Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 477210

Summary: <dev-java/icedtea-{bin}-6.1.12.6, <dev-java/icedtea-{bin}-7.2.4.1: Multiple vulnerabilities
Product: Gentoo Security Reporter: wbrana
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://blog.fuseyism.com/index.php/2013/07/10/security-icedtea-1-11-12-1-12-6-for-openjdk-6-released/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description wbrana 2013-07-17 11:34:37 UTC
7.2.4.1 was released which fixes security bugs

http://blog.fuseyism.com/index.php/2013/07/08/security-icedtea-2-4-1-for-openjdk-7-released/
Comment 1 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-07-20 00:38:43 UTC
+  20 Jul 2013; Tom Wijsman <TomWij@gentoo.org> +icedtea-7.2.4.1.ebuild:
+  Version bump to 7.2.4.1, I plan to do the 6.1.12.6 bump tomorrow; fixes bug
+  #477210, reported by wbrana. Removed zero hotspot tarball fetch due to
+  http://icedtea.classpath.org/hg/release/icedtea7-2.4/rev/08d655f1631e

Thank you for reporting.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-22 22:11:49 UTC
CVE list:
CVE-2013-1500 CVE-2013-1571 CVE-2013-2412 CVE-2013-2407 CVE-2013-2443 CVE-2013-2444 CVE-2013-2445 CVE-2013-2446 CVE-2013-2447 CVE-2013-2448 CVE-2013-2449 CVE-2013-2450 CVE-2013-2451 CVE-2013-2452 CVE-2013-2453 CVE-2013-2454 CVE-2013-2455 CVE-2013-2456 CVE-2013-2457 CVE-2013-2458 CVE-2013-2459 CVE-2013-2460 CVE-2013-2461 CVE-2013-2463 CVE-2013-2465 CVE-2013-2469 CVE-2013-2470 CVE-2013-2471 CVE-2013-2472 CVE-2013-2473

As far as I can tell these were all also Oracle Java bugs too. The CVEs have a constant refrain of affecting confidentiality, integrity, and availablility, so calling this a B3 - denial of service.

@maintainers: ack 6.1.12.6 stable, please. We'll leave 7 since it's only in ~ right now.
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2013-07-23 21:03:54 UTC
(In reply to Chris Reffett from comment #2)
> @maintainers: ack 6.1.12.6 stable, please. We'll leave 7 since it's only in
> ~ right now.

Not yet. Stable applies only to icedtea-bin:6 and I'm yet building that.
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2013-07-24 05:27:47 UTC
Please stabilize dev-java/icedtea-bin-6.1.12.6
Comment 5 Agostino Sarubbo gentoo-dev 2013-07-24 18:43:51 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-07-27 22:04:28 UTC
x86 stable
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 03:10:19 UTC
GLSA vote: yes.
Comment 8 Sergey Popov (RETIRED) gentoo-dev 2013-08-30 11:03:19 UTC
GLSA vote: yes

Added to existing GLSA draft
Comment 9 James Le Cuirot gentoo-dev 2015-05-10 22:28:29 UTC
I'm just going to close this since no one cares. These versions have long gone.