Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 473980 - <dev-java/oracle-{jdk,jre}-bin-1.7.0.25 - Version bump to correct 40 CVE security vulnerabilities (CVE-2013-{1500,1571,2400,2407,2412,2437,2442,...,2473,3743,3744})
Summary: <dev-java/oracle-{jdk,jre}-bin-1.7.0.25 - Version bump to correct 40 CVE secu...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
: 435644 473792 (view as bug list)
Depends on: 499082
Blocks:
  Show dependency tree
 
Reported: 2013-06-21 05:44 UTC by Hypnos
Modified: 2014-01-29 22:55 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-22 12:57:43 UTC
According to your second link, for reference if it dies:

CVE-2013-1500, CVE-2013-1571, CVE-2013-2400, CVE-2013-2407, CVE-2013-2412, CVE-2013-2437, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2462, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2467, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-3744

Here we go:

+  22 Jun 2013; Tom Wijsman <TomWij@gentoo.org> +oracle-jre-bin-1.7.0.25.ebuild:
+  Version bump to 1.7.0.25 for security bug #473980 reported by Hypnos, fixes 40
+  CVEs.

x86 arch team, please stabilize such that we can remove the older versions.
Comment 2 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-22 13:11:32 UTC
*** Bug 473792 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Prieß 2013-06-22 15:48:48 UTC
This is not just the JRE, dev-java/oracle-jdk-bin is also affected, but not mentioned here (the duplicate was about the JDK).

So, since the ebuild for the JDK is not yet updated in the tree - please add the JDK to this bug and update to 1.7.25 also.
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-22 18:00:49 UTC
(In reply to Andreas Prieß from comment #3)
> This is not just the JRE, dev-java/oracle-jdk-bin is also affected, but not
> mentioned here (the duplicate was about the JDK).
> 
> So, since the ebuild for the JDK is not yet updated in the tree - please add
> the JDK to this bug and update to 1.7.25 also.

Done, was distracted after doing the docs and then having to download all the required file for manifesting.

+  22 Jun 2013; Tom Wijsman <TomWij@gentoo.org> +oracle-jdk-bin-1.7.0.25.ebuild,
+  oracle-jdk-bin-1.7.0.17.ebuild, oracle-jdk-bin-1.7.0.21.ebuild:
+  Version bump to 1.7.0.25 for security bug #473980 reported by Hypnos, fixes 40
+  CVEs.

Stabilization can now continue.
Comment 5 Andreas Schürch gentoo-dev 2013-06-26 08:01:31 UTC
x86 stable, thanks.
Comment 6 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-26 16:02:47 UTC
*** Bug 435644 has been marked as a duplicate of this bug. ***
Comment 7 Chris Reffett gentoo-dev Security 2013-06-28 20:55:16 UTC
The exact details of the compromise are not published, but several of the CVEs use the phrase "unauthorized Operating System takeover including arbitrary code execution," which I believe means "remote active compromise."
Comment 8 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-29 10:15:09 UTC
Yes, amd64, feel free to proceed stabilization; as you requested in bug #435644.
Comment 9 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-06-29 16:39:19 UTC
+  29 Jun 2013; Tom Wijsman <TomWij@gentoo.org> java-sdk-docs-1.7.0.25.ebuild:
+  Stabilized 1.7.0.25 for oracle-jdk-bin and oracle-jre-bin. Permitted by ago.

+  29 Jun 2013; Tom Wijsman <TomWij@gentoo.org> -oracle-jdk-bin-1.7.0.17.ebuild,
+  -oracle-jdk-bin-1.7.0.21.ebuild, oracle-jdk-bin-1.7.0.25.ebuild:
+  Drop old insecure versions; stabilized 1.7.0.25 after building, testing and
+  running some Java software. Permitted by ago.

+  29 Jun 2013; Tom Wijsman <TomWij@gentoo.org> -oracle-jre-bin-1.7.0.17.ebuild,
+  -oracle-jre-bin-1.7.0.21.ebuild, oracle-jre-bin-1.7.0.25.ebuild:
+  Drop old insecure versions; stabilized 1.7.0.25 after building, testing and
+  running some Java software. Permitted by ago.
Comment 10 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-09-11 13:51:41 UTC
The version bumped here can no longer be fetched, see "See Also" for the status of the version bump towards the next version (.25 -> .40).
Comment 11 Maciej Mrozowski gentoo-dev 2013-09-13 20:24:22 UTC
Hmm, what about virtual/jdk-1.7? Should go stable on mentioned archs as well?
Comment 12 Sean Amoss gentoo-dev Security 2013-09-30 23:48:44 UTC
Maintainers, it looks like app-emulation/emul-linux-x86-java is also affected by these vulnerabilities. What are the plans with this package? p.mask?
Comment 13 Sean Amoss gentoo-dev Security 2013-10-10 12:12:55 UTC
(In reply to Sean Amoss from comment #12)
> Maintainers, it looks like app-emulation/emul-linux-x86-java is also
> affected by these vulnerabilities. What are the plans with this package?
> p.mask?

java, multilib: ping ^
Comment 14 Pacho Ramos gentoo-dev 2013-10-10 17:05:10 UTC
the old-style emul set for java was always handled by java team
Comment 15 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-01-23 23:04:09 UTC
+  23 Jan 2014; Tom Wijsman <TomWij@gentoo.org>
+  +emul-linux-x86-java-1.7.0.51.ebuild, +files/emul-linux-x86-java-1.7.env-r1:
+  Version bump to 1.7.0.51 for security bug #473980.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 01:28:21 UTC
This issue was resolved and addressed in
 GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 17 Sean Amoss gentoo-dev Security 2014-01-29 22:55:58 UTC
All done here.