Bug 525464 - <dev-java/oracle-{jre,jdk}-bin-1.7.0.71, <app-emulation/emul-linux-x86-java-1.7.0.71: multiple vulnerabilities (CVE-2014-{4288,6456,6457,6458,6466,6468,6476,6485,6492,6493,6502,6503,6504,6506,6511,6512,6513,6515,6517,6519,6527,6531,6532,6558,6562})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/top...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 526086 527280
Depends on:
Blocks:
 
Reported: 2014-10-15 08:02 UTC by Agostino Sarubbo
Modified: 2015-02-15 14:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-10-15 08:02:50 UTC
See ${URL} for details.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-10-20 10:17:30 UTC
Don't forget to bump dev-java/java-sdk-docs and dev-java/oracle-jre-bin
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-10-21 09:21:50 UTC
*** Bug 526086 has been marked as a duplicate of this bug. ***
Comment 3 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2014-11-01 07:10:53 UTC
+*java-sdk-docs-1.7.0.71 (01 Nov 2014)
+
+  01 Nov 2014; Johann Schmitz <ercpe@gentoo.org> +java-sdk-docs-1.7.0.71.ebuild:
+  Java SDK update to latest cpu release


+*oracle-jre-bin-1.7.0.71 (01 Nov 2014)
+
+  01 Nov 2014; Johann Schmitz <ercpe@gentoo.org>
+  +oracle-jre-bin-1.7.0.71.ebuild, oracle-jre-bin-1.7.0.65.ebuild:
+  Oracle JRE update to latest cpu release
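
Review bot: The file list in the oracle-jre-bin entry names oracle-jre-bin-1.7.0.65.ebuild with no + or - prefix, which records it as modified, yet the message only says "Oracle JRE update to latest cpu release". Say what was changed in the 1.7.0.65 ebuild, and consider citing bug 525464 in the entry so the security bump can be traced from the ChangeLog.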

+*oracle-jdk-bin-1.7.0.71 (01 Nov 2014)
+
+  01 Nov 2014; Johann Schmitz <ercpe@gentoo.org>
+  +oracle-jdk-bin-1.7.0.71.ebuild:
+  Oracle JDK update to latest cpu release
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-11-01 12:50:12 UTC
(In reply to Johann Schmitz (ercpe) from comment #3)
> +*java-sdk-docs-1.7.0.71 (01 Nov 2014)
> +
> +  01 Nov 2014; Johann Schmitz <ercpe@gentoo.org>
> +java-sdk-docs-1.7.0.71.ebuild:
> +  Java SDK update to latest cpu release
> 
> 
> +*oracle-jre-bin-1.7.0.71 (01 Nov 2014)
> +
> +  01 Nov 2014; Johann Schmitz <ercpe@gentoo.org>
> +  +oracle-jre-bin-1.7.0.71.ebuild, oracle-jre-bin-1.7.0.65.ebuild:
> +  Oracle JRE update to latest cpu release
> 
> +*oracle-jdk-bin-1.7.0.71 (01 Nov 2014)
> +
> +  01 Nov 2014; Johann Schmitz <ercpe@gentoo.org>
> +  +oracle-jdk-bin-1.7.0.71.ebuild:
> +  Oracle JDK update to latest cpu release

Please stabilize all of those. ppc/64 has just the java-sdk-docs but maybe we can stabilize it without testing there anyway, as it's just docs
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-11-01 13:16:42 UTC
Add app-emulation/emul-linux-x86-java-1.7.0.71.ebuild for amd64 stabilization, thx.
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-11-01 15:16:28 UTC
*** Bug 527280 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2014-11-01 17:01:01 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-11-02 09:21:03 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-11-02 09:23:30 UTC
ppc and ppc64 will drop.

I don't understand at all why we have keywords for java-sdk-docs while oracle-{jdk,jre}-bin is only for amd64 and x86.

Feel free to leave ~arch for ppc/ppc64.
Comment 10 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-11-02 12:25:39 UTC
(In reply to Agostino Sarubbo from comment #8)
> x86 stable

Not for java-sdk-docs :/
Comment 11 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2014-11-02 13:18:39 UTC
(In reply to Vlastimil Babka (Caster) from comment #10)
> (In reply to Agostino Sarubbo from comment #8)
> > x86 stable
> 
> Not for java-sdk-docs :/

Added with ago's permission. Cleanup done.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 03:13:16 UTC
CVE-2014-6562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6562):
  Unspecified vulnerability in Oracle Java SE 8u20 allows remote attackers to
  affect confidentiality, integrity, and availability via unknown vectors
  related to Libraries.

CVE-2014-6558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6558):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20;
  Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote
  attackers to affect integrity via unknown vectors related to Security.

CVE-2014-6532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6532):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment, a different vulnerability than
  CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503.

CVE-2014-6531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6531):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20,
  and Java SE Embedded 7u60, allows remote attackers to affect confidentiality
  via unknown vectors related to Libraries.

CVE-2014-6527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6527):
  Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote
  attackers to affect integrity via unknown vectors related to Deployment, a
  different vulnerability than CVE-2014-6476.

CVE-2014-6519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6519):
  Unspecified vulnerability in Oracle Java SE 7u67 and 8u20, and Java SE
  Embedded 7u60, allows remote attackers to affect integrity via unknown
  vectors related to Hotspot.

CVE-2014-6517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6517):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20; Java SE
  Embedded 7u60; and Jrockit R27.8.3 and R28.3.3 allows remote attackers to
  affect confidentiality via vectors related to JAXP.

CVE-2014-6515 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6515):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows
  remote attackers to affect integrity via unknown vectors related to
  Deployment.

CVE-2014-6513 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6513):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java
  SE Embedded 7u60, allows remote attackers to affect confidentiality,
  integrity, and availability via vectors related to AWT.

CVE-2014-6512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6512):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20;
  Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote
  attackers to affect integrity via unknown vectors related to Libraries.

CVE-2014-6511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6511):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20
  allows remote attackers to affect confidentiality via unknown vectors
  related to 2D.

CVE-2014-6506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6506):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20,
  and Java SE Embedded 7u60, allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Libraries.

CVE-2014-6504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6504):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, and 7u67, and Java
  SE Embedded 7u60, allows remote attackers to affect confidentiality via
  unknown vectors related to Hotspot.

CVE-2014-6503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6503):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment, a different vulnerability than
  CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532.

CVE-2014-6502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6502):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20,
  and Java SE Embedded 7u60, allows remote attackers to affect integrity via
  unknown vectors related to Libraries.

CVE-2014-6493 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6493):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment, a different vulnerability than
  CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532.

CVE-2014-6492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6492):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when
  running on Firefox, allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Deployment.

CVE-2014-6485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6485):
  Unspecified vulnerability in Oracle Java SE 8u20 and JavaFX 2.2.65 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors.

CVE-2014-6476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6476):
  Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote
  attackers to affect integrity via unknown vectors related to Deployment, a
  different vulnerability than CVE-2014-6527.

CVE-2014-6468 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6468):
  Unspecified vulnerability in Oracle Java SE 8u20 allows local users to
  affect confidentiality, integrity, and availability via unknown vectors
  related to Hotspot.

CVE-2014-6466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6466):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when
  running on Internet Explorer, allows local users to affect confidentiality,
  integrity, and availability via unknown vectors related to Deployment.

CVE-2014-6458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6458):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows
  local users to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment.

CVE-2014-6457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6457):
  Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20;
  Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote
  attackers to affect confidentiality and integrity via vectors related to
  JSSE.

CVE-2014-6456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6456):
  Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors.

CVE-2014-4288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4288):
  Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment, a different vulnerability than
  CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:50:46 UTC
This issue was resolved and addressed in
 GLSA 201502-12 at http://security.gentoo.org/glsa/glsa-201502-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).