| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dev-java/oracle-{jdk,jre}-bin-1.8.0.51: Multiple vulnerabilities (CVE-2015-{2590,2601,2613,2619,2621,2625,2627,2628,2632,2637,2638,2659,2664,2808,4000,4729,4731,4732,4733,4736,4748,4760}) | | |
| Product | Gentoo Security | Reporter | Alexander Bezrukov <phmagic> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | ago, ap, chewi, ct85711, gentoo, java, monsieurp, wyvern5 |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-trend-micro-discovers-new-java-zero-day-exploit/ | | |
| Whiteboard | A2 [glsa cve] | | |
| Package list | | Runtime testing required | --- |
Description
Alexander Bezrukov
2015-07-14 12:10:05 UTC

Researchers from Trend Micro found a new exploit hosted on some web-servers on the Internet, which allows for arbitrary code execution (driven by download). 1.8.0.45 is affected, j{dk,re}-1.7* are not. While payload being distributed is targeting Windows computers, it is unclear whether the vulnerability allowing for execution of arbitrary code exists in JRE/JDK distribution for other OSes too, or not.

Comment 1
Kristian Fiskerstrand

(In reply to Alexander Bezrukov from comment #0)
> Researchers from Trend Micro found a new exploit hosted on some web-servers
> on the Internet, which allows for arbitrary code execution (driven by
> download). 1.8.0.45 is affected, j{dk,re}-1.7* are not. While payload being
> distributed is targeting Windows computers, it is unclear whether the
> vulnerability allowing for execution of arbitrary code exists in JRE/JDK
> distribution for other OSes too, or not.

Thanks for the report. Since this source (${URL}) is public, is there a reason for submitting it as a classified / restricted bug report? Or should this bug be made public?

Comment 2
Alexander Bezrukov

(In reply to Kristian Fiskerstrand from comment #1)
> Thanks for the report. Since this source (${URL}) is public, is there a
> reason for submitting it as a classified / restricted bug report? or should
> this bug be made public?

Perhaps it should be made public. AFAIK, there is no CVE assigned yet and Oracle is silent about this vulnerability. So by marking it private I shifted the responsibility for this to Gentoo security :)

Comment 3
Kristian Fiskerstrand

(In reply to Alexander Bezrukov from comment #2)
> (In reply to Kristian Fiskerstrand from comment #1)
> > Thanks for the report. Since this source (${URL}) is public, is there a
> > reason for submitting it as a classified / restricted bug report? or should
> > this bug be made public?
>
> Perhaps it should be made public. AFAIK, there is no CVE assigned yet and
> Oracle is silent about this vulnerability. So marking it private I shifted
> the responsibility for this to Gentoo security :)

Thanks for the clarification. Since the source is public I'm lifting the restriction.

Comment 4

*** Bug 554930 has been marked as a duplicate of this bug. ***

Comment 5

This issue is addressed in java-8u51.

Comment 6

*** Bug 555022 has been marked as a duplicate of this bug. ***

Comment 7

Please state the package name entirely or everyone will file a duplicate.

Comment 8
wyvern5

1.8u51 has been out for a while; when can we expect to see ebuilds? Thanks!

Comment 9

(In reply to wyvern5 from comment #8)
> 1.8u51 has been out for a while; when can we expect to see ebuilds? Thanks!

I was overseas for my grandfather's funeral when this came up. I have also taken the opportunity to address many issues with the current ebuild, some of which have resulted in bugs being filed. I have been working on it all week and hope to finish it tonight or tomorrow.

Comment 10

I think the ebuilds are ready now but there have been some USE flag changes that will require me to adjust several Portage profiles. They really need cleaning up anyway; several still refer to sun-jdk and sun-jre, for example. It's late now and I don't want to risk fucking this up, so I'll wait till tomorrow.

Comment 11

*** Bug 556022 has been marked as a duplicate of this bug. ***

Comment 12

Job done. Arch teams, please stabilize:

dev-java/oracle-jdk-bin-1.8.0.51
dev-java/oracle-jre-bin-1.8.0.51
dev-java/java-sdk-docs-1.8.0.51

Later comments

amd64 stable.

x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Clean up done.

ping Arches and Maintainer(s), thank you for your work. Added to an existing GLSA request.

This issue was resolved and addressed in GLSA 201603-11 at https://security.gentoo.org/glsa/201603-11 by GLSA coordinator Kristian Fiskerstrand (K_F).