
Bug 537940 (CVE-2014-6585)

Summary: <dev-java/icedtea{,-bin}-{6.1.13.7,7.2.5.5}: Multiple vulnerabilities (CVE-2014-{6585,6587,6591,6593,6601},CVE-2015-{0383,0395,0400,0407,0408,0412,5078})
Product: Gentoo Security
Reporter: Markus Hauschild <hauschild.markus>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: caster, gnu_andrew, java, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://blog.fuseyism.com/index.php/2015/01/23/security-icedtea-2-5-4-for-openjdk-7-released/
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description Markus Hauschild 2015-01-27 09:34:25 UTC
icedtea 2.5.4 has been released including several security bugfixes

Reproducible: Always
Comment 1 Sergey Popov gentoo-dev 2015-02-01 11:14:00 UTC
This is clearly a security issue

Not very familiar with Icedtea release cycle, so I can not say which of those CVEs affect the 1.6 branch of our icedtea packages
Comment 2 Agostino Sarubbo gentoo-dev 2015-02-02 12:00:34 UTC
(In reply to Sergey Popov from comment #1)
> This is clearly a security issue
> 
> Not very familiar with Icedtea release cycle, so I can not say which of
> those CVEs affect the 1.6 branch of our icedtea packages

yes, http://blog.fuseyism.com/index.php/2015/01/26/security-icedtea-1-13-6-for-openjdk-6-released/
Comment 3 Andrew John Hughes 2015-02-02 22:21:07 UTC
Updated ebuilds have been in java overlay since 23/01 (2.5.4) and 26/01 (1.13.6).
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-22 20:42:56 UTC
@maintainers: Any movement on this?
Comment 5 James Le Cuirot gentoo-dev 2015-05-10 22:45:54 UTC
Right, no doubt you all saw the massive bug-close-fest that just went on. I know I wasn't supposed to close those but the situation was getting both ridiculous and confusing. Sorry if this messes things up with the GLSAs but it was a bit late to send them now. I've just spoken to keytoaster and he said it's cool.

So there are still a few left and it would be great to be able to close those too. Both icedtea and icedtea-bin have now been updated to the latest versions and these should be free of any vulnerabilities reported to date.

The older icedtea-bin versions have been kept as they are currently stable. They can go as soon as the latest ones are marked stable.

icedtea is trickier as keywording is required for arm, ia64, ppc, and ppc64. I can deal with ppc and ppc64. I might be able to deal with arm but maybe not for a while. Someone else will need to address ia64.
Comment 6 James Le Cuirot gentoo-dev 2015-06-11 22:26:54 UTC
Time for an update.

- The latest icedtea 6 and 7 have been keyworded for ~ppc.
- The latest icedtea 7 has been keyworded for ~arm.
- icedtea-bin builds have been added for ~ppc and ~arm.
- We are dropping ia64 entirely but I lack time to do the mass unkeywording now.
- ppc64 is proving problematic. I'll come back to that.

Because of the last 2 points, I can't drop the vulnerable icedtea versions yet. However I can drop the vulnerable icedtea-bin versions if we stabilise for amd64 and x86. I would also like it stabilised for ppc so that ibm-(jdk|jre)-bin can eventually be dropped. No action is necessary for arm at the moment as it has never had a stable VM.

Arch teams, please do your thing.
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-13 10:35:17 UTC
Please clearly state which packages should go stable on which arches.
Comment 8 James Le Cuirot gentoo-dev 2015-06-13 11:24:08 UTC
(In reply to Agostino Sarubbo from comment #7)
> Please clearly state which packages should go stable on which arches.

Sorry, here you go.

dev-java/icedtea-bin 6.1.13.7, 7.2.5.5: amd64 ppc x86
dev-java/icedtea-sound 1.0.1: amd64 ppc x86
dev-java/icedtea-web 1.5.1-r1: ppc
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-13 11:43:33 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-13 11:44:00 UTC
amd64 stable
Comment 11 James Le Cuirot gentoo-dev 2015-06-13 14:54:39 UTC
If you want to test icedtea-web on a remote machine properly (thinking PPC here) then I was able to fire up sshd in a chroot on a non-standard port, use some port forwarding trickery to log in with X11 forwarding enabled and run itweb-settings as well as javaws. The latter allows you to run an applet without needing a whole browser.
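The remote-testing setup described in comment 11, written out as an added example; it is not part of the bug report or of the icedtea-web project. The chroot path, the port, the login name, the config file name and the JNLP path are assumptions. It starts a second sshd inside the chroot on a non-standard port, reaches it through the host's regular sshd with a local port forward, and then runs javaws (or itweb-settings) over X11 forwarding:

```shell
#!/bin/sh
# Added example, not from the bug report: test icedtea-web inside a chroot on a
# remote machine by starting a second sshd in that chroot on a non-standard port,
# reaching it through the host's normal sshd with a local port forward, and
# running itweb-settings / javaws over X11 forwarding.
# CHROOT, PORT, REMOTE, the config file name and the JNLP path are assumptions.

CHROOT="${CHROOT:-/srv/ppc-chroot}"      # assumed: chroot holding the candidate icedtea-web
PORT="${PORT:-2222}"                     # assumed: port for the chroot's own sshd
REMOTE="${REMOTE:-tester@ppc-box}"       # assumed: login on the host's regular sshd

# sshd_config for the chroot instance. It listens only on loopback, so the
# extra daemon is reachable solely through the forwarded port, and it enables
# X11 forwarding, which itweb-settings and javaws need to open their windows.
chroot_sshd_config() {
    printf '%s\n' \
        "Port $1" \
        "ListenAddress 127.0.0.1" \
        "PidFile /run/sshd-chroot.pid" \
        "X11Forwarding yes" \
        "X11UseLocalhost yes" \
        "PasswordAuthentication no"
}

# Run on the remote host as root: write the config into the chroot, make sure
# host keys exist there (ssh-keygen -A creates any that are missing) and start
# the daemon. openssh and xauth must be installed inside the chroot.
start_chroot_sshd() {
    chroot_sshd_config "$PORT" > "$CHROOT/etc/ssh/sshd_config.test"
    chroot "$CHROOT" ssh-keygen -A
    chroot "$CHROOT" /usr/sbin/sshd -f /etc/ssh/sshd_config.test
}

# Build the command line run from the tester's workstation: forward local PORT
# through the host's regular sshd to the chroot sshd on loopback, then log into
# the chroot with untrusted X11 forwarding (-X) and run PROGRAM there.
# Arguments: port remote program [args...]; the user name is taken from remote.
remote_x11_cmd() {
    _port=$1
    _remote=$2
    _user=${_remote%%@*}
    shift 2
    printf 'ssh -f -N -L %s:127.0.0.1:%s %s && ssh -X -p %s %s@127.0.0.1 %s\n' \
        "$_port" "$_port" "$_remote" "$_port" "$_user" "$*"
}

# Only act when explicitly asked; sourcing this file just defines the functions.
case "${1:-}" in
    start) start_chroot_sshd ;;
    cmd)   remote_x11_cmd "$PORT" "$REMOTE" javaws /tmp/test.jnlp ;;   # assumed JNLP path
esac
```

`-X` asks for untrusted X11 forwarding, which confines the remote client with the X SECURITY extension; that is what you want when the program being exercised is an applet you do not trust. Some distributions set ForwardX11Trusted yes in ssh_config, which turns `-X` into the equivalent of `-Y`, so check `ssh -G <host> | grep forwardx11trusted` before relying on it. Binding the chroot sshd to 127.0.0.1 keeps the extra, loosely configured daemon off the network; only the forwarded port reaches it.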
Comment 12 Andrew John Hughes 2015-06-22 23:48:00 UTC
*** Bug 546702 has been marked as a duplicate of this bug. ***
Comment 13 Agostino Sarubbo gentoo-dev 2015-06-24 10:55:55 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 James Le Cuirot gentoo-dev 2015-06-24 11:04:15 UTC
Another update on the non-bin situation. icedtea-7 hasn't been fixed on ppc64 yet but the pre-release for icedtea-3 (Java 8) is looking promising. I've also cleared almost all of the items blocking me from dropping ia64.
Comment 15 James Le Cuirot gentoo-dev 2015-06-28 23:00:47 UTC
The vulnerable -bin versions have now been removed. For non-bin, I still need to drop ia64 but gnu_andrew is going to look into the ppc64 issue next week.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-06-29 21:04:56 UTC
Thank you for the update.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-06-29 21:05:33 UTC
GLSA Vote: Yes
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2015-06-29 21:11:38 UTC
CVE-2015-5078 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5078):
  SQL injection vulnerability in the insert function in
  application/controllers/admin/dataentry.php in LimeSurvey 2.06+ allows
  remote authenticated users to execute arbitrary SQL commands via the
  closedate parameter.

CVE-2015-0412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality, integrity, and availability via
  vectors related to JAX-WS.

CVE-2015-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality, integrity, and
  availability via vectors related to RMI.

CVE-2015-0407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality via unknown vectors
  related to Swing.

CVE-2015-0400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality via unknown vectors related to
  Libraries.

CVE-2015-0395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2015-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25;
  Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local
  users to affect integrity and availability via unknown vectors related to
  Hotspot.

CVE-2014-6601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Hotspot.

CVE-2014-6593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25;
  Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote
  attackers to affect confidentiality and integrity via vectors related to
  JSSE.

CVE-2014-6591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591):
  Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75,
  6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via
  unknown vectors related to 2D, a different vulnerability than CVE-2014-6585.

CVE-2014-6587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  local users to affect confidentiality, integrity, and availability via
  unknown vectors related to Libraries.

CVE-2014-6585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality via unknown vectors
  related to 2D, a different vulnerability than CVE-2014-6591.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 12:49:35 UTC
Please Cleanup:
= dev-java/icedtea
6.1.13.5, 7.2.4.8
Comment 20 James Le Cuirot gentoo-dev 2015-07-11 11:02:11 UTC
ia64 has been dropped so 7.2.4.8 has now gone. Waiting to hear from gnu_andrew on the ppc64 issue before removing 6.1.13.5.
Comment 21 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-07-16 14:44:00 UTC
GLSA Vote: Yes

New request filed
Comment 22 Andrew John Hughes 2015-07-17 01:22:06 UTC
What is the ppc64 issue with relation to 6? I'm only aware of issues with 7.

Note that the next batch of security updates - 1.13.8 & 2.5.6/2.6.1 will be out within the next week.
Comment 23 James Le Cuirot gentoo-dev 2015-07-17 07:44:00 UTC
(In reply to Andrew John Hughes from comment #22)
> What is the ppc64 issue with relation to 6? I'm only aware of issues with 7.

The problem is that I can't drop that version without something to replace it with. In truth, I could keyword the latest 6 but I had wanted to drop 6 now that 7 has HotSpot. It works much better. If a fix is proving elusive then I'll bite the bullet. I would have done it by now but I've been away.
Comment 24 James Le Cuirot gentoo-dev 2015-07-21 22:12:31 UTC
Upstream haven't been able to resolve the ppc64 issue so I've bitten the bullet and keyworded 6.1.13.7 whilst dropping 6.1.13.5. Sorry it took so long. Security team, please close this out now.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 23:41:03 UTC
This issue was resolved and addressed in
 GLSA 201603-14 at https://security.gentoo.org/glsa/201603-14
by GLSA coordinator Kristian Fiskerstrand (K_F).