
Bug 498148 (CVE-2013-5902)

Summary: <dev-java/oracle-{jre,jdk}-bin-1.7.0.51 : multiple vulnerabilities (CVE-2013-{5902,5904,5905,5906,5907,5910},CVE-2014-{0368,0373,0375,0376,0382,0385,0387,0403,0408,0410,0411,0415,0416,0417,0418,0422,0423,0424,0428})
Product: Gentoo Security
Reporter: Paolo <paolo.stivanin>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: java, wyvern5
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/56485/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 498386

Description Paolo 2014-01-15 10:19:30 UTC
jdk and jre have reached version 7u51.
Thanks :)
Comment 1 Agostino Sarubbo gentoo-dev 2014-01-15 10:49:52 UTC
Thanks for the report. This is also a security bug.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-01-16 20:00:49 UTC
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 45 and prior
* JDK and JRE 6 Update 65 and prior
* JDK and JRE 5 Update 55 and prior

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html#JAVA
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2014-01-17 15:10:37 UTC
+*oracle-jdk-bin-1.7.0.51 (17 Jan 2014)
+
+  17 Jan 2014; Lars Wendler <polynomial-c@gentoo.org>
+  +oracle-jdk-bin-1.7.0.51.ebuild:
+  non-maintainer security bump due to slacking java herd (bug #498148).
+
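Review bot: the entry records only the new oracle-jdk-bin-1.7.0.51.ebuild and gives no indication that the companion JavaFX download version was refreshed alongside the JDK tarball; comment 6 reports the ebuild still carries FX_VERSION="2_2_45", whose package is no longer downloadable, and the -r1 revision in comment 8 corrects this. When bumping an ebuild that fetches more than one upstream artifact, every such version variable should be checked against the new release before commit, since a stale one breaks the fetch as soon as the old artifact is withdrawn.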
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2014-01-17 16:44:09 UTC
+*oracle-jre-bin-1.7.0.51 (17 Jan 2014)
+
+  17 Jan 2014; Lars Wendler <polynomial-c@gentoo.org>
+  +oracle-jre-bin-1.7.0.51.ebuild:
+  non-maintainer security bump due to slacking java herd (bug #498148).
+
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2014-01-17 16:48:53 UTC
Thank you for the bumps, please advise when tested and ready for stabilization.
Comment 6 xenon 2014-01-18 16:46:37 UTC
Is it just me, or did the bumper forget to update the FX_VERSION variable in the ebuild? It's still FX_VERSION="2_2_45", and the corresponding package is not available for download anymore anyway.
Comment 7 keith koski 2014-01-18 21:11:46 UTC
(In reply to xenon from comment #6)
> Is it just me or the bumper forgot to update the FX_VERSION variable in the
> ebuild?

I see the same problem.
Comment 8 Lars Wendler (Polynomial-C) gentoo-dev 2014-01-19 01:01:29 UTC
+*oracle-jdk-bin-1.7.0.51-r1 (19 Jan 2014)
+
+  19 Jan 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -oracle-jdk-bin-1.7.0.51.ebuild, +oracle-jdk-bin-1.7.0.51-r1.ebuild:
+  Forgot to change java_fx version.
+

Thanks for spotting this and sorry for the circumstances...
Comment 9 Ralph Sennhauser (RETIRED) gentoo-dev 2014-01-23 16:22:29 UTC
Please stabilize the following for amd64 and x86:
=dev-java/oracle-jre-bin-1.7.0.51
=dev-java/oracle-jdk-bin-1.7.0.51

Thanks to Lars for taking care of the bump.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-01-24 14:28:11 UTC
CVE-2014-0375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality and integrity via unknown vectors
  related to Deployment, a different vulnerability than CVE-2013-5898 and
  CVE-2014-0403.

CVE-2014-0373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and
  OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Serviceability.  NOTE: the
  previous information is from the January 2014 CPU. Oracle has not commented
  on third-party claims that the issue is related to throwing of an incorrect
  exception when SnmpStatusException should have been used in the SNMP
  implementation, which allows attackers to escape the sandbox.

CVE-2014-0368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java
  SE Embedded 7u45, allows remote attackers to affect confidentiality via
  unknown vectors related to Networking.  NOTE: the previous information is
  from the January 2014 CPU. Oracle has not commented on third-party claims
  that the issue is related to incorrect permission checks when listening on a
  socket, which allows attackers to escape the sandbox.

CVE-2013-5910 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, and Java SE
  Embedded 7u45, allows remote attackers to affect integrity via unknown
  vectors related to Security.

CVE-2013-5907 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit
  R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to 2D.  NOTE: the previous information is from the January
  2014 CPU. Oracle has not commented on third-party claims that the issue is
  due to incorrect input validation in LookupProcessor.cpp in the ICU Layout
  Engine, which allows attackers to cause a denial of service (crash) or
  possibly execute arbitrary code via a crafted font file.

CVE-2013-5906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Install, a different vulnerability than
  CVE-2013-5905.

CVE-2013-5905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Install, a different vulnerability than
  CVE-2013-5906.

CVE-2013-5904 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904):
  Unspecified vulnerability in Oracle Java SE 7u45 allows remote attackers to
  affect confidentiality, integrity, and availability via unknown vectors
  related to Deployment.

CVE-2013-5902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment, a different vulnerability than CVE-2013-5889,
  CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVE-2013-5899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality via unknown vectors related to
  Deployment.

CVE-2013-5898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality and integrity via unknown vectors
  related to Deployment, a different vulnerability than CVE-2014-0375 and
  CVE-2014-0403.

CVE-2013-5896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; and Java
  SE Embedded 7u45; allows remote attackers to affect availability via vectors
  related to CORBA.

CVE-2013-5895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895):
  Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows
  remote attackers to affect confidentiality via unknown vectors related to
  JavaFX.

CVE-2013-5893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893):
  Unspecified vulnerability in Oracle Java SE 7u45 and Java SE Embedded 7u45,
  and OpenJDK 7, allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to Libraries.  NOTE: the
  previous information is from the January 2014 CPU. Oracle has not commented
  on third-party claims that the issue is related to improper handling of
  methods in MethodHandles in HotSpot JVM, which allows attackers to escape
  the sandbox.

CVE-2013-5889 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment, a different vulnerability than CVE-2013-5902,
  CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVE-2013-5888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, when running with
  GNOME, allows local users to affect confidentiality, integrity, and
  availability via unknown vectors related to Deployment.

CVE-2013-5887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect availability via unknown vectors related to Deployment.

CVE-2013-5884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5884):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45;
  Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect
  confidentiality via vectors related to CORBA.  NOTE: the previous
  information is from the January 2014 CPU. Oracle has not commented on
  third-party claims that the issue is related to an incorrect check for code
  permissions by CORBA stub factories.

CVE-2013-5878 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded
  7u45, and OpenJDK 7 allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Security.  NOTE:
  the previous information is from the January 2014 CPU. Oracle has not
  commented on third-party claims that the Security component does not
  properly handle null XML namespace (xmlns) attributes during XML document
  canonicalization, which allows attackers to escape the sandbox.

CVE-2013-5870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870):
  Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to JavaFX.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-01-24 14:28:42 UTC
CVE-2014-0428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
  Embedded 7u45; and OpenJDK 7 allows remote attackers to affect
  confidentiality, integrity, and availability via vectors related to CORBA. 
  NOTE: the previous information is from the January 2014 CPU. Oracle has not
  commented on third-party claims that the issue is related to "insufficient
  security checks in IIOP streams," which allows attackers to escape the
  sandbox.

CVE-2014-0424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment, a different vulnerability than CVE-2013-5889,
  CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0418.

CVE-2014-0423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit
  R27.7.7 and R28.2.9; and Java SE Embedded 7u45 allows remote authenticated
  users to affect confidentiality and availability via unknown vectors related
  to Beans.

CVE-2014-0422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
  Embedded 7u45; and OpenJDK 7 allows remote attackers to affect
  confidentiality, integrity, and availability via vectors related to JNDI. 
  NOTE: the previous information is from the January 2014 CPU. Oracle has not
  commented on third-party claims that the issue is related to missing package
  access checks in the Naming / JNDI component, which allows attackers to
  escape the sandbox.

CVE-2014-0418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment, a different vulnerability than CVE-2013-5889,
  CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0424.

CVE-2014-0417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX
  2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  2D.

CVE-2014-0416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
  Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via
  vectors related to JAAS.  NOTE: the previous information is from the January
  2014 CPU. Oracle has not commented on third-party claims that the issue is
  related to how principals are set for the Subject class, which allows
  attackers to escape the sandbox using deserialization of a crafted Subject
  instance.

CVE-2014-0415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment, a different vulnerability than CVE-2013-5889,
  CVE-2013-5902, CVE-2014-0410, CVE-2014-0418, and CVE-2014-0424.

CVE-2014-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit
  R27.7.7 and R28.2.9; and Java SE Embedded 7u45 allows remote attackers to
  affect confidentiality and integrity via vectors related to JSSE.

CVE-2014-0410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment, a different vulnerability than CVE-2013-5889,
  CVE-2013-5902, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVE-2014-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408):
  Unspecified vulnerability in Oracle Java SE 7u45, when running on OS X,
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2014-0403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403):
  Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote
  attackers to affect confidentiality and integrity via unknown vectors
  related to Deployment, a different vulnerability than CVE-2013-5898 and
  CVE-2014-0375.

CVE-2014-0387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387):
  Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when
  running on Firefox, allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Deployment.

CVE-2014-0385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385):
  Unspecified vulnerability in Oracle Java SE 7u45, when installing on OS X,
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Install.

CVE-2014-0382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382):
  Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows
  remote attackers to affect availability via unknown vectors related to
  JavaFX.

CVE-2014-0376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376):
  Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE
  Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via
  vectors related to JAXP.  NOTE: the previous information is from the January
  2014 CPU. Oracle has not commented on third-party claims that the issue is
  related to an improper check for "code permissions when creating document
  builder factories."
Comment 12 Agostino Sarubbo gentoo-dev 2014-01-25 12:21:09 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-01-25 12:21:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 01:28:26 UTC
This issue was resolved and addressed in
 GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 15 Sean Amoss gentoo-dev Security 2014-01-27 01:29:15 UTC
Maintainers, please drop vulnerable versions.
Comment 16 Lars Wendler (Polynomial-C) gentoo-dev 2014-01-28 08:27:57 UTC
(In reply to Sean Amoss from comment #15)
> Maintainers, please drop vulnerable versions.

Was already done two days ago.
Comment 17 Sean Amoss gentoo-dev Security 2014-01-29 22:55:10 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #16)
> (In reply to Sean Amoss from comment #15)
> > Maintainers, please drop vulnerable versions.
> 
> Was already done two days ago.

Thanks.