| Field | Value |
|---|---|
| Summary | <dev-java/oracle-{jdk,jre}-bin-1.7.0.25 - Version bump to correct 40 CVE security vulnerabilities (CVE-2013-{1500,1571,2400,2407,2412,2437,2442,...,2473,3743,3744}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Hypnos <hypnos75> |
| Assignee | Gentoo Security <security> |
| CC | ap, farmboy0, gentoo, java, multilib+disabled |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=484568 |
| Whiteboard | A2 [glsa] |
| Package list | --- |
| Runtime testing required | --- |
| Bug Depends on | 499082 |
| Bug Blocks | --- |
Description
Hypnos
2013-06-21 05:44:35 UTC
According to your second link, for reference if it dies: CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744

Here we go:

+ 22 Jun 2013; Tom Wijsman <TomWij@gentoo.org> +oracle-jre-bin-1.7.0.25.ebuild:
+ Version bump to 1.7.0.25 for security bug #473980 reported by Hypnos, fixes 40
+ CVEs.

x86 arch team, please stabilize such that we can remove the older versions.

*** Bug 473792 has been marked as a duplicate of this bug. ***

This is not just the JRE, dev-java/oracle-jdk-bin is also affected, but not mentioned here (the duplicate was about the JDK).

So, since the ebuild for the JDK is not yet updated in the tree - please add the JDK to this bug and update to 1.7.25 also.

(In reply to Andreas Prieß from comment #3)
> This is not just the JRE, dev-java/oracle-jdk-bin is also affected, but not
> mentioned here (the duplicate was about the JDK).
>
> So, since the ebuild for the JDK is not yet updated in the tree - please add
> the JDK to this bug and update to 1.7.25 also.

Done, was distracted after doing the docs and then having to download all the required files for manifesting.

+ 22 Jun 2013; Tom Wijsman <TomWij@gentoo.org> +oracle-jdk-bin-1.7.0.25.ebuild,
+ oracle-jdk-bin-1.7.0.17.ebuild, oracle-jdk-bin-1.7.0.21.ebuild:
+ Version bump to 1.7.0.25 for security bug #473980 reported by Hypnos, fixes 40
+ CVEs.

Stabilization can now continue.

x86 stable, thanks.

*** Bug 435644 has been marked as a duplicate of this bug. ***

The exact details of the compromise are not published, but several of the CVEs use the phrase "unauthorized Operating System takeover including arbitrary code execution," which I believe means "remote active compromise."

Yes, amd64, feel free to proceed stabilization; as you requested in bug #435644.

+ 29 Jun 2013; Tom Wijsman <TomWij@gentoo.org> java-sdk-docs-1.7.0.25.ebuild:
+ Stabilized 1.7.0.25 for oracle-jdk-bin and oracle-jre-bin. Permitted by ago.

+ 29 Jun 2013; Tom Wijsman <TomWij@gentoo.org> -oracle-jdk-bin-1.7.0.17.ebuild,
+ -oracle-jdk-bin-1.7.0.21.ebuild, oracle-jdk-bin-1.7.0.25.ebuild:
+ Drop old insecure versions; stabilized 1.7.0.25 after building, testing and
+ running some Java software. Permitted by ago.

+ 29 Jun 2013; Tom Wijsman <TomWij@gentoo.org> -oracle-jre-bin-1.7.0.17.ebuild,
+ -oracle-jre-bin-1.7.0.21.ebuild, oracle-jre-bin-1.7.0.25.ebuild:
+ Drop old insecure versions; stabilized 1.7.0.25 after building, testing and
+ running some Java software. Permitted by ago.

The version bumped here can no longer be fetched, see "See Also" for the status of the version bump towards the next version (.25 -> .40).

Hmm, what about virtual/jdk-1.7? Should go stable on mentioned archs as well?

Maintainers, it looks like app-emulation/emul-linux-x86-java is also affected by these vulnerabilities. What are the plans with this package? p.mask?

(In reply to Sean Amoss from comment #12)
> Maintainers, it looks like app-emulation/emul-linux-x86-java is also
> affected by these vulnerabilities. What are the plans with this package?
> p.mask?

java, multilib: ping

^ the old-style emul set for java was always handled by java team

+ 23 Jan 2014; Tom Wijsman <TomWij@gentoo.org>
+ +emul-linux-x86-java-1.7.0.51.ebuild, +files/emul-linux-x86-java-1.7.env-r1:
+ Version bump to 1.7.0.51 for security bug #473980.

This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle).

All done here.