===========================================================================
             AUSCERT External Security Bulletin Redistribution

                             ESB-2019.3132.2
                 [DLA 1886-1] openjdk-7 security update
                              23 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk-7
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2816 CVE-2019-2769 CVE-2019-2762
                   CVE-2019-2745

Reference:         ASB-2019.0212
                   ESB-2019.2879
                   ESB-2019.2705

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html
   https://lists.debian.org/debian-lts-announce/2019/08/msg00027.html

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  August 23 2019: openjdk-7 - regression update
                   August 16 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : openjdk-7
Version        : 7u231-2.6.19-1~deb8u1
CVE ID         : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, information disclosure or the execution
of arbitrary code.

For Debian 8 "Jessie", these problems have been fixed in version
7u231-2.6.19-1~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

===============================================================================

Package        : openjdk-7
Version        : 7u231-2.6.19-1~deb8u2
Debian Bug     : 935082 750400

The latest security update of openjdk-7 caused a regression when
applications relied on elliptic curve algorithms to establish SSL
connections. Several duplicate classes were removed from rt.jar by the
upstream developers of OpenJDK because they were also present in
sunec.jar. However Debian never shipped the SunEC security provider in
OpenJDK 7.

The issue was resolved by building sunec.jar and its corresponding native
library libsunec.so from source. In order to build these libraries from
source, an update of nss to version 2:3.26-1+debu8u6 is required.

Updates for the amd64 architecture are already available, new packages
for i386, armel and armhf will be available within the next 24 hours.

For Debian 8 "Jessie", this problem has been fixed in version
7u231-2.6.19-1~deb8u2.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
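
The regression described in the second advisory (elliptic curve algorithms unavailable for SSL connections after the first update) can be checked on a host with a small Java 7 program; this is an added example, not code from Debian or AusCERT. The class name `EcTlsCheck` and the exit-code convention are assumptions made for the illustration.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;

// Added example (not from the advisory). Class name EcTlsCheck is hypothetical.
// Written for Java 7 so it runs on the openjdk-7 runtime being checked.
public class EcTlsCheck {

    // True if some installed provider can actually generate an EC key pair.
    static boolean ecKeyGenWorks() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256);
            kpg.generateKeyPair();
            System.out.println("EC key generation: ok, provider "
                    + kpg.getProvider().getName());
            return true;
        } catch (Exception | LinkageError e) {
            // Assumption: a broken EC setup may surface as a missing algorithm
            // or as a missing class, so both kinds of failure are caught.
            System.out.println("EC key generation: FAILED, " + e);
            return false;
        }
    }

    // Number of ECDH/ECDHE cipher suites the default TLS context enables.
    static int enabledEcSuites() throws Exception {
        int n = 0;
        for (String s : SSLContext.getDefault()
                .getDefaultSSLParameters().getCipherSuites()) {
            if (s.contains("_ECDH_") || s.contains("_ECDHE_")) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version: " + System.getProperty("java.version"));
        Provider sunec = Security.getProvider("SunEC");
        System.out.println("SunEC provider: "
                + (sunec == null ? "not registered" : sunec.getInfo()));
        boolean keys = ecKeyGenWorks();
        int suites = enabledEcSuites();
        System.out.println("EC cipher suites enabled by default: " + suites);
        // Non-zero exit lets a fleet check or CI job flag the host.
        System.exit(keys && suites > 0 ? 0 : 1);
    }
}
```

Compile and run it with the openjdk-7 `javac` and `java` on the host under test; a non-zero exit status means the runtime cannot offer elliptic curve key exchange by default.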