Summary: | <dev-java/oracle-{jre,jdk}-bin-{1.7.0.76,1.8.0.31}: multiple vulnerabilities (CVE-2014-{3566,6549,6585,6587,6591,6593,6601},CVE-2015-{0383,0395,0400,0403,0406,0407,0408,0410,0412,0413,0421}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ap, java, wyvern5 |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
+ 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ +oracle-jre-bin-1.7.0.76.ebuild:
+ Version bump of oracle-jre-bin:7 wrt bug #537214
+ 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ +oracle-jre-bin-1.8.0.31.ebuild:
+ Version bump of oracle-jre-bin:8 wrt bug #537214
+ 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ +oracle-jdk-bin-1.7.0.76.ebuild:
+ Version bump of oracle-jdk-bin:7 wrt bug #537214
+ 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ +oracle-jdk-bin-1.8.0.31.ebuild:
+ Version bump of oracle-jdk-bin:8 wrt bug #537214
+ 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> +java-sdk-docs-1.7.0.76.ebuild,
+ +java-sdk-docs-1.8.0.31.ebuild:
+ Version bump of java-sdk-docs wrt bug #537214
+ 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ +emul-linux-x86-java-1.7.0.76.ebuild:
+ Version bump of emul-linux-x86-java wrt bug #537214

I hope I didn't forget anything. Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.

CVE-2015-0421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0421): Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process.

CVE-2015-0413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0413): Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability.

CVE-2015-0412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS.

CVE-2015-0410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0410): Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security.

CVE-2015-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI.

CVE-2015-0407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing.

CVE-2015-0406 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0406): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment.

CVE-2015-0403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0403): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2015-0400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries.

CVE-2015-0395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2015-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown vectors related to Hotspot.

CVE-2014-6601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2014-6593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVE-2014-6591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591): Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585.

CVE-2014-6587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2014-6585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6591.

CVE-2014-6549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6549): Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

*** Bug 537576 has been marked as a duplicate of this bug. ***

I would like to proceed here, but I'm now getting repoman warnings and have no idea how to resolve them:

app-emulation/emul-linux-x86-java/emul-linux-x86-java-1.7.0.76.ebuild: RDEPEND: >=media-libs/alsa-lib-1.0.27.2[abi_x86_32(-)], x11-libs/libX11[abi_x86_32(-)], x11-libs/libXext[abi_x86_32(-)], x11-libs/libXi[abi_x86_32(-)], x11-libs/libXrender[abi_x86_32(-)], x11-libs/libXtst[abi_x86_32(-)]

dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~amd64(default/linux/uclibc/amd64) ['sys-libs/glibc']
dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~x86(default/linux/uclibc/x86) ['sys-libs/glibc']
dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~amd64(hardened/linux/uclibc/amd64) ['sys-libs/glibc']
dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~x86(hardened/linux/uclibc/x86) ['sys-libs/glibc']

(In reply to Johann Schmitz (ercpe) from comment #6)
> I would like to proceed here, but i'm now getting repoman warnings and have
> no idea how to resolve them:
>
> app-emulation/emul-linux-x86-java/emul-linux-x86-java-1.7.0.76.ebuild:
> RDEPEND: >=media-libs/alsa-lib-1.0.27.2[abi_x86_32(-)],
> x11-libs/libX11[abi_x86_32(-)], x11-libs/libXext[abi_x86_32(-)],
> x11-libs/libXi[abi_x86_32(-)], x11-libs/libXrender[abi_x86_32(-)],
> x11-libs/libXtst[abi_x86_32(-)]
>
> dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~amd64(default/linux/uclibc/amd64) ['sys-libs/glibc']
> dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~x86(default/linux/uclibc/x86) ['sys-libs/glibc']
> dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~amd64(hardened/linux/uclibc/amd64) ['sys-libs/glibc']
> dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~x86(hardened/linux/uclibc/x86) ['sys-libs/glibc']

It works for me for the interested arches.

amd64 stable

x86 stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

+ 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ -oracle-jre-bin-1.7.0.71.ebuild, -oracle-jre-bin-1.7.0.72.ebuild,
+ -oracle-jre-bin-1.8.0.25.ebuild:
+ Dropped vulnerable versions (#537214)
+ 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ -oracle-jdk-bin-1.7.0.71.ebuild, -oracle-jdk-bin-1.7.0.72.ebuild,
+ -oracle-jdk-bin-1.8.0.25.ebuild:
+ Removed vulnerable versions (#537214)
+ 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org> -java-sdk-docs-1.7.0.71.ebuild,
+ -java-sdk-docs-1.7.0.72.ebuild, -java-sdk-docs-1.8.0.25.ebuild:
+ Removed java-sdk-docs for dropped versions (#537214)
+ 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+ -emul-linux-x86-java-1.7.0.71.ebuild, -emul-linux-x86-java-1.7.0.72.ebuild:
+ Removed vulnerable versions (#537214)

Cleanup done

oracle-jdk-bin-1.7.0.60.ebuild was missed on cleanup.

Maintainers, thank you for cleaning up. A new GLSA has been filed by security.

This issue was resolved and addressed in GLSA 201507-14 at https://security.gentoo.org/glsa/201507-14 by GLSA coordinator Kristian Fiskerstrand (K_F).

1.7.0.60 still hasn't been removed, though that's the only version available to arm. I was half thinking of removing it on the next Oracle bump because icedtea is now working well for arm.
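The thread above fixes slot 7 at oracle-{jre,jdk}-bin-1.7.0.76 and slot 8 at 1.8.0.31, drops 1.7.0.71, 1.7.0.72 and 1.8.0.25, and notes that 1.7.0.60 was missed. A practitioner auditing a Gentoo host wants the same per-slot comparison the maintainers did by hand. The script below is an added example, not code from this bug, from the ebuilds, or from Gentoo tooling; it assumes that a 1.7.0.x version belongs to slot 7 and a 1.8.0.x version to slot 8, that installed packages appear as directory names like `oracle-jdk-bin-1.7.0.76` (optionally with a `-rN` revision) under /var/db/pkg/dev-java, and it uses only the fixed versions named on the bug. The sample input at the bottom is constructed, not real system output.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or its ebuilds): flag installed
# dev-java/oracle-{jre,jdk}-bin versions below the version this bug
# stabilised for their slot. Slot mapping (1.7.0.x -> slot 7, 1.8.0.x ->
# slot 8) and the /var/db/pkg naming scheme are assumptions of this script.

# Compare two dotted numeric versions component by component and print
# -1, 0 or 1 for a<b, a==b, a>b. A missing trailing component counts as 0,
# so 1.7.0 compares as 1.7.0.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        if [ -z "$ac" ]; then ac=0; fi
        if [ -z "$bc" ]; then bc=0; fi
        if [ "$ac" -lt "$bc" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ac" -gt "$bc" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# The version this bug stabilised for the slot a given version belongs to.
# Prints nothing for slots the bug does not cover (for example 1.6.0.x).
fixed_version_for() {
    case "$1" in
        1.7.0.*) printf '%s\n' 1.7.0.76 ;;
        1.8.0.*) printf '%s\n' 1.8.0.31 ;;
        *)       printf '%s\n' "" ;;
    esac
}

# Print "vulnerable", "fixed" or "unknown" for one package version.
verdict() {
    fixed=$(fixed_version_for "$1")
    if [ -z "$fixed" ]; then
        printf '%s\n' unknown
    elif [ "$(vercmp "$1" "$fixed")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# Read installed package directory names (as listed by
# `ls /var/db/pkg/dev-java`) from stdin, one per line, and print
# "<name> <version> <verdict>" for every oracle-jre-bin / oracle-jdk-bin entry.
scan() {
    while IFS= read -r pkg; do
        case "$pkg" in
            oracle-jre-bin-*|oracle-jdk-bin-*) ;;
            *) continue ;;
        esac
        name="${pkg%-[0-9]*}"       # strip "-<version>" (first "-digit" from the right)
        ver="${pkg#"$name"-}"
        ver="${ver%-r[0-9]*}"       # drop a Gentoo revision suffix such as -r1
        printf '%s %s %s\n' "$name" "$ver" "$(verdict "$ver")"
    done
}

# Constructed sample input, not real system output. On a live host use:
#   ls /var/db/pkg/dev-java | scan
sample='oracle-jdk-bin-1.7.0.60
oracle-jdk-bin-1.7.0.76
oracle-jre-bin-1.8.0.25
oracle-jre-bin-1.8.0.31-r1
unrelated-pkg-1.0'
printf '%s\n' "$sample" | scan
```

On a real Gentoo system the authoritative check is glsa-check (from app-portage/gentoolkit) against GLSA 201507-14 once the GLSA is in the local tree; the script only reproduces the per-slot comparison the thread carries out by hand. Note that it reports oracle-jdk-bin-1.7.0.60 as vulnerable, which matches the final comments: that ebuild was missed in the cleanup and remained the only version keyworded for arm.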