Bug 537214 (CVE-2015-0383) - <dev-java/oracle-{jre,jdk}-bin-{1.7.0.76,1.8.0.31}: multiple vulnerabilities (CVE-2014-{3566,6549,6585,6587,6591,6593,6601},CVE-2015-{0383,0395,0400,0403,0406,0407,0408,0410,0412,0413,0421})
Summary: <dev-java/oracle-{jre,jdk}-bin-{1.7.0.76,1.8.0.31}: multiple vulnerabilities ...
Status: RESOLVED FIXED
Alias: CVE-2015-0383
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/top...
Whiteboard: A2 [glsa cve]
Keywords:
Duplicates: 537576
Depends on:
Blocks:
 
Reported: 2015-01-21 09:37 UTC by Agostino Sarubbo
Modified: 2015-07-10 13:03 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Comment 1 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2015-01-23 17:58:27 UTC
+  23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  +oracle-jre-bin-1.7.0.76.ebuild:
+  Version bump of oracle-jre-bin:7 wrt bug #537214

+  23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  +oracle-jre-bin-1.8.0.31.ebuild:
+  Version bump of oracle-jre-bin:8 wrt bug #537214

+  23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  +oracle-jdk-bin-1.7.0.76.ebuild:
+  Version bump of oracle-jdk-bin:7 wrt bug #537214

+  23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  +oracle-jdk-bin-1.8.0.31.ebuild:
+  Version bump of oracle-jdk-bin:8 wrt bug #537214

+  23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> +java-sdk-docs-1.7.0.76.ebuild,
+  +java-sdk-docs-1.8.0.31.ebuild:
+  Version bump of java-sdk-docs wrt bug #537214

+  23 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  +emul-linux-x86-java-1.7.0.76.ebuild:
+  Version bump of emul-linux-x86-java wrt bug #537214

I hope I didn't forget anything.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-01-23 22:58:05 UTC
Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-23 23:07:47 UTC
CVE-2015-0421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0421):
  Unspecified vulnerability in Oracle Java SE 8u25 allows local users to
  affect confidentiality, integrity, and availability via unknown vectors
  related to the installation process.

CVE-2015-0413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0413):
  Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users
  to affect integrity via unknown vectors related to Serviceability.

CVE-2015-0412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality, integrity, and availability via
  vectors related to JAX-WS.

CVE-2015-0410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0410):
  Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit
  component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded
  7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to
  affect availability via unknown vectors related to Security.

CVE-2015-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality, integrity, and
  availability via vectors related to RMI.

CVE-2015-0407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality via unknown vectors
  related to Swing.

CVE-2015-0406 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0406):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality and availability via unknown
  vectors related to Deployment.

CVE-2015-0403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0403):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  local users to affect confidentiality, integrity, and availability via
  unknown vectors related to Deployment.

CVE-2015-0400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality via unknown vectors related to
  Libraries.

CVE-2015-0395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality, integrity, and
  availability via unknown vectors related to Hotspot.

CVE-2015-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25;
  Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local
  users to affect integrity and availability via unknown vectors related to
  Hotspot.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-23 23:11:49 UTC
CVE-2014-6601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  remote attackers to affect confidentiality, integrity, and availability via
  unknown vectors related to Hotspot.

CVE-2014-6593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25;
  Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote
  attackers to affect confidentiality and integrity via vectors related to
  JSSE.

CVE-2014-6591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591):
  Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75,
  6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via
  unknown vectors related to 2D, a different vulnerability than CVE-2014-6585.

CVE-2014-6587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587):
  Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows
  local users to affect confidentiality, integrity, and availability via
  unknown vectors related to Libraries.

CVE-2014-6585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585):
  Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25
  allows remote attackers to affect confidentiality via unknown vectors
  related to 2D, a different vulnerability than CVE-2014-6591.

CVE-2014-6549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6549):
  Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to
  affect confidentiality, integrity, and availability via unknown vectors
  related to Libraries.
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-24 18:50:17 UTC
*** Bug 537576 has been marked as a duplicate of this bug. ***
Comment 6 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2015-01-25 15:09:17 UTC
I would like to proceed here, but I'm now getting repoman warnings and have no idea how to resolve them:

app-emulation/emul-linux-x86-java/emul-linux-x86-java-1.7.0.76.ebuild: RDEPEND: >=media-libs/alsa-lib-1.0.27.2[abi_x86_32(-)], x11-libs/libX11[abi_x86_32(-)], x11-libs/libXext[abi_x86_32(-)], x11-libs/libXi[abi_x86_32(-)], x11-libs/libXrender[abi_x86_32(-)], x11-libs/libXtst[abi_x86_32(-)]

   dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~amd64(default/linux/uclibc/amd64) ['sys-libs/glibc']
   dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~x86(default/linux/uclibc/x86) ['sys-libs/glibc']
   dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~amd64(hardened/linux/uclibc/amd64) ['sys-libs/glibc']
   dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~x86(hardened/linux/uclibc/x86) ['sys-libs/glibc']
Comment 7 Agostino Sarubbo gentoo-dev 2015-01-28 10:40:26 UTC
(In reply to Johann Schmitz (ercpe) from comment #6)
> I would like to proceed here, but i'm now getting repoman warnings and have
> no idea how to resolve them:
> 
> app-emulation/emul-linux-x86-java/emul-linux-x86-java-1.7.0.76.ebuild:
> RDEPEND: >=media-libs/alsa-lib-1.0.27.2[abi_x86_32(-)],
> x11-libs/libX11[abi_x86_32(-)], x11-libs/libXext[abi_x86_32(-)],
> x11-libs/libXi[abi_x86_32(-)], x11-libs/libXrender[abi_x86_32(-)],
> x11-libs/libXtst[abi_x86_32(-)]
> 
>    dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~amd64(default/linux/uclibc/amd64) ['sys-libs/glibc']
>    dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~x86(default/linux/uclibc/x86) ['sys-libs/glibc']
>    dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~amd64(hardened/linux/uclibc/amd64) ['sys-libs/glibc']
>    dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND:
> ~x86(hardened/linux/uclibc/x86) ['sys-libs/glibc']

It works for me for the interested arches.
Comment 8 Agostino Sarubbo gentoo-dev 2015-01-28 10:41:37 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-01-28 10:42:11 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Johann Schmitz (ercpe) (RETIRED) gentoo-dev 2015-01-30 05:24:15 UTC
+  30 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  -oracle-jre-bin-1.7.0.71.ebuild, -oracle-jre-bin-1.7.0.72.ebuild,
+  -oracle-jre-bin-1.8.0.25.ebuild:
+  Dropped vulnerable versions (#537214)

+  30 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  -oracle-jdk-bin-1.7.0.71.ebuild, -oracle-jdk-bin-1.7.0.72.ebuild,
+  -oracle-jdk-bin-1.8.0.25.ebuild:
+  Removed vulnerable versions (#537214)

+  30 Jan 2015; Johann Schmitz <ercpe@gentoo.org> -java-sdk-docs-1.7.0.71.ebuild,
+  -java-sdk-docs-1.7.0.72.ebuild, -java-sdk-docs-1.8.0.25.ebuild:
+  Removed java-sdk-docs for dropped versions (#537214)

+  30 Jan 2015; Johann Schmitz <ercpe@gentoo.org>
+  -emul-linux-x86-java-1.7.0.71.ebuild, -emul-linux-x86-java-1.7.0.72.ebuild:
+  Removed vulnerable versions (#537214)
Cleanup done
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-02-01 02:43:24 UTC
oracle-jdk-bin-1.7.0.60.ebuild was missed on cleanup.
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-02 22:02:36 UTC
Maintainers, thank you for cleaning up.

A new GLSA has been filed by security.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-07-10 12:56:57 UTC
This issue was resolved and addressed in
 GLSA 201507-14 at https://security.gentoo.org/glsa/201507-14
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 14 James Le Cuirot gentoo-dev 2015-07-10 13:03:09 UTC
1.7.0.60 still hasn't been removed, though that's the only version available to arm. I was half thinking of removing it on the next Oracle bump because icedtea is now working well for arm.