Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 546678 - <dev-java/oracle-{jdk,jre}-bin-{1.7.0.80, 1.8.0.45}: Multiple vulnerabilities (CVE-2015-{0458,0459,0460,0469,0470,0477,0478,0480,0484,0486,0488,0491,0492})
Summary: <dev-java/oracle-{jdk,jre}-bin-{1.7.0.80, 1.8.0.45}: Multiple vulnerabilities...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://blogs.oracle.com/security/ent...
Whiteboard: A2 [glsa cve]
Keywords:
: 546888 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-04-15 20:57 UTC by Mike Limansky
Modified: 2016-03-12 12:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Limansky 2015-04-15 20:57:46 UTC
Oracle JRE/JDK 7u80 and 8u45 was released with fixes of critical security fixes. 
The list of vulnerability reports: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixJAVA

Reproducible: Always
Comment 1 James Le Cuirot gentoo-dev 2015-04-15 22:26:06 UTC
I've bumped v8. Someone else can waste their bandwidth on v7. :P
Comment 2 Agostino Sarubbo gentoo-dev 2015-04-17 08:10:25 UTC
*** Bug 546888 has been marked as a duplicate of this bug. ***
Comment 3 Patrice Clement gentoo-dev 2015-04-17 14:26:57 UTC
+*oracle-jdk-bin-1.7.0.80 (17 Apr 2015)
+
+  17 Apr 2015; Patrice Clement <monsieurp@gentoo.org>
+  +oracle-jdk-bin-1.7.0.80.ebuild:
+  Version bump. Fix security bug 546678.
+
Comment 4 Patrice Clement gentoo-dev 2015-04-17 14:43:50 UTC
+*oracle-jre-bin-1.7.0.80 (17 Apr 2015)
+
+  17 Apr 2015; Patrice Clement <monsieurp@gentoo.org>
+  +oracle-jre-bin-1.7.0.80.ebuild:
+  Version bump. Fix security bug 546678.
+
Comment 5 Patrice Clement gentoo-dev 2015-04-17 14:56:25 UTC
+*java-sdk-docs-1.7.0.80 (17 Apr 2015)
+
+  17 Apr 2015; Patrice Clement <monsieurp@gentoo.org>
+  +java-sdk-docs-1.7.0.80.ebuild:
+  Version bump. Fix security bug 546678.
+

As far as 1.7.0.80 is concerned, I think we're good.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-04-18 23:34:41 UTC
CVE-2015-0492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0492):
  Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and JavaFX
  2.2.76, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors, a different vulnerability than
  CVE-2015-0484.

CVE-2015-0491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0491):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40,
  and Java FX 2.2.76, allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to 2D, a different
  vulnerability than CVE-2015-0459.

CVE-2015-0488 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0488):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40,
  and JRockit R28.3.5, allows remote attackers to affect availability via
  vectors related to JSSE.

CVE-2015-0486 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0486):
  Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to
  affect confidentiality via unknown vectors related to Deployment.

CVE-2015-0484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0484):
  Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and Java FX
  2.2.76, allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors, a different vulnerability than
  CVE-2015-0492.

CVE-2015-0480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0480):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40
  allows remote attackers to affect integrity and availability via unknown
  vectors related to Tools.

CVE-2015-0478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0478):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40,
  and JRockit R28.3.5, allows remote attackers to affect confidentiality via
  vectors related to JCE.

CVE-2015-0477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0477):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40
  allows remote attackers to affect integrity via unknown vectors related to
  Beans.

CVE-2015-0470 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0470):
  Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to
  affect integrity via unknown vectors related to Hotspot.

CVE-2015-0469 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0469):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to 2D.

CVE-2015-0460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0460):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2015-0459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0459):
  Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40,
  and JavaFX 2.2.76, allows remote attackers to affect confidentiality,
  integrity, and availability via unknown vectors related to 2D, a different
  vulnerability than CVE-2015-0491.

CVE-2015-0458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0458):
  Unspecified vulnerability in in Oracle Java SE 6u91, 7u76, and 8u40 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-18 23:39:27 UTC
Arches, Thank you for your work.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 8 James Le Cuirot gentoo-dev 2015-04-19 12:12:00 UTC
Done.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-19 13:43:19 UTC
Maintainer(s), Thank you for you for cleanup.
Comment 10 James Le Cuirot gentoo-dev 2015-07-30 21:14:39 UTC
Ping! If you're going to do a GLSA for this one, you may want to handle it alongside the more recent vulnerability.
Comment 11 Patrice Clement gentoo-dev 2015-08-14 18:29:37 UTC
(In reply to James Le Cuirot from comment #10)
> Ping! If you're going to do a GLSA for this one, you may want to handle it
> alongside the more recent vulnerability.

ping^2
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-15 23:41:59 UTC
We will we bunch up as many vulnerabilities as possible.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:40:53 UTC
This issue was resolved and addressed in
 GLSA 201603-11 at https://security.gentoo.org/glsa/201603-11
by GLSA coordinator Kristian Fiskerstrand (K_F).