Bug 517224 (CVE-2014-2490)

Summary: dev-java/icedtea: multiple vulnerabilities (CVE-2014-{2490,4209,4216,4218,4219,4244,4252,4262,4263,4266,4268})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: caster, gnu_andrew, java, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://blog.fuseyism.com/index.php/2014/07/15/security-icedtea-1-13-4-for-openjdk-6-released/
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-07-16 08:05:16 UTC
From ${URL} :

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver, the ability to build against system libraries and support for alternative virtual machines and architectures beyond those supported by OpenJDK.

This release updates our OpenJDK 6 support in the 1.13.x series with the July 2014 security fixes.

If you find an issue with the release, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

What’s New?

New in release 1.13.4 (2014-07-15)
Security fixes
S8029755, CVE-2014-4209: Enhance subject class
S8030763: Validate global memory allocation
S8031346, CVE-2014-4244: Enhance RSA key handling
S8031540: Introduce document horizon
S8032536: JVM resolves wrong method in some unusual cases
S8033055: Issues in 2d
S8033301, CVE-2014-4266: Build more informative InfoBuilder
S8034267: Probabilistic native crash
S8034272: Do not cram data into CRAM arrays
S8035004, CVE-2014-4252: Provider provides less service
S8035009, CVE-2014-4218: Make Proxy representations consistent
S8035119, CVE-2014-4219: Fix exceptions to bytecode verification
S8035699, CVE-2014-4268: File choosers should be choosier
S8036571: (process) Process process arguments carefully
S8036800: Attribute OOM to correct part of code
S8037046: Validate libraries to be loaded
S8037157: Verify <init> call
S8037076, CVE-2014-2490: Check constant pool constants
S8037162, CVE-2014-4263: More robust DH exchanges
S8037167, CVE-2014-4216: Better method signature resolution
S8039520, CVE-2014-4262: More atomicity of atomic updates
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-07-30 04:37:10 UTC
CVE-2014-4268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4268):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality via unknown vectors
  related to Swing.

CVE-2014-4266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4266):
  Unspecified vulnerability in Oracle Java SE 7u60 and 8u5 allows remote
  attackers to affect integrity via unknown vectors related to Serviceability.

CVE-2014-4263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4263):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and
  JRockit R27.8.2 and R28.3.2, allows remote attackers to affect
  confidentiality and integrity via unknown vectors related to "Diffie-Hellman
  key agreement."

CVE-2014-4262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4262):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Libraries.

CVE-2014-4252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4252):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality via unknown vectors
  related to Security.

CVE-2014-4244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4244):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5, and
  JRockit R27.8.2 and JRockit R28.3.2, allows remote attackers to affect
  confidentiality and integrity via unknown vectors related to Security.

CVE-2014-4219 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4219):
  Unspecified vulnerability in Oracle Java SE 6u75, 7u60, and 8u5 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Hotspot.

CVE-2014-4218 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4218):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect integrity via unknown vectors related to
  Libraries.

CVE-2014-4216 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4216):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2014-4209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4209):
  Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5
  allows remote attackers to affect confidentiality and integrity via vectors
  related to JMX.

CVE-2014-2490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2490):
  Unspecified vulnerability in the Java SE component in Oracle Java SE 7u60
  and SE 8u5 allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.
Comment 2 Andrew John Hughes 2014-09-02 23:19:44 UTC
The same update is needed for 7 too. The latest is 2.5.2: http://bitly.com/it20502
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-10-05 19:57:26 UTC
Maintainers, please advise if there is any movement on this?
Comment 4 James Le Cuirot gentoo-dev 2015-07-21 22:14:13 UTC
This was dealt with ages ago so security team should close this out.