Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 572716 - <dev-java/icedtea{,-bin}-7.2.6.4: Multiple vulnerabilities (CVE-2016-{0402,0448,0466,0483,0494})
Summary: <dev-java/icedtea{,-bin}-7.2.6.4: Multiple vulnerabilities (CVE-2016-{0402,04...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://blog.fuseyism.com/index.php/20...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-23 19:27 UTC by James Le Cuirot
Modified: 2016-03-12 23:41 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description James Le Cuirot gentoo-dev 2016-01-23 19:27:38 UTC 
I'm going to bump icedtea and icedtea-bin now. icedtea doesn't get marked stable so the vulnerable versions will be cleared immediately.
Comment 1 James Le Cuirot gentoo-dev 2016-01-23 22:48:55 UTC 
amd64 and x86 arch teams, please stabilise:
dev-java/icedtea-bin-7.2.6.4
Comment 2 Agostino Sarubbo gentoo-dev 2016-01-24 16:21:54 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-01-24 16:22:19 UTC 
x86 stable.

Maintainer(s), please cleanup.
Comment 4 James Le Cuirot gentoo-dev 2016-01-24 17:44:23 UTC 
Thanks ago! Old removed. Security team, please continue.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-09 13:31:48 UTC 
Added to existing GLSA request.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-09 13:39:46 UTC 
None of these apply to Java:

CVE-2015-{7575,8126,8472}
Comment 7 James Le Cuirot gentoo-dev 2016-03-09 13:59:49 UTC 
(In reply to Aaron Bauman from comment #6)
> None of these apply to Java:
> 
> CVE-2015-{7575,8126,8472}

They were mentioned in gnu_andrew's blog post in contexts relating to Java. I'm not sure how CVE-2015-{8126,8472} applies as libpng is used but not bundled. Regarding CVE-2015-7575, it says "further reduce use of MD5" which is presumably an attempt to mitigate the issue.
Comment 8 Patrice Clement gentoo-dev 2016-03-09 14:59:45 UTC 
Typo in the bug report title.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 23:41:34 UTC 
This issue was resolved and addressed in
 GLSA 201603-14 at https://security.gentoo.org/glsa/201603-14
by GLSA coordinator Kristian Fiskerstrand (K_F).