Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201709-22 ] Oracle JDK/JRE, IcedTea: Multiple vulnerabilities
Date: Sun, 24 Sep 2017 21:55:08
Message-Id: 1574228.XT2khQC1p2@localhost.localdomain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201709-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Oracle JDK/JRE, IcedTea: Multiple vulnerabilities
      Date: September 24, 2017
      Bugs: #625602, #626088, #627682
        ID: 201709-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Oracle's JRE and JDK
software suites, and IcedTea, the worst of which may allow execution of
arbitrary code.

Background
==========

Java Platform, Standard Edition (Java SE) lets you develop and deploy
Java applications on desktops and servers, as well as in today's
demanding embedded environments. Java offers the rich user interface,
performance, versatility, portability, and security that today's
applications require.

IcedTea's aim is to provide OpenJDK in a form suitable for easy
configuration, compilation and distribution with the primary goal of
allowing inclusion in GNU/Linux distributions.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /     Vulnerable     /        Unaffected
    -------------------------------------------------------------------
  1  dev-java/oracle-jdk-bin        < 1.8.0.141          >= 1.8.0.141
  2  dev-java/oracle-jre-bin        < 1.8.0.141          >= 1.8.0.141
  3  dev-java/icedtea-bin             < 3.5.0:8          *>= 3.5.0:8
                                   < 7.2.6.11:7       *>= 7.2.6.11:7
    -------------------------------------------------------------------
     3 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Oracle's JRE, JDK and
IcedTea. Please review the referenced CVE identifiers for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the process, cause a Denial of Service condition, or gain
access to information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Oracle JDK binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.141"

All Oracle JRE binary users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.141"

All IcedTea binary 7.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-7.2.6.11"

All IcedTea binary 3.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-3.5.0"

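As an added illustration (not part of this advisory and not Gentoo's own tooling): a POSIX shell check that compares an inventory of installed dev-java packages against the thresholds in the Affected packages table, slot by slot, so that an IcedTea 7.x install is judged against 7.2.6.11 and a 3.x install against 3.5.0, and prints the atom from the Resolution section for each entry that still needs the upgrade. The inventory is constructed sample data; the `qlist -ICSv dev-java/` invocation mentioned in the comments is an assumed way to produce the same shape on a real system.

```shell
#!/bin/sh
# Added example, not part of GLSA 201709-22 or of Gentoo's own tooling.
# Compares an inventory of installed dev-java packages against the
# advisory's "Unaffected" thresholds, slot by slot, and lists the entries
# that still need the upgrade from the Resolution section.

# Thresholds copied from the advisory's "Affected packages" table.
# Fields: package, slot ('*' = any slot), first unaffected version.
GLSA_THRESHOLDS='dev-java/oracle-jdk-bin * 1.8.0.141
dev-java/oracle-jre-bin * 1.8.0.141
dev-java/icedtea-bin 8 3.5.0
dev-java/icedtea-bin 7 7.2.6.11'

# CONSTRUCTED sample inventory in "category/pkg-version:slot" form.
# On a real system this would come from a package query (assumed:
# `qlist -ICSv dev-java/` from portage-utils prints this shape).
SAMPLE_INSTALLED='dev-java/oracle-jdk-bin-1.8.0.131:8
dev-java/oracle-jre-bin-1.8.0.141-r1:8
dev-java/icedtea-bin-3.4.0:8
dev-java/icedtea-bin-7.2.6.9:7
dev-java/icedtea-bin-7.2.6.11:7'

# version_ge A B: succeed when dotted numeric version A >= B.
# A Gentoo revision suffix (-rN) is dropped first: the thresholds carry
# no revision, so any revision of a fixed version counts as fixed.
# Only plain dotted numbers are handled (no _p/_rc suffixes), which is
# all that the versions in this advisory use.
version_ge() {
    a=${1%%-r*} b=${2%%-r*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0} bi=${bi:-0}            # missing component counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# split_pv category/pkg-version[-rN]: sets PKG and VER. The version is
# the last dash-separated component, plus an optional -rN revision.
split_pv() {
    pv=$1 rev=''
    case ${pv##*-} in r[0-9]*) rev=-${pv##*-}; pv=${pv%-*} ;; esac
    PKG=${pv%-*}
    VER=${pv##*-}$rev
}

# is_vulnerable PKG VER SLOT: succeed when the advisory lists PKG for that
# slot with a threshold VER does not reach; FIX_VERSION then holds the
# first unaffected version for that slot.
is_vulnerable() {
    pkg=$1 ver=$2 slot=$3
    while read -r tpkg tslot tver; do
        [ "$tpkg" = "$pkg" ] || continue
        [ "$tslot" = '*' ] || [ "$tslot" = "$slot" ] || continue
        if ! version_ge "$ver" "$tver"; then FIX_VERSION=$tver; return 0; fi
    done <<EOF
$GLSA_THRESHOLDS
EOF
    return 1
}

# vulnerable_entries INVENTORY: print one line per installed entry the
# advisory still classes as vulnerable, with the atom to emerge.
vulnerable_entries() {
    while read -r line; do
        [ -n "$line" ] || continue
        slot=${line##*:}
        split_pv "${line%:*}"
        if is_vulnerable "$PKG" "$VER" "$slot"; then
            printf '%s -> >=%s-%s\n' "$line" "$PKG" "$FIX_VERSION"
        fi
    done <<EOF
$1
EOF
    return 0
}

vulnerable_entries "$SAMPLE_INSTALLED"
```

Run against the constructed inventory it reports the 1.8.0.131 JDK, the 3.4.0 IcedTea and the 7.2.6.9 IcedTea, and stays silent for the JRE at 1.8.0.141-r1 and the IcedTea at 7.2.6.11. The slot column is what keeps a 7.2.6.9 install from being judged "safe" merely because 7.2.6.9 is numerically above 3.5.0.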
References
==========

[ 1 ] CVE-2017-10053
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10053
[ 2 ] CVE-2017-10067
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10067
[ 3 ] CVE-2017-10074
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10074
[ 4 ] CVE-2017-10078
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10078
[ 5 ] CVE-2017-10081
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10081
[ 6 ] CVE-2017-10086
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10086
[ 7 ] CVE-2017-10087
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10087
[ 8 ] CVE-2017-10089
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10089
[ 9 ] CVE-2017-10090
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10090
[ 10 ] CVE-2017-10096
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10096
[ 11 ] CVE-2017-10101
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10101
[ 12 ] CVE-2017-10102
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10102
[ 13 ] CVE-2017-10105
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10105
[ 14 ] CVE-2017-10107
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10107
[ 15 ] CVE-2017-10108
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10108
[ 16 ] CVE-2017-10109
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10109
[ 17 ] CVE-2017-10110
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10110
[ 18 ] CVE-2017-10111
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10111
[ 19 ] CVE-2017-10114
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10114
[ 20 ] CVE-2017-10115
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10115
[ 21 ] CVE-2017-10116
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10116
[ 22 ] CVE-2017-10117
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10117
[ 23 ] CVE-2017-10118
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10118
[ 24 ] CVE-2017-10121
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10121
[ 25 ] CVE-2017-10125
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10125
[ 26 ] CVE-2017-10135
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10135
[ 27 ] CVE-2017-10176
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10176
[ 28 ] CVE-2017-10193
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10193
[ 29 ] CVE-2017-10198
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10198
[ 30 ] CVE-2017-10243
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10243

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201709-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature