Bug 517220 (CVE-2014-2483) - <dev-java/oracle-{jdk,jre}-bin-{1.7.0.65,1.8.0.11}: Multiple Vulnerabilities (CVE-2014-{2483,2490,4208,4209,4216,4218,4219,4220,4221,4223,4227,4244,4247,4252,4262,4263,4265,4266,4268,4264})
Summary: <dev-java/oracle-{jdk,jre}-bin-{1.7.0.65,1.8.0.11}: Multiple Vulnerabilities ...
Status: RESOLVED FIXED
Alias: CVE-2014-2483
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/59501/
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 517656
Depends on:
Blocks:
Reported: 2014-07-16 07:54 UTC by Agostino Sarubbo
Modified: 2015-02-15 14:50 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-07-16 07:54:46 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a user's system.

1) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

2) An error within the Hotspot subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

3) An error within the Hotspot subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

4) An error within the Hotspot subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

5) An error within the JavaFX subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

6) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

7) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

8) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.

9) An error within the JMX subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data.

10) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to update, insert, or delete certain data.

11) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to update, insert, or delete certain data.

12) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to update, insert, or delete certain data.

13) An error within the Security subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.

14) An error within the Serviceability subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to update, insert, or delete certain data.

15) An error within the Swing subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.

16) An error within the Security subcomponent of the client and server deployment can be exploited to cause a crash.

17) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.

18) An error within the Security subcomponent of client and server deployments can be exploited to disclose, update, insert, or delete certain data.

19) An error related to the Diffie-Hellman key agreement within the Security subcomponent of the client and server deployment can be exploited to disclose, update, insert, or delete certain data.

20) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to update, insert, or delete certain data.

The vulnerabilities are reported in the following products:
* JDK and JRE 5 Update 65 and prior
* JDK and JRE 6 Update 75 and prior
* JDK and JRE 7 Update 60 and prior
* JDK and JRE 8 Update 5 and prior


Solution:
Apply update.

Further details available to Secunia VIM customers

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for July 2014 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2014-07-20 21:26:34 UTC
Added the following to tree:
 oracle-{jdk,jre}-bin-1.7.0.65
 oracle-{jdk,jre}-bin-1.8.0.11

Archteams please stabilize the following on amd64 and x86:
 oracle-{jdk,jre}-bin-1.7.0.65
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2014-07-21 08:33:45 UTC
*** Bug 517656 has been marked as a duplicate of this bug. ***
Comment 3 Agostino Sarubbo gentoo-dev 2014-07-21 12:31:56 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-07-21 12:32:08 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Ralph Sennhauser (RETIRED) gentoo-dev 2014-07-21 19:18:25 UTC
(In reply to Agostino Sarubbo from comment #4)
> Maintainer(s), please cleanup.

Done, tho had to keep 1.7.0.60 for arm.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-07-21 22:01:42 UTC
CVE-2014-4268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4268):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality via unknown vectors
  related to Swing.

CVE-2014-4266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4266):
  Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote
  attackers to affect integrity via unknown vectors related to Serviceability.

CVE-2014-4265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4265):
  Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows
  remote attackers to affect integrity via unknown vectors related to
  Deployment.

CVE-2014-4264 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4264):
  Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote
  attackers to affect availability via unknown vectors related to Security.

CVE-2014-4263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4263):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and
  JRockit R27.8.2 and R28.3.2, allows remote attackers to affect
  confidentiality and integrity via unknown vectors related to "Diffie-Hellman
  key agreement."

CVE-2014-4262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4262):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Libraries.

CVE-2014-4252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4252):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality via unknown vectors
  related to Security.

CVE-2014-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4247):
  Unspecified vulnerability in Oracle Java SE 8u5 allows remote attackers to
  affect confidentiality, integrity, and availability via unknown vectors
  related to JavaFX.

CVE-2014-4244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4244):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and
  JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect
  confidentiality and integrity via unknown vectors related to Security.

CVE-2014-4227 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4227):
  Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment.

CVE-2014-4223 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4223):
  Unspecified vulnerability in Oracle Java SE 7u60 allows remote attackers to
  affect confidentiality, integrity, and availability via unknown vectors
  related to Libraries, a different vulnerability than CVE-2014-2483.

CVE-2014-4221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4221):
  Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote
  attackers to affect confidentiality via unknown vectors related to
  Libraries.

CVE-2014-4220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4220):
  Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote
  attackers to affect integrity via unknown vectors related to Deployment, a
  different vulnerability than CVE-2014-4208.

CVE-2014-4219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4219):
  Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Hotspot.

CVE-2014-4218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4218):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect integrity via unknown vectors related to
  Libraries.

CVE-2014-4216 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4216):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2014-4209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4209):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality and integrity via vectors
  related to JMX.

CVE-2014-4208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4208):
  Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60
  and 8u5 allows remote attackers to affect integrity via unknown vectors
  related to Deployment, a different vulnerability than CVE-2014-4220.

CVE-2014-2490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2490):
  Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60
  and SE 8u5 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2014-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2483):
  Unspecified vulnerability in the Java SE component in Oracle Java SE Java SE
  7u60 and OpenJDK 7 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Libraries, a
  different vulnerability than CVE-2014-4223. NOTE: the previous information
  is from the July 2014 CPU. Oracle has not commented on another vendor's
  claim that the issue is related to improper restriction of the "use of
  privileged annotations."
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-07-21 23:41:07 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:50:37 UTC
This issue was resolved and addressed in
 GLSA 201502-12 at http://security.gentoo.org/glsa/glsa-201502-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).