Bug 606118 (CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289)

Summary: dev-java/oracle-jdk-bin - dev-java/oracle-jre-bin: multiple vulnerabilities (CPUJAN2017)
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: ap, ercpe, himbeere, java, mrueg
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA
Whiteboard: A2 [glsa cve]
Package list:
=dev-java/oracle-jdk-bin-1.8.0.121 amd64 x86 =dev-java/oracle-jre-bin-1.8.0.121 amd64 x86
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-17 21:09:58 UTC
$URL is still the pre-release announcement, but the final versions (8u121) are out:

This Critical Patch Update contains 17 new security fixes for Oracle Java SE. 16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 9.6

http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
Comment 1 Agostino Sarubbo gentoo-dev 2017-01-18 11:43:57 UTC
Thomas, in the past it happened that with the {jdk,jre} form, people fail to search and they file duplicates. Let's specify the entire package names just for the oracle jdk/jre cases.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-18 16:15:58 UTC
Advisory is now published.
Comment 3 James Le Cuirot gentoo-dev 2017-01-23 23:02:51 UTC
Versions bumped. 1.8.0.111 has already been dropped. There is a single release including arm/arm64 this time. amd64 and x86 teams, please stabilize.
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-24 08:39:21 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-24 08:39:51 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 James Le Cuirot gentoo-dev 2017-01-24 12:42:47 UTC
Old removed. Security team, please continue.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-24 16:46:42 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-01-25 13:12:02 UTC
This issue was resolved and addressed in
 GLSA 201701-65 at https://security.gentoo.org/glsa/201701-65
by GLSA coordinator Thomas Deutschmann (whissi).
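The package list above names 1.8.0.121 as the fixed version of dev-java/oracle-jdk-bin and dev-java/oracle-jre-bin. The following script is an added example, not part of this bug or of GLSA 201701-65: it compares an installed version against that threshold, component by component, ignoring a Gentoo -rN revision suffix. The package atoms it reads are constructed sample input in the shape of `qlist -Iv` output (app-portage/portage-utils), not data from any real system; the helper names vercmp, is_affected and classify are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug or the GLSA): flag installed
# dev-java/oracle-jdk-bin / dev-java/oracle-jre-bin versions older than
# 1.8.0.121, the fixed version listed in the bug's package list.

FIXED_VERSION="1.8.0.121"

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B. Versions are compared as
# dot-separated integers; missing trailing components count as 0 and a
# Gentoo revision suffix such as -r1 is ignored (sufficient for these
# release versions, not a full Portage version comparison).
vercmp() {
    a="${1%%-r*}"; b="${2%%-r*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca="${a%%.*}"; cb="${b%%.*}"
        : "${ca:=0}"; : "${cb:=0}"
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# is_affected VERSION: exit 0 when VERSION is older than FIXED_VERSION.
is_affected() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# classify ATOM: print a verdict for a category/package-version atom.
# Only the two Oracle packages this bug covers are judged.
classify() {
    atom="$1"
    pkg="${atom%-[0-9]*}"      # drop "-<version>" (shortest suffix starting with -digit)
    ver="${atom#"$pkg"-}"
    case "$pkg" in
        dev-java/oracle-jdk-bin|dev-java/oracle-jre-bin) ;;
        *) printf '%s: not covered by this bug\n' "$atom"; return 0 ;;
    esac
    if is_affected "$ver"; then
        printf '%s: VULNERABLE (update to >=%s)\n' "$atom" "$FIXED_VERSION"
    else
        printf '%s: fixed\n' "$atom"
    fi
}

# Constructed sample standing in for `qlist -Iv dev-java/` output.
SAMPLE='dev-java/oracle-jdk-bin-1.8.0.111
dev-java/oracle-jre-bin-1.8.0.121
dev-java/oracle-jdk-bin-1.8.0.121-r1
dev-java/icedtea-bin-3.3.0'

printf '%s\n' "$SAMPLE" | while IFS= read -r atom; do
    classify "$atom"
done
```

On a real Gentoo system the sample would be replaced by `qlist -Iv dev-java/oracle-` piped into the same loop; the comparison is deliberately numeric-only, so a version string with letters (for instance a _p or _rc suffix) would need Portage's own comparison rather than this helper.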