From ${URL} :

Description

Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious, local users to manipulate certain data and cause a DoS (Denial of Service), by malicious users to manipulate certain data, and by malicious people to disclose sensitive information, manipulate certain data, cause a DoS, and compromise a vulnerable system.

For more information:
SA55631 (#1)
SA56116

1) An error within the 2D subcomponent of the client and server deployment can be exploited to execute arbitrary code.
2) An error within the Libraries subcomponent of the client and server deployment can be exploited to execute arbitrary code.
3) An error within the Hotspot subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
4) An error within the 2D subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
5) An error within the JavaFX subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
6) An error within the Hotspot subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
7) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
8) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
9) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
10) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
11) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to execute arbitrary code.
12) An error within the AWT subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
13) An error within the AWT subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
14) An error within the JAX-WS subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
15) An error within the JAX-WS subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
16) An error within the JAX-WS subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
17) An error within the JAXB subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
18) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
19) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
20) An error within the Security subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
21) An error within the Sound subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
22) An error within the JavaFX subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data and to cause a crash.
23) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose, update, insert, or delete certain data.
24) An error within the JNDI subcomponent of the client and server deployment can be exploited to disclose, update, insert, or delete certain data.
25) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.
26) An error within the JAXP subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.
27) An error within the 2D subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.
28) An error within the Scripting subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.
29) An error within the Scripting subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to disclose certain data.
30) An error within the 2D subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to cause a crash.
31) An error within the Libraries subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to update, insert, or delete certain data.
32) An error within the Security subcomponent of the client and server deployment can be exploited to disclose, update, insert, or delete certain data.
33) An error within the Javadoc subcomponent of the client and server deployment can be exploited to update, insert, or delete certain data.
34) An error within the Libraries subcomponent of the client and server deployment related to the unpack200 tool can be exploited to update, insert, or delete certain data and to cause a crash.
35) An error within the Deployment subcomponent of the client deployment can be exploited via untrusted Java Web Start applications and untrusted Java applets to update, insert, or delete certain data.

The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 51 and prior
* JDK and JRE 6 Update 71 and prior
* JDK and JRE 5 Update 61 and prior
* JDK and JRE 8

Solution:
Apply updates.

Further details available to Secunia VIM customers

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2014 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
+ 16 Apr 2014; Tom Wijsman <TomWij@gentoo.org> +oracle-jdk-bin-1.7.0.55.ebuild, + +oracle-jdk-bin-1.8.0.5.ebuild, -oracle-jdk-bin-1.8.0.0.ebuild, + oracle-jdk-bin-1.7.0.51-r1.ebuild: + Security version bumps to 1.7.0.55 and 1.8.0.5; fixes bug #507776 and bug + #507798, removed unstable versions from 1.7.0.51-r1, pending stabilization of + 1.7.0.55. Arches, please test and mark stable 1.7.0.55; then feel free to drop 1.7.0.51-r1. Target keywords: amd64 x86
*** Bug 507776 has been marked as a duplicate of this bug. ***
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
cleanup done.
CVE-2014-2428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2428): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2014-2427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2427): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound.

CVE-2014-2423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2423): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-0458.

CVE-2014-2422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2422): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and JavaFX 2.2.51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVE-2014-2421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2421): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2014-2420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2420): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2014-2414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2414): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXB.

CVE-2014-2413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2413): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect integrity via unknown vectors related to Libraries.

CVE-2014-2412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2412): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, SE 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-0451.

CVE-2014-2410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2410): Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.

CVE-2014-2409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2409): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment.

CVE-2014-2403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2403): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via vectors related to JAXP.

CVE-2014-2402 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2402): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-0455.

CVE-2014-2401 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2401): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality via unknown vectors related to 2D.

CVE-2014-2398 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2398): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JavaFX 2.2.51; and JRockit R27.8.1 and R28.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Javadoc.

CVE-2014-2397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2397): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2014-0464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0464): Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0463.

CVE-2014-0463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0463): Unspecified vulnerability in Oracle Java SE 8 allows remote attackers to affect confidentiality via unknown vectors related to Scripting, a different vulnerability than CVE-2014-0464.

CVE-2014-0461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0461): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2014-0460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0460): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via vectors related to JNDI.

CVE-2014-0459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0459): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect availability via unknown vectors related to 2D.

CVE-2014-0458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0458): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0452 and CVE-2014-2423.

CVE-2014-0457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0457): Unspecified vulnerability in Oracle Java SE 5.0u61, SE 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2014-0456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0456): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2014-0455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0455): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0432 and CVE-2014-2402.

CVE-2014-0454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0454): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security.

CVE-2014-0453 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0453): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security.

CVE-2014-0452 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0452): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS, a different vulnerability than CVE-2014-0458 and CVE-2014-2423.

CVE-2014-0451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0451): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT, a different vulnerability than CVE-2014-2412.

CVE-2014-0449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0449): Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

CVE-2014-0448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0448): Unspecified vulnerability in Oracle Java SE 7u51 and 8 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2014-0446 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0446): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2014-0432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0432): Unspecified vulnerability in Oracle Java SE 7u51 and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2014-0455 and CVE-2014-2402.

CVE-2014-0429 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0429): Unspecified vulnerability in Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201502-12 at http://security.gentoo.org/glsa/glsa-201502-12.xml by GLSA coordinator Kristian Fiskerstrand (K_F).