| Summary: | dev-java/icedtea: multiple vulnerabilities (CVE-2014-{2490,4209,4216,4218,4219,4244,4252,4262,4263,4266,4268}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | caster, gnu_andrew, java, proxy-maint |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://blog.fuseyism.com/index.php/2014/07/15/security-icedtea-1-13-4-for-openjdk-6-released/ | ||
| Whiteboard: | ~2 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
CVE-2014-4268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4268): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Swing. CVE-2014-4266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4266): Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote attackers to affect integrity via unknown vectors related to Serviceability. CVE-2014-4263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4263): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to "Diffie-Hellman key agreement." CVE-2014-4262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4262): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVE-2014-4252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4252): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality via unknown vectors related to Security. CVE-2014-4244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4244): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security. CVE-2014-4219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4219): Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. CVE-2014-4218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4218): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect integrity via unknown vectors related to Libraries. CVE-2014-4216 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4216): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. CVE-2014-4209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4209): Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX. CVE-2014-2490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2490): Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60 and SE 8u5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. The same update is needed for 7 too. The latest is 2.5.2: http://bitly.com/it20502 Maintainers please advise if there is any movement on this? This was dealt with ages ago so security team should close this out. |
From ${URL} : The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver, the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK. This release updates our OpenJDK 6 support in the 1.13.x series with the July 2014 security fixes. If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome. Full details of the release can be found below. What’s New? New in release 1.13.4 (2014-07-15) Security fixes S8029755, CVE-2014-4209: Enhance subject class S8030763: Validate global memory allocation S8031346, CVE-2014-4244: Enhance RSA key handling S8031540: Introduce document horizon S8032536: JVM resolves wrong method in some unusual cases S8033055: Issues in 2d S8033301, CVE-2014-4266: Build more informative InfoBuilder S8034267: Probabilistic native crash S8034272: Do not cram data into CRAM arrays S8035004, CVE-2014-4252: Provider provides less service S8035009, CVE-2014-4218: Make Proxy representations consistent S8035119, CVE-2014-4219: Fix exceptions to bytecode verification S8035699, CVE-2014-4268: File choosers should be choosier S8036571: (process) Process process arguments carefully S8036800: Attribute OOM to correct part of code S8037046: Validate libraries to be loaded S8037157: Verify <init> call S8037076, CVE-2014-2490: Check constant pool constants S8037162, CVE-2014-4263: More robust DH exchanges S8037167, CVE-2014-4216: Better method signature resolution S8039520, CVE-2014-4262: More atomicity of atomic updates @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.