ESB-2017.3001 - [Debian] openjdk-7: Multiple vulnerabilities 2017-11-24

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3001
                         openjdk-7 security update
                             24 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk-7
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10388 CVE-2017-10357 CVE-2017-10356
                   CVE-2017-10355 CVE-2017-10350 CVE-2017-10349
                   CVE-2017-10348 CVE-2017-10347 CVE-2017-10346
                   CVE-2017-10345 CVE-2017-10295 CVE-2017-10285
                   CVE-2017-10281 CVE-2017-10274 

Reference:         ASB-2017.0173
                   ESB-2017.2876
                   ESB-2017.2688

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4048

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4048-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openjdk-7
CVE ID         : CVE-2017-10274 CVE-2017-10281 CVE-2017-10285 CVE-2017-10295 
                 CVE-2017-10345 CVE-2017-10346 CVE-2017-10347 CVE-2017-10348 
                 CVE-2017-10349 CVE-2017-10350 CVE-2017-10355 CVE-2017-10356 
                 CVE-2017-10357 CVE-2017-10388

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in impersonation
of Kerberos services, denial of service, sandbox bypass or HTTP header
injection.

For the oldstable distribution (jessie), these problems have been fixed
in version 7u151-2.6.11-2~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

For the detailed security status of openjdk-7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-7

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAloXRmYACgkQEMKTtsN8
Tja9Nw//fywrBWXdhGycA5a3JcteahX6ZA/cCyA63TQAhER3O4G1mRDtVnv7FMIs
Q8jwoUYv9oihs0f6Ux0b3T57H8K63iD7c9K3gcLfRUozxDc6hGW5g4em/LHvOM78
AGCpPNLxHdduFlyJMepjQ66C0Oyrwhzt1/OX2jvf4a44ExIlEi+3I02ntj5kN3Hg
i4zg5JU5Ky/TWCBVWfl3xxVwPqWIzAMIlLbK647nFKdYxzc7cmWmrdRZ0YpPQyj2
0urRoh+o6T7+X/4BBc3aY2yBykmDMh2yPRDkVjHA6E7cctuSIhjKbfcJDaDmDnqh
CddqVbMAv3egwebF8Y0UYZsGJEA2ZPkyyiFnSRW5jIE4k8GBsy+nHrvIhixjAqzr
AHP03n9Chr8ftSFki9ug+JlUYIOKjc7iJisVLw8XM/Cqpkqp9PVFz+Loxot66Ax4
l5T0orqXjIgomyxx0IpVEK+VD/jxqYjNQ/70tXpiAMoEBnSuFl/EGGQQvZhY+cD+
0Zhj2/1JHW3ruR0ObOAb415+vkPkE360EPLt1gm9uYYn+Jm9y7FohzcVwtwOcIHL
LhjlqWbaLxRUr+eO8Tw/4V/WGA7hNZ5caonR+vQV+Fw7vSiK9gk+T1hAg2yyxKUC
3xJFRM/FZjDYX/fVZR+CVzUTVUuixjnGtLXyatXYO8l6qT0WgWs=
=2OHU
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWhdw5Ix+lLeg9Ub1AQgnnQ//Z1JnsjI4WZtp9Qr50ikyCXAKP5eS2eLS
UqwJWMmS3J54K727QlRh9CWa8uInYugt+oqhSV88DfOCHmI+a2cFH7HygtCBCkIj
kK0np1jeqZABslLOoDF2pyj9biSVzFxygjUzUaKjlBXWIB6svSsQQ41Whr2WiiBQ
DRbJa2Gvc8o1g9TYmW474yw4Pz2ds6l0EUj8gBiqMUWRoF3KAfV0uJSwdv0WHCM/
o8LPXUZZ9weDgETyk17Wuh66v1QNH2VNFQloPPnx27yN2kAy0ld0qjOCtCdl5m3S
urFd5eUdmcJ61SItMOOPy1uDPsmSBuX0Q/IgWysF4NdaNEGK6f1jGFpO1yxteoIa
dDhiWJDbFvBpRVoMNU9DqMWCAVE12spg/OITw9Hzfi7duC5AWRVCIGxMLp2P0LHU
zycCYpM93DvBIBiQGqih0rQcl9cPWmHfYlZNb3tELBOyxN8QcnIJrid6wiFN9U/9
BXUHhXVA+A29eTrdVZ71zUoI01uMrnaFF7dckxCvOn6/wmL09Vh+K/YZlRiXcnhk
yjZJAToX2qg22ulZDj0JFlmDjtGMzxbqr22bIWru/OZT2XSwYon/zVcpxw2vGylQ
ZjEQjxMkN74Aot5yxqfdn1k2sb6o3NcSk6isnraM0TMCpePZ4Tr0evLqKU1hYn+Y
RYBIBMHATfA=
=AwON
-----END PGP SIGNATURE-----

« Back to bulletins