Operating System:

[UNIX/Linux][Debian]

Published:

22 October 2019

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2019.3921 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3921
                         openjdk-8 security update
                              22 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk-8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2999 CVE-2019-2992 CVE-2019-2989
                   CVE-2019-2988 CVE-2019-2987 CVE-2019-2983
                   CVE-2019-2981 CVE-2019-2978 CVE-2019-2975
                   CVE-2019-2973 CVE-2019-2964 CVE-2019-2962
                   CVE-2019-2949 CVE-2019-2945 CVE-2019-2894

Reference:         ASB-2019.0294
                   ESB-2019.3909
                   ESB-2019.3898

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4548

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4548-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2019                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2019-2894 CVE-2019-2945 CVE-2019-2949 CVE-2019-2962 
                 CVE-2019-2964 CVE-2019-2973 CVE-2019-2975 CVE-2019-2978 
                 CVE-2019-2981 CVE-2019-2983 CVE-2019-2987 CVE-2019-2988 
                 CVE-2019-2989 CVE-2019-2992 CVE-2019-2999

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, resulting in cross-site scripting, denial of service, information
disclosure or Kerberos user impersonation.

For the oldstable distribution (stretch), these problems have been fixed
in version 8u232-b09-1~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl2uIagACgkQEMKTtsN8
Tjav9Q/+It9kxLH7FJ7vMqKGKa4VF93QF6zSBeOBfGu7jAnXIS+6xrSzo2HTUe3X
q3UYREhUi0tDq/+PsbuBxN7u2uIbwYZjeMrD1Sj6hG6TJH58L5i52emlAPTvcCPv
mU1koChv47lVKi6NTS9iNOpRFcfy3A6q/HqE6LjKMgR93lQkS81iy0diqTYh6NQI
KBEyYH7Z8LP3mTbvFSyfNLlLq9REOVcqCACi89XarmT1HiCG6cnfLp8HiJEU0gAH
Vf5TOq4NoFifHlOgODT4tlrxvgcenaTS/kcmUEkJtBB0yHl0JBLXZ7jsvHlSV2eh
iwfURRPHALRKHVFk58YIJYKL5qGav86Un3FWhm8TXXkcL4eB7NWJo1S2QciuaSQ0
DWdb5MYOTk6/E/P6XhZ9Bh7BzJDfjohy35qHRrdmlCPDa4DRjjxv+jBqwy94NM8h
OG2k9wPEpWxQmDbIiDtpRwsJomjC22FYDtGzvjG8q/YC1WZ5YVEBlWaHKkaWVDrq
tebEd1F1rGINLJJvbKb+zRQ3jyV8gHI8cK5rsPEwQ4sjsGoJce7pt4FdjFx/vIPC
RDdkvsrzGPKSjb2zexx6QYRs+2ohAfgscLDgCFyK60oIpoqKBNaF/ROO8gEGro3u
s5L9mlLzYV3YfuV9Ux/2kNBShM7Wo0QLggN2QHKYhUvH0wOMRE0=
=drJn
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXa5Y12aOgq3Tt24GAQgtYg/+PKiyxbN4RDhmOAHIGOhXmd/bWHuqn27h
pxP9qY8NzRjY5YsA8y2qN1+Nna9C2l25zvIthw/Tt7dv+BSzPCO7r4KEKfh8KNIC
X2I/k/DCpDvWbVS3vNHKzwfD1c8LvmwPH1hhmymSeyau2u+lkJ6KoRMPpVA9BCFS
9C+LKEeVpJ4wwLWJpUeaOnVaxjQRxgK1RENouy3bhZEztq3wtueueq2D2kcrqpri
TSZPededkYX1yIqhlWN8NjJeRoLiLDXAfWdifgj8p4ayd6Bnl59daueYD92ZVHvc
ZIgNrgRCdmbWZi61TIxReGtFXUiXj4GtPoMdiTIXP8qTXRunOtZ3as+n6foYrVjU
nA25B8g4VNo6zr8cuaTmc2okLF+KarP/ao028PzoXhQcp8pz9azAgleTS1/MSx36
bWWLJ23beKNO35ZcOOWW268ID18k2ywYiXmYMNfgEKk/VYD8cRO+xTmdhIQd2aM0
IfPrD8FKmdEJNZ621VaAlLaRt9RICmFeTFCXIrdsfNIjcMEROtqp7q4MaKlcwP3S
JyWwDXpSpjTF56vpEZSG0rTaAqPQPb7LLpTsf+4QJ28ML/WpNBjWwT6mSZ5J+QOl
MfYAHfeNQOt8Hay8XS0/OMHhBaYnmOlN+VqQH3xpERk1dwfpS4I+jkpCJBBvjrGA
maRXBV/La0w=
=zLbR
-----END PGP SIGNATURE-----