Gentoo Archives: gentoo-announce

From: Kristian Fiskerstrand <k_f@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201603-14 ] IcedTea: Multiple vulnerabilities
Date: Sat, 12 Mar 2016 23:41:55
Message-Id: 56E4A86E.7040105@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201603-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: IcedTea: Multiple vulnerabilities
Date: March 12, 2016
Bugs: #537940, #559532, #565842, #567850, #572716
ID: 201603-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in IcedTea, allowing remote
attackers to affect confidentiality, integrity, and availability
through various vectors.

Background
==========

IcedTea's aim is to provide OpenJDK in a form suitable for easy
configuration, compilation and distribution, with the primary goal of
allowing inclusion in GNU/Linux distributions.

Affected packages
=================

-------------------------------------------------------------------
 Package                /     Vulnerable     /         Unaffected
-------------------------------------------------------------------
 1  dev-java/icedtea           < 7.2.6.4           *>= 6.1.13.9
                                                    >= 7.2.6.4
 2  dev-java/icedtea-bin       < 7.2.6.4           *>= 6.1.13.9
                                                    >= 7.2.6.4
-------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities exist in the OpenJDK components shipped by
IcedTea, such as 2D, Corba, Hotspot, Libraries, and JAXP, which allow
remote attackers to affect the confidentiality, integrity, and
availability of vulnerable systems. This includes the possibility of
remote execution of arbitrary code, information disclosure, or Denial
of Service. Many of the vulnerabilities can only be exploited through
sandboxed Java Web Start applications and Java applets. Please refer
to the CVEs listed below for specific details.

Impact
======

A remote attacker could execute arbitrary code, compromise
information, or cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

IcedTea 7.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/icedtea-7.2.6.4"

IcedTea-bin 7.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-7.2.6.4"

IcedTea 6.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/icedtea-6.1.13.9"

IcedTea-bin 6.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-6.1.13.9"

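An added check, not part of the GLSA itself, that applies the version thresholds from the Affected packages table to an inventory of installed packages so an administrator can confirm which hosts still need the upgrade above. It is POSIX sh; the inventory format assumed is "category/package-version[-rN]" (the shape of `qlist -Iv` output), and the sample inventory is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the GLSA: classify installed IcedTea versions
# against the "Affected packages" table of GLSA 201603-14. Unaffected:
# >= 7.2.6.4, or the 6.x branch at >= 6.1.13.9; any other version of
# dev-java/icedtea or dev-java/icedtea-bin is vulnerable.
# version_ge A B: succeed when dotted-numeric version A >= B.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# glsa_201603_14_status PKG VERSION: print fixed, vulnerable or not-covered.
glsa_201603_14_status() {
    case $1 in
        dev-java/icedtea|dev-java/icedtea-bin) ;;
        *) echo not-covered; return 0 ;;
    esac
    if version_ge "$2" 7.2.6.4; then echo fixed
    elif [ "${2%%.*}" = 6 ] && version_ge "$2" 6.1.13.9; then echo fixed
    else echo vulnerable
    fi
}

# count_vulnerable: read "category/pkg-version[-rN]" lines on stdin (the
# shape of `qlist -Iv` output, assumed here) and print how many are vulnerable.
count_vulnerable() {
    n=0
    while IFS= read -r line; do
        pkg=${line%-[0-9]*}                        # drop "-<version>[-rN]"
        ver=${line#"$pkg-"}; ver=${ver%-r[0-9]*}   # drop Gentoo -rN revision
        [ "$(glsa_201603_14_status "$pkg" "$ver")" = vulnerable ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample inventory, not taken from a real system.
SAMPLE='dev-java/icedtea-7.2.6.3
dev-java/icedtea-bin-6.1.13.9
dev-java/icedtea-bin-6.1.13.8-r1
dev-java/icedtea-7.2.6.4
dev-java/icedtea-6.1.12.0'
printf '%s\n' "$SAMPLE" | count_vulnerable   # prints 3
```

On a real Gentoo host, pipe the output of `qlist -Iv dev-java/icedtea` (or the equivalent listing) into `count_vulnerable`; a non-zero count means the Resolution steps above still need to be run there.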
References
==========

[ 1 ] CVE-2014-6585
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585
[ 2 ] CVE-2014-6587
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587
[ 3 ] CVE-2014-6591
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591
[ 4 ] CVE-2014-6593
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593
[ 5 ] CVE-2014-6601
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601
[ 6 ] CVE-2015-0383
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383
[ 7 ] CVE-2015-0395
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395
[ 8 ] CVE-2015-0400
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400
[ 9 ] CVE-2015-0407
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407
[ 10 ] CVE-2015-0408
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408
[ 11 ] CVE-2015-0412
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412
[ 12 ] CVE-2015-2590
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2590
[ 13 ] CVE-2015-2601
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2601
[ 14 ] CVE-2015-2613
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2613
[ 15 ] CVE-2015-2621
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2621
[ 16 ] CVE-2015-2625
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2625
[ 17 ] CVE-2015-2628
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2628
[ 18 ] CVE-2015-2632
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2632
[ 19 ] CVE-2015-4731
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4731
[ 20 ] CVE-2015-4732
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4732
[ 21 ] CVE-2015-4733
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4733
[ 22 ] CVE-2015-4734
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4734
[ 23 ] CVE-2015-4748
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4748
[ 24 ] CVE-2015-4749
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4749
[ 25 ] CVE-2015-4760
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4760
[ 26 ] CVE-2015-4803
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4803
[ 27 ] CVE-2015-4805
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4805
[ 28 ] CVE-2015-4806
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4806
[ 29 ] CVE-2015-4835
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4835
[ 30 ] CVE-2015-4840
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4840
[ 31 ] CVE-2015-4842
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4842
[ 32 ] CVE-2015-4843
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4843
[ 33 ] CVE-2015-4844
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4844
[ 34 ] CVE-2015-4860
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4860
[ 35 ] CVE-2015-4871
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4871
[ 36 ] CVE-2015-4872
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4872
[ 37 ] CVE-2015-4881
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4881
[ 38 ] CVE-2015-4882
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4882
[ 39 ] CVE-2015-4883
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4883
[ 40 ] CVE-2015-4893
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4893
[ 41 ] CVE-2015-4903
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4903
[ 42 ] CVE-2015-4911
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4911
[ 43 ] CVE-2016-0402
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0402
[ 44 ] CVE-2016-0448
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0448
[ 45 ] CVE-2016-0466
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0466
[ 46 ] CVE-2016-0483
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0483
[ 47 ] CVE-2016-0494
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0494

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201603-14

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature