Bug 572716

Summary: <dev-java/icedtea{,-bin}-7.2.6.4: Multiple vulnerabilities (CVE-2016-{0402,0448,0466,0483,0494})
Product: Gentoo Security
Reporter: James Le Cuirot <chewi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://blog.fuseyism.com/index.php/2016/01/21/security-icedtea-2-6-4-for-openjdk-7-released/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description James Le Cuirot gentoo-dev 2016-01-23 19:27:38 UTC
I'm going to bump icedtea and icedtea-bin now. icedtea doesn't get marked stable so the vulnerable versions will be cleared immediately.
Comment 1 James Le Cuirot gentoo-dev 2016-01-23 22:48:55 UTC
amd64 and x86 arch teams, please stabilise:
dev-java/icedtea-bin-7.2.6.4
Comment 2 Agostino Sarubbo gentoo-dev 2016-01-24 16:21:54 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2016-01-24 16:22:19 UTC
x86 stable.

Maintainer(s), please clean up.
Comment 4 James Le Cuirot gentoo-dev 2016-01-24 17:44:23 UTC
Thanks ago! Old removed. Security team, please continue.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-09 13:31:48 UTC
Added to existing GLSA request.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-09 13:39:46 UTC
None of these apply to Java:

CVE-2015-{7575,8126,8472}
Comment 7 James Le Cuirot gentoo-dev 2016-03-09 13:59:49 UTC
(In reply to Aaron Bauman from comment #6)
> None of these apply to Java:
> 
> CVE-2015-{7575,8126,8472}

They were mentioned in gnu_andrew's blog post in contexts relating to Java. I'm not sure how CVE-2015-{8126,8472} applies as libpng is used but not bundled. Regarding CVE-2015-7575, it says "further reduce use of MD5" which is presumably an attempt to mitigate the issue.
Comment 8 Patrice Clement gentoo-dev 2016-03-09 14:59:45 UTC
Typo in the bug report title.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 23:41:34 UTC
This issue was resolved and addressed in
GLSA 201603-14 at https://security.gentoo.org/glsa/201603-14
by GLSA coordinator Kristian Fiskerstrand (K_F).