Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 421073 - <app-emulation/emul-linux-x86-java-1.6.0.33-r1; <dev-java/sun-{jdk,jre-bin}-1.6.0.33-r1; <dev-java/oracle-{jdk,jre}-bin-1.7.0.5-r1 - multiple vulnerabilities (CVE-2012-{1711,1713,1716,1717,1718,1719,1721,1722,1723,1724,1725,1726})
Summary: <app-emulation/emul-linux-x86-java-1.6.0.33-r1; <dev-java/sun-{jdk,jre-bin}-1...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/top...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-14 08:53 UTC by Ralph Sennhauser (RETIRED)
Modified: 2014-01-27 01:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Sennhauser (RETIRED) gentoo-dev 2012-06-14 08:53:48 UTC
See URL.

A full round of bumps will follow.
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2012-06-14 10:08:54 UTC
Version bumps are now in tree:

* app-emulation/emul-linux-x86-java-1.6.0.33
* dev-java/sun-jdk-1.6.0.33
* dev-java/sun-jre-bin-1.6.0.33
* dev-java/oracle-jdk-bin-1.7.0.5
* dev-java/oracle-jre-bin-1.7.0.5


The following need to be stabilized:

=app-emulation/emul-linux-x86-java-1.6.0.33  (amd64)
=dev-java/sun-jdk-1.6.0.33                   (amd64, x86)
=dev-java/sun-jre-bin-1.6.0.33               (amd64, x86)

As x86 accidentally stabilized oracle-{jdk,jre}-bin the following need to be stabilized on x86 as well:

=dev-java/oracle-jdk-bin-1.7.0.5             (x86)
=dev-java/oracle-jre-bin-1.7.0.5             (x86)
Comment 2 Agostino Sarubbo gentoo-dev 2012-06-15 09:58:49 UTC
amd64 stable
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-09 07:02:32 UTC
Stabilising =dev-java/java-sdk-docs-1.7.0.4 on x86 as well as it's required by =dev-java/oracle-jdk-bin-1.7.0.5[doc]
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-09 07:16:42 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-07-09 08:36:06 UTC
@security: please vote
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-07-11 22:41:36 UTC
CVE-2012-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier allows remote attackers to affect
  confidentiality and integrity via unknown vectors related to Libraries.

CVE-2012-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update
  35 and earlier allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to Hotspot.

CVE-2012-1724 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows
  remote attackers to affect availability, related to JAXP.

CVE-2012-1723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35
  and earlier, and 1.4.2_37 and earlier allows remote attackers to affect
  confidentiality, integrity, and availability via unknown vectors related to
  Hotspot.

CVE-2012-1722 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment, a different vulnerability than
  CVE-2012-1721.

CVE-2012-1721 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment, a different vulnerability than
  CVE-2012-1722.

CVE-2012-1719 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35
  and earlier, and 1.4.2_37 and earlier allows remote attackers to affect
  integrity, related to CORBA.

CVE-2012-1718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35
  and earlier, and 1.4.2_37 and earlier allows remote attackers to affect
  availability via unknown vectors related to Security.

CVE-2012-1717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35
  and earlier, and 1.4.2_37 and earlier allows local users to affect
  confidentiality via unknown vectors related to printing on Solaris or Linux.

CVE-2012-1716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update
  35 and earlier allows remote attackers to affect confidentiality, integrity,
  and availability via unknown vectors related to Swing.

CVE-2012-1713 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35
  and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote
  attackers to affect confidentiality, integrity, and availability via unknown
  vectors related to 2D.

CVE-2012-1711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711):
  Unspecified vulnerability in the Java Runtime Environment (JRE) component in
  Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35
  and earlier, and 1.4.2_37 and earlier allows remote attackers to affect
  confidentiality, integrity, and availability, related to CORBA.
Comment 7 Sean Amoss gentoo-dev Security 2012-07-11 22:43:42 UTC
Thanks, everyone. 

Added to existing GLSA request.
Comment 8 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2012-07-12 20:33:16 UTC
x86 please stabilize again, dev-java/oracle-{jdk,jre}-bin-1.7.0.5-r1

Upstream silently changed contents of the distfiles so I did a revbump to better be sure everyone gets this. Could be related to security, but no idea :(

changing bug summary to -r1 as well
Comment 9 Ralph Sennhauser (RETIRED) gentoo-dev 2012-07-13 16:05:10 UTC
(In reply to comment #8)
> x86 please stabilize again, dev-java/oracle-{jdk,jre}-bin-1.7.0.5-r1
> 
> Upstream silently changed contents of the distfiles so I did a revbump to
> better be sure everyone gets this. Could be related to security, but no idea
> :(
> 
> changing bug summary to -r1 as well

Same for java 6, arch teams please also stabilize:

=app-emulation/emul-linux-x86-java-1.6.0.33-r1  (amd64)
=dev-java/sun-jdk-1.6.0.33-r1                   (amd64, x86)
=dev-java/sun-jre-bin-1.6.0.33-r1               (amd64, x86)

Thanks.
Comment 10 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-14 21:07:09 UTC
x86 stable
Comment 11 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-07-28 16:52:31 UTC
amd64: ok (for packages bellow)

=dev-java/oracle-{jdk,jre}-bin-1.7.0.5-r1
=dev-java/sun-{jdk,jre}-1.6.0.33-r1

can't test emul-linux-.. package, I switched my boxes to nomultilib due to some problems on hardened. Also, there are some problems on hardened that r2 supposedly fix (pax marking), wouldn't it be worth to stabilize r2 instead?
This may have been fixed already in eclass, see #427642
Comment 12 Agostino Sarubbo gentoo-dev 2012-08-03 13:53:58 UTC
amd64 stable
Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-08-03 16:25:28 UTC
GLSA together with #404071
Comment 14 erik falor 2012-08-16 16:10:02 UTC
The bundle jre-6u33-linux-i586.bin is no longer available from http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html.  That URL provides now jre-6u34-linux-i586.bin.

In fact, I cannot find any downloadables for Java 6 update 33 at the Java 6 SE archives at http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html.  The latest update available is 32.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2012-08-16 16:27:52 UTC
(In reply to comment #14)
> The bundle jre-6u33-linux-i586.bin is no longer available from
> http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-
> 1637595.html.  That URL provides now jre-6u34-linux-i586.bin.
> 
> In fact, I cannot find any downloadables for Java 6 update 33 at the Java 6
> SE archives at
> http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-
> downloads-javase6-419409.html.  The latest update available is 32.

Erik, this looks be bug 431492.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 01:27:41 UTC
This issue was resolved and addressed in
 GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml
by GLSA coordinator Sean Amoss (ackle).