Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 606118 (CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289) - dev-java/oracle-jdk-bin - dev-java/oracle-jre-bin: multiple vulnerabilities (CPUJAN2017)
Summary: dev-java/oracle-jdk-bin - dev-java/oracle-jre-bin: multiple vulnerabilities (...
Status: RESOLVED FIXED
Alias: CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-17 21:09 UTC by Thomas Deutschmann
Modified: 2017-01-25 13:12 UTC (History)
5 users (show)

See Also:
Package list:
=dev-java/oracle-jdk-bin-1.8.0.121 amd64 x86 =dev-java/oracle-jre-bin-1.8.0.121 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-01-17 21:09:58 UTC
$URL is still pre release announcement but final versions (8u121) are out:

This Critical Patch Update contains 17 new security fixes for Oracle Java SE. 16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 9.6

http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
Comment 1 Agostino Sarubbo gentoo-dev 2017-01-18 11:43:57 UTC
Thomas, in the past happens that with the {jdk,jre} form, people file to search and thy file duplicates. Let's specify the entire package names just for oracle jkd/jre cases.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-01-18 16:15:58 UTC
Advisory is now published.
Comment 3 James Le Cuirot gentoo-dev 2017-01-23 23:02:51 UTC
Versions bumped. 1.8.0.111 has already been dropped. There is a single release including arm/arm64 this time. amd64 and x86 teams, please stabilize.
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-24 08:39:21 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-24 08:39:51 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 James Le Cuirot gentoo-dev 2017-01-24 12:42:47 UTC
Old removed. Security team, please continue.
Comment 7 Thomas Deutschmann gentoo-dev Security 2017-01-24 16:46:42 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-01-25 13:12:02 UTC
This issue was resolved and addressed in
 GLSA 201701-65 at https://security.gentoo.org/glsa/201701-65
by GLSA coordinator Thomas Deutschmann (whissi).