Univention Bugzilla – Bug 41952
icu: Multiple issues (4.1)
Last modified: 2017-04-19 16:50:21 CEST
Upstream Debian package version 4.8.1.1-12+deb7u4 fixes these issues:
* Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (CVE-2015-2632)
* Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2015-4844)
* Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2016-0494)

These issues found in Java also affect the International Components for Unicode (icu).
CVE-2015-2632: CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2015-4844: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-0494: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
4.8.1.1-12+deb7u5:
CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
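As an added illustration of the defect class behind CVE-2016-6293 (a temporary array that is not guaranteed to end in '\0' when the Accept-Language input is long), the helper below is not ICU's code or its fix; the function name, the 32-byte buffer size and the constructed inputs are assumptions. It shows the defensive pattern a reviewer would look for: bounded copy, unconditional NUL termination, and an explicit truncation result rather than a silently unterminated buffer.

```c
#include <stddef.h>
#include <string.h>

#define TAG_BUF 32  /* assumed size of the temporary tag buffer */

/* Copy the first language tag of an Accept-Language value (the text up
 * to the first ',' or ';', with surrounding spaces trimmed) into out.
 * out is always NUL-terminated on return, whatever the input length.
 * Returns the tag length, or -1 if the tag does not fit (out then
 * holds a terminated prefix, so later string reads stay in bounds). */
int first_language_tag(const char *accept, char *out, size_t out_size)
{
    if (out_size == 0) return -1;
    out[0] = '\0';
    if (accept == NULL) return -1;

    while (*accept == ' ') accept++;                 /* skip leading spaces */
    size_t len = strcspn(accept, ",;");              /* stop at q-value or next tag */
    while (len > 0 && accept[len - 1] == ' ') len--; /* trim trailing spaces */

    if (len >= out_size) {                           /* no room for '\0': truncate */
        memcpy(out, accept, out_size - 1);
        out[out_size - 1] = '\0';
        return -1;
    }
    memcpy(out, accept, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed normal header: returns 1 when "en-US" is extracted. */
int check_simple_header(void)
{
    char tag[TAG_BUF];
    int rc = first_language_tag("en-US,de;q=0.8", tag, sizeof tag);
    return rc == 5 && strcmp(tag, "en-US") == 0;
}

/* Constructed over-long tag (599 'x'): returns 1 when the call reports
 * truncation and the buffer is still NUL-terminated within its bounds. */
int check_long_tag_is_terminated(void)
{
    char tag[TAG_BUF];
    char longtag[600];
    memset(longtag, 'x', sizeof longtag - 1);
    longtag[sizeof longtag - 1] = '\0';
    int rc = first_language_tag(longtag, tag, sizeof tag);
    return rc == -1 && strlen(tag) == TAG_BUF - 1;
}
```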
Upstream Debian package version 4.8.1.1-12+deb7u6 fixes these issues:
* buffer overflow problem in uresbund.c (CVE-2014-9911)
* stack-based buffer overflow in the Locale class via a long locale string (CVE-2016-7415)
Advisory: icu.yaml
OK - 4.8.1.1-12+deb7u6 with
- CVE-2015-2632
- CVE-2015-4844
- CVE-2016-0494
- CVE-2016-6293
- CVE-2014-9911
- CVE-2016-7415
OK - update
OK - YAML
<http://errata.software-univention.de/ucs/4.1/364.html>