| Summary: | <dev-java/oracle-{jdk,jre}-bin-1.7.0.11: Unspecified remote code execution vulnerability (CVE-2012-3174,CVE-2013-0422) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sean Amoss (RETIRED) <ackle> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | jamiahx, java |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.kb.cert.org/vuls/id/625617 | ||
| Whiteboard: | B2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Sean Amoss (RETIRED)
2013-01-10 16:14:20 UTC
The following are now in tree and need to be stabilized on x86. Thanks. =dev-java/oracle-jdk-bin-1.7.0.11 =dev-java/oracle-jre-bin-1.7.0.11 *** Bug 451980 has been marked as a duplicate of this bug. *** CVE-2013-0422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422): The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via vectors related to unspecified classes that allow access to the class loader, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681. CVE-2012-3174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174): Oracle Java 7 before Update 11 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0422. NOTE: as of 20130114, the scope of this CVE is not clear due to the lack of technical details from Oracle, the CNA. It is currently unknown whether this CVE is related to (1) the findClass method in the MBeanInstantiator class, (2) recursive use of the reflection API, (3) an unrelated vulnerability, or (4) a combination of two or more of these vulnerabilities. I get: * Please download jdk-7u6-apidocs.zip from * http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-download-435117.html Link only gives jdk-7u11-apidocs.zip to download. What should I do with this? (In reply to comment #5) > I get: > > * Please download jdk-7u6-apidocs.zip from > * > http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc- > download-435117.html > > Link only gives jdk-7u11-apidocs.zip to download. What should I do with this? Seems to be caused by the package dev-java/java-sdk-docs-1.7.0.6 (In reply to comment #6) > (In reply to comment #5) > > I get: > > > > * Please download jdk-7u6-apidocs.zip from > > * > > http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc- > > download-435117.html > > > > Link only gives jdk-7u11-apidocs.zip to download. What should I do with this? > > Seems to be caused by the package dev-java/java-sdk-docs-1.7.0.6 Bumped to 1.7.0.11, please add =dev-java/java-sdk-docs-1.7.0.11 to the stabilization list. Builds fine on x86. Please mark stable for x86. x86 done in bug 455174 Already on existing GLSA draft. This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle). |