
Bug 508716

Summary: <app-emulation/emul-linux-x86-java-1.7.0.55: Multiple security vulnerabilities (CVE-2014-{0429,0432,0446,0448,0449,0451,0452,0453,0454,0455,0456,0457,0458,0459,0460,0461,0463,0464,2397,2398,2401,2402,2403,2409,2410,2412,2413,2414,2420,2421,2422,2423,2427,2
Product: Gentoo Security
Reporter: Bradley Broom <bmbroom>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=507798
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Bradley Broom 2014-04-25 20:00:41 UTC
Download jre-7u51-linux-i586.tar.gz has been replaced by jre-7u55-linux-i586.tar.gz

Reproducible: Always
Comment 1 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-04-25 20:39:26 UTC
+  25 Apr 2014; Tom Wijsman <TomWij@gentoo.org>
+  +emul-linux-x86-java-1.7.0.55.ebuild:
+  Version bump to 1.7.0.55; fixes bug #508716, reported by Bradley Broom.
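
Review bot: the "Version bump to 1.7.0.55" line identifies the fix only by bug number, so the ChangeLog entry read on its own does not show that this is a security bump. Consider saying so in the entry (for example "Security version bump to 1.7.0.55"), which tells anyone reading the ChangeLog alone why the older version should be stabilized past and then dropped.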

Thank you very much for filing this bug.

AMD64 arch, can you please stabilize 1.7.0.55? TIA. (This fixes a security bug)
Comment 2 Agostino Sarubbo gentoo-dev 2014-04-26 09:09:12 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-17 22:58:41 UTC
CVE-2014-2428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2428):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to Deployment.

CVE-2014-2427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2427):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and
  Java SE Embedded 7u51, allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Sound.

CVE-2014-2423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2423):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality, integrity,
  and availability via vectors related to JAX-WS, a different vulnerability
  than CVE-2014-0452 and CVE-2014-0458.

CVE-2014-2422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2422):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2.51,
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors.

CVE-2014-2421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2421):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8;
  JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  2D.

CVE-2014-2420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2420):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect integrity via unknown
  vectors related to Deployment.

CVE-2014-2414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2414):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality, integrity,
  and availability via vectors related to JAXB.

CVE-2014-2413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2413):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded
  7u51, allows remote attackers to affect integrity via unknown vectors
  related to Libraries.

CVE-2014-2412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2412):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and 8,
  and Java SE Embedded 7u51, allows remote attackers to affect
  confidentiality, integrity, and availability via vectors related to AWT, a
  different vulnerability than CVE-2014-0451.

CVE-2014-2410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2410):
  Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to
  affect confidentiality, integrity, and availability via unknown vectors
  related to JavaFX.

CVE-2014-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2409):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality and
  integrity via unknown vectors related to Deployment.

CVE-2014-2403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2403):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality via vectors
  related to JAXP.

CVE-2014-2402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2402):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded
  7u51, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Libraries, a different
  vulnerability than CVE-2014-0432 and CVE-2014-0455.

CVE-2014-2401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2401):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8;
  JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect
  confidentiality via unknown vectors related to 2D.

CVE-2014-2398 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2398):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8;
  JavaFX 2.2.51; and JRockit R27.8.1 and R28.3.1 allows remote authenticated
  users to affect integrity via unknown vectors related to Javadoc.

CVE-2014-2397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2397):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded
  7u51, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2014-0464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0464):
  Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to
  affect confidentiality via unknown vectors related to Scripting, a different
  vulnerability than CVE-2014-0463.

CVE-2014-0463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0463):
  Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to
  affect confidentiality via unknown vectors related to Scripting, a different
  vulnerability than CVE-2014-0464.

CVE-2014-0461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0461):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to Libraries.

CVE-2014-0460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0460):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8;
  JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote
  attackers to affect confidentiality and integrity via vectors related to
  JNDI.

CVE-2014-0459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0459):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded
  7u51, allows remote attackers to affect availability via unknown vectors
  related to 2D.

CVE-2014-0458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0458):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality, integrity,
  and availability via vectors related to JAX-WS, a different vulnerability
  than CVE-2014-0452 and CVE-2014-2423.

CVE-2014-0457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0457):
  Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8;
  JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Libraries.

CVE-2014-0456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0456):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to Hotspot.

CVE-2014-0455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0455):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded
  7u51, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Libraries, a different
  vulnerability than CVE-2014-0432 and CVE-2014-2402.

CVE-2014-0454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0454):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded
  7u51, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Security.

CVE-2014-0453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0453):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8;
  JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote
  attackers to affect confidentiality and integrity via unknown vectors
  related to Security.

CVE-2014-0452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0452):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality, integrity,
  and availability via vectors related to JAX-WS, a different vulnerability
  than CVE-2014-0458 and CVE-2014-2423.

CVE-2014-0451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0451):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and
  Java SE Embedded 7u51, allows remote attackers to affect confidentiality,
  integrity, and availability via vectors related to AWT, a different
  vulnerability than CVE-2014-2412.

CVE-2014-0449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0449):
  Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE
  Embedded 7u51, allows remote attackers to affect confidentiality via unknown
  vectors related to Deployment.

CVE-2014-0448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0448):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to Deployment.

CVE-2014-0446 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0446):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and
  Java SE Embedded 7u51, allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to Libraries.

CVE-2014-0432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0432):
  Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded
  7u51, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Libraries, a different
  vulnerability than CVE-2014-0455 and CVE-2014-2402.

CVE-2014-0429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0429):
  Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8;
  JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to 2D.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-06-17 23:00:30 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

Added to existing GLSA Request
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 01:12:25 UTC
Cleaned up as part of a subsequent bug.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-02-15 14:50:29 UTC
This issue was resolved and addressed in
 GLSA 201502-12 at http://security.gentoo.org/glsa/glsa-201502-12.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).