From ${URL} : Description Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious, local users to manipulate certain data and gain escalated privileges and by malicious people to disclose certain sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system. 1) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 2) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 3) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 4) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 5) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 6) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 7) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 8) An unspecified error in the Beans component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 9) An unspecified error in the Deployment component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 10) An unspecified error in the Deployment component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 11) An unspecified error in the Hotspot component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 12) An unspecified error in the Install component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 13) An unspecified error in the JAXP component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 14) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 15) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 16) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 17) An unspecified error in the Libraries component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 18) An unspecified error in the RMI component of the client and server deployment can be exploited to potentially execute arbitrary code. 19) An unspecified error in the RMI component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 20) An unspecified error in the HotSpot component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 21) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 22) An unspecified error in the Libraries component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 23) An unspecified error in the Libraries component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 24) An unspecified error in the Libraries component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 25) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 26) An unspecified error in the ImageIO component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 27) An unspecified error in the ImageIO component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 28) An unspecified error in the Install component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to potentially execute arbitrary code. 29) An unspecified error in the Install component of the client deployment can be exploited by a local user to gain escalated privileges. 30) An unspecified error in the AWT component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose and manipulate certain data. 31) An unspecified error in the 2D component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to cause a DoS. 32) An unspecified error in the JMX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data. 33) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data. 34) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data. 35) An unspecified error in the JavaFX component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data. 36) An unspecified error in the Networking component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to cause a DoS. 37) An unspecified error in the Deployment component of the client deployment can be exploited by a local user to gain escalated privileges. 38) An unspecified error in the Deployment component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data. 39) An unspecified error in the Network component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data. 40) An unspecified error in the Network component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data. 41) An unspecified error in the Hotspot component of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to manipulate certain data. 42) An unspecified error in the JAX-WS component of the client and server deployment can be exploited by local users to manipulate certain data. The vulnerabilities are reported in the following products: * JDK and JRE 7 Update 17 and prior * JDK and JRE 6 Update 43 and prior * JDK and JRE 5.0 Update 41 and prior Solution Apply updates. Further details available to Secunia VIM customers Provided and/or discovered by It is currently unclear who reported the vulnerabilities as the Oracle Java SE Critical Patch Update for April 2013 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information. Original Advisory http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html http://www.oracle.com/technetwork/topics/security/javacpuapr2013verbose-1928687.html @maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
Version bumps are now in tree. The following need to be stabilized on amd64: =app-emulation/emul-linux-x86-java-1.6.0.45 =dev-java/sun-jdk-1.6.0.45 =dev-java/sun-jre-bin-1.6.0.45 The following need to be stabilized on x86: =dev-java/sun-jdk-1.6.0.45 =dev-java/sun-jre-bin-1.6.0.45 =dev-java/oracle-jdk-bin-1.7.0.21 =dev-java/oracle-jre-bin-1.7.0.21
CVE-2013-2440 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2440): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2435. CVE-2013-2439 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2439): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Install. CVE-2013-2438 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2438): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect integrity via unknown vectors related to JavaFX. CVE-2013-2436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2436): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-1488 and CVE-2013-2426. CVE-2013-2435 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2435): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2440. CVE-2013-2434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2434): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. CVE-2013-2433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2433): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-1540. CVE-2013-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2432): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2394 and CVE-2013-1491. CVE-2013-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2431): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. CVE-2013-2430 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2430): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. CVE-2013-2429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2429): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO. CVE-2013-2428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2428): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX, a different vulnerability than CVE-2013-0402, CVE-2013-2414, and CVE-2013-2427. CVE-2013-2427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2427): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX, a different vulnerability than CVE-2013-0402, CVE-2013-2414, and CVE-2013-2428. CVE-2013-2426 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2426): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-1488 and CVE-2013-2436. CVE-2013-2425 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2425): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install. CVE-2013-2424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2424): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality via vectors related to JMX. CVE-2013-2423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2423): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect integrity via unknown vectors related to HotSpot. CVE-2013-2422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2422): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVE-2013-2421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2421): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. CVE-2013-2420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2420): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2384. CVE-2013-2419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2419): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect availability via unknown vectors related to 2D. CVE-2013-2418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2418): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVE-2013-2417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2417): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect availability via unknown vectors related to Networking. CVE-2013-2416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2416): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment. CVE-2013-2415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2415): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows local users to affect confidentiality via vectors related to JAX-WS. CVE-2013-2414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2414): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX, a different vulnerability than CVE-2013-0402, CVE-2013-2427, and CVE-2013-2428. CVE-2013-2394 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2394): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2432 and CVE-2013-1491. CVE-2013-2384 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2384): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2383, and CVE-2013-2420. CVE-2013-2383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2383): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-1569, CVE-2013-2384, and CVE-2013-2420. CVE-2013-1569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1569): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2383, CVE-2013-2384, and CVE-2013-2420. CVE-2013-1564 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1564): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect integrity via unknown vectors related to JavaFX. CVE-2013-1563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1563): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install. CVE-2013-1561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1561): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality via unknown vectors related to JavaFX. CVE-2013-1558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1558): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. CVE-2013-1557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1557): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. CVE-2013-1540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1540): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and 6 Update 43 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2433. CVE-2013-1537 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1537): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. CVE-2013-1518 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1518): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP. CVE-2013-1491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1491): The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, 5.0 Update 41 and earlier, and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via vectors related to 2D, as demonstrated by Joshua Drake during a Pwn2Own competition at CanSecWest 2013. CVE-2013-1488 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1488): The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to execute arbitrary code via unspecified vectors involving reflection and Libraries, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013. CVE-2013-0402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0402): Heap-based buffer overflow in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via unspecified vectors related to JavaFX, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013. CVE-2013-0401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0401): The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013.
amd64 stable
x86 stable
This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle).
