ESB-2018.3280 - [Debian] openjdk-8: Multiple vulnerabilities 2018-10-26


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3280
            Multiple vulnerabilities in openjdk-8 affect Debian
                              26 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk-8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Delete Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3214 CVE-2018-3183 CVE-2018-3180
                   CVE-2018-3169 CVE-2018-3149 CVE-2018-3139
                   CVE-2018-3136  

Reference:         ASB-2018.0256
                   ESB-2018.3260
                   ESB-2018.3258
                   ESB-2018.3164

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4326

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4326-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 25, 2018                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2018-3136 CVE-2018-3139 CVE-2018-3149 CVE-2018-3169 
                 CVE-2018-3180 CVE-2018-3183 CVE-2018-3214

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, incomplete TLS identity verification,
information disclosure or the execution of arbitrary code.
	    
For the stable distribution (stretch), these problems have been fixed in
version 8u181-b13-2~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
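
Added example (not part of the AusCERT bulletin or the Debian advisory): a check of a package inventory against the fixed version 8u181-b13-2~deb9u1, following Debian's version ordering, in which `~` sorts before the end of the string. The three-column `host package version` inventory format, the function names and all sample lines are constructed for illustration.

```python
import re

FIXED = "8u181-b13-2~deb9u1"  # fixed version for stretch, from the advisory

def _order(c):
    # dpkg character weights: '~' sorts before everything, even end of string
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit / digit runs, left to right
    while a or b:
        na, da, a = re.match(r"([^0-9]*)([0-9]*)(.*)", a).groups()
        nb, db, b = re.match(r"([^0-9]*)([0-9]*)(.*)", b).groups()
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return d
        d = int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev

def deb_cmp(x, y):
    ex, ux, rx = _split(x)
    ey, uy, ry = _split(y)
    return (ex - ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def below_fixed(inventory, fixed=FIXED):
    # Return (host, package, version) for openjdk-8 binary packages older than `fixed`
    hits = []
    for line in inventory.splitlines():
        f = line.split()
        if len(f) == 3 and f[1].startswith("openjdk-8-") and deb_cmp(f[2], fixed) < 0:
            hits.append(tuple(f))
    return hits

# Constructed sample inventory: host, binary package, installed version
SAMPLE = """\
web01 openjdk-8-jre-headless 8u171-b11-1~deb9u1
app02 openjdk-8-jdk 8u181-b13-2~deb9u1
build03 openjdk-8-jre 8u181-b13-1
dev05 openjdk-8-jre 8u181-b13-2
"""
```

Calling `below_fixed(SAMPLE)` flags web01 and build03; dev05 is not flagged because `8u181-b13-2` sorts after `8u181-b13-2~deb9u1`.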
