625602 – (CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081, CVE-2017-10086, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10114, CVE-2017-10115, CVE-2017-10116, CVE-2017-10117, CVE-2017-10118, CVE-2017-10121, CVE-2017-10125, CVE-2017-10135, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243) <dev-java/oracle-{jdk,jre}-bin-1.8.0.141: Multiple vulnerabilities

Bug 625602 (CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081, CVE-2017-10086, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10114, CVE-2017-10115, CVE-2017-10116, CVE-2017-10117, CVE-2017-10118, CVE-2017-10121, CVE-2017-10125, CVE-2017-10135, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243) - <dev-java/oracle-{jdk,jre}-bin-1.8.0.141: Multiple vulnerabilities

Summary: <dev-java/oracle-{jdk,jre}-bin-1.8.0.141: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081, CVE-2017-10086, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10114, CVE-2017-10115, CVE-2017-10116, CVE-2017-10117, CVE-2017-10118, CVE-2017-10121, CVE-2017-10125, CVE-2017-10135, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:	http://www.oracle.com/technetwork/sec...
Whiteboard:	A2 [glsa cve]
Keywords:

Duplicates (1):	625628 (view as bug list)
Depends on:
Blocks:

Reported:	2017-07-19 08:26 UTC by Liferer
Modified:	2017-09-24 21:54 UTC (History)
CC List:	4 users (show)

See Also:
Package list:	=dev-java/oracle-jdk-bin-1.8.0.144 amd64 x86 =dev-java/oracle-jre-bin-1.8.0.144 amd64 x86
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Liferer 2017-07-19 08:26:27 UTC

New upatream release 8u141 with security fixes.

Comment 1 James Le Cuirot gentoo-dev

2017-07-19 13:15:03 UTC

*** Bug 625628 has been marked as a duplicate of this bug. ***

Comment 2 Volkan 2017-07-19 23:11:36 UTC

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA

CVE-2017-10053
CVE-2017-10067
CVE-2017-10074
CVE-2017-10078
CVE-2017-10081
CVE-2017-10086
CVE-2017-10087
CVE-2017-10089
CVE-2017-10090
CVE-2017-10096
CVE-2017-10101
CVE-2017-10102
CVE-2017-10105
CVE-2017-10107
CVE-2017-10108
CVE-2017-10109
CVE-2017-10110
CVE-2017-10111
CVE-2017-10114
CVE-2017-10115
CVE-2017-10116
CVE-2017-10117
CVE-2017-10118
CVE-2017-10121
CVE-2017-10125
CVE-2017-10135
CVE-2017-10176
CVE-2017-10193
CVE-2017-10198
CVE-2017-10243

Unsure about the below CVE numbers, they are for Java advanced management console, but is within the same Jave SE risk matrix.
CVE-2017-10104
CVE-2017-10145

Comment 3 Andreas Prieß 2017-07-20 01:10:40 UTC

Just a quick side note:

It would be helpful to keep it as a best practice, NOT to apply clever short forms for multiple packages in the bug summary.

It hides the bugs for searches coming from "Related Bugs" at
https://packages.gentoo.org/packages/dev-java/oracle-jdk-bin
in this case.

And how is one supposed to search for packages in bugs then anyway?

*dev*java*oracle*???*bin*

:-)

Thanks.

Comment 4 James Le Cuirot gentoo-dev

2017-07-20 20:05:29 UTC

Bumped. amd64 and x86 teams, please stabilize.

Comment 5 Pacho Ramos gentoo-dev

2017-07-21 08:57:03 UTC

amd64 stable

Comment 6 James Le Cuirot gentoo-dev

2017-07-26 22:37:21 UTC

Apologies to the amd64 team who have already stabilised 1.8.0.141 but Oracle have just put out another release one week later. It's not strictly a security release but we need to get this new one stabilised too because you need an account to download older releases.

Comment 7 Tobias Klausmann (RETIRED) gentoo-dev

2017-07-31 11:43:32 UTC

Stable on amd64.

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2017-08-18 20:26:10 UTC

x86 stable

Comment 9 James Le Cuirot gentoo-dev

2017-08-18 21:02:41 UTC

Old removed. Security team, do your thing.

Comment 10 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-09-17 20:47:25 UTC

GLSA Request filed.

Gentoo Security Padawan
ChrisADR

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2017-09-24 21:54:23 UTC

This issue was resolved and addressed in
 GLSA 201709-22 at https://security.gentoo.org/glsa/201709-22
by GLSA coordinator Aaron Bauman (b-man).