulnerabilities have been discovered in OpenJDK-6: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA

The current version in UCS 3.2-8 is affected by these:
- S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays
- S8059054, CVE-2016-0402: Better URL processing
- S8130710, CVE-2016-0448: Better attributes processing
- S8133962, CVE-2016-0466: More general limits
- S8139017, CVE-2016-0483: More stable image decoding
- S8140543, CVE-2016-0494: Arrange font actions
- S8137060: JMX memory management improvements
- S8139012: Better font substitutions
- S8143185: Cleanup for handling proxies
Upstream Debian package version 6b37-1.13.9-1~deb6u1 fixed these issues:
- S8048030, CVE-2015-4734: Expectations should be consistent
- S8068842, CVE-2015-4803: Better JAXP data handling
- S8076339, CVE-2015-4903: Better handling of remote object invocation
- S8076383, CVE-2015-4835: Better CORBA exception handling
- S8076387, CVE-2015-4882: Better CORBA value handling
- S8076392, CVE-2015-4881: Improve IIOPInputStream consistency
- S8076413, CVE-2015-4883: Better JRMP message handling
- S8078427, CVE-2015-4842: More supportive home environment
- S8078440: Safer managed types
- S8080541: More direct property handling
- S8080688, CVE-2015-4860: Service for DGC services
- S8081760: Better group dynamics
- S8086733, CVE-2015-4893: Improve namespace handling
- S8087350: Improve array conversions
- S8103671, CVE-2015-4805: More objective stream classes
- S8103675: Better Binary searches
- S8130078, CVE-2015-4911: Document better processing
- S8130193, CVE-2015-4806: Improve HTTP connections
- S8130864: Better server identity handling
- S8130891, CVE-2015-4843: (bf) More direct buffering
- S8131291, CVE-2015-4872: Perfect parameter patterning
- S8132042, CVE-2015-4844: Preserve layout presentation
Upstream Debian package version 6b38-1.13.10-1~deb6u1 fixes these issues:
- S8059054, CVE-2016-0402: Better URL processing
- S8130710, CVE-2016-0448: Better attributes processing
- S8133962, CVE-2016-0466: More general limits
- S8137060: JMX memory management improvements
- S8139012: Better font substitutions
- S8139017, CVE-2016-0483: More stable image decoding
- S8140543, CVE-2016-0494: Arrange font actions
- S8143185: Cleanup for handling proxies
- S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays
- CVE-2015-7575: Very difficult to exploit vulnerability allows successful unauthenticated network attacks via multiple protocols.
dtroeder@dimma:~$ repo_admin.py -U -r 3.2-0-0 -s errata3.2-8 -d squeeze-lts -p openjdk-6
dtroeder@dimma:~$ repo_stat.py openjdk-6
6b38-1.13.10-1~deb6u1 imported on 2016-02-05 11:46:17.742412
Included in scope errata3.2-8 for release tag 3.2-0-0 (77858)
dtroeder@dimma:~$ b32-scope errata3.2-8 openjdk-6
The following patches will be applied:
00_hardcode-debian-settings-in-lsb-detection.patch
10_icedtea-plugin-transition.patch
20-always-update-alternatives.patch

r67236: openjdk-6.yaml
Note: 6b38-1.13.10-1~deb6u1 corresponds to JDK 6u111: https://blogs.oracle.com/thejavatutorials/entry/jdk_8u71_released

root@master30:~# java --version
java version "1.6.0_38"
OpenJDK Runtime Environment (IcedTea6 1.13.10) (6b38-1.13.10-1.79.201602051147)
OpenJDK 64-Bit Server VM (build 23.25-b01, mixed mode)

Verified:
* Installable
* Advisory: Minor adjustments (reference Re: IcedTea removed, JDK version added)
<http://errata.software-univention.de/ucs/3.2/429.html>