Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 661456 (CVE-2018-2938, CVE-2018-2940, CVE-2018-2941, CVE-2018-2952, CVE-2018-2964, CVE-2018-2972, CVE-2018-2973) - <dev-java/oracle-jdk-bin-1.8.0.181: <dev-java/oracle-jre-bin-1.8.0.181: Multiple vulnerabilities
Summary: <dev-java/oracle-jdk-bin-1.8.0.181: <dev-java/oracle-jre-bin-1.8.0.181: Multi...
Status: RESOLVED FIXED
Alias: CVE-2018-2938, CVE-2018-2940, CVE-2018-2941, CVE-2018-2952, CVE-2018-2964, CVE-2018-2972, CVE-2018-2973
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/sec...
Whiteboard: A2 [glsa+ cve]
Keywords:
: 661868 (view as bug list)
Depends on: 663566
Blocks:
  Show dependency tree
 
Reported: 2018-07-18 05:41 UTC by D'juan McDonald (domhnall)
Modified: 2019-03-14 01:45 UTC (History)
3 users (show)

See Also:
Package list:
dev-java/oracle-jdk-bin-1.8.0.181 amd64 x86 dev-java/oracle-jre-bin-1.8.0.181 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2018-07-18 05:41:12 UTC 
Oracle Java SE and JRockit are prone to a remote security vulnerability.

The vulnerability can be exploited over multiple protocols. This issue affects the 'Concurrency' component.

This vulnerability affects the following supported versions:
Java SE: 6u191, 7u181, 8u172, 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18 


@maintainer(s), not same as bug 653560

Gentoo Security Padawan
(domhnall)
Comment 2 D'juan McDonald (domhnall) 2018-07-19 01:18:10 UTC 
(In reply to Mike Limansky from comment #1)
>Shouldn't the versions be 10.0.2 and 8u181?

For affected? Not according to the CVEs on mitre. Unless I am missing something.
Comment 3 Mike Limansky 2018-07-19 12:40:33 UTC 
(In reply to D'juan McDonald (domhnall) from comment #2)
> (In reply to Mike Limansky from comment #1)
> >Shouldn't the versions be 10.0.2 and 8u181?
> 
> For affected? Not according to the CVEs on mitre. Unless I am missing
> something.

Sorry, I've misread the description.
Comment 4 Mike Limansky 2018-08-02 12:51:00 UTC 
I've just tested with copied ebuild from the previous version and it works fine for me.
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2018-08-05 12:50:09 UTC 
*** Bug 661868 has been marked as a duplicate of this bug. ***
Comment 6 Andreas Prieß 2018-08-05 15:01:30 UTC 
Sorry for the noise, but once again this bug can not easily be found since the package name is somewhat obscured.

You might save a few characters while typing, displaying this bug page or whatever by having the packages

dev-java/oracle-jdk-bin and
dev-java/oracle-jre-bin

shortened to dev-java/oracle-{jdk,jre}-bin.

But since the Bugzilla search does not resolve this to the actual package names bugs will often be missed, not only coming from "Related Bugs" at packages.gentoo.org:

https://packages.gentoo.org/packages/dev-java/oracle-jdk-bin

So you get duplicate bugs and many people wasting time and bandwidth until they finally find the correct bug for a small saving of what exactly?

tl;dr

Please, always write full package names in bug titles. Bugs will not be found otherwise. This was discussed before and considered best practice.

Thanks!
Comment 7 Guido Jäkel 2018-08-07 07:25:37 UTC 
(In reply to Mike Limansky from comment #4)
> I've just tested with copied ebuild from the previous version and it works
> fine for me.

I also just test this and confirm.
Comment 8 Larry the Git Cow gentoo-dev 2018-08-10 21:02:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f406fccb349764c34a993953abd0c052d603abd0

commit f406fccb349764c34a993953abd0c052d603abd0
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-10 20:55:48 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-10 21:02:13 +0000

    dev-java/oracle-jre-bin: Security bump to 1.8.0.181
    
    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 dev-java/oracle-jre-bin/Manifest                   |   2 +
 .../oracle-jre-bin/oracle-jre-bin-1.8.0.181.ebuild | 220 +++++++++++++++++++++
 2 files changed, 222 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d96a80b1a9d2af7f5ce9adacd463968f645e9653

commit d96a80b1a9d2af7f5ce9adacd463968f645e9653
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-10 20:49:51 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-10 21:02:11 +0000

    dev-java/oracle-jdk-bin: Security bump to 1.8.0.181
    
    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 dev-java/oracle-jdk-bin/Manifest                   |  14 +
 .../oracle-jdk-bin/oracle-jdk-bin-1.8.0.181.ebuild | 301 +++++++++++++++++++++
 2 files changed, 315 insertions(+)
Comment 9 James Le Cuirot gentoo-dev 2018-08-10 21:08:24 UTC 
I have dealt with Java 8. Java 9 is probably vulnerable already but there are issues blocking the addition of 10. Let's just focus on 8 here.
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-08-14 00:50:43 UTC 
amd64 stable
Comment 11 D'juan McDonald (domhnall) 2018-08-14 17:41:21 UTC 
@security, please update status to IN_P.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-16 00:40:51 UTC 
x86 stable
Comment 13 Larry the Git Cow gentoo-dev 2018-08-18 21:30:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=384d196024de436c1aae39431c010a6d112a95ce

commit 384d196024de436c1aae39431c010a6d112a95ce
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-18 21:30:11 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-18 21:30:11 +0000

    dev-java/oracle-jre-bin: Drop vulnerable 1.8.0.172
    
    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 dev-java/oracle-jre-bin/Manifest                   |   2 -
 .../oracle-jre-bin/oracle-jre-bin-1.8.0.172.ebuild | 220 ---------------------
 2 files changed, 222 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e6e5285f5bba1b9d640decf9f270e6e7fcebfe9

commit 7e6e5285f5bba1b9d640decf9f270e6e7fcebfe9
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-18 21:29:16 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-18 21:29:16 +0000

    dev-java/oracle-jdk-bin: Drop vulnerable 1.8.0.172
    
    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 dev-java/oracle-jdk-bin/Manifest                   |  14 -
 dev-java/oracle-jdk-bin/metadata.xml               |   1 -
 .../oracle-jdk-bin/oracle-jdk-bin-1.8.0.172.ebuild | 301 ---------------------
 3 files changed, 316 deletions(-)
Comment 14 Miroslav Šulc gentoo-dev 2019-01-17 08:47:22 UTC 
the affected versions are gone:

commit ed2e7d8db523186f340c4d9db762109bc37486f0 (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 09:44:59 2019 +0100

    dev-java/oracle-jre-bin-1.8.0.181: removed obsolete
    
    also per bug #668948, #661456 and #653560
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 9bd0311bf2956781e054945b1a6c925be085644f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 09:43:09 2019 +0100

    dev-java/oracle-jdk-bin-1.8.0.181: removed obsolete
    
    also per bug #668948, #661456 and #653560
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
Comment 15 Miroslav Šulc gentoo-dev 2019-01-17 08:48:49 UTC 
ah, sorry, i overlooked one digit :-) the commits are not related to this bug :-)
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:45:50 UTC 
This issue was resolved and addressed in
 GLSA 201903-14 at https://security.gentoo.org/glsa/201903-14
by GLSA coordinator Aaron Bauman (b-man).