Researchers from Trend Micro found a new exploit hosted on some web servers on the Internet, which allows for arbitrary code execution (driven by download). 1.8.0.45 is affected, j{dk,re}-1.7* are not. While the payload being distributed is targeting Windows computers, it is unclear whether the vulnerability allowing for execution of arbitrary code exists in the JRE/JDK distribution for other OSes too, or not.
(In reply to Alexander Bezrukov from comment #0)
> Researchers from Trend Micro found a new exploit hosted on some web servers
> on the Internet, which allows for arbitrary code execution (driven by
> download). 1.8.0.45 is affected, j{dk,re}-1.7* are not. While the payload being
> distributed is targeting Windows computers, it is unclear whether the
> vulnerability allowing for execution of arbitrary code exists in the JRE/JDK
> distribution for other OSes too, or not.

Thanks for the report. Since this source (${URL}) is public, is there a reason for submitting it as a classified / restricted bug report? Or should this bug be made public?
(In reply to Kristian Fiskerstrand from comment #1)
> Thanks for the report. Since this source (${URL}) is public, is there a
> reason for submitting it as a classified / restricted bug report? Or should
> this bug be made public?

Perhaps it should be made public. AFAIK, there is no CVE assigned yet and Oracle is silent about this vulnerability. So by marking it private I shifted the responsibility for this to Gentoo security :)
(In reply to Alexander Bezrukov from comment #2)
> (In reply to Kristian Fiskerstrand from comment #1)
> > Thanks for the report. Since this source (${URL}) is public, is there a
> > reason for submitting it as a classified / restricted bug report? Or should
> > this bug be made public?
>
> Perhaps it should be made public. AFAIK, there is no CVE assigned yet and
> Oracle is silent about this vulnerability. So by marking it private I shifted
> the responsibility for this to Gentoo security :)

Thanks for the clarification. Since the source is public I'm lifting the restriction.
*** Bug 554930 has been marked as a duplicate of this bug. ***
This issue is addressed in java-8u51.
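A small check that a Gentoo admin could run to see whether an installed Oracle JDK/JRE still falls within the range discussed in this bug (1.8.0.45 reported affected, fixed in 8u51, 1.7.x reported unaffected). This is an added example, not code from the bug report or from Gentoo; it assumes that every 1.8.0 update below 51 should be treated as unpatched for this issue, and the `java -version` lines it parses are constructed samples.

```python
import re

# Update level at which the reporter says the issue is fixed (8u51).
FIXED_UPDATE = 51

# Matches both `java -version` style ("1.8.0_45") and Gentoo atom style
# ("1.8.0.45") version strings.
_JAVA_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[._](\d+)")


def parse_java_version(text):
    """Return (major, minor, patch, update) from `java -version` output or
    from a package atom such as dev-java/oracle-jdk-bin-1.8.0.51."""
    m = _JAVA_VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_unpatched(version):
    """True when the version is a 1.8.0 build older than update 51.

    Assumption (not stated in the bug): all 1.8.0 updates before 51 are
    treated as unpatched. 1.7.x is treated as unaffected, as reported.
    """
    major, minor, patch, update = version
    if (major, minor, patch) != (1, 8, 0):
        return False
    return update < FIXED_UPDATE


def check_java_version_output(output):
    """Parse the first version line of `java -version` output and report
    whether the installed runtime is still on an unpatched 1.8.0 update."""
    version = parse_java_version(output.splitlines()[0])
    return {"version": version, "unpatched": is_unpatched(version)}


if __name__ == "__main__":
    # Constructed sample of `java -version` output for an affected runtime.
    sample = ('java version "1.8.0_45"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_45-b14)\n')
    print(check_java_version_output(sample))
```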
*** Bug 555022 has been marked as a duplicate of this bug. ***
Please state the package name entirely or everyone will file a duplicate.
1.8u51 has been out for a while; when can we expect to see ebuilds? Thanks!
(In reply to wyvern5 from comment #8)
> 1.8u51 has been out for a while; when can we expect to see ebuilds? Thanks!

I was overseas for my grandfather's funeral when this came up. I have also taken the opportunity to address many issues with the current ebuild, some of which have resulted in bugs being filed. I have been working on it all week and hope to finish it tonight or tomorrow.
I think the ebuilds are ready now but there's been some USE flag changes that will require me to adjust several Portage profiles. They really need cleaning up anyway; several still refer to sun-jdk and sun-jre, for example. It's late now and I don't want to risk fucking this up so I'll wait till tomorrow.
*** Bug 556022 has been marked as a duplicate of this bug. ***
Job done. Arch teams, please stabilize:
dev-java/oracle-jdk-bin-1.8.0.51
dev-java/oracle-jre-bin-1.8.0.51
dev-java/java-sdk-docs-1.8.0.51
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Clean up done.
ping
Arches and Maintainer(s), thank you for your work. Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201603-11 at https://security.gentoo.org/glsa/201603-11 by GLSA coordinator Kristian Fiskerstrand (K_F).