ID

VAR-201510-0529

CVE

CVE-2015-4893

TITLE

Multiple Oracle Product denial of service vulnerability

DESCRIPTION

Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911. The vulnerability can be exploited over multiple protocols. This issue affects the 'JAXP' sub-component. The jessie update in DSA 3381 was built incorrectly, we apologise for the inconvenience. In addition the version number in jessie-security was lower than in wheezy-security which could result in upgrade problems during distribution updates. This has been fixed in 7u85-2.6.1-6~deb8u1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.1-ibm security update Advisory ID: RHSA-2015:2506-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2506.html Issue date: 2015-11-23 CVE Names: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-5006 ===================================================================== 1. Summary: Updated java-1.7.1-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64 3. Description: IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.7.1-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7R1 SR3-FP20 release. All running instances of IBM Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1233687 - CVE-2015-4806 OpenJDK: HttpURLConnection header restriction bypass (Libraries, 8130193) 1273022 - CVE-2015-4835 OpenJDK: insufficient permission checks in StubGenerator (CORBA, 8076383) 1273053 - CVE-2015-4843 OpenJDK: java.nio Buffers integer overflow issues (Libraries, 8130891) 1273304 - CVE-2015-4883 OpenJDK: incorrect access control context used in DGCClient (RMI, 8076413) 1273308 - CVE-2015-4860 OpenJDK: incorrect access control context used in DGCImpl (RMI, 8080688) 1273311 - CVE-2015-4805 OpenJDK: missing checks for proper initialization in ObjectStreamClass (Serialization, 8103671) 1273318 - CVE-2015-4844 ICU: missing boundary checks in layout engine (OpenJDK 2D, 8132042) 1273338 - CVE-2015-4840 OpenJDK: OOB access in CMS code (2D, 8086092) 1273414 - CVE-2015-4882 OpenJDK: incorrect String object deserialization in IIOPInputStream (CORBA, 8076387) 1273425 - CVE-2015-4842 OpenJDK: leak of user.dir location (JAXP, 8078427) 1273430 - CVE-2015-4734 OpenJDK: kerberos realm name leak (JGSS, 8048030) 1273496 - CVE-2015-4903 OpenJDK: insufficient proxy class checks in RemoteObjectInvocationHandler (RMI, 8076339) 1273637 - CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842) 1273638 - CVE-2015-4893 OpenJDK: incomplete MaxXMLNameLimit enforcement (JAXP, 8086733) 1273734 - CVE-2015-4872 OpenJDK: incomplete constraints enforcement by AlgorithmChecker (Security, 8131291) 1273858 - CVE-2015-4810 Oracle JDK: unspecified vulnerability fixed in 7u91 and 8u65 (Deployment) 1273859 - CVE-2015-4871 Oracle JDK: unspecified vulnerability fixed in 7u91 (Libraries) 1273860 - CVE-2015-4902 Oracle JDK: unspecified vulnerability fixed in 6u105, 7u91 and 8u65 (Deployment) 1282379 - CVE-2015-5006 IBM JDK: local disclosure of kerberos credentials cache 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.i686.rpm x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.i686.rpm ppc64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.ppc64.rpm s390x: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.s390x.rpm x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.i686.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.i686.rpm x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el6_7.x86_64.rpm Red Hat Enterprise Linux Client Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 7): ppc64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.ppc.rpm java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.ppc.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.ppc64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.ppc.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.ppc64.rpm ppc64le: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.ppc64le.rpm s390x: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.s390.rpm java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.s390.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.s390x.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.s390x.rpm x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.3.20-1jpp.1.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.3.20-1jpp.1.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-4734 https://access.redhat.com/security/cve/CVE-2015-4803 https://access.redhat.com/security/cve/CVE-2015-4805 https://access.redhat.com/security/cve/CVE-2015-4806 https://access.redhat.com/security/cve/CVE-2015-4810 https://access.redhat.com/security/cve/CVE-2015-4835 https://access.redhat.com/security/cve/CVE-2015-4840 https://access.redhat.com/security/cve/CVE-2015-4842 https://access.redhat.com/security/cve/CVE-2015-4843 https://access.redhat.com/security/cve/CVE-2015-4844 https://access.redhat.com/security/cve/CVE-2015-4860 https://access.redhat.com/security/cve/CVE-2015-4871 https://access.redhat.com/security/cve/CVE-2015-4872 https://access.redhat.com/security/cve/CVE-2015-4882 https://access.redhat.com/security/cve/CVE-2015-4883 https://access.redhat.com/security/cve/CVE-2015-4893 https://access.redhat.com/security/cve/CVE-2015-4902 https://access.redhat.com/security/cve/CVE-2015-4903 https://access.redhat.com/security/cve/CVE-2015-5006 https://access.redhat.com/security/updates/classification/#critical http://www.ibm.com/developerworks/java/jdk/alerts/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2015 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFWUw2uXlSAg2UNWIIRAuNEAKCoUfgYDqKOPKqVsPWNhhM69MSXxgCggr4c GfWhQE6JGDQHUCMNktgk3T8= =BUGm -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 5 client) - i386, x86_64 3. Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2015-4835, CVE-2015-4881, CVE-2015-4843, CVE-2015-4883, CVE-2015-4860, CVE-2015-4805, CVE-2015-4844) Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed. (CVE-2015-4803, CVE-2015-4893, CVE-2015-4911) It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy. (CVE-2015-4872) Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201603-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Oracle JRE/JDK: Multiple vulnerabilities Date: March 12, 2016 Bugs: #525472, #540054, #546678, #554886, #563684, #572432 ID: 201603-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Oracle's JRE and JDK software suites allowing remote attackers to remotely execute arbitrary code, obtain information, and cause Denial of Service. Background ========== Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today's demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today's applications require. Workaround ========== There is no known workaround at this time. Resolution ========== All Oracle JRE Users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.72" All Oracle JDK Users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.72" References ========== [ 1 ] CVE-2015-0437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0437 [ 2 ] CVE-2015-0437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0437 [ 3 ] CVE-2015-0458 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0458 [ 4 ] CVE-2015-0459 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0459 [ 5 ] CVE-2015-0460 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0460 [ 6 ] CVE-2015-0469 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0469 [ 7 ] CVE-2015-0470 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0470 [ 8 ] CVE-2015-0477 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0477 [ 9 ] CVE-2015-0478 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0478 [ 10 ] CVE-2015-0480 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0480 [ 11 ] CVE-2015-0484 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0484 [ 12 ] CVE-2015-0486 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0486 [ 13 ] CVE-2015-0488 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0488 [ 14 ] CVE-2015-0491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0491 [ 15 ] CVE-2015-0492 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0492 [ 16 ] CVE-2015-2590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2590 [ 17 ] CVE-2015-2601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2601 [ 18 ] CVE-2015-2613 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2613 [ 19 ] CVE-2015-2619 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2619 [ 20 ] CVE-2015-2621 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2621 [ 21 ] CVE-2015-2625 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2625 [ 22 ] CVE-2015-2627 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2627 [ 23 ] CVE-2015-2628 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2628 [ 24 ] CVE-2015-2632 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2632 [ 25 ] CVE-2015-2637 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2637 [ 26 ] CVE-2015-2638 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2638 [ 27 ] CVE-2015-2659 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2659 [ 28 ] CVE-2015-2664 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2664 [ 29 ] CVE-2015-4000 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4000 [ 30 ] CVE-2015-4729 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4729 [ 31 ] CVE-2015-4731 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4731 [ 32 ] CVE-2015-4732 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4732 [ 33 ] CVE-2015-4733 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4733 [ 34 ] CVE-2015-4734 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4734 [ 35 ] CVE-2015-4734 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4734 [ 36 ] CVE-2015-4736 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4736 [ 37 ] CVE-2015-4748 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4748 [ 38 ] CVE-2015-4760 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4760 [ 39 ] CVE-2015-4803 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4803 [ 40 ] CVE-2015-4803 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4803 [ 41 ] CVE-2015-4805 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4805 [ 42 ] CVE-2015-4805 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4805 [ 43 ] CVE-2015-4806 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4806 [ 44 ] CVE-2015-4806 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4806 [ 45 ] CVE-2015-4810 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4810 [ 46 ] CVE-2015-4810 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4810 [ 47 ] CVE-2015-4835 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4835 [ 48 ] CVE-2015-4835 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4835 [ 49 ] CVE-2015-4840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4840 [ 50 ] CVE-2015-4840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4840 [ 51 ] CVE-2015-4842 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4842 [ 52 ] CVE-2015-4842 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4842 [ 53 ] CVE-2015-4843 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4843 [ 54 ] CVE-2015-4843 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4843 [ 55 ] CVE-2015-4844 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4844 [ 56 ] CVE-2015-4844 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4844 [ 57 ] CVE-2015-4860 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4860 [ 58 ] CVE-2015-4860 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4860 [ 59 ] CVE-2015-4868 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4868 [ 60 ] CVE-2015-4868 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4868 [ 61 ] CVE-2015-4871 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4871 [ 62 ] CVE-2015-4871 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4871 [ 63 ] CVE-2015-4872 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4872 [ 64 ] CVE-2015-4872 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4872 [ 65 ] CVE-2015-4881 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4881 [ 66 ] CVE-2015-4881 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4881 [ 67 ] CVE-2015-4882 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4882 [ 68 ] CVE-2015-4882 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4882 [ 69 ] CVE-2015-4883 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4883 [ 70 ] CVE-2015-4883 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4883 [ 71 ] CVE-2015-4893 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4893 [ 72 ] CVE-2015-4893 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4893 [ 73 ] CVE-2015-4901 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4901 [ 74 ] CVE-2015-4901 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4901 [ 75 ] CVE-2015-4902 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4902 [ 76 ] CVE-2015-4902 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4902 [ 77 ] CVE-2015-4903 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4903 [ 78 ] CVE-2015-4903 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4903 [ 79 ] CVE-2015-4906 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4906 [ 80 ] CVE-2015-4906 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4906 [ 81 ] CVE-2015-4908 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4908 [ 82 ] CVE-2015-4908 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4908 [ 83 ] CVE-2015-4911 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4911 [ 84 ] CVE-2015-4911 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4911 [ 85 ] CVE-2015-4916 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4916 [ 86 ] CVE-2015-4916 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4916 [ 87 ] CVE-2015-7840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7840 [ 88 ] CVE-2015-7840 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7840 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201603-11 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2016 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Content-Disposition: inline ==========================================================================Ubuntu Security Notice USN-2784-1 October 28, 2015 openjdk-7 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 15.10 - Ubuntu 15.04 - Ubuntu 14.04 LTS Summary: Several security issues were fixed in OpenJDK 7. Software Description: - openjdk-7: Open Source Java implementation Details: Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2015-4805, CVE-2015-4835, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4881, CVE-2015-4883) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2015-4806) A vulnerability was discovered in the OpenJDK JRE related to data integrity. An attacker could exploit this expose sensitive data over the network. (CVE-2015-4872) Multiple vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2015-4734, CVE-2015-4840, CVE-2015-4842, CVE-2015-4903) Multiple vulnerabilities were discovered in the OpenJDK JRE related to availability. (CVE-2015-4803, CVE-2015-4882, CVE-2015-4893, CVE-2015-4911) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.10: icedtea-7-jre-jamvm 7u85-2.6.1-5ubuntu0.15.10.1 openjdk-7-jre 7u85-2.6.1-5ubuntu0.15.10.1 openjdk-7-jre-headless 7u85-2.6.1-5ubuntu0.15.10.1 openjdk-7-jre-lib 7u85-2.6.1-5ubuntu0.15.10.1 openjdk-7-jre-zero 7u85-2.6.1-5ubuntu0.15.10.1 Ubuntu 15.04: icedtea-7-jre-jamvm 7u85-2.6.1-5ubuntu0.15.04.1 openjdk-7-jre 7u85-2.6.1-5ubuntu0.15.04.1 openjdk-7-jre-headless 7u85-2.6.1-5ubuntu0.15.04.1 openjdk-7-jre-lib 7u85-2.6.1-5ubuntu0.15.04.1 openjdk-7-jre-zero 7u85-2.6.1-5ubuntu0.15.04.1 Ubuntu 14.04 LTS: icedtea-7-jre-jamvm 7u85-2.6.1-5ubuntu0.14.04.1 openjdk-7-jre 7u85-2.6.1-5ubuntu0.14.04.1 openjdk-7-jre-headless 7u85-2.6.1-5ubuntu0.14.04.1 openjdk-7-jre-lib 7u85-2.6.1-5ubuntu0.14.04.1 openjdk-7-jre-zero 7u85-2.6.1-5ubuntu0.14.04.1 This update uses a new upstream release, which includes additional bug fixes

AFFECTED PRODUCTS