Summary: | <dev-java/sun-{jdk,jre-bin}-1.6.0.41, <app-emul/emul-linux-x86-java-1.6.0.41, <dev-java/oracle-{jdk,jre}-bin-1.7.0.15: Multiple vulnerabilities (CVE-2013-{0169,1484,1485,1486,1487}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Ralph Sennhauser (RETIRED) <sera> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Ralph Sennhauser (RETIRED)
2013-02-20 11:42:30 UTC
Version bumps are now in tree.

The following need to be stabilized on amd64:

=app-emulation/emul-linux-x86-java-1.6.0.41
=dev-java/sun-jdk-1.6.0.41
=dev-java/sun-jre-bin-1.6.0.41

The following need to be stabilized on x86:

=dev-java/sun-jdk-1.6.0.41
=dev-java/sun-jre-bin-1.6.0.41
=dev-java/oracle-jdk-bin-1.7.0.15
=dev-java/oracle-jre-bin-1.7.0.15

As suggested by Agostino Sarubbo (ago), @java will do the stabilization in 72h on its own if needed.

(In reply to comment #1)
> Version bumps are now in tree.
>
> The following need to be stabilized on amd64:
>
> =app-emulation/emul-linux-x86-java-1.6.0.41
> =dev-java/sun-jdk-1.6.0.41
> =dev-java/sun-jre-bin-1.6.0.41
>
> The following need to be stabilized on x86:
>
> =dev-java/sun-jdk-1.6.0.41
> =dev-java/sun-jre-bin-1.6.0.41
> =dev-java/oracle-jdk-bin-1.7.0.15
> =dev-java/oracle-jre-bin-1.7.0.15

Done.

> As suggested by Agostino Sarubbo (ago), @java will do the stabilization in
> 72h on its own if needed.

As I was asked on irc what I meant with that comment, I extend a little. First, due to the fetch restriction and quite a couple of tarballs, testing is unusually tedious, and in the case of binaries the chances it won't build are ... low. The other aspect is, a delay will result in bugs like bug 458914 due to Oracle removing old downloads or similar. Most users are probably using ~arch by now anyway after having been screwed once or more.

CVE-2013-1487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487):
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE 7 Update 13 and earlier and 6 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2013-1486 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486):
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier, 6 Update 39 and earlier, and 5.0 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

CVE-2013-1485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485):
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.

CVE-2013-1484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484):
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2013-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169):
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Added to existing GLSA draft.

(In reply to comment #2)
> As I was asked on irc what I meant with that comment I extend a little.

Thanks for the explanation. :)

This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle).
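The summary above states the fix as a set of upper-bound atoms (`<dev-java/sun-jdk-1.6.0.41` and so on): anything below the named version is affected, the named version itself is not. As an added example that is not part of this bug or of Gentoo's own tooling, the check below takes those atoms and flags installed packages that still fall below the fixed versions. The installed list is constructed for the example; on a Gentoo system the same `category/name-version` strings come from `qlist -Iv` (app-portage/portage-utils). The version parser is deliberately simpler than Portage's: it handles dotted numeric versions and an optional `-rN` revision, which covers every package named here, but not suffixes such as `_p1` or `_rc2`.

```python
import re
from typing import List, Tuple

# Upper bounds from the bug summary; "<" means every lower version is affected.
AFFECTED_ATOMS = [
    "<dev-java/sun-jdk-1.6.0.41",
    "<dev-java/sun-jre-bin-1.6.0.41",
    "<app-emulation/emul-linux-x86-java-1.6.0.41",
    "<dev-java/oracle-jdk-bin-1.7.0.15",
    "<dev-java/oracle-jre-bin-1.7.0.15",
]

# Constructed sample in the "category/name-version" form that `qlist -Iv`
# prints; not taken from a real system.
SAMPLE_INSTALLED = [
    "dev-java/sun-jdk-1.6.0.39",
    "dev-java/sun-jre-bin-1.6.0.41",
    "dev-java/oracle-jdk-bin-1.7.0.13-r1",
    "dev-java/oracle-jre-bin-1.7.0.15",
    "app-emulation/emul-linux-x86-java-1.6.0.41",
    "dev-java/icedtea-bin-6.1.12.3",
]

# name, dotted numeric version, optional Gentoo revision (-rN).
# Simplified relative to Portage: no letter or _p/_rc suffixes.
_CPV = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")

VersionKey = Tuple[Tuple[int, ...], int]


def parse_cpv(cpv: str) -> Tuple[str, VersionKey]:
    """Split 'cat/pkg-1.2.3-r1' into ('cat/pkg', ((1, 2, 3), 1))."""
    m = _CPV.match(cpv)
    if not m:
        raise ValueError(f"unparseable package string: {cpv!r}")
    ver = tuple(int(part) for part in m.group("ver").split("."))
    rev = int(m.group("rev") or 0)
    return m.group("name"), (ver, rev)


def is_affected(installed: str, atoms: List[str] = AFFECTED_ATOMS) -> bool:
    """True if `installed` matches one of the '<cat/pkg-version' atoms."""
    name, key = parse_cpv(installed)
    for atom in atoms:
        if not atom.startswith("<"):
            raise ValueError(f"only '<' atoms are supported: {atom!r}")
        bound_name, bound_key = parse_cpv(atom[1:])
        # Tuple comparison is component-wise: 1.6.0.39 < 1.6.0.41 and
        # 1.7.0.13-r1 < 1.7.0.15 (revision 0), while an equal version
        # or a higher revision of the fixed version is not affected.
        if name == bound_name and key < bound_key:
            return True
    return False


def affected_packages(installed: List[str],
                      atoms: List[str] = AFFECTED_ATOMS) -> List[str]:
    """Return the installed packages that are still below the fixed versions."""
    return [cpv for cpv in installed if is_affected(cpv, atoms)]


if __name__ == "__main__":
    for cpv in affected_packages(SAMPLE_INSTALLED):
        print("still vulnerable:", cpv)
```

Run against the constructed list, only the two packages whose version is strictly below the bound are reported; `sun-jre-bin-1.6.0.41` and `oracle-jre-bin-1.7.0.15` are exactly the fixed versions and pass, and `icedtea-bin` is not named in the summary at all and is ignored.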