ID CVE-2014-6585 Type cve Reporter NVD Modified 2016-12-21T21:59:17
Description
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6591.
{"openvas": [{"lastseen": "2018-09-01T23:50:51", "references": ["2015-3569", "https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154190.html"], "pluginID": "1361412562310869156", "description": "Check the version of icu", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-04-03T00:00:00", "title": "Fedora Update for icu FEDORA-2015-3569", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6585", "CVE-2014-6591"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310869156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869156", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for icu FEDORA-2015-3569\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869156\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-03 05:08:15 +0200 (Fri, 03 Apr 2015)\");\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for icu FEDORA-2015-3569\");\n script_tag(name: \"summary\", value: \"Check the version of icu\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Tools and utilities for developing with icu.\n\");\n script_tag(name: \"affected\", value: \"icu on Fedora 21\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-3569\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154190.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"icu\", rpm:\"icu~52.1~5.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:51:21", "references": ["2015-3590", "https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152738.html"], "pluginID": "1361412562310869116", "description": "Check the version of icu", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-03-22T00:00:00", "title": "Fedora Update for icu FEDORA-2015-3590", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6585", "CVE-2014-6591"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310869116", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869116", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for icu FEDORA-2015-3590\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869116\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-22 06:53:52 +0100 (Sun, 22 Mar 2015)\");\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for icu FEDORA-2015-3590\");\n script_tag(name: \"summary\", value: \"Check the version of icu\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Tools and utilities for developing with icu.\n\");\n script_tag(name: \"affected\", value: \"icu on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-3590\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152738.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"icu\", rpm:\"icu~50.1.2~11.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:51:16", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156235.html", "2015-6084"], "pluginID": "1361412562310869313", "description": "Check the version of icu", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-04-29T00:00:00", "title": "Fedora Update for icu FEDORA-2015-6084", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7923", "CVE-2014-6585", "CVE-2014-9654", "CVE-2014-7926", "CVE-2014-6591"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310869313", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869313", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for icu FEDORA-2015-6084\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869313\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-29 05:27:23 +0200 (Wed, 29 Apr 2015)\");\n script_cve_id(\"CVE-2014-9654\", \"CVE-2014-7923\", \"CVE-2014-7926\", \"CVE-2014-6585\",\n \"CVE-2014-6591\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for icu FEDORA-2015-6084\");\n script_tag(name: \"summary\", value: \"Check the version of icu\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Tools and utilities for developing with icu.\n\");\n script_tag(name: \"affected\", value: \"icu on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-6084\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156235.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"icu\", rpm:\"icu~50.1.2~12.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:51:08", "references": ["2015-6087", "https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156237.html"], "pluginID": "1361412562310869314", "description": "Check the version of icu", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-04-29T00:00:00", "title": "Fedora Update for icu FEDORA-2015-6087", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7923", "CVE-2014-6585", "CVE-2014-9654", "CVE-2014-7926", "CVE-2014-6591"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310869314", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869314", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for icu FEDORA-2015-6087\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869314\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-29 05:27:30 +0200 (Wed, 29 Apr 2015)\");\n script_cve_id(\"CVE-2014-9654\", \"CVE-2014-7923\", \"CVE-2014-7926\", \"CVE-2014-6585\",\n \"CVE-2014-6591\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for icu FEDORA-2015-6087\");\n script_tag(name: \"summary\", value: \"Check the version of icu\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Tools and utilities for developing with icu.\n\");\n script_tag(name: \"affected\", value: \"icu on Fedora 21\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-6087\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156237.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"icu\", rpm:\"icu~52.1~6.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:53:35", "references": ["http://www.debian.org/security/2015/dsa-3323.html"], "pluginID": "703323", "description": "Several vulnerabilities were discovered\nin the International Components for Unicode (ICU) library.\n\nCVE-2014-8146 \nThe Unicode Bidirectional Algorithm implementation does not properly\ntrack directionally isolated pieces of text, which allows remote\nattackers to cause a denial of service (heap-based buffer overflow)\nor possibly execute arbitrary code via crafted text.\n\nCVE-2014-8147 \nThe Unicode Bidirectional Algorithm implementation uses an integer\ndata type that is inconsistent with a header file, which allows\nremote attackers to cause a denial of service (incorrect malloc\nfollowed by invalid free) or possibly execute arbitrary code via\ncrafted text.\n\nCVE-2015-4760 \nThe Layout Engine was missing multiple boundary checks. These could\nlead to buffer overflows and memory corruption. A specially crafted\nfile could cause an application using ICU to parse untrusted font\nfiles to crash and, possibly, execute arbitrary code.\n\nAdditionally, it was discovered that the patch applied to ICU in DSA-3187-1\nfor CVE-2014-6585 \nwas incomplete, possibly leading to an invalid memory\naccess. This could allow remote attackers to disclose portion of private\nmemory via crafted font files.", "edition": 3, "reporter": "Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net", "published": "2015-08-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Debian Security Advisory DSA 3323-1 (icu - security update)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6585", "CVE-2014-8147", "CVE-2014-8146", "CVE-2015-4760"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703323", "id": "OPENVAS:703323", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3323.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3323-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703323);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-8146\", \"CVE-2014-8147\", \"CVE-2015-4760\");\n script_name(\"Debian Security Advisory DSA 3323-1 (icu - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-08-01 00:00:00 +0200 (Sat, 01 Aug 2015)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3323.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"icu on Debian Linux\");\n script_tag(name: \"insight\", value: \"ICU is a C++ and C library that provides\nrobust and full-featured Unicode and locale support.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 4.8.1.1-12+deb7u3.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 52.1-8+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 52.1-10.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 52.1-10.\n\nWe recommend that you upgrade your icu packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the International Components for Unicode (ICU) library.\n\nCVE-2014-8146 \nThe Unicode Bidirectional Algorithm implementation does not properly\ntrack directionally isolated pieces of text, which allows remote\nattackers to cause a denial of service (heap-based buffer overflow)\nor possibly execute arbitrary code via crafted text.\n\nCVE-2014-8147 \nThe Unicode Bidirectional Algorithm implementation uses an integer\ndata type that is inconsistent with a header file, which allows\nremote attackers to cause a denial of service (incorrect malloc\nfollowed by invalid free) or possibly execute arbitrary code via\ncrafted text.\n\nCVE-2015-4760 \nThe Layout Engine was missing multiple boundary checks. These could\nlead to buffer overflows and memory corruption. A specially crafted\nfile could cause an application using ICU to parse untrusted font\nfiles to crash and, possibly, execute arbitrary code.\n\nAdditionally, it was discovered that the patch applied to ICU in DSA-3187-1\nfor CVE-2014-6585 \nwas incomplete, possibly leading to an invalid memory\naccess. This could allow remote attackers to disclose portion of private\nmemory via crafted font files.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"icu-doc\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu-dev\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu48:amd64\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu48:i386\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu48-dbg\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:51:10", "references": ["2015-16314", "https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169316.html"], "pluginID": "1361412562310806130", "description": "Check the version of icu", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-10-14T00:00:00", "title": "Fedora Update for icu FEDORA-2015-16314", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7923", "CVE-2014-6585", "CVE-2014-9654", "CVE-2014-7926", "CVE-2014-6591"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310806130", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806130", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for icu FEDORA-2015-16314\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806130\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-14 08:03:55 +0200 (Wed, 14 Oct 2015)\");\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\", \"CVE-2014-7923\", \"CVE-2014-7926\", \"CVE-2014-9654\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for icu FEDORA-2015-16314\");\n script_tag(name: \"summary\", value: \"Check the version of icu\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"Tools and utilities for developing with icu.\n\");\n script_tag(name: \"affected\", value: \"icu on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-16314\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169316.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"icu\", rpm:\"icu~54.1~4.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:50:41", "references": ["http://www.debian.org/security/2015/dsa-3323.html"], "pluginID": "1361412562310703323", "description": "Several vulnerabilities were discovered\nin the International Components for Unicode (ICU) library.\n\nCVE-2014-8146 \nThe Unicode Bidirectional Algorithm implementation does not properly\ntrack directionally isolated pieces of text, which allows remote\nattackers to cause a denial of service (heap-based buffer overflow)\nor possibly execute arbitrary code via crafted text.\n\nCVE-2014-8147 \nThe Unicode Bidirectional Algorithm implementation uses an integer\ndata type that is inconsistent with a header file, which allows\nremote attackers to cause a denial of service (incorrect malloc\nfollowed by invalid free) or possibly execute arbitrary code via\ncrafted text.\n\nCVE-2015-4760 \nThe Layout Engine was missing multiple boundary checks. These could\nlead to buffer overflows and memory corruption. A specially crafted\nfile could cause an application using ICU to parse untrusted font\nfiles to crash and, possibly, execute arbitrary code.\n\nAdditionally, it was discovered that the patch applied to ICU in DSA-3187-1\nfor CVE-2014-6585 \nwas incomplete, possibly leading to an invalid memory\naccess. This could allow remote attackers to disclose portion of private\nmemory via crafted font files.", "edition": 3, "reporter": "Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net", "published": "2015-08-01T00:00:00", "title": "Debian Security Advisory DSA 3323-1 (icu - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6585", "CVE-2014-8147", "CVE-2014-8146", "CVE-2015-4760"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310703323", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703323", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3323.nasl 9355 2018-04-06 07:16:07Z cfischer $\n# Auto-generated from advisory DSA 3323-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703323\");\n script_version(\"$Revision: 9355 $\");\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-8146\", \"CVE-2014-8147\", \"CVE-2015-4760\");\n script_name(\"Debian Security Advisory DSA 3323-1 (icu - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2018-04-06 09:16:07 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value: \"2015-08-01 00:00:00 +0200 (Sat, 01 Aug 2015)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3323.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"icu on Debian Linux\");\n script_tag(name: \"insight\", value: \"ICU is a C++ and C library that provides\nrobust and full-featured Unicode and locale support.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 4.8.1.1-12+deb7u3.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 52.1-8+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 52.1-10.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 52.1-10.\n\nWe recommend that you upgrade your icu packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the International Components for Unicode (ICU) library.\n\nCVE-2014-8146 \nThe Unicode Bidirectional Algorithm implementation does not properly\ntrack directionally isolated pieces of text, which allows remote\nattackers to cause a denial of service (heap-based buffer overflow)\nor possibly execute arbitrary code via crafted text.\n\nCVE-2014-8147 \nThe Unicode Bidirectional Algorithm implementation uses an integer\ndata type that is inconsistent with a header file, which allows\nremote attackers to cause a denial of service (incorrect malloc\nfollowed by invalid free) or possibly execute arbitrary code via\ncrafted text.\n\nCVE-2015-4760 \nThe Layout Engine was missing multiple boundary checks. These could\nlead to buffer overflows and memory corruption. A specially crafted\nfile could cause an application using ICU to parse untrusted font\nfiles to crash and, possibly, execute arbitrary code.\n\nAdditionally, it was discovered that the patch applied to ICU in DSA-3187-1\nfor CVE-2014-6585 \nwas incomplete, possibly leading to an invalid memory\naccess. This could allow remote attackers to disclose portion of private\nmemory via crafted font files.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"icu-doc\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu-dev\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu48:amd64\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu48:i386\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libicu48-dbg\", ver:\"4.8.1.1-12+deb7u3\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:39:09", "references": ["http://secunia.com/advisories/62215", "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"], "pluginID": "1361412562310805266", "description": "The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.", "edition": 10, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-02-02T00:00:00", "title": "Oracle Java SE JRE Multiple Unspecified Vulnerabilities-04 Feb 2015 (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6593", "CVE-2015-0408", "CVE-2014-6591"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310805266", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805266", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_java_mult_unspecified_vuln04_feb15.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Oracle Java SE JRE Multiple Unspecified Vulnerabilities-04 Feb 2015 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:jre\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805266\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-0410\", \"CVE-2015-0408\", \"CVE-2015-0407\", \"CVE-2015-0395\",\n \"CVE-2015-0383\", \"CVE-2014-6593\", \"CVE-2014-6591\", \"CVE-2014-6585\");\n script_bugtraq_id(72165, 72140, 72162, 72142, 72155, 72169, 72175, 72173);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-02 14:08:03 +0530 (Mon, 02 Feb 2015)\");\n script_name(\"Oracle Java SE JRE Multiple Unspecified Vulnerabilities-04 Feb 2015 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple unspecified flaws exist due to,\n\n - An infinite loop in the DER decoder that is triggered when handling negative\n length values.\n\n - An error in the RMI component's transport implementation related to incorrect\n context class loader use.\n\n - An error in the Swing component's file chooser implementation.\n\n - An error in vm/memory/referenceProcessor.cpp related to handling of phantom\n object references in the Hotspot JVM garbage collector.\n\n - An error in the Hotspot JVM related to insecure handling of temporary\n performance data files.\n\n - An error in the JSSE component related to improper ChangeCipherSpec tracking\n during SSL/TLS handshakes.\n\n - Two out-of-bounds read errors in the layout component that is triggered when\n parsing fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to conduct a denial of service attack, man-in-the-middle attack, potentially\n disclose memory contents, remove or overwrite arbitrary files on the system,\n disclose certain directory information, bypass sandbox restrictions and\n potentially execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE 5 update 75 and prior, 6\n update 85 and prior, 7 update 72 and prior, and 8 update 25 and prior on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/62215\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_portable_win.nasl\");\n script_mandatory_keys(\"Sun/Java/JRE/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!jreVer = get_app_version(cpe:CPE))\n{\n CPE = \"cpe:/a:sun:jre\";\n if(!jreVer = get_app_version(cpe:CPE)) {\n exit(0);\n }\n}\n\nif(jreVer =~ \"^(1\\.(5|6|7|8))\")\n{\n if(version_in_range(version:jreVer, test_version:\"1.5.0\", test_version2:\"1.5.0.75\")||\n version_in_range(version:jreVer, test_version:\"1.6.0\", test_version2:\"1.6.0.85\")||\n version_in_range(version:jreVer, test_version:\"1.7.0\", test_version2:\"1.7.0.72\")||\n version_in_range(version:jreVer, test_version:\"1.8.0\", test_version2:\"1.8.0.25\"))\n {\n report = 'Installed version: ' + jreVer + '\\n' +\n 'Fixed version: ' + \"Apply the patch\" + '\\n';\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:40:16", "references": ["http://secunia.com/advisories/62215", "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"], "pluginID": "1361412562310108403", "description": "The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-02-02T00:00:00", "title": "Oracle Java SE JRE Multiple Unspecified Vulnerabilities-04 Feb 2015 (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6593", "CVE-2015-0408", "CVE-2014-6591"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310108403", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108403", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_java_mult_unspecified_vuln04_feb15_lin.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Oracle Java SE JRE Multiple Unspecified Vulnerabilities-04 Feb 2015 (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:jre\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108403\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-0410\", \"CVE-2015-0408\", \"CVE-2015-0407\", \"CVE-2015-0395\",\n \"CVE-2015-0383\", \"CVE-2014-6593\", \"CVE-2014-6591\", \"CVE-2014-6585\");\n script_bugtraq_id(72165, 72140, 72162, 72142, 72155, 72169, 72175, 72173);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-02 14:08:03 +0530 (Mon, 02 Feb 2015)\");\n script_name(\"Oracle Java SE JRE Multiple Unspecified Vulnerabilities-04 Feb 2015 (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Oracle Java SE\n JRE and is prone to multiple unspecified vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple unspecified flaws exist due to,\n\n - An infinite loop in the DER decoder that is triggered when handling negative\n length values.\n\n - An error in the RMI component's transport implementation related to incorrect\n context class loader use.\n\n - An error in the Swing component's file chooser implementation.\n\n - An error in vm/memory/referenceProcessor.cpp related to handling of phantom\n object references in the Hotspot JVM garbage collector.\n\n - An error in the Hotspot JVM related to insecure handling of temporary\n performance data files.\n\n - An error in the JSSE component related to improper ChangeCipherSpec tracking\n during SSL/TLS handshakes.\n\n - Two out-of-bounds read errors in the layout component that is triggered when\n parsing fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers\n to conduct a denial of service attack, man-in-the-middle attack, potentially\n disclose memory contents, remove or overwrite arbitrary files on the system,\n disclose certain directory information, bypass sandbox restrictions and\n potentially execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Oracle Java SE 5 update 75 and prior, 6\n update 85 and prior, 7 update 72 and prior, and 8 update 25 and prior on\n Linux.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/62215\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Sun/Java/JRE/Linux/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!jreVer = get_app_version(cpe:CPE))\n{\n CPE = \"cpe:/a:sun:jre\";\n if(!jreVer = get_app_version(cpe:CPE)) {\n exit(0);\n }\n}\n\nif(jreVer =~ \"^(1\\.(5|6|7|8))\")\n{\n if(version_in_range(version:jreVer, test_version:\"1.5.0\", test_version2:\"1.5.0.75\")||\n version_in_range(version:jreVer, test_version:\"1.6.0\", test_version2:\"1.6.0.85\")||\n version_in_range(version:jreVer, test_version:\"1.7.0\", test_version2:\"1.7.0.72\")||\n version_in_range(version:jreVer, test_version:\"1.8.0\", test_version2:\"1.8.0.25\"))\n {\n report = 'Installed version: ' + jreVer + '\\n' +\n 'Fixed version: ' + \"Apply the patch\" + '\\n';\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-28T18:23:41", "references": ["http://linux.oracle.com/errata/ELSA-2015-0068.html"], "pluginID": "1361412562310123201", "description": "Oracle Linux Local Security Checks ELSA-2015-0068", "edition": 6, "reporter": "Eero Volotinen", "published": "2015-10-06T00:00:00", "title": "Oracle Linux Local Check: ELSA-2015-0068", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123201", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123201", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-0068.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123201\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:00:38 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-0068\");\n script_tag(name:\"insight\", value:\"ELSA-2015-0068 - java-1.7.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-0068\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-0068.html\");\n script_cve_id(\"CVE-2014-3566\", \"CVE-2014-6585\", \"CVE-2014-6587\", \"CVE-2014-6591\", \"CVE-2014-6593\", \"CVE-2014-6601\", \"CVE-2015-0383\", \"CVE-2015-0395\", \"CVE-2015-0407\", \"CVE-2015-0408\", \"CVE-2015-0410\", \"CVE-2015-0412\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk\", rpm:\"java-1.7.0-openjdk~1.7.0.75~2.5.4.0.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-demo\", rpm:\"java-1.7.0-openjdk-demo~1.7.0.75~2.5.4.0.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-devel\", rpm:\"java-1.7.0-openjdk-devel~1.7.0.75~2.5.4.0.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-javadoc\", rpm:\"java-1.7.0-openjdk-javadoc~1.7.0.75~2.5.4.0.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.7.0-openjdk-src\", rpm:\"java-1.7.0-openjdk-src~1.7.0.75~2.5.4.0.0.1.el5_11\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:43:46", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1183645", "https://bugzilla.redhat.com/show_bug.cgi?id=1183646", "http://www.nessus.org/u?715638cb"], "pluginID": "82544", "description": "Security fix for CVE-2014-6585, CVE-2014-6591\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2015-04-03T00:00:00", "title": "Fedora 21 : icu-52.1-5.fc21 (2015-3569)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6585", "CVE-2014-6591"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:icu"], "id": "FEDORA_2015-3569.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82544", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-3569.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82544);\n script_version(\"$Revision: 1.6 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:06:17 $\");\n\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\");\n script_bugtraq_id(72173, 72175);\n script_xref(name:\"FEDORA\", value:\"2015-3569\");\n\n script_name(english:\"Fedora 21 : icu-52.1-5.fc21 (2015-3569)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2014-6585, CVE-2014-6591\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183646\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154190.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?715638cb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected icu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"icu-52.1-5.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icu\");\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:06:09", "references": ["http://www.nessus.org/u?dc0edd87", "https://bugzilla.redhat.com/show_bug.cgi?id=1183645", "https://bugzilla.redhat.com/show_bug.cgi?id=1183646"], "pluginID": "82050", "description": "Security fix for CVE-2014-6585, CVE-2014-6591\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2015-03-25T00:00:00", "title": "Fedora 20 : icu-50.1.2-11.fc20 (2015-3590)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6585", "CVE-2014-6591"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:icu"], "id": "FEDORA_2015-3590.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82050", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-3590.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82050);\n script_version(\"$Revision: 1.5 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:06:18 $\");\n\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\");\n script_xref(name:\"FEDORA\", value:\"2015-3590\");\n\n script_name(english:\"Fedora 20 : icu-50.1.2-11.fc20 (2015-3590)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2014-6585, CVE-2014-6591\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183646\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152738.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dc0edd87\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected icu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"icu-50.1.2-11.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icu\");\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:26", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1183645", "https://bugzilla.redhat.com/show_bug.cgi?id=1185205", "https://bugzilla.redhat.com/show_bug.cgi?id=1190129", "https://bugzilla.redhat.com/show_bug.cgi?id=1185202", "http://www.nessus.org/u?146a1099", "https://bugzilla.redhat.com/show_bug.cgi?id=1183646"], "pluginID": "86376", "description": "Security fix for CVE-2014-6585 CVE-2014-6591 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2015-10-14T00:00:00", "title": "Fedora 22 : icu-54.1-4.fc22 (2015-16314)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7923", "CVE-2014-6585", "CVE-2014-9654", "CVE-2014-7926", "CVE-2014-6591"], "modified": "2018-01-30T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:22", "p-cpe:/a:fedoraproject:fedora:icu"], "id": "FEDORA_2015-16314.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86376", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-16314.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86376);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2018/01/30 17:46:07 $\");\n\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\", \"CVE-2014-7923\", \"CVE-2014-7926\", \"CVE-2014-9654\");\n script_xref(name:\"FEDORA\", value:\"2015-16314\");\n\n script_name(english:\"Fedora 22 : icu-54.1-4.fc22 (2015-16314)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2014-6585 CVE-2014-6591 CVE-2014-7923\nCVE-2014-7926 CVE-2014-9654\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1185202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1185205\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1190129\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169316.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?146a1099\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected icu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"icu-54.1-4.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icu\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-13T17:07:44", "references": ["https://security-tracker.debian.org/tracker/CVE-2014-8147", "https://packages.debian.org/source/jessie/icu", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773", "https://security-tracker.debian.org/tracker/CVE-2014-6585", "https://security-tracker.debian.org/tracker/CVE-2014-8146", "https://packages.debian.org/source/wheezy/icu", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778511", "https://www.debian.org/security/2015/dsa-3323", "https://security-tracker.debian.org/tracker/CVE-2015-4760"], "pluginID": "85162", "description": "Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.\n\n - CVE-2014-8146 The Unicode Bidirectional Algorithm implementation does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text.\n\n - CVE-2014-8147 The Unicode Bidirectional Algorithm implementation uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text.\n\n - CVE-2015-4760 The Layout Engine was missing multiple boundary checks.\n These could lead to buffer overflows and memory corruption. A specially crafted file could cause an application using ICU to parse untrusted font files to crash and, possibly, execute arbitrary code.\n\nAdditionally, it was discovered that the patch applied to ICU in DSA-3187-1 for CVE-2014-6585 was incomplete, possibly leading to an invalid memory access. This could allow remote attackers to disclose portion of private memory via crafted font files.", "edition": 6, "reporter": "Tenable", "published": "2015-08-03T00:00:00", "title": "Debian DSA-3323-1 : icu - security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6585", "CVE-2014-8147", "CVE-2014-8146", "CVE-2015-4760"], "modified": "2018-11-10T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:icu", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3323.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=85162", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3323. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85162);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/11/10 11:49:37\");\n\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-8146\", \"CVE-2014-8147\", \"CVE-2015-4760\");\n script_xref(name:\"DSA\", value:\"3323\");\n\n script_name(english:\"Debian DSA-3323-1 : icu - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in the International\nComponents for Unicode (ICU) library.\n\n - CVE-2014-8146\n The Unicode Bidirectional Algorithm implementation does\n not properly track directionally isolated pieces of\n text, which allows remote attackers to cause a denial of\n service (heap-based buffer overflow) or possibly execute\n arbitrary code via crafted text.\n\n - CVE-2014-8147\n The Unicode Bidirectional Algorithm implementation uses\n an integer data type that is inconsistent with a header\n file, which allows remote attackers to cause a denial of\n service (incorrect malloc followed by invalid free) or\n possibly execute arbitrary code via crafted text.\n\n - CVE-2015-4760\n The Layout Engine was missing multiple boundary checks.\n These could lead to buffer overflows and memory\n corruption. A specially crafted file could cause an\n application using ICU to parse untrusted font files to\n crash and, possibly, execute arbitrary code.\n\nAdditionally, it was discovered that the patch applied to ICU in\nDSA-3187-1 for CVE-2014-6585 was incomplete, possibly leading to an\ninvalid memory access. This could allow remote attackers to disclose\nportion of private memory via crafted font files.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-8146\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-8147\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2015-4760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2014-6585\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/icu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/icu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3323\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the icu packages.\n\nFor the oldstable distribution (wheezy), these problems have been\nfixed in version 4.8.1.1-12+deb7u3.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 52.1-8+deb8u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"icu-doc\", reference:\"4.8.1.1-12+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libicu-dev\", reference:\"4.8.1.1-12+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libicu48\", reference:\"4.8.1.1-12+deb7u3\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libicu48-dbg\", reference:\"4.8.1.1-12+deb7u3\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"icu-devtools\", reference:\"52.1-8+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"icu-doc\", reference:\"52.1-8+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libicu-dev\", reference:\"52.1-8+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libicu52\", reference:\"52.1-8+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libicu52-dbg\", reference:\"52.1-8+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:56:26", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1183645", "http://www.nessus.org/u?58408625", "https://bugzilla.redhat.com/show_bug.cgi?id=1185205", "https://bugzilla.redhat.com/show_bug.cgi?id=1190129", "https://bugzilla.redhat.com/show_bug.cgi?id=1185202", "https://bugzilla.redhat.com/show_bug.cgi?id=1183646"], "pluginID": "86111", "description": "Security fix for CVE-2014-6585 CVE-2014-6591 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2015-09-24T00:00:00", "title": "Fedora 23 : icu-54.1-5.fc23 (2015-16315)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7923", "CVE-2014-6585", "CVE-2014-9654", "CVE-2014-7926", "CVE-2014-6591"], "modified": "2018-01-30T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:icu", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2015-16315.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86111", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-16315.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86111);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2018/01/30 17:46:07 $\");\n\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\", \"CVE-2014-7923\", \"CVE-2014-7926\", \"CVE-2014-9654\");\n script_xref(name:\"FEDORA\", value:\"2015-16315\");\n\n script_name(english:\"Fedora 23 : icu-54.1-5.fc23 (2015-16315)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2014-6585 CVE-2014-6591 CVE-2014-7923\nCVE-2014-7926 CVE-2014-9654\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1183646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1185202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1185205\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1190129\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167377.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?58408625\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected icu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"icu-54.1-5.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icu\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:07:21", "references": ["http://advisories.mageia.org/MGASA-2015-0047.html", "http://advisories.mageia.org/MGASA-2015-0102.html"], "pluginID": "82414", "description": "Updated icu packages fix security vulnerabilities :\n\nThe Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a zero-length quantifier or look-behind expression (CVE-2014-7923, CVE-2014-7926).\n\nThe collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence (CVE-2014-7940).\n\nIt was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program (CVE-2014-6585, CVE-2014-6591).", "edition": 6, "reporter": "Tenable", "published": "2015-03-30T00:00:00", "title": "Mandriva Linux Security Advisory : icu (MDVSA-2015:161-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-7926", "CVE-2014-6591"], "modified": "2018-07-19T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:icu-doc", "cpe:/o:mandriva:business_server:2", "p-cpe:/a:mandriva:linux:icu-data", "p-cpe:/a:mandriva:linux:lib64icu-devel", "p-cpe:/a:mandriva:linux:lib64icu48", "p-cpe:/a:mandriva:linux:lib64icu52", "p-cpe:/a:mandriva:linux:icu"], "id": "MANDRIVA_MDVSA-2015-161.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82414", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2015:161. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82414);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/07/19 20:59:19\");\n\n script_cve_id(\n \"CVE-2014-6585\",\n \"CVE-2014-6591\",\n \"CVE-2014-7923\",\n \"CVE-2014-7926\",\n \"CVE-2014-7940\"\n );\n script_bugtraq_id(\n 72173,\n 72175,\n 72288\n );\n script_xref(name:\"MDVSA\", value:\"2015:161\");\n script_xref(name:\"MDVSA\", value:\"2015:161-1\");\n\n script_name(english:\"Mandriva Linux Security Advisory : icu (MDVSA-2015:161-1)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated icu packages fix security vulnerabilities :\n\nThe Regular Expressions package in International Components for\nUnicode (ICU) 52 before SVN revision 292944 allows remote attackers to\ncause a denial of service (memory corruption) or possibly have\nunspecified other impact via vectors related to a zero-length\nquantifier or look-behind expression (CVE-2014-7923, CVE-2014-7926).\n\nThe collator implementation in i18n/ucol.cpp in International\nComponents for Unicode (ICU) 52 through SVN revision 293126 does not\ninitialize memory for a data structure, which allows remote attackers\nto cause a denial of service or possibly have unspecified other impact\nvia a crafted character sequence (CVE-2014-7940).\n\nIt was discovered that ICU incorrectly handled memory operations when\nprocessing fonts. If an application using ICU processed crafted data,\nan attacker could cause it to crash or potentially execute arbitrary\ncode with the privileges of the user invoking the program\n(CVE-2014-6585, CVE-2014-6591).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2015-0047.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2015-0102.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:icu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:icu-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:icu-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64icu-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64icu48\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64icu52\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"icu-4.8.1.1-3.2.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"icu-doc-4.8.1.1-3.2.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64icu-devel-4.8.1.1-3.2.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64icu48-4.8.1.1-3.2.mbs1\")) flag++;\n\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"icu-52.1-2.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"icu-data-52.1-2.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", reference:\"icu-doc-52.1-2.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64icu-devel-52.1-2.1.mbs2\")) flag++;\nif (rpm_check(release:\"MDK-MBS2\", cpu:\"x86_64\", reference:\"lib64icu52-52.1-2.1.mbs2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-13T16:42:18", "references": ["https://access.redhat.com/security/cve/cve-2015-0410", "https://www.ibm.com/developerworks/java/jdk/alerts/", "https://access.redhat.com/security/cve/cve-2014-6593", "https://access.redhat.com/security/cve/cve-2015-0395", "https://access.redhat.com/security/cve/cve-2014-6591", "https://access.redhat.com/security/cve/cve-2014-8892", "https://access.redhat.com/security/cve/cve-2014-8891", "https://access.redhat.com/security/cve/cve-2015-0407", "https://access.redhat.com/errata/RHSA-2015:0136", "https://access.redhat.com/security/cve/cve-2014-6585", "https://access.redhat.com/security/cve/cve-2015-0408"], "pluginID": "81204", "description": "Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nIBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-6585, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP9 release. All running instances of IBM Java must be restarted for this update to take effect.", "edition": 8, "reporter": "Tenable", "published": "2015-02-06T00:00:00", "title": "RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:0136)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-0395", "CVE-2014-8892", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6593", "CVE-2015-0408", "CVE-2014-6591", "CVE-2014-8891"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm", "cpe:/o:redhat:enterprise_linux:6.6", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-javacomm", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-accessibility", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-src", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-jdbc", "p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-plugin"], "id": "REDHAT-RHSA-2015-0136.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81204", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0136. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81204);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/10 11:49:54\");\n\n script_cve_id(\"CVE-2014-6585\", \"CVE-2014-6591\", \"CVE-2014-6593\", \"CVE-2014-8891\", \"CVE-2014-8892\", \"CVE-2015-0395\", \"CVE-2015-0407\", \"CVE-2015-0408\", \"CVE-2015-0410\");\n script_bugtraq_id(72140, 72162, 72165, 72169, 72173, 72175, 73258, 73259);\n script_xref(name:\"RHSA\", value:\"2015:0136\");\n\n script_name(english:\"RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:0136)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.5.0-ibm packages that fix several security issues are\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nIBM J2SE version 5.0 includes the IBM Java Runtime Environment and the\nIBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2014-6585, CVE-2014-6591,\nCVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395,\nCVE-2015-0407, CVE-2015-0408, CVE-2015-0410)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP9 release. All running\ninstances of IBM Java must be restarted for this update to take\neffect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.ibm.com/developerworks/java/jdk/alerts/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:0136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0408\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0407\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0395\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-0410\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6591\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6593\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-6585\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-8892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-8891\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-javacomm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.5.0-ibm-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:0136\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-accessibility-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.5.0-ibm-plugin-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"java-1.5.0-ibm-src-1.5.0.16.9-1jpp.1.el5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-demo-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"java-1.5.0-ibm-devel-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-javacomm-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390\", reference:\"java-1.5.0-ibm-jdbc-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-plugin-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.5.0-ibm-src-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"java-1.5.0-ibm-src-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.5.0-ibm-src-1.5.0.16.9-1jpp.1.el6_6\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.5.0-ibm / java-1.5.0-ibm-accessibility / java-1.5.0-ibm-demo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-05T05:55:41", "references": ["http://www.nessus.org/u?432d09d7"], "pluginID": "81015", "description": "A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2015-0412, CVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the- middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566)\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake.\nAn MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK.\nAn untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nAll running instances of OpenJDK Java must be restarted for the update to take effect.", "edition": 6, "reporter": "Tenable", "published": "2015-01-27T00:00:00", "title": "Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 (POODLE)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "Scientific Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2018-09-04T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20150126_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81015", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81015);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/09/04 13:20:07\");\n\n script_cve_id(\"CVE-2014-3566\", \"CVE-2014-6585\", \"CVE-2014-6587\", \"CVE-2014-6591\", \"CVE-2014-6593\", \"CVE-2014-6601\", \"CVE-2015-0383\", \"CVE-2015-0395\", \"CVE-2015-0407\", \"CVE-2015-0408\", \"CVE-2015-0410\", \"CVE-2015-0412\");\n\n script_name(english:\"Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 (POODLE)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the\nJAX-WS, and RMI components in OpenJDK. An untrusted Java application\nor applet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2015-0412, CVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules)\ndecoder in the Security component in OpenJDK handled negative length\nvalues. A specially crafted, DER-encoded input could cause a Java\napplication to enter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes\nwhen decrypting messages that were encrypted using block ciphers in\ncipher block chaining (CBC) mode. This flaw could possibly allow a\nman-in-the- middle (MITM) attacker to decrypt portions of the cipher\ntext using a padding oracle attack. (CVE-2014-3566)\n\nIt was discovered that the SSL/TLS implementation in the JSSE\ncomponent in OpenJDK failed to properly check whether the\nChangeCipherSpec was received during the SSL/TLS connection handshake.\nAn MITM attacker could possibly use this flaw to force a connection to\nbe established without encryption being enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK.\nAn untrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted\nJava application or applet could possibly use this flaw to bypass\ncertain Java sandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in\nthe 2D component in OpenJDK. A specially crafted font file could allow\nan untrusted Java application or applet to disclose portions of the\nJava Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error\nlog files. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nAll running instances of OpenJDK Java must be restarted for the update\nto take effect.\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1501&L=scientific-linux-errata&T=0&P=2194\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?432d09d7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.34-1.13.6.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el5_11\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el5_11\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.34-1.13.6.1.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el6_6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el6_6\")) flag++;\n\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.34-1.13.6.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el7_0\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el7_0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-11T12:45:37", "references": ["http://www.nessus.org/u?c0012c4e", "http://www.nessus.org/u?0892a6d0"], "pluginID": "80868", "description": "Updated java-1.7.0-openjdk packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2015-0412, CVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake.\nAn MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK.\nAn untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "edition": 9, "reporter": "Tenable", "published": "2015-01-21T00:00:00", "title": "CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:0067) (POODLE)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.7.0-openjdk", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-src", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless"], "id": "CENTOS_RHSA-2015-0067.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80868", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:0067 and \n# CentOS Errata and Security Advisory 2015:0067 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80868);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2014-3566\", \"CVE-2014-6585\", \"CVE-2014-6587\", \"CVE-2014-6591\", \"CVE-2014-6593\", \"CVE-2014-6601\", \"CVE-2015-0383\", \"CVE-2015-0395\", \"CVE-2015-0407\", \"CVE-2015-0408\", \"CVE-2015-0410\", \"CVE-2015-0412\");\n script_bugtraq_id(70574, 72132, 72136, 72140, 72142, 72155, 72162, 72165, 72168, 72169, 72173, 72175);\n script_xref(name:\"RHSA\", value:\"2015:0067\");\n\n script_name(english:\"CentOS 6 / 7 : java-1.7.0-openjdk (CESA-2015:0067) (POODLE)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated java-1.7.0-openjdk packages that fix multiple security issues\nare now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Critical\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the\nJAX-WS, and RMI components in OpenJDK. An untrusted Java application\nor applet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2015-0412, CVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled\nphantom references. An untrusted Java application or applet could use\nthis flaw to corrupt the Java Virtual Machine memory and, possibly,\nexecute arbitrary code, bypassing Java sandbox restrictions.\n(CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules)\ndecoder in the Security component in OpenJDK handled negative length\nvalues. A specially crafted, DER-encoded input could cause a Java\napplication to enter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes\nwhen decrypting messages that were encrypted using block ciphers in\ncipher block chaining (CBC) mode. This flaw could possibly allow a\nman-in-the-middle (MITM) attacker to decrypt portions of the cipher\ntext using a padding oracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to\nre-enable SSL 3.0 support if needed. For additional information, refer\nto the Red Hat Bugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE\ncomponent in OpenJDK failed to properly check whether the\nChangeCipherSpec was received during the SSL/TLS connection handshake.\nAn MITM attacker could possibly use this flaw to force a connection to\nbe established without encryption being enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK.\nAn untrusted Java application or applet could use this flaw to bypass\ncertain Java sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted\nJava application or applet could possibly use this flaw to bypass\ncertain Java sandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in\nthe 2D component in OpenJDK. A specially crafted font file could allow\nan untrusted Java application or applet to disclose portions of the\nJava Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error\nlog files. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, the issues exposed via Java applets could have been\nexploited without user interaction if a user visited a malicious\nwebsite.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-January/020889.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0892a6d0\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-January/020891.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c0012c4e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1.7.0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.7.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/21\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el6_6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6\")) flag++;\n\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.2.el7_0\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-13T16:53:01", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=914041", "https://lists.opensuse.org/opensuse-updates/2015-02/msg00006.html"], "pluginID": "81141", "description": "OpenJDK was updated to 2.5.4 - OpenJDK 7u75 to fix security issues and bugs :\n\n - Security fixes\n\n - S8046656: Update protocol support\n\n - S8047125, CVE-2015-0395: (ref) More phantom object references\n\n - S8047130: Fewer escapes from escape analysis\n\n - S8048035, CVE-2015-0400: Ensure proper proxy protocols\n\n - S8049253: Better GC validation\n\n - S8050807, CVE-2015-0383: Better performing performance data handling\n\n - S8054367, CVE-2015-0412: More references for endpoints\n\n - S8055304, CVE-2015-0407: More boxing for DirectoryComboBoxModel\n\n - S8055309, CVE-2015-0408: RMI needs better transportation considerations\n\n - S8055479: TLAB stability\n\n - S8055489, CVE-2014-6585: Better substitution formats\n\n - S8056264, CVE-2014-6587: Multicast support improvements\n\n - S8056276, CVE-2014-6591: Fontmanager feature improvements\n\n - S8057555, CVE-2014-6593: Less cryptic cipher suite management\n\n - S8058982, CVE-2014-6601: Better verification of an exceptional invokespecial\n\n - S8059485, CVE-2015-0410: Resolve parsing ambiguity\n\n - S8061210, CVE-2014-3566: Issues in TLS", "edition": 7, "reporter": "Tenable", "published": "2015-02-03T00:00:00", "title": "openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2015:0190-1) (POODLE)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400"], "modified": "2018-11-10T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-accessibility", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src", "cpe:/o:novell:opensuse:13.2", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debugsource", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel", "p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel-debuginfo"], "id": "OPENSUSE-2015-91.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=81141", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-91.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81141);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/10 11:50:02\");\n\n script_cve_id(\"CVE-2014-3566\", \"CVE-2014-6585\", \"CVE-2014-6587\", \"CVE-2014-6591\", \"CVE-2014-6593\", \"CVE-2014-6601\", \"CVE-2015-0383\", \"CVE-2015-0395\", \"CVE-2015-0400\", \"CVE-2015-0407\", \"CVE-2015-0408\", \"CVE-2015-0410\", \"CVE-2015-0412\");\n\n script_name(english:\"openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2015:0190-1) (POODLE)\");\n script_summary(english:\"Check for the openSUSE-2015-91 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"OpenJDK was updated to 2.5.4 - OpenJDK 7u75 to fix security issues and\nbugs :\n\n - Security fixes\n\n - S8046656: Update protocol support\n\n - S8047125, CVE-2015-0395: (ref) More phantom object\n references\n\n - S8047130: Fewer escapes from escape analysis\n\n - S8048035, CVE-2015-0400: Ensure proper proxy protocols\n\n - S8049253: Better GC validation\n\n - S8050807, CVE-2015-0383: Better performing performance\n data handling\n\n - S8054367, CVE-2015-0412: More references for endpoints\n\n - S8055304, CVE-2015-0407: More boxing for\n DirectoryComboBoxModel\n\n - S8055309, CVE-2015-0408: RMI needs better transportation\n considerations\n\n - S8055479: TLAB stability\n\n - S8055489, CVE-2014-6585: Better substitution formats\n\n - S8056264, CVE-2014-6587: Multicast support improvements\n\n - S8056276, CVE-2014-6591: Fontmanager feature\n improvements\n\n - S8057555, CVE-2014-6593: Less cryptic cipher suite\n management\n\n - S8058982, CVE-2014-6601: Better verification of an\n exceptional invokespecial\n\n - S8059485, CVE-2015-0410: Resolve parsing ambiguity\n\n - S8061210, CVE-2014-3566: Issues in TLS\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=914041\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2015-02/msg00006.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected java-1_7_0-openjdk packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/01/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-accessibility-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-bootstrap-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-bootstrap-devel-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-bootstrap-headless-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-debuginfo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-debugsource-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-demo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-demo-debuginfo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-devel-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-devel-debuginfo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-headless-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-headless-debuginfo-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-javadoc-1.7.0.75-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"java-1_7_0-openjdk-src-1.7.0.75-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_7_0-openjdk-bootstrap / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-18T13:48:52", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "8", "packageVersion": "52.1-8+deb8u2", "arch": "all", "packageFilename": "icu_52.1-8+deb8u2_all.deb", "packageName": "icu", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "52.1-8+deb8u2", "arch": "all", "packageFilename": "icu-devtools_52.1-8+deb8u2_all.deb", "packageName": "icu-devtools", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "52.1-8+deb8u2", "arch": "all", "packageFilename": "libicu-dev_52.1-8+deb8u2_all.deb", "packageName": "libicu-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "7", "packageVersion": "4.8.1.1-12+deb7u3", "arch": "all", "packageFilename": "icu_4.8.1.1-12+deb7u3_all.deb", "packageName": "icu", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "52.1-8+deb8u2", "arch": "all", "packageFilename": "libicu52_52.1-8+deb8u2_all.deb", "packageName": "libicu52", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "52.1-8+deb8u2", "arch": "all", "packageFilename": "icu-doc_52.1-8+deb8u2_all.deb", "packageName": "icu-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "52.1-8+deb8u2", "arch": "all", "packageFilename": "libicu52-dbg_52.1-8+deb8u2_all.deb", "packageName": "libicu52-dbg", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3323-1 security@debian.org\nhttps://www.debian.org/security/ Laszlo Boszormenyi\nAugust 01, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : icu\nCVE ID : CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760\nDebian Bug : 778511 784773\n\nSeveral vulnerabilities were discovered in the International Components\nfor Unicode (ICU) library.\n\nCVE-2014-8146\n\n The Unicode Bidirectional Algorithm implementation does not properly\n track directionally isolated pieces of text, which allows remote\n attackers to cause a denial of service (heap-based buffer overflow)\n or possibly execute arbitrary code via crafted text.\n\nCVE-2014-8147\n\n The Unicode Bidirectional Algorithm implementation uses an integer\n data type that is inconsistent with a header file, which allows\n remote attackers to cause a denial of service (incorrect malloc\n followed by invalid free) or possibly execute arbitrary code via\n crafted text.\n\nCVE-2015-4760\n\n The Layout Engine was missing multiple boundary checks. These could\n lead to buffer overflows and memory corruption. A specially crafted\n file could cause an application using ICU to parse untrusted font\n files to crash and, possibly, execute arbitrary code.\n\nAdditionally, it was discovered that the patch applied to ICU in DSA-3187-1\nfor CVE-2014-6585 was incomplete, possibly leading to an invalid memory\naccess. This could allow remote attackers to disclose portion of private\nmemory via crafted font files.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 4.8.1.1-12+deb7u3.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 52.1-8+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 52.1-10.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 52.1-10.\n\nWe recommend that you upgrade your icu packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-08-01T16:15:09", "title": "[SECURITY] [DSA 3323-1] icu security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:48:52", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-6585", "CVE-2014-8147", "CVE-2014-8146", "CVE-2015-4760"], "modified": "2015-08-01T16:15:09", "id": "DEBIAN:DSA-3323-1:B926B", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00219.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:50:29", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "6b34-1.13.6-1~deb7u1", "arch": "all", "packageFilename": "openjdk-6_6b34-1.13.6-1~deb7u1_all.deb", "packageName": "openjdk-6", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3147-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJanuary 30, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-6\nCVE ID : CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 \n CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395\n CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 6b34-1.13.6-1~deb7u1.\n\nWe recommend that you upgrade your openjdk-6 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-01-30T15:57:44", "title": "[SECURITY] [DSA 3147-1] openjdk-6 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:50:29", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-30T15:57:44", "id": "DEBIAN:DSA-3147-1:2E393", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00030.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:48:44", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "7u75-2.5.4-1~deb7u1", "arch": "all", "packageFilename": "openjdk-7_7u75-2.5.4-1~deb7u1_all.deb", "packageName": "openjdk-7", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3144-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJanuary 29, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openjdk-7\nCVE ID : CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 \n CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395\n CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 7u75-2.5.4-1~deb7u1.\n\nFor the upcoming stable distribution (jessie), these problems will be\nfixed soon.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7u75-2.5.4-1.\n\nWe recommend that you upgrade your openjdk-7 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-01-29T21:57:46", "title": "[SECURITY] [DSA 3144-1] openjdk-7 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:48:44", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-29T21:57:46", "id": "DEBIAN:DSA-3144-1:1ABE5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00027.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:50:00", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "4.8.1.1-12+deb7u2", "arch": "all", "packageFilename": "icu_4.8.1.1-12+deb7u2_all.deb", "packageName": "icu", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3187-1 security@debian.org\nhttp://www.debian.org/security/ Michael Gilbert\nMarch 15, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : icu\nCVE ID : CVE-2013-1569 CVE-2013-2383 CVE-2013-2384 CVE-2013-2419\n CVE-2014-6585 CVE-2014-6591 CVE-2014-7923 CVE-2014-7926\n CVE-2014-7940 CVE-2014-9654\nDebian Bug : 775884 776264 776265 776719\n\nSeveral vulnerabilities were discovered in the International Components\nfor Unicode (ICU) library.\n\nCVE-2013-1569\n\n Glyph table issue.\n\nCVE-2013-2383\n\n Glyph table issue.\n\nCVE-2013-2384\n\n Font layout issue.\n\nCVE-2013-2419\n\n Font processing issue.\n\nCVE-2014-6585\n\n Out-of-bounds read.\n\nCVE-2014-6591\n\n Additional out-of-bounds reads.\n\nCVE-2014-7923\n\n Memory corruption in regular expression comparison.\n\nCVE-2014-7926\n\n Memory corruption in regular expression comparison.\n\nCVE-2014-7940\n\n Uninitialized memory.\n\nCVE-2014-9654\n\n More regular expression flaws.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 4.8.1.1-12+deb7u2.\n\nFor the upcoming stable (jessie) and unstable (sid) distributions, these\nproblems have been fixed in version 52.1-7.1.\n\nWe recommend that you upgrade your icu packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-03-15T05:02:46", "title": "[SECURITY] [DSA 3187-1] icu security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:50:00", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2384", "CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-9654", "CVE-2013-2419", "CVE-2014-7926", "CVE-2014-6591", "CVE-2013-2383", "CVE-2013-1569"], "modified": "2015-03-15T05:02:46", "id": "DEBIAN:DSA-3187-1:97BB3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00072.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T22:14:33", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-jre-headless_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-jre-headless", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-jre-zero_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-jre-zero", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-doc_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-jre-lib_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-jre-lib", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-jre_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-jre", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "icedtea6-plugin_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "icedtea6-plugin", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-demo_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-demo", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-source_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-source", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-dbg_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "openjdk-6-jdk_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "openjdk-6-jdk", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "6b34-1.13.6-1~deb6u1", "arch": "all", "packageFilename": "icedtea-6-jre-cacao_6b34-1.13.6-1~deb6u1_all.deb", "packageName": "icedtea-6-jre-cacao", "operator": "lt"}], "description": "Package : openjdk-6\nVersion : 6b34-1.13.6-1~deb6u1\nCVE ID : CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 \n CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395\n CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412\n\nSeveral vulnerabilities have been discovered in OpenJDK, an\nimplementation of the Oracle Java platform, resulting in the execution\nof arbitrary code, information disclosure or denial of service.\n", "edition": 1, "reporter": "Debian", "published": "2015-02-24T18:21:33", "title": "[SECURITY] [DLA 157-1] openjdk-6 security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:33", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-02-24T18:21:33", "id": "DEBIAN:DLA-157-1:370F5", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201502/msg00011.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T22:14:42", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "4.4.1-8+squeeze3", "arch": "all", "packageFilename": "icu_4.4.1-8+squeeze3_all.deb", "packageName": "icu", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "4.4.1-8+squeeze3", "arch": "all", "packageFilename": "icu-doc_4.4.1-8+squeeze3_all.deb", "packageName": "icu-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "4.4.1-8+squeeze3", "arch": "all", "packageFilename": "libicu-dev_4.4.1-8+squeeze3_all.deb", "packageName": "libicu-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "4.4.1-8+squeeze3", "arch": "all", "packageFilename": "libicu44-dbg_4.4.1-8+squeeze3_all.deb", "packageName": "libicu44-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "4.4.1-8+squeeze3", "arch": "all", "packageFilename": "libicu44_4.4.1-8+squeeze3_all.deb", "packageName": "libicu44", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "4.4.1-8+squeeze3", "arch": "all", "packageFilename": "lib32icu-dev_4.4.1-8+squeeze3_all.deb", "packageName": "lib32icu-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "4.4.1-8+squeeze3", "arch": "all", "packageFilename": "lib32icu44_4.4.1-8+squeeze3_all.deb", "packageName": "lib32icu44", "operator": "lt"}], "description": "Package : icu\nVersion : 4.4.1-8+squeeze3\nCVE ID : CVE-2013-1569 CVE-2013-2383 CVE-2013-2384 CVE-2013-2419\n CVE-2014-6585 CVE-2014-6591 CVE-2014-7923 CVE-2014-7926\n CVE-2014-7940 CVE-2014-9654\n\nSeveral vulnerabilities were discovered in the International Components\nfor Unicode (ICU) library:\n\nCVE-2013-1569\n\n Glyph table issue.\n\nCVE-2013-2383\n\n Glyph table issue.\n\nCVE-2013-2384\n\n Font layout issue.\n\nCVE-2013-2419\n\n Font processing issue.\n\nCVE-2014-6585\n\n Out-of-bounds read.\n\nCVE-2014-6591\n\n Additional out-of-bounds reads.\n\nCVE-2014-7923\n\n Memory corruption in regular expression comparison.\n\nCVE-2014-7926\n\n Memory corruption in regular expression comparison.\n\nCVE-2014-7940\n\n Uninitialized memory.\n\nCVE-2014-9654\n\n More regular expression flaws.\n\nFor Debian 6 \u201cSqueeze\u201d, these issues have been fixed in icu version\n4.4.1-8+squeeze3.\n", "edition": 1, "reporter": "Debian", "published": "2015-05-14T09:45:48", "title": "[SECURITY] [DLA 219-1] icu security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:42", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2384", "CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-9654", "CVE-2013-2419", "CVE-2014-7926", "CVE-2014-6591", "CVE-2013-2383", "CVE-2013-1569"], "modified": "2015-05-14T09:45:48", "id": "DEBIAN:DLA-219-1:C7AC1", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201505/msg00003.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T19:41:08", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.5.0.16.9-1jpp.1.el5", "arch": "i386", "packageName": "java-1.5.0-ibm-javacomm", "packageFilename": "java-1.5.0-ibm-javacomm-1.5.0.16.9-1jpp.1.el5.i386.rpm", "operator": "lt"}], "description": "IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2014-6585, CVE-2014-6591,\nCVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395, CVE-2015-0407,\nCVE-2015-0408, CVE-2015-0410)\n\nAll users of java-1.5.0-ibm are advised to upgrade to these updated\npackages, containing the IBM J2SE 5.0 SR16-FP9 release. All running\ninstances of IBM Java must be restarted for this update to take effect.\n", "reporter": "RedHat", "published": "2015-02-05T05:00:00", "type": "redhat", "title": "(RHSA-2015:0136) Important: java-1.5.0-ibm security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-6585", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-8891", "CVE-2014-8892", "CVE-2015-0395", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T09:04:23", "id": "RHSA-2015:0136", "href": "https://access.redhat.com/errata/RHSA-2015:0136", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:41:13", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "i386", "packageName": "java-1.6.0-openjdk-debuginfo", "packageFilename": "java-1.6.0-openjdk-debuginfo-1.6.0.34-1.13.6.1.el5_11.i386.rpm", "operator": "lt"}], "description": "The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS,\nand RMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,\nCVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom\nreferences. An untrusted Java application or applet could use this flaw to\ncorrupt the Java Virtual Machine memory and, possibly, execute arbitrary\ncode, bypassing Java sandbox restrictions. (CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder\nin the Security component in OpenJDK handled negative length values. A\nspecially crafted, DER-encoded input could cause a Java application to\nenter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when\ndecrypting messages that were encrypted using block ciphers in cipher block\nchaining (CBC) mode. This flaw could possibly allow a man-in-the-middle\n(MITM) attacker to decrypt portions of the cipher text using a padding\noracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable\nSSL 3.0 support if needed. For additional information, refer to the Red Hat\nBugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in\nOpenJDK failed to properly check whether the ChangeCipherSpec was received\nduring the SSL/TLS connection handshake. An MITM attacker could possibly\nuse this flaw to force a connection to be established without encryption\nbeing enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK. An\nuntrusted Java application or applet could use this flaw to bypass certain\nJava sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted Java\napplication or applet could possibly use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D\ncomponent in OpenJDK. A specially crafted font file could allow an\nuntrusted Java application or applet to disclose portions of the Java\nVirtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error log\nfiles. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "reporter": "RedHat", "published": "2015-01-26T05:00:00", "type": "redhat", "title": "(RHSA-2015:0085) Important: java-1.6.0-openjdk security update", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:13", "id": "RHSA-2015:0085", "href": "https://access.redhat.com/errata/RHSA-2015:0085", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T17:42:57", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "arch": "i386", "packageName": "java-1.7.0-openjdk-debuginfo", "packageFilename": "java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el5_11.i386.rpm", "operator": "lt"}], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS,\nand RMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,\nCVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom\nreferences. An untrusted Java application or applet could use this flaw to\ncorrupt the Java Virtual Machine memory and, possibly, execute arbitrary\ncode, bypassing Java sandbox restrictions. (CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder\nin the Security component in OpenJDK handled negative length values. A\nspecially crafted, DER-encoded input could cause a Java application to\nenter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when\ndecrypting messages that were encrypted using block ciphers in cipher block\nchaining (CBC) mode. This flaw could possibly allow a man-in-the-middle\n(MITM) attacker to decrypt portions of the cipher text using a padding\noracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable\nSSL 3.0 support if needed. For additional information, refer to the Red Hat\nBugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in\nOpenJDK failed to properly check whether the ChangeCipherSpec was received\nduring the SSL/TLS connection handshake. An MITM attacker could possibly\nuse this flaw to force a connection to be established without encryption\nbeing enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK. An\nuntrusted Java application or applet could use this flaw to bypass certain\nJava sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted Java\napplication or applet could possibly use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D\ncomponent in OpenJDK. A specially crafted font file could allow an\nuntrusted Java application or applet to disclose portions of the Java\nVirtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error log\nfiles. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "reporter": "RedHat", "published": "2015-01-20T05:00:00", "type": "redhat", "title": "(RHSA-2015:0068) Important: java-1.7.0-openjdk security update", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-09-08T11:49:25", "id": "RHSA-2015:0068", "href": "https://access.redhat.com/errata/RHSA-2015:0068", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:42:01", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.6.0.16.3-1jpp.1.el6", "arch": "x86_64", "packageName": "java-1.6.0-ibm", "packageFilename": "java-1.6.0-ibm-1.6.0.16.3-1jpp.1.el6.x86_64.rpm", "operator": "lt"}], "description": "This update corrects several security vulnerabilities in the IBM Java\nRuntime Environment shipped as part of Red Hat Satellite 5.7. In a typical\noperating environment, these are of low security risk as the runtime is not\nused on untrusted applets.\n\nSeveral flaws were fixed in the IBM Java 2 Runtime Environment.\n(CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891,\nCVE-2014-8892, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406, CVE-2015-0407,\nCVE-2015-0408, CVE-2015-0410, CVE-2015-0412)\n\nUsers of Red Hat Satellite 5.7 are advised to upgrade to these updated\npackages, which contain the IBM Java SE 6 SR16-FP3 release. For this\nupdate to take effect, Red Hat Satellite must be restarted\n(\"/usr/sbin/rhn-satellite restart\"), as well as all running instances of\nIBM Java.\n", "reporter": "RedHat", "published": "2015-02-24T05:00:00", "type": "redhat", "title": "(RHSA-2015:0263) Low: Red Hat Satellite IBM Java Runtime security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-8891", "CVE-2014-8892", "CVE-2015-0395", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T09:02:29", "id": "RHSA-2015:0263", "href": "https://access.redhat.com/errata/RHSA-2015:0263", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:41:51", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.7.1.2.10-1jpp.3.el6_6", "arch": "i686", "packageName": "java-1.7.1-ibm-devel", "packageFilename": "java-1.7.1-ibm-devel-1.7.1.2.10-1jpp.3.el6_6.i686.rpm", "operator": "lt"}], "description": "IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment\nand the IBM Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2014-6549, CVE-2014-6585,\nCVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892,\nCVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410,\nCVE-2015-0412)\n\nAll users of java-1.7.1-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7R1 SR2-FP10 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "reporter": "RedHat", "published": "2015-02-05T05:00:00", "type": "redhat", "title": "(RHSA-2015:0133) Critical: java-1.7.1-ibm security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-6549", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-8891", "CVE-2014-8892", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T09:04:24", "id": "RHSA-2015:0133", "href": "https://access.redhat.com/errata/RHSA-2015:0133", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T17:40:59", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.7.0.8.10-1jpp.4.el5", "arch": "i386", "packageName": "java-1.7.0-ibm-jdbc", "packageFilename": "java-1.7.0-ibm-jdbc-1.7.0.8.10-1jpp.4.el5.i386.rpm", "operator": "lt"}], "description": "IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2014-6549, CVE-2014-6585,\nCVE-2014-6587, CVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892,\nCVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410,\nCVE-2015-0412)\n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR8-FP10 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "reporter": "RedHat", "published": "2015-02-05T05:00:00", "type": "redhat", "title": "(RHSA-2015:0134) Critical: java-1.7.0-ibm security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-6549", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-8891", "CVE-2014-8892", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-09-08T11:57:24", "id": "RHSA-2015:0134", "href": "https://access.redhat.com/errata/RHSA-2015:0134", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:42:24", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.6.0.16.3-1jpp.1.el5", "arch": "i386", "packageName": "java-1.6.0-ibm-src", "packageFilename": "java-1.6.0-ibm-src-1.6.0.16.3-1jpp.1.el5.i386.rpm", "operator": "lt"}], "description": "IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit.\n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2014-6585, CVE-2014-6587,\nCVE-2014-6591, CVE-2014-6593, CVE-2014-8891, CVE-2014-8892, CVE-2015-0395,\nCVE-2015-0403, CVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410,\nCVE-2015-0412)\n\nAll users of java-1.6.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 6 SR16-FP3 release. All running\ninstances of IBM Java must be restarted for the update to take effect.\n", "reporter": "RedHat", "published": "2015-02-05T05:00:00", "type": "redhat", "title": "(RHSA-2015:0135) Critical: java-1.6.0-ibm security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-8891", "CVE-2014-8892", "CVE-2015-0395", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T09:04:10", "id": "RHSA-2015:0135", "href": "https://access.redhat.com/errata/RHSA-2015:0135", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T17:44:05", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "i686", "packageName": "java-1.7.0-openjdk-debuginfo", "packageFilename": "java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.el6_6.i686.rpm", "operator": "lt"}], "description": "The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS,\nand RMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,\nCVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom\nreferences. An untrusted Java application or applet could use this flaw to\ncorrupt the Java Virtual Machine memory and, possibly, execute arbitrary\ncode, bypassing Java sandbox restrictions. (CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder\nin the Security component in OpenJDK handled negative length values. A\nspecially crafted, DER-encoded input could cause a Java application to\nenter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when\ndecrypting messages that were encrypted using block ciphers in cipher block\nchaining (CBC) mode. This flaw could possibly allow a man-in-the-middle\n(MITM) attacker to decrypt portions of the cipher text using a padding\noracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable\nSSL 3.0 support if needed. For additional information, refer to the Red Hat\nBugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in\nOpenJDK failed to properly check whether the ChangeCipherSpec was received\nduring the SSL/TLS connection handshake. An MITM attacker could possibly\nuse this flaw to force a connection to be established without encryption\nbeing enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK. An\nuntrusted Java application or applet could use this flaw to bypass certain\nJava sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted Java\napplication or applet could possibly use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D\ncomponent in OpenJDK. A specially crafted font file could allow an\nuntrusted Java application or applet to disclose portions of the Java\nVirtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error log\nfiles. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n", "reporter": "RedHat", "published": "2015-01-21T05:00:00", "type": "redhat", "title": "(RHSA-2015:0067) Critical: java-1.7.0-openjdk security update", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:05", "id": "RHSA-2015:0067", "href": "https://access.redhat.com/errata/RHSA-2015:0067", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:41:51", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.8.0.31-1jpp.1.el6", "arch": "i686", "packageName": "java-1.8.0-oracle", "packageFilename": "java-1.8.0-oracle-1.8.0.31-1jpp.1.el6.i686.rpm", "operator": "lt"}], "description": "Oracle Java SE version 8 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2014-3566, CVE-2014-6549, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591,\nCVE-2014-6593, CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0403,\nCVE-2015-0406, CVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412,\nCVE-2015-0413, CVE-2015-0421, CVE-2015-0437)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nNote: With this update, the Oracle Java SE now disables the SSL 3.0\nprotocol to address the CVE-2014-3566 issue (also known as POODLE). Refer\nto the Red Hat Bugzilla bug linked to in the References section for\ninstructions on how to re-enable SSL 3.0 support if needed.\n\nAll users of java-1.8.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 8 Update 31 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "reporter": "RedHat", "published": "2015-01-23T02:19:21", "type": "redhat", "title": "(RHSA-2015:0080) Critical: java-1.8.0-oracle security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2014-6549", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412", "CVE-2015-0413", "CVE-2015-0421", "CVE-2015-0437"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T18:20:30", "id": "RHSA-2015:0080", "href": "https://access.redhat.com/errata/RHSA-2015:0080", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T19:43:23", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.7.0.75-1jpp.1.el5_11", "arch": "i586", "packageName": "java-1.7.0-oracle", "packageFilename": "java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11.i586.rpm", "operator": "lt"}], "description": "Oracle Java SE version 7 includes the Oracle Java Runtime Environment and\nthe Oracle Java Software Development Kit.\n\nThis update fixes several vulnerabilities in the Oracle Java Runtime\nEnvironment and the Oracle Java Software Development Kit. Further\ninformation about these flaws can be found on the Oracle Java SE Critical\nPatch Update Advisory page, listed in the References section.\n(CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593,\nCVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0403, CVE-2015-0406,\nCVE-2015-0407, CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nNote: With this update, the Oracle Java SE now disables the SSL 3.0\nprotocol to address the CVE-2014-3566 issue (also known as POODLE). Refer\nto the Red Hat Bugzilla bug linked to in the References section for\ninstructions on how to re-enable SSL 3.0 support if needed.\n\nAll users of java-1.7.0-oracle are advised to upgrade to these updated\npackages, which provide Oracle Java 7 Update 75 and resolve these issues.\nAll running instances of Oracle Java must be restarted for the update to\ntake effect.", "reporter": "RedHat", "published": "2015-01-23T02:17:01", "type": "redhat", "title": "(RHSA-2015:0079) Critical: java-1.7.0-oracle security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2014-6585", "CVE-2014-6587", "CVE-2014-6591", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0383", "CVE-2015-0395", "CVE-2015-0403", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0410", "CVE-2015-0412", "CVE-2015-0413"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T18:20:35", "id": "RHSA-2015:0079", "href": "https://access.redhat.com/errata/RHSA-2015:0079", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:03", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0067.html"], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "src", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.src.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm", "packageName": "java-1.7.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm", "packageName": "java-1.7.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "noarch", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.53.amzn1.noarch.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.7.0.75-2.5.4.0.53.amzn1", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}], "description": "**Issue Overview:**\n\nA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. ([CVE-2014-6601 __](<https://access.redhat.com/security/cve/CVE-2014-6601>))\n\nMultiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2015-0412 __](<https://access.redhat.com/security/cve/CVE-2015-0412>), [CVE-2015-0408 __](<https://access.redhat.com/security/cve/CVE-2015-0408>))\n\nA flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. ([CVE-2015-0395 __](<https://access.redhat.com/security/cve/CVE-2015-0395>))\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. ([CVE-2015-0410 __](<https://access.redhat.com/security/cve/CVE-2015-0410>))\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. ([CVE-2014-3566 __](<https://access.redhat.com/security/cve/CVE-2014-3566>))\n\nNote: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. ([CVE-2014-6593 __](<https://access.redhat.com/security/cve/CVE-2014-6593>))\n\nAn information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ([CVE-2015-0407 __](<https://access.redhat.com/security/cve/CVE-2015-0407>))\n\nA NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. ([CVE-2014-6587 __](<https://access.redhat.com/security/cve/CVE-2014-6587>))\n\nMultiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. ([CVE-2014-6585 __](<https://access.redhat.com/security/cve/CVE-2014-6585>), [CVE-2014-6591 __](<https://access.redhat.com/security/cve/CVE-2014-6591>))\n\nMultiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. ([CVE-2015-0383 __](<https://access.redhat.com/security/cve/CVE-2015-0383>))\n\n \n**Affected Packages:** \n\n\njava-1.7.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.7.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.i686 \n java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.i686 \n java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.i686 \n java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.i686 \n java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.i686 \n \n noarch: \n java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.53.amzn1.noarch \n \n src: \n java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.src \n \n x86_64: \n java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.x86_64 \n java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.x86_64 \n java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.x86_64 \n java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.x86_64 \n java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.x86_64 \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2015-01-22T16:46:00", "title": "Critical: java-1.7.0-openjdk", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:03", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-22T16:46:00", "id": "ALAS-2015-471", "href": "https://alas.aws.amazon.com/ALAS-2015-471.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T16:55:28", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0085.html"], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm", "packageName": "java-1.6.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm", "packageName": "java-1.6.0-openjdk-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "src", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.src.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm", "packageName": "java-1.6.0-openjdk-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm", "packageName": "java-1.6.0-openjdk-src", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm", "packageName": "java-1.6.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm", "packageName": "java-1.6.0-openjdk-demo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm", "packageName": "java-1.6.0-openjdk-src", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm", "packageName": "java-1.6.0-openjdk-demo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm", "packageName": "java-1.6.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.6.0.34-67.1.13.6.0.69.amzn1", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm", "packageName": "java-1.6.0-openjdk-javadoc", "operator": "lt"}], "description": "**Issue Overview:**\n\nA flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. ([CVE-2014-6601 __](<https://access.redhat.com/security/cve/CVE-2014-6601>))\n\nMultiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2015-0412 __](<https://access.redhat.com/security/cve/CVE-2015-0412>), [CVE-2015-0408 __](<https://access.redhat.com/security/cve/CVE-2015-0408>))\n\nA flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. ([CVE-2015-0395 __](<https://access.redhat.com/security/cve/CVE-2015-0395>))\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. ([CVE-2015-0410 __](<https://access.redhat.com/security/cve/CVE-2015-0410>))\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. ([CVE-2014-3566 __](<https://access.redhat.com/security/cve/CVE-2014-3566>))\n\nNote: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. ([CVE-2014-6593 __](<https://access.redhat.com/security/cve/CVE-2014-6593>))\n\nAn information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ([CVE-2015-0407 __](<https://access.redhat.com/security/cve/CVE-2015-0407>))\n\nA NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. ([CVE-2014-6587 __](<https://access.redhat.com/security/cve/CVE-2014-6587>))\n\nMultiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. ([CVE-2014-6585 __](<https://access.redhat.com/security/cve/CVE-2014-6585>), [CVE-2014-6591 __](<https://access.redhat.com/security/cve/CVE-2014-6591>))\n\nMultiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. ([CVE-2015-0383 __](<https://access.redhat.com/security/cve/CVE-2015-0383>)) The [CVE-2015-0383 __](<https://access.redhat.com/security/cve/CVE-2015-0383>) issue was discovered by Red Hat.\n\n \n**Affected Packages:** \n\n\njava-1.6.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.6.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.i686 \n java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.i686 \n java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.i686 \n java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.i686 \n java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.i686 \n java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.i686 \n \n src: \n java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.src \n \n x86_64: \n java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64 \n java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64 \n java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64 \n java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64 \n java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64 \n java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64 \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2015-02-11T19:50:00", "title": "Important: java-1.6.0-openjdk", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:28", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-02-11T19:50:00", "id": "ALAS-2015-480", "href": "https://alas.aws.amazon.com/ALAS-2015-480.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T16:55:15", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0069.html"], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.x86_64.rpm", "packageName": "java-1.8.0-openjdk-src", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.x86_64.rpm", "packageName": "java-1.8.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.x86_64.rpm", "packageName": "java-1.8.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "src", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.src.rpm", "packageName": "java-1.8.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.i686.rpm", "packageName": "java-1.8.0-openjdk-headless", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.i686.rpm", "packageName": "java-1.8.0-openjdk-demo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.i686.rpm", "packageName": "java-1.8.0-openjdk", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.i686.rpm", "packageName": "java-1.8.0-openjdk-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.x86_64.rpm", "packageName": "java-1.8.0-openjdk-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.x86_64.rpm", "packageName": "java-1.8.0-openjdk-headless", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.i686.rpm", "packageName": "java-1.8.0-openjdk-src", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "noarch", "packageFilename": "java-1.8.0-openjdk-javadoc-1.8.0.31-2.b13.5.amzn1.noarch.rpm", "packageName": "java-1.8.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.x86_64.rpm", "packageName": "java-1.8.0-openjdk-demo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.8.0.31-2.b13.5.amzn1", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.i686.rpm", "packageName": "java-1.8.0-openjdk-devel", "operator": "lt"}], "description": "**Issue Overview:**\n\nMultiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. ([CVE-2014-6601 __](<https://access.redhat.com/security/cve/CVE-2014-6601>), [CVE-2015-0437 __](<https://access.redhat.com/security/cve/CVE-2015-0437>))\n\nMultiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. ([CVE-2015-0412 __](<https://access.redhat.com/security/cve/CVE-2015-0412>), [CVE-2014-6549 __](<https://access.redhat.com/security/cve/CVE-2014-6549>), [CVE-2015-0408 __](<https://access.redhat.com/security/cve/CVE-2015-0408>))\n\nA flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. ([CVE-2015-0395 __](<https://access.redhat.com/security/cve/CVE-2015-0395>))\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. ([CVE-2015-0410 __](<https://access.redhat.com/security/cve/CVE-2015-0410>))\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. ([CVE-2014-3566 __](<https://access.redhat.com/security/cve/CVE-2014-3566>))\n\nNote: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. ([CVE-2014-6593 __](<https://access.redhat.com/security/cve/CVE-2014-6593>))\n\nAn information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. ([CVE-2015-0407 __](<https://access.redhat.com/security/cve/CVE-2015-0407>))\n\nA NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. ([CVE-2014-6587 __](<https://access.redhat.com/security/cve/CVE-2014-6587>))\n\nMultiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. ([CVE-2014-6585 __](<https://access.redhat.com/security/cve/CVE-2014-6585>), [CVE-2014-6591 __](<https://access.redhat.com/security/cve/CVE-2014-6591>))\n\nMultiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. ([CVE-2015-0383 __](<https://access.redhat.com/security/cve/CVE-2015-0383>))\n\n \n**Affected Packages:** \n\n\njava-1.8.0-openjdk\n\n \n**Issue Correction:** \nRun _yum update java-1.8.0-openjdk_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.i686 \n java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.i686 \n java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.i686 \n java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.i686 \n java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.i686 \n java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.i686 \n \n noarch: \n java-1.8.0-openjdk-javadoc-1.8.0.31-2.b13.5.amzn1.noarch \n \n src: \n java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.src \n \n x86_64: \n java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.x86_64 \n java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.x86_64 \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2015-01-22T16:48:00", "title": "Important: java-1.8.0-openjdk", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:15", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0437"], "modified": "2015-01-22T16:48:00", "id": "ALAS-2015-472", "href": "https://alas.aws.amazon.com/ALAS-2015-472.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:08:55", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6585", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6591", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-2383", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-2384", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-1569", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-2419", "https://usn.ubuntu.com/usn/usn-2522-1"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "4.8.1.1-3ubuntu0.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libicu48", "operator": "lt"}], "description": "USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font patches caused a regression when using LibreOffice Calc. The patches have now been updated to fix the regression.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nIt was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419)\n\nIt was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-6585, CVE-2014-6591)\n\nIt was discovered that ICU incorrectly handled memory operations when processing regular expressions. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-7923, CVE-2014-7926, CVE-2014-9654)\n\nIt was discovered that ICU collator implementation incorrectly handled memory operations. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-7940)", "edition": 3, "reporter": "Ubuntu", "published": "2015-03-10T00:00:00", "title": "ICU vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2384", "CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-9654", "CVE-2013-2419", "CVE-2014-7926", "CVE-2014-6591", "CVE-2013-2383", "CVE-2013-1569"], "modified": "2015-03-10T00:00:00", "id": "USN-2522-3", "href": "https://usn.ubuntu.com/2522-3/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:09:45", "references": ["https://launchpad.net/bugs/1429043", "https://usn.ubuntu.com/usn/usn-2522-1"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "4.8.1.1-3ubuntu0.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libicu48", "operator": "lt"}], "description": "USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font patches caused a regression when using LibreOffice Calc. The patches have been temporarily backed out until the regression is investigated.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nIt was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419)\n\nIt was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-6585, CVE-2014-6591)\n\nIt was discovered that ICU incorrectly handled memory operations when processing regular expressions. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-7923, CVE-2014-7926, CVE-2014-9654)\n\nIt was discovered that ICU collator implementation incorrectly handled memory operations. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-7940)", "edition": 3, "reporter": "Ubuntu", "published": "2015-03-06T00:00:00", "title": "ICU regression", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2384", "CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-9654", "CVE-2013-2419", "CVE-2014-7926", "CVE-2014-6591", "CVE-2013-2383", "CVE-2013-1569"], "modified": "2015-03-06T00:00:00", "id": "USN-2522-2", "href": "https://usn.ubuntu.com/2522-2/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:09:07", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0395", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0408", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6593", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6585", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6591", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0410", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0407", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0383", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0412", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-3566", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0400", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6601", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6587"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "6b34-1.13.6-1ubuntu0.12.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre-headless", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "6b34-1.13.6-1ubuntu0.10.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre-zero", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "6b34-1.13.6-1ubuntu0.12.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "icedtea-6-jre-cacao", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "6b34-1.13.6-1ubuntu0.10.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "6b34-1.13.6-1ubuntu0.12.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "6b34-1.13.6-1ubuntu0.10.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "icedtea-6-jre-cacao", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "6b34-1.13.6-1ubuntu0.12.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre-zero", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "6b34-1.13.6-1ubuntu0.10.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre-headless", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "6b34-1.13.6-1ubuntu0.12.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "icedtea-6-jre-jamvm", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "6b34-1.13.6-1ubuntu0.12.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre-lib", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "6b34-1.13.6-1ubuntu0.10.04.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-6-jre-lib", "operator": "lt"}], "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395, CVE-2015-0408, CVE-2015-0412)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400, CVE-2015-0407)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6593)\n\nA vulnerability was discovered in the OpenJDK JRE related to integrity and availability. An attacker could exploit this to cause a denial of service. (CVE-2015-0383)\n\nA vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could this exploit to cause a denial of service. (CVE-2015-0410)", "edition": 3, "reporter": "Ubuntu", "published": "2015-01-27T00:00:00", "title": "OpenJDK 6 vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400"], "modified": "2015-01-27T00:00:00", "id": "USN-2486-1", "href": "https://usn.ubuntu.com/2486-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:10:23", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9654", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-7923", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-7926", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6585", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6591", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-2383", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-2384", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-1569", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-7940", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-2419"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "4.8.1.1-3ubuntu0.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libicu48", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "52.1-3ubuntu0.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libicu52", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "52.1-6ubuntu0.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libicu52", "operator": "lt"}], "description": "It was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419)\n\nIt was discovered that ICU incorrectly handled memory operations when processing fonts. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-6585, CVE-2014-6591)\n\nIt was discovered that ICU incorrectly handled memory operations when processing regular expressions. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-7923, CVE-2014-7926, CVE-2014-9654)\n\nIt was discovered that ICU collator implementation incorrectly handled memory operations. If an application using ICU processed crafted data, an attacker could cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2014-7940)", "edition": 3, "reporter": "Ubuntu", "published": "2015-03-05T00:00:00", "title": "ICU vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2384", "CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-9654", "CVE-2013-2419", "CVE-2014-7926", "CVE-2014-6591", "CVE-2013-2383", "CVE-2013-1569"], "modified": "2015-03-05T00:00:00", "id": "USN-2522-1", "href": "https://usn.ubuntu.com/2522-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:17", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0395", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0408", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6593", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6585", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0413", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6591", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0410", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0407", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0383", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0412", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-3566", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-0400", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6601", "https://people.canonical.com/~ubuntu-security/cve/CVE-2014-6587"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "7u75-2.5.4-1~trusty1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre-zero", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "7u75-2.5.4-1~utopic1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "icedtea-7-jre-jamvm", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "7u75-2.5.4-1~trusty1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "icedtea-7-jre-jamvm", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "7u75-2.5.4-1~utopic1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre-zero", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "7u75-2.5.4-1~utopic1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-source", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "7u75-2.5.4-1~trusty1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-source", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "7u75-2.5.4-1~utopic1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "7u75-2.5.4-1~trusty1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre-headless", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "7u75-2.5.4-1~trusty1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre-lib", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "7u75-2.5.4-1~utopic1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre-lib", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "7u75-2.5.4-1~trusty1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.10", "packageVersion": "7u75-2.5.4-1~utopic1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openjdk-7-jre-headless", "operator": "lt"}], "description": "Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395, CVE-2015-0408, CVE-2015-0412)\n\nSeveral vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400, CVE-2015-0407)\n\nA vulnerability was discovered in the OpenJDK JRE related to information disclosure and integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6593)\n\nA vulnerability was discovered in the OpenJDK JRE related to integrity and availability. An attacker could exploit this to cause a denial of service. (CVE-2015-0383)\n\nA vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could this exploit to cause a denial of service. (CVE-2015-0410)\n\nA vulnerability was discovered in the OpenJDK JRE related to data integrity. (CVE-2015-0413)", "edition": 3, "reporter": "Ubuntu", "published": "2015-01-28T00:00:00", "title": "OpenJDK 7 vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400"], "modified": "2015-01-28T00:00:00", "id": "USN-2487-1", "href": "https://usn.ubuntu.com/2487-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:59", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31765"], "description": "Multiple memory corruptions.", "edition": 1, "reporter": "UBUNTU", "published": "2015-03-07T00:00:00", "title": "libicu multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:59", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "icu", "version": "52", "operator": "eq"}], "cvelist": ["CVE-2013-2384", "CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-9654", "CVE-2013-2419", "CVE-2014-7926", "CVE-2014-6591", "CVE-2013-2383", "CVE-2013-1569"], "modified": "2015-03-07T00:00:00", "id": "SECURITYVULNS:VULN:14291", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14291", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:57", "references": [], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2522-1\r\nMarch 05, 2015\r\n\r\nicu vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 14.10\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nICU could be made to crash or run programs as your login if it processed\r\nspecially crafted data.\r\n\r\nSoftware Description:\r\n- icu: International Components for Unicode library\r\n\r\nDetails:\r\n\r\nIt was discovered that ICU incorrectly handled memory operations when\r\nprocessing fonts. If an application using ICU processed crafted data, an\r\nattacker could cause it to crash or potentially execute arbitrary code with\r\nthe privileges of the user invoking the program. This issue only affected\r\nUbuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,\r\nCVE-2013-2419)\r\n\r\nIt was discovered that ICU incorrectly handled memory operations when\r\nprocessing fonts. If an application using ICU processed crafted data, an\r\nattacker could cause it to crash or potentially execute arbitrary code with\r\nthe privileges of the user invoking the program. (CVE-2014-6585,\r\nCVE-2014-6591)\r\n\r\nIt was discovered that ICU incorrectly handled memory operations when\r\nprocessing regular expressions. If an application using ICU processed\r\ncrafted data, an attacker could cause it to crash or potentially execute\r\narbitrary code with the privileges of the user invoking the program.\r\n(CVE-2014-7923, CVE-2014-7926, CVE-2014-9654)\r\n\r\nIt was discovered that ICU collator implementation incorrectly handled\r\nmemory operations. If an application using ICU processed crafted data, an\r\nattacker could cause it to crash or potentially execute arbitrary code with\r\nthe privileges of the user invoking the program. (CVE-2014-7940)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 14.10:\r\n libicu52 52.1-6ubuntu0.2\r\n\r\nUbuntu 14.04 LTS:\r\n libicu52 52.1-3ubuntu0.2\r\n\r\nUbuntu 12.04 LTS:\r\n libicu48 4.8.1.1-3ubuntu0.3\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2522-1\r\n CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419,\r\n CVE-2014-6585, CVE-2014-6591, CVE-2014-7923, CVE-2014-7926,\r\n CVE-2014-7940, CVE-2014-9654\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/icu/52.1-6ubuntu0.2\r\n https://launchpad.net/ubuntu/+source/icu/52.1-3ubuntu0.2\r\n https://launchpad.net/ubuntu/+source/icu/4.8.1.1-3ubuntu0.3\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-03-07T00:00:00", "title": "[USN-2522-1] ICU vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:57", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2384", "CVE-2014-7923", "CVE-2014-6585", "CVE-2014-7940", "CVE-2014-9654", "CVE-2013-2419", "CVE-2014-7926", "CVE-2014-6591", "CVE-2013-2383", "CVE-2013-1569"], "modified": "2015-03-07T00:00:00", "id": "SECURITYVULNS:DOC:31765", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31765", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:58", "references": [], "description": "Over 150 vulnerabilities in different applications are closed in auqrterly update.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-01-25T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:58", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Enterprise Asset Management", "version": "8.2", "operator": "eq"}, {"name": "Wavese", "version": "8.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Oracle Forms", "version": "11.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "3.5", "operator": "eq"}, {"name": "Fusion Middleware", "version": "11.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "5.5", "operator": "eq"}, {"name": "Healthcare Master Person Index", "version": "2", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "6.5", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "10.1", "operator": "eq"}, {"name": "SOA Suite", "version": "11.1", "operator": "eq"}, {"name": "Java SE Embedded", "version": "8", "operator": "eq"}, {"name": "Communications Diameter Signaling Router", "version": "5.0", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Siebel Applications", "version": "8.2", "operator": "eq"}, {"name": "WebLogic Portal", "version": "10.3", "operator": "eq"}, {"name": "BI Publisher", "version": "10.1", "operator": "eq"}, {"name": "RTD Platform", "version": "3.0", "operator": "eq"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Oracle Real-Time Decision Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "11.5", "operator": "eq"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "SOA Suite", "version": "12.1", "operator": "eq"}, {"name": "Solaris Cluster", "version": "4.1", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "11.1", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "Integrated Lights Out Manager", "version": "3.2", "operator": "eq"}, {"name": "WebLogic Server", "version": "12.1", "operator": "eq"}, {"name": "OpenSSO", "version": "8.0", "operator": "eq"}, {"name": "WebLogic Server", "version": "10.3", "operator": "eq"}, {"name": "MICROS Retail", "version": "4.8", "operator": "eq"}, {"name": "Oracle Containers for J2EE", "version": "10.1", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Agile PLM for Process", "version": "6.1", "operator": "eq"}, {"name": "Oracle Directory Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle Reports", "version": "11.1", "operator": "eq"}, {"name": "WebCenter Content", "version": "11.1", "operator": "eq"}, {"name": "VirtualBox", "version": "4.3", "operator": "eq"}, {"name": "Oracle Directory Server", "version": "7.0", "operator": "eq"}, {"name": "MySQL Server", "version": "5.5", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Fusion Middleware", "version": "10.1", "operator": "eq"}, {"name": "Solaris", "version": "11", "operator": "eq"}, {"name": "Oracle", "version": "11.1", "operator": "eq"}, {"name": "BI Publisher", "version": "11.1", "operator": "eq"}, {"name": "Fusion Middleware", "version": "12.1", "operator": "eq"}, {"name": "Solaris", "version": "10", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "12.1", "operator": "eq"}, {"name": "Fusion Applications", "version": "11.1", "operator": "eq"}, {"name": "Agile PLM", "version": "9.3", "operator": "eq"}, {"name": "JD Edwards EnterpriseOne Tool", "version": "9.1", "operator": "eq"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "eq"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.1", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.0", "operator": "eq"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "eq"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "eq"}, {"name": "Communications Messaging Server", "version": "7.0", "operator": "eq"}], "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-6599", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2014-0114", "CVE-2015-0364", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "modified": "2015-01-25T00:00:00", "id": "SECURITYVULNS:VULN:14233", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14233", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2017-06-08T00:16:30", "references": [], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerabilities, and for information about releases or hotfixes that address the vulnerabilities, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.2.0 - 2.5.0 \n1.6.0 - 1.6.4| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None \nBIG-IP Edge Clients for Android| None| 2.0.0 - 2.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Apple iOS| None| 2.0.0 - 2.0.4 \n1.0.5 - 1.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Linux| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for MAC OS X| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for Windows| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients Windows Phone 8.1| None| 1.0.0.x| Not vulnerable| None \nBIG-IP Edge Portal for Android| None| 1.0.0 - 1.0.2| Not vulnerable| None \nBIG-IP Edge Portal for Apple iOS| None| 1.0.0 - 1.0.3| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the** Severity** value. Security Advisory articles published before this date do not list a** Severity** value.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "reporter": "f5", "published": "2015-04-02T23:52:00", "title": "Multiple OpenJDK vulnerabilities", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2017-04-06T16:50:00", "href": "https://support.f5.com/csp/article/K16352", "id": "F5:K16352", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:09:29", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "reporter": "f5", "published": "2015-04-02T00:00:00", "title": "SOL16352 - Multiple OpenJDK vulnerabilities", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2016-07-25T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/300/sol16352.html", "id": "SOL16352", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-08T00:16:16", "references": [], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.2.0 - 2.5.0 \n1.6.0 - 1.6.4| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None \nBIG-IP Edge Clients for Android| None| 2.0.0 - 2.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Apple iOS| None| 2.0.0 - 2.0.4 \n1.0.5 - 1.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Linux| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for MAC OS X| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for Windows| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients Windows Phone 8.1| None| 1.0.0.x| Not vulnerable| None \nBIG-IP Edge Portal for Android| None| 1.0.0 - 1.0.2| Not vulnerable| None \nBIG-IP Edge Portal for Apple iOS| None| 1.0.0 - 1.0.3| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the **Severity** value. Security Advisory articles published before this date do not list a **Severity** value.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "reporter": "f5", "published": "2015-04-03T00:05:00", "title": "Multiple JavaSE client-side vulnerabilities", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2014-6549", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0437"], "modified": "2017-04-06T16:50:00", "href": "https://support.f5.com/csp/article/K16354", "id": "F5:K16354", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:10:01", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "reporter": "f5", "published": "2015-04-02T00:00:00", "title": "SOL16354 - Multiple JavaSE client-side vulnerabilities", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2014-6549", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0437"], "modified": "2016-07-25T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/300/sol16354.html", "id": "SOL16354", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:38:48", "references": ["https://bugzilla.suse.com/show_bug.cgi?id=914041"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-debuginfo", "packageFilename": "java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-src", "packageFilename": "java-1_7_0-openjdk-src-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap", "packageFilename": "java-1_7_0-openjdk-bootstrap-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-debuginfo", "packageFilename": "java-1_7_0-openjdk-debuginfo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-debugsource", "packageFilename": "java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-demo-debuginfo", "packageFilename": "java-1_7_0-openjdk-demo-debuginfo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-headless", "packageFilename": "java-1_7_0-openjdk-bootstrap-headless-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-demo", "packageFilename": "java-1_7_0-openjdk-demo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-src", "packageFilename": "java-1_7_0-openjdk-src-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-demo-debuginfo", "packageFilename": "java-1_7_0-openjdk-demo-debuginfo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-debugsource", "packageFilename": "java-1_7_0-openjdk-debugsource-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-devel", "packageFilename": "java-1_7_0-openjdk-bootstrap-devel-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-devel-debuginfo", "packageFilename": "java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-headless-debuginfo", "packageFilename": "java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-headless", "packageFilename": "java-1_7_0-openjdk-headless-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-devel-debuginfo", "packageFilename": "java-1_7_0-openjdk-devel-debuginfo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-devel", "packageFilename": "java-1_7_0-openjdk-devel-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-javadoc", "packageFilename": "java-1_7_0-openjdk-javadoc-1.7.0.75-4.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-accessibility", "packageFilename": "java-1_7_0-openjdk-accessibility-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-devel", "packageFilename": "java-1_7_0-openjdk-bootstrap-devel-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-headless-debuginfo", "packageFilename": "java-1_7_0-openjdk-headless-debuginfo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-debugsource", "packageFilename": "java-1_7_0-openjdk-debugsource-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-headless-debuginfo", "packageFilename": "java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-devel", "packageFilename": "java-1_7_0-openjdk-devel-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-accessibility", "packageFilename": "java-1_7_0-openjdk-accessibility-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-demo", "packageFilename": "java-1_7_0-openjdk-demo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-debuginfo", "packageFilename": "java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-devel-debuginfo", "packageFilename": "java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-debugsource", "packageFilename": "java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-headless-debuginfo", "packageFilename": "java-1_7_0-openjdk-headless-debuginfo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-devel-debuginfo", "packageFilename": "java-1_7_0-openjdk-devel-debuginfo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-headless", "packageFilename": "java-1_7_0-openjdk-headless-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-debuginfo", "packageFilename": "java-1_7_0-openjdk-debuginfo-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap", "packageFilename": "java-1_7_0-openjdk-bootstrap-1.7.0.75-4.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "1.7.0.75-4.1", "packageName": "java-1_7_0-openjdk-bootstrap-headless", "packageFilename": "java-1_7_0-openjdk-bootstrap-headless-1.7.0.75-4.1.i586.rpm", "arch": "i586", "operator": "lt"}], "description": "OpenJDK was updated to 2.5.4 - OpenJDK 7u75 to fix security issues and\n bugs:\n\n * Security fixes\n - S8046656: Update protocol support\n - S8047125, CVE-2015-0395: (ref) More phantom object references\n - S8047130: Fewer escapes from escape analysis\n - S8048035, CVE-2015-0400: Ensure proper proxy protocols\n - S8049253: Better GC validation\n - S8050807, CVE-2015-0383: Better performing performance data handling\n - S8054367, CVE-2015-0412: More references for endpoints\n - S8055304, CVE-2015-0407: More boxing for DirectoryComboBoxModel\n - S8055309, CVE-2015-0408: RMI needs better transportation considerations\n - S8055479: TLAB stability\n - S8055489, CVE-2014-6585: Better substitution formats\n - S8056264, CVE-2014-6587: Multicast support improvements\n - S8056276, CVE-2014-6591: Fontmanager feature improvements\n - S8057555, CVE-2014-6593: Less cryptic cipher suite management\n - S8058982, CVE-2014-6601: Better verification of an exceptional\n invokespecial\n - S8059485, CVE-2015-0410: Resolve parsing ambiguity\n - S8061210, CVE-2014-3566: Issues in TLS\n\n", "edition": 1, "reporter": "Suse", "published": "2015-02-02T12:04:48", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400"], "modified": "2015-02-02T12:04:48", "id": "OPENSUSE-SU-2015:0190-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00001.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:26:30", "references": ["https://bugzilla.suse.com/914041", "https://bugzilla.suse.com/901223"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-devel-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-headless", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debugsource-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-debugsource", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debugsource-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-demo-debuginfo-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-demo-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-debuginfo-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-headless-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-demo-debuginfo-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-demo-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-demo-debuginfo-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-demo-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-demo-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-demo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-demo-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-demo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-debuginfo-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-headless-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debuginfo-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-debuginfo-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-headless-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-demo-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-demo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debuginfo-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-devel-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-devel", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-headless", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-devel-debuginfo-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-devel-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-headless", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-devel-debuginfo-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-devel-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-headless", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debuginfo-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debuginfo-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-devel-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-devel", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debugsource-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-headless-debuginfo-1.7.0.75-11.3.x86_64.rpm", "packageName": "java-1_7_0-openjdk-headless-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-debugsource-1.7.0.75-11.3.ppc64le.rpm", "packageName": "java-1_7_0-openjdk-debugsource", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "1.7.0.75-11.3", "packageFilename": "java-1_7_0-openjdk-devel-debuginfo-1.7.0.75-11.3.s390x.rpm", "packageName": "java-1_7_0-openjdk-devel-debuginfo", "arch": "s390x", "operator": "lt"}], "description": "This update fixes 13 security issues.\n\n These security issues were fixed:\n - CVE-2015-0395: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85,\n 7u72, and 8u25 allowed remote attackers to affect confidentiality,\n integrity, and availability via unknown vectors related to Hotspot\n (bnc#914041).\n - CVE-2015-0400: Unspecified vulnerability in Oracle Java SE 6u85, 7u72,\n and 8u25 allowed remote attackers to affect confidentiality via unknown\n vectors related to Libraries (bnc#914041).\n - CVE-2015-0383: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85,\n 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and\n R28.3.4 allowed local users to affect integrity and availability via\n unknown vectors related to Hotspot (bnc#914041).\n - CVE-2015-0412: Unspecified vulnerability in Oracle Java SE 6u85, 7u72,\n and 8u25 allowed remote attackers to affect confidentiality, integrity,\n and availability via vectors related to JAX-WS (bnc#914041).\n - CVE-2015-0407: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85,\n 7u72, and 8u25 allowed remote attackers to affect confidentiality via\n unknown vectors related to Swing (bnc#914041).\n - CVE-2015-0408: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85,\n 7u72, and 8u25 allowed remote attackers to affect confidentiality,\n integrity, and availability via vectors related to RMI (bnc#914041).\n - CVE-2014-6585: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85,\n 7u72, and 8u25 allowed remote attackers to affect confidentiality via\n unknown vectors reelated to 2D, a different vulnerability than\n CVE-2014-6591 (bnc#914041).\n - CVE-2014-6587: Unspecified vulnerability in Oracle Java SE 6u85, 7u72,\n and 8u25 allowed local users to affect confidentiality, integrity, and\n availability via unknown vectors related to Libraries (bnc#914041).\n - CVE-2014-6591: Unspecified vulnerability in the Java SE component in\n Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allowed remote attackers to\n affect confidentiality via unknown vectors related to 2D, a different\n vulnerability than CVE-2014-6585 (bnc#914041).\n - CVE-2014-6593: Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85,\n 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and\n 28.3.4 allowed remote attackers to affect confidentiality and integrity\n via vectors related to JSSE (bnc#914041).\n - CVE-2014-6601: Unspecified vulnerability in Oracle Java SE 6u85, 7u72,\n and 8u25 allowed remote attackers to affect confidentiality, integrity,\n and availability via unknown vectors related to Hotspot (bnc#914041).\n - CVE-2015-0410: Unspecified vulnerability in the Java SE, Java SE\n Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and\n 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4\n allowed remote attackers to affect availability via unknown vectors\n related to Security (bnc#914041).\n - CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i\n and other products, used nondeterministic CBC padding, which made it\n easier for man-in-the-middle attackers to obtain cleartext data via a\n padding-oracle attack, aka the "POODLE" issue (bnc#901223).\n\n These non-security issues were fixed:\n - Update protocol support (S8046656).\n - Fewer escapes from escape analysis (S8047130).\n - Better GC validation (S8049253).\n - TLAB stability (S8055479).\n\n", "edition": 1, "reporter": "Suse", "published": "2015-03-16T12:05:47", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400"], "modified": "2015-03-16T12:05:47", "id": "SUSE-SU-2015:0503-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00018.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:02:22", "references": ["https://bugzilla.suse.com/914041", "http://download.suse.com/patch/finder/?keywords=8d9a18b0ce3289f724b64f4b4dccc67e"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "1.7.0.75-0.7.1", "packageFilename": "java-1_7_0-openjdk-demo-1.7.0.75-0.7.1.i586.rpm", "packageName": "java-1_7_0-openjdk-demo", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "1.7.0.75-0.7.1", "packageFilename": "java-1_7_0-openjdk-demo-1.7.0.75-0.7.1.x86_64.rpm", "packageName": "java-1_7_0-openjdk-demo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "1.7.0.75-0.7.1", "packageFilename": "java-1_7_0-openjdk-devel-1.7.0.75-0.7.1.x86_64.rpm", "packageName": "java-1_7_0-openjdk-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "1.7.0.75-0.7.1", "packageFilename": "java-1_7_0-openjdk-devel-1.7.0.75-0.7.1.i586.rpm", "packageName": "java-1_7_0-openjdk-devel", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "1.7.0.75-0.7.1", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-0.7.1.x86_64.rpm", "packageName": "java-1_7_0-openjdk", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "11.3", "packageVersion": "1.7.0.75-0.7.1", "packageFilename": "java-1_7_0-openjdk-1.7.0.75-0.7.1.i586.rpm", "packageName": "java-1_7_0-openjdk", "arch": "i586", "operator": "lt"}], "edition": 1, "description": "java-1_7_0-openjdk was updated to fix 19 security issues.\n\n Details are available at\n <a rel=\"nofollow\" href=\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#A\">http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#A</a>\n ppendixJAVA\n <<a rel=\"nofollow\" href=\"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#\">http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#</a>\n AppendixJAVA>\n\n Security Issues:\n\n * CVE-2014-6601\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601</a>>\n * CVE-2015-0412\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412</a>>\n * CVE-2014-6549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549</a>>\n * CVE-2015-0408\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408</a>>\n * CVE-2015-0395\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395</a>>\n * CVE-2015-0437\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0437\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0437</a>>\n * CVE-2015-0403\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0403\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0403</a>>\n * CVE-2015-0421\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0421\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0421</a>>\n * CVE-2015-0406\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0406\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0406</a>>\n * CVE-2015-0383\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383</a>>\n * CVE-2015-0400\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0400\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0400</a>>\n * CVE-2015-0407\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407</a>>\n * CVE-2015-0410\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410</a>>\n * CVE-2014-6587\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587</a>>\n * CVE-2014-3566\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566</a>>\n * CVE-2014-6593\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593</a>>\n * CVE-2014-6585\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585</a>>\n * CVE-2014-6591\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591</a>>\n * CVE-2015-0413\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0413\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0413</a>>\n\n", "reporter": "Suse", "published": "2015-02-20T00:04:57", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for java-1_7_0-openjdk (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0437"], "modified": "2015-02-20T00:04:57", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00024.html", "id": "SUSE-SU-2015:0336-1", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:40:40", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.0.1.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.0.1.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.0.1.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.0.1.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "src", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el5_11.src.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "src", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el5_11.src.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.0.1.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.0.1.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.0.1.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.0.1.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "operator": "lt"}], "description": "[1:1.7.0.75-2.5.4.0.0.1.el5_11]\n- Add oracle-enterprise.patch\n- Fix DISTRO_NAME to 'Oracle Linux'\n[1:1.7.0.75-2.5.4.0]\n- Bump to 2.5.4 using OpenJDK 7u75 b13.\n- Fix elliptic curve list as part of fsg.sh\n- Resolves: rhbz#1180294", "edition": 3, "reporter": "Oracle", "published": "2015-01-21T00:00:00", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-21T00:00:00", "id": "ELSA-2015-0068", "href": "http://linux.oracle.com/errata/ELSA-2015-0068.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:42:37", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "src", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.2.0.1.el7_0.src.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.0.1.el7_0.x86_64.rpm", "packageName": "java-1.7.0-openjdk-accessibility", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el6_6.x86_64.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.0.1.el7_0.x86_64.rpm", "packageName": "java-1.7.0-openjdk-headless", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "noarch", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.0.1.el6_6.noarch.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "noarch", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.0.1.el6_6.noarch.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.0.1.el6_6.i686.rpm", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.0.1.el7_0.x86_64.rpm", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el6_6.i686.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.0.1.el7_0.x86_64.rpm", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.0.1.el6_6.i686.rpm", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "i686", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.0.1.el6_6.i686.rpm", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.0.1.el6_6.x86_64.rpm", "packageName": "java-1.7.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.2.0.1.el7_0.x86_64.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.0.1.el6_6.x86_64.rpm", "packageName": "java-1.7.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "src", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el6_6.src.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "src", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.0.1.el6_6.src.rpm", "packageName": "java-1.7.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "noarch", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.2.0.1.el7_0.noarch.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.0.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.0.1.el7_0.x86_64.rpm", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.0.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.0.1.el6_6.x86_64.rpm", "packageName": "java-1.7.0-openjdk-demo", "operator": "lt"}], "description": "[1:1.7.0.75-2.5.4.0.0.1.el6_6]\n- Update DISTRO_NAME in specfile\n[1:1.7.0.75-2.5.4.0]\n- Fix abrt_friendly_hs_log_jdk7.patch to apply again.\n[1:1.7.0.75-2.5.4.0]\n- Bump to 2.5.4 using OpenJDK 7u75 b13.\n- Remove earlier temporary patch for RH1146622 (included upstream)\n- Fix elliptic curve list as part of fsg.sh\n- Resolves: rhbz#1180295\n- Resolves: rhbz#1173706", "edition": 3, "reporter": "Oracle", "published": "2015-01-21T00:00:00", "title": "java-1.7.0-openjdk security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-21T00:00:00", "id": "ELSA-2015-0067", "href": "http://linux.oracle.com/errata/ELSA-2015-0067.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:38:58", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.0.1.el5_11.i386.rpm", "packageName": "java-1.6.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "packageName": "java-1.6.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "packageName": "java-1.6.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.0.1.el5_11.x86_64.rpm", "packageName": "java-1.6.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.0.1.el5_11.i386.rpm", "packageName": "java-1.6.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "packageName": "java-1.6.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "packageName": "java-1.6.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.0.1.el5_11.x86_64.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "packageName": "java-1.6.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.0.1.el5_11.i386.rpm", "packageName": "java-1.6.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "packageName": "java-1.6.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.0.1.el5_11.i386.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "packageName": "java-1.6.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "packageName": "java-1.6.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "src", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6.src.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "src", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6.src.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "packageName": "java-1.6.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "packageName": "java-1.6.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "src", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el7_0.src.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "packageName": "java-1.6.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.0.1.el5_11.x86_64.rpm", "packageName": "java-1.6.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "src", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.0.1.el5_11.src.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "src", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.0.1.el5_11.src.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.0.1.el5_11.x86_64.rpm", "packageName": "java-1.6.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "packageName": "java-1.6.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "packageName": "java-1.6.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "x86_64", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.0.1.el5_11.x86_64.rpm", "packageName": "java-1.6.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.0.1.el5_11", "arch": "i386", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.0.1.el5_11.i386.rpm", "packageName": "java-1.6.0-openjdk-src", "operator": "lt"}], "description": "[1:1.6.0.33-1.13.6.1.0.1.el5_11]\n- Add oracle-enterprise.patch\n[1:1.6.0.34-1.13.6.1]\n- Update to latest 1.13.6 release candidate tarball\n- Fixes a number of issues found with b34:\n- * OJ51, PR2187: Sync patch for 4873188 with 7 version\n- * OJ52, PR2185: Application of 6786276 introduces compatibility issue\n- * OJ53, PR2181: strict-aliasing warnings issued on PPC32\n- * OJ54, PR2182: 6911104 reintroduces test fragment removed in existing 6964018 backport\n- * S6730740, PR2186: Fix for 6729881 has apparently broken several 64 bit tests: 'Bad address'\n- * S7031830, PR2183: bad_record_mac failure on TLSv1.2 enabled connection with SSLEngine\n- Also includes PR2180, so patch dropped from RPM.\n- Resolves: rhbz#1180289\n[1:1.6.0.34-1.13.6.0]\n- Apply pr2180.patch to work around issue with older autotools.\n- Resolves: rhbz#1180289\n[1:1.6.0.34-1.13.6.0]\n- Update to IcedTea 1.13.6\n- Apply pr2125.patch in generate_rhel_zip.sh to remove unwanted elliptic curves.\n- Add no_pr2125.patch to avoid repeating the procedure during the IcedTea build.\n- Avoid duplicating the OpenJDK build version by making more use of %{openjdkver}.\n- Add US_export_policy.jar and local_policy.jar to packages.\n- Resolves: rhbz#1180289", "edition": 3, "reporter": "Oracle", "published": "2015-01-26T00:00:00", "title": "java-1.6.0-openjdk security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-26T00:00:00", "id": "ELSA-2015-0085", "href": "http://linux.oracle.com/errata/ELSA-2015-0085.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:40:11", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-headless-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-headless", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-demo-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-src-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-devel-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-demo-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-demo", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-headless-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-headless", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "x86_64", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "noarch", "packageFilename": "java-1.8.0-openjdk-javadoc-1.8.0.31-1.b13.el6_6.noarch.rpm", "packageName": "java-1.8.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "noarch", "packageFilename": "java-1.8.0-openjdk-javadoc-1.8.0.31-1.b13.el6_6.noarch.rpm", "packageName": "java-1.8.0-openjdk-javadoc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-src-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "i686", "packageFilename": "java-1.8.0-openjdk-devel-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "src", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.src.rpm", "packageName": "java-1.8.0-openjdk", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "arch": "src", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.src.rpm", "packageName": "java-1.8.0-openjdk", "operator": "lt"}], "description": "[1:1.8.0.31-1.b13]\n- Update to January CPU patch update.\n- Resolves: RHBZ#1180299\n[1:1.8.0.25-4.b17]\n- updated aarch64 sources\n- epoch synced to 1\n- all ppcs excluded from classes dump(1156151)\n- Resolves: rhbz#1173706", "edition": 3, "reporter": "Oracle", "published": "2015-01-21T00:00:00", "title": "java-1.8.0-openjdk security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0437"], "modified": "2015-01-21T00:00:00", "id": "ELSA-2015-0069", "href": "http://linux.oracle.com/errata/ELSA-2015-0069.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2017-10-03T18:24:49", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0067.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "noarch", "packageName": "java-1.7.0-openjdk-javadoc", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el6_6.noarch.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "noarch", "packageName": "java-1.7.0-openjdk-javadoc", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el6_6.noarch.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-accessibility", "packageFilename": "java-1.7.0-openjdk-accessibility-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "x86_64", "packageName": "java-1.7.0-openjdk", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-headless", "packageFilename": "java-1.7.0-openjdk-headless-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-src", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "i686", "packageName": "java-1.7.0-openjdk-devel", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-devel", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "i686", "packageName": "java-1.7.0-openjdk-src", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-demo", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-devel", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "x86_64", "packageName": "java-1.7.0-openjdk", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-demo", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "x86_64", "packageName": "java-1.7.0-openjdk-src", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.2.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "i686", "packageName": "java-1.7.0-openjdk", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "any", "packageName": "java-1.7.0-openjdk", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el6_6.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.7.0.75-2.5.4.0.el6_6", "arch": "i686", "packageName": "java-1.7.0-openjdk-demo", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "noarch", "packageName": "java-1.7.0-openjdk-javadoc", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.2.el7_0.noarch.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.7.0.75-2.5.4.2.el7_0", "arch": "any", "packageName": "java-1.7.0-openjdk", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.2.el7_0.src.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:0067\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS,\nand RMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,\nCVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom\nreferences. An untrusted Java application or applet could use this flaw to\ncorrupt the Java Virtual Machine memory and, possibly, execute arbitrary\ncode, bypassing Java sandbox restrictions. (CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder\nin the Security component in OpenJDK handled negative length values. A\nspecially crafted, DER-encoded input could cause a Java application to\nenter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when\ndecrypting messages that were encrypted using block ciphers in cipher block\nchaining (CBC) mode. This flaw could possibly allow a man-in-the-middle\n(MITM) attacker to decrypt portions of the cipher text using a padding\noracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable\nSSL 3.0 support if needed. For additional information, refer to the Red Hat\nBugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in\nOpenJDK failed to properly check whether the ChangeCipherSpec was received\nduring the SSL/TLS connection handshake. An MITM attacker could possibly\nuse this flaw to force a connection to be established without encryption\nbeing enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK. An\nuntrusted Java application or applet could use this flaw to bypass certain\nJava sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted Java\napplication or applet could possibly use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D\ncomponent in OpenJDK. A specially crafted font file could allow an\nuntrusted Java application or applet to disclose portions of the Java\nVirtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error log\nfiles. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nNote: If the web browser plug-in provided by the icedtea-web package was\ninstalled, the issues exposed via Java applets could have been exploited\nwithout user interaction if a user visited a malicious website.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020889.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020891.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-accessibility\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-headless\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0067.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-01-21T05:42:52", "title": "java security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-21T07:12:16", "href": "http://lists.centos.org/pipermail/centos-announce/2015-January/020889.html", "id": "CESA-2015:0067", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-03T18:25:37", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0068.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-src", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-javadoc", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-demo", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.src.rpm", "packageName": "java-1.7.0-openjdk", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.el5_11.x86_64.rpm", "packageName": "java-1.7.0-openjdk-src", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.7.0.75-2.5.4.0.el5_11", "packageFilename": "java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.el5_11.i386.rpm", "packageName": "java-1.7.0-openjdk-demo", "arch": "i386", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:0068\n\n\nThe java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime\nEnvironment and the OpenJDK 7 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS,\nand RMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,\nCVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom\nreferences. An untrusted Java application or applet could use this flaw to\ncorrupt the Java Virtual Machine memory and, possibly, execute arbitrary\ncode, bypassing Java sandbox restrictions. (CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder\nin the Security component in OpenJDK handled negative length values. A\nspecially crafted, DER-encoded input could cause a Java application to\nenter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when\ndecrypting messages that were encrypted using block ciphers in cipher block\nchaining (CBC) mode. This flaw could possibly allow a man-in-the-middle\n(MITM) attacker to decrypt portions of the cipher text using a padding\noracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable\nSSL 3.0 support if needed. For additional information, refer to the Red Hat\nBugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in\nOpenJDK failed to properly check whether the ChangeCipherSpec was received\nduring the SSL/TLS connection handshake. An MITM attacker could possibly\nuse this flaw to force a connection to be established without encryption\nbeing enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK. An\nuntrusted Java application or applet could use this flaw to bypass certain\nJava sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted Java\napplication or applet could possibly use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D\ncomponent in OpenJDK. A specially crafted font file could allow an\nuntrusted Java application or applet to disclose portions of the Java\nVirtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error log\nfiles. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nAll users of java-1.7.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020888.html\n\n**Affected packages:**\njava-1.7.0-openjdk\njava-1.7.0-openjdk-demo\njava-1.7.0-openjdk-devel\njava-1.7.0-openjdk-javadoc\njava-1.7.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0068.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-01-21T05:35:44", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "java security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-21T05:35:44", "href": "http://lists.centos.org/pipermail/centos-announce/2015-January/020888.html", "id": "CESA-2015:0068", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-03T18:25:00", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0085.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-demo", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-src", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageName": "java-1.6.0-openjdk-src", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageName": "java-1.6.0-openjdk-demo", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-src", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageName": "java-1.6.0-openjdk-javadoc", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "any", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el5_11.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "any", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-demo", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-devel", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-javadoc", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "i386", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "i386", "packageName": "java-1.6.0-openjdk-src", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-devel", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-src", "packageFilename": "java-1.6.0-openjdk-src-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-devel", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "i386", "packageName": "java-1.6.0-openjdk-devel", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "i386", "packageName": "java-1.6.0-openjdk-javadoc", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "i386", "packageName": "java-1.6.0-openjdk-demo", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el5_11.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-javadoc", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-javadoc", "packageFilename": "java-1.6.0-openjdk-javadoc-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "x86_64", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el7_0.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageName": "java-1.6.0-openjdk-devel", "packageFilename": "java-1.6.0-openjdk-devel-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.6.0.34-1.13.6.1.el5_11", "arch": "x86_64", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el5_11.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.6.0.34-1.13.6.1.el7_0", "arch": "any", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el7_0.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "x86_64", "packageName": "java-1.6.0-openjdk-demo", "packageFilename": "java-1.6.0-openjdk-demo-1.6.0.34-1.13.6.1.el6_6.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.6.0.34-1.13.6.1.el6_6", "arch": "i686", "packageName": "java-1.6.0-openjdk", "packageFilename": "java-1.6.0-openjdk-1.6.0.34-1.13.6.1.el6_6.i686.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:0085\n\n\nThe java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime\nEnvironment and the OpenJDK 6 Java Software Development Kit.\n\nA flaw was found in the way the Hotspot component in OpenJDK verified\nbytecode from the class files. An untrusted Java application or applet\ncould possibly use this flaw to bypass Java sandbox restrictions.\n(CVE-2014-6601)\n\nMultiple improper permission check issues were discovered in the JAX-WS,\nand RMI components in OpenJDK. An untrusted Java application or applet\ncould use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412,\nCVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom\nreferences. An untrusted Java application or applet could use this flaw to\ncorrupt the Java Virtual Machine memory and, possibly, execute arbitrary\ncode, bypassing Java sandbox restrictions. (CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder\nin the Security component in OpenJDK handled negative length values. A\nspecially crafted, DER-encoded input could cause a Java application to\nenter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when\ndecrypting messages that were encrypted using block ciphers in cipher block\nchaining (CBC) mode. This flaw could possibly allow a man-in-the-middle\n(MITM) attacker to decrypt portions of the cipher text using a padding\noracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable\nSSL 3.0 support if needed. For additional information, refer to the Red Hat\nBugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in\nOpenJDK failed to properly check whether the ChangeCipherSpec was received\nduring the SSL/TLS connection handshake. An MITM attacker could possibly\nuse this flaw to force a connection to be established without encryption\nbeing enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK. An\nuntrusted Java application or applet could use this flaw to bypass certain\nJava sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted Java\napplication or applet could possibly use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D\ncomponent in OpenJDK. A specially crafted font file could allow an\nuntrusted Java application or applet to disclose portions of the Java\nVirtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error log\nfiles. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020898.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020900.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020903.html\n\n**Affected packages:**\njava-1.6.0-openjdk\njava-1.6.0-openjdk-demo\njava-1.6.0-openjdk-devel\njava-1.6.0-openjdk-javadoc\njava-1.6.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0085.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-01-26T19:17:49", "title": "java security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412"], "modified": "2015-01-26T21:20:38", "href": "http://lists.centos.org/pipermail/centos-announce/2015-January/020898.html", "id": "CESA-2015:0085", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-03T18:26:14", "references": ["https://rhn.redhat.com/errata/RHSA-2015-0069.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-demo-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-demo", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-demo-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-demo", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-devel-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-devel-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-headless-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-headless", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.src.rpm", "packageName": "java-1.8.0-openjdk", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-src-1.8.0.31-1.b13.el6_6.x86_64.rpm", "packageName": "java-1.8.0-openjdk-src", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-src-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-src", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-headless-1.8.0.31-1.b13.el6_6.i686.rpm", "packageName": "java-1.8.0-openjdk-headless", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-javadoc-1.8.0.31-1.b13.el6_6.noarch.rpm", "packageName": "java-1.8.0-openjdk-javadoc", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.8.0.31-1.b13.el6_6", "packageFilename": "java-1.8.0-openjdk-javadoc-1.8.0.31-1.b13.el6_6.noarch.rpm", "packageName": "java-1.8.0-openjdk-javadoc", "arch": "noarch", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2015:0069\n\n\nThe java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime\nEnvironment and the OpenJDK 8 Java Software Development Kit.\n\nMultiple flaws were found in the way the Hotspot component in OpenJDK\nverified bytecode from the class files, and in the way this component\ngenerated code for bytecode. An untrusted Java application or applet could\npossibly use these flaws to bypass Java sandbox restrictions.\n(CVE-2014-6601, CVE-2015-0437)\n\nMultiple improper permission check issues were discovered in the JAX-WS,\nLibraries, and RMI components in OpenJDK. An untrusted Java application or\napplet could use these flaws to bypass Java sandbox restrictions.\n(CVE-2015-0412, CVE-2014-6549, CVE-2015-0408)\n\nA flaw was found in the way the Hotspot garbage collector handled phantom\nreferences. An untrusted Java application or applet could use this flaw to\ncorrupt the Java Virtual Machine memory and, possibly, execute arbitrary\ncode, bypassing Java sandbox restrictions. (CVE-2015-0395)\n\nA flaw was found in the way the DER (Distinguished Encoding Rules) decoder\nin the Security component in OpenJDK handled negative length values. A\nspecially crafted, DER-encoded input could cause a Java application to\nenter an infinite loop when decoded. (CVE-2015-0410)\n\nA flaw was found in the way the SSL 3.0 protocol handled padding bytes when\ndecrypting messages that were encrypted using block ciphers in cipher block\nchaining (CBC) mode. This flaw could possibly allow a man-in-the-middle\n(MITM) attacker to decrypt portions of the cipher text using a padding\noracle attack. (CVE-2014-3566)\n\nNote: This update disables SSL 3.0 by default to address this issue.\nThe jdk.tls.disabledAlgorithms security property can be used to re-enable\nSSL 3.0 support if needed. For additional information, refer to the Red Hat\nBugzilla bug linked to in the References section.\n\nIt was discovered that the SSL/TLS implementation in the JSSE component in\nOpenJDK failed to properly check whether the ChangeCipherSpec was received\nduring the SSL/TLS connection handshake. An MITM attacker could possibly\nuse this flaw to force a connection to be established without encryption\nbeing enabled. (CVE-2014-6593)\n\nAn information leak flaw was found in the Swing component in OpenJDK. An\nuntrusted Java application or applet could use this flaw to bypass certain\nJava sandbox restrictions. (CVE-2015-0407)\n\nA NULL pointer dereference flaw was found in the MulticastSocket\nimplementation in the Libraries component of OpenJDK. An untrusted Java\napplication or applet could possibly use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2014-6587)\n\nMultiple boundary check flaws were found in the font parsing code in the 2D\ncomponent in OpenJDK. A specially crafted font file could allow an\nuntrusted Java application or applet to disclose portions of the Java\nVirtual Machine memory. (CVE-2014-6585, CVE-2014-6591)\n\nMultiple insecure temporary file use issues were found in the way the\nHotspot component in OpenJDK created performance statistics and error log\nfiles. A local attacker could possibly make a victim using OpenJDK\noverwrite arbitrary files using a symlink attack. (CVE-2015-0383)\n\nThe CVE-2015-0383 issue was discovered by Red Hat.\n\nAll users of java-1.8.0-openjdk are advised to upgrade to these updated\npackages, which resolve these issues. All running instances of OpenJDK Java\nmust be restarted for the update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-January/020890.html\n\n**Affected packages:**\njava-1.8.0-openjdk\njava-1.8.0-openjdk-demo\njava-1.8.0-openjdk-devel\njava-1.8.0-openjdk-headless\njava-1.8.0-openjdk-javadoc\njava-1.8.0-openjdk-src\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0069.html", "edition": 1, "reporter": "CentOS Project", "published": "2015-01-21T05:43:50", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "java security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0437"], "modified": "2015-01-21T05:43:50", "href": "http://lists.centos.org/pipermail/centos-announce/2015-January/020890.html", "id": "CESA-2015:0069", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:42", "references": ["https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0421", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0412", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6549", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6593", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0403", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0395", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6587", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6585", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6601", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0437", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0410", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0383", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0408", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0406", "http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html#JAVA", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0407", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6591", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0400", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0413"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "8.u31-1", "packageName": "jdk8-openjdk", "arch": "any", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "- CVE-2014-3566 (man-in-the-middle)\nNondeterministic CBC padding, which makes it easier for\nman-in-the-middle attackers to obtain cleartext data via a\npadding-oracle attack, aka the "POODLE" issue.\n\n- CVE-2014-6549 (arbitrary code execution)\nIncorrect class loader permission check in ClassLoader getParent()\nallows remote attackers to affect confidentiality, integrity, and\navailability.\n\n- CVE-2014-6585 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6587 (privilege escalation)\nMulticastSocket NULL pointer dereference allows local users to affect\nconfidentiality, integrity, and availability.\n\n- CVE-2014-6591 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6593 (man-in-the-middle)\nIncorrect tracking of ChangeCipherSpec during SSL/TLS handshake allows\nremote attackers to affect confidentiality and integrity.\n\n- CVE-2014-6601 (arbitrary code execution)\nClass verifier insufficient invokespecial calls verification related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0383 (denial of service)\nInsecure hsperfdata temporary file handling related to Hotspot allows\nlocal users to affect integrity and availability.\n\n- CVE-2015-0395 (arbitrary code execution)\nPhantom references handling issue in garbage collector related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0400 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of Java SE accessible data.\n\n- CVE-2015-0403 (arbitrary code execution)\nSuccessful attack of this vulnerability can result in unauthorized\nOperating System takeover including arbitrary code execution.\n\n- CVE-2015-0406 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of accessible data and\nability to cause a partial denial of service.\n\n- CVE-2015-0407 (information disclosure)\nDirectory information leak via file chooser related to Swing allows\nremote attackers to affect confidentiality.\n\n- CVE-2015-0408 (arbitrary code execution)\nIncorrect context class loader use in RMI transport allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0410 (denial of service)\nDER decoder infinite loop allows remote attackers to affect availability.\n\n- CVE-2015-0412 (arbitrary code execution)\nInsufficient code privileges checks related to JAX-WS allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0413 (unauthorized modification)\nSuccessful attack of this vulnerability can result in unauthorized\nupdate, insert or delete access to some Java SE accessible data.\n\n- CVE-2015-0421 (arbitrary code execution)\nSuccessful attack of this vulnerability can result in unauthorized\nOperating System takeover including arbitrary code execution.\n\n- CVE-2015-0437 (arbitrary code execution)\nCode generation issue related to Hotspot allows remote attackers to\naffect confidentiality, integrity, and availability.", "reporter": "Arch Linux", "published": "2015-01-23T00:00:00", "title": "jdk8-openjdk: multiple issues", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0437"], "modified": "2015-01-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-January/000210.html", "id": "ASA-201501-14", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:45", "references": ["https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0421", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0412", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6549", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6593", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0403", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0395", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6587", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6585", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6601", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0437", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0410", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0383", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0408", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0406", "http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html#JAVA", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0407", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6591", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0400", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0413"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "8.u31-1", "packageFilename": "UNKNOWN", "packageName": "jre8-openjdk", "arch": "any", "operator": "lt"}], "edition": 1, "description": "- CVE-2014-3566 (man-in-the-middle)\nNondeterministic CBC padding, which makes it easier for\nman-in-the-middle attackers to obtain cleartext data via a\npadding-oracle attack, aka the "POODLE" issue.\n\n- CVE-2014-6549 (arbitrary code execution)\nIncorrect class loader permission check in ClassLoader getParent()\nallows remote attackers to affect confidentiality, integrity, and\navailability.\n\n- CVE-2014-6585 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6587 (privilege escalation)\nMulticastSocket NULL pointer dereference allows local users to affect\nconfidentiality, integrity, and availability.\n\n- CVE-2014-6591 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6593 (man-in-the-middle)\nIncorrect tracking of ChangeCipherSpec during SSL/TLS handshake allows\nremote attackers to affect confidentiality and integrity.\n\n- CVE-2014-6601 (arbitrary code execution)\nClass verifier insufficient invokespecial calls verification related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0383 (denial of service)\nInsecure hsperfdata temporary file handling related to Hotspot allows\nlocal users to affect integrity and availability.\n\n- CVE-2015-0395 (arbitrary code execution)\nPhantom references handling issue in garbage collector related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0400 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of Java SE accessible data.\n\n- CVE-2015-0403 (arbitrary code execution)\nSuccessful attack of this vulnerability can result in unauthorized\nOperating System takeover including arbitrary code execution.\n\n- CVE-2015-0406 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of accessible data and\nability to cause a partial denial of service.\n\n- CVE-2015-0407 (information disclosure)\nDirectory information leak via file chooser related to Swing allows\nremote attackers to affect confidentiality.\n\n- CVE-2015-0408 (arbitrary code execution)\nIncorrect context class loader use in RMI transport allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0410 (denial of service)\nDER decoder infinite loop allows remote attackers to affect availability.\n\n- CVE-2015-0412 (arbitrary code execution)\nInsufficient code privileges checks related to JAX-WS allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0413 (unauthorized modification)\nSuccessful attack of this vulnerability can result in unauthorized\nupdate, insert or delete access to some Java SE accessible data.\n\n- CVE-2015-0421 (arbitrary code execution)\nSuccessful attack of this vulnerability can result in unauthorized\nOperating System takeover including arbitrary code execution.\n\n- CVE-2015-0437 (arbitrary code execution)\nCode generation issue related to Hotspot allows remote attackers to\naffect confidentiality, integrity, and availability.", "reporter": "Arch Linux", "published": "2015-01-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "title": "jre8-openjdk: multiple issues", "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0437"], "modified": "2015-01-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-January/000211.html", "id": "ASA-201501-15", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:40", "references": ["https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0412", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6593", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0403", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0395", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6587", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6585", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6601", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0410", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0383", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0408", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0406", "http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html#JAVA", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0407", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6591", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0400", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0413"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "7.u75_2.5.4-1", "packageName": "jre7-openjdk", "arch": "any", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "- CVE-2014-3566 (man-in-the-middle)\nNondeterministic CBC padding, which makes it easier for\nman-in-the-middle attackers to obtain cleartext data via a\npadding-oracle attack, aka the "POODLE" issue.\n\n- CVE-2014-6585 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6587 (privilege escalation)\nMulticastSocket NULL pointer dereference allows local users to affect\nconfidentiality, integrity, and availability.\n\n- CVE-2014-6591 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6593 (man-in-the-middle)\nIncorrect tracking of ChangeCipherSpec during SSL/TLS handshake allows\nremote attackers to affect confidentiality and integrity.\n\n- CVE-2014-6601 (arbitrary code execution)\nClass verifier insufficient invokespecial calls verification related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0383 (denial of service)\nInsecure hsperfdata temporary file handling related to Hotspot allows\nlocal users to affect integrity and availability.\n\n- CVE-2015-0395 (arbitrary code execution)\nPhantom references handling issue in garbage collector related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0400 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of Java SE accessible data.\n\n- CVE-2015-0403 (arbitrary code execution)\nSuccessful attack of this vulnerability can result in unauthorized\nOperating System takeover including arbitrary code execution.\n\n- CVE-2015-0406 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of accessible data and\nability to cause a partial denial of service.\n\n- CVE-2015-0407 (information disclosure)\nDirectory information leak via file chooser related to Swing allows\nremote attackers to affect confidentiality.\n\n- CVE-2015-0408 (arbitrary code execution)\nIncorrect context class loader use in RMI transport allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0410 (denial of service)\nDER decoder infinite loop allows remote attackers to affect availability.\n\n- CVE-2015-0412 (arbitrary code execution)\nInsufficient code privileges checks related to JAX-WS allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0413 (unauthorized modification)\nSuccessful attack of this vulnerability can result in unauthorized\nupdate, insert or delete access to some Java SE accessible data.\n\n- CVE-2015-0421 (arbitrary code execution)\nSuccessful attack of this vulnerability can result in unauthorized\nOperating System takeover including arbitrary code execution.\n\n- CVE-2015-0437 (arbitrary code execution)\nCode generation issue related to Hotspot allows remote attackers to\naffect confidentiality, integrity, and availability.", "reporter": "Arch Linux", "published": "2015-01-23T00:00:00", "title": "jre7-openjdk: multiple issues", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0437"], "modified": "2015-01-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-January/000217.html", "id": "ASA-201501-19", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:40", "references": ["https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0412", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6593", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0403", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0395", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6587", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6585", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6601", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0410", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0383", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0408", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0406", "http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html#JAVA", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0407", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6591", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0400", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0413"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "7.u75_2.5.4-1", "packageName": "jdk7-openjdk", "arch": "any", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "- CVE-2014-3566 (man-in-the-middle)\nNondeterministic CBC padding, which makes it easier for\nman-in-the-middle attackers to obtain cleartext data via a\npadding-oracle attack, aka the "POODLE" issue.\n\n- CVE-2014-6585 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6587 (privilege escalation)\nMulticastSocket NULL pointer dereference allows local users to affect\nconfidentiality, integrity, and availability.\n\n- CVE-2014-6591 (out-of-bounds read)\nAllows remote attackers to affect confidentiality via font parsing\nout-of-bounds read related to 2D.\n\n- CVE-2014-6593 (man-in-the-middle)\nIncorrect tracking of ChangeCipherSpec during SSL/TLS handshake allows\nremote attackers to affect confidentiality and integrity.\n\n- CVE-2014-6601 (arbitrary code execution)\nClass verifier insufficient invokespecial calls verification related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0383 (denial of service)\nInsecure hsperfdata temporary file handling related to Hotspot allows\nlocal users to affect integrity and availability.\n\n- CVE-2015-0395 (arbitrary code execution)\nPhantom references handling issue in garbage collector related to\nHotspot allows remote attackers to affect confidentiality, integrity,\nand availability.\n\n- CVE-2015-0400 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of Java SE accessible data.\n\n- CVE-2015-0403 (arbitrary code execution)\nSuccessful attack of this vulnerability can result in unauthorized\nOperating System takeover including arbitrary code execution.\n\n- CVE-2015-0406 (information disclosure)\nSuccessful unauthenticated network attacks via multiple protocols can\nresult in unauthorized read access to a subset of accessible data and\nability to cause a partial denial of service.\n\n- CVE-2015-0407 (information disclosure)\nDirectory information leak via file chooser related to Swing allows\nremote attackers to affect confidentiality.\n\n- CVE-2015-0408 (arbitrary code execution)\nIncorrect context class loader use in RMI transport allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0410 (denial of service)\nDER decoder infinite loop allows remote attackers to affect availability.\n\n- CVE-2015-0412 (arbitrary code execution)\nInsufficient code privileges checks related to JAX-WS allows remote\nattackers to affect confidentiality, integrity, and availability.\n\n- CVE-2015-0413 (unauthorized modification)\nSuccessful attack of this vulnerability can result in unauthorized\nupdate, insert or delete access to some Java SE accessible data.", "reporter": "Arch Linux", "published": "2015-01-23T00:00:00", "title": "jdk7-openjdk: multiple issues", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "archlinux", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400"], "modified": "2015-01-23T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-January/000216.html", "id": "ASA-201501-18", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2018-12-06T13:23:39", "references": [], "description": "### *CVSS*:\n10.0\n\n### *Detect date*:\n01/13/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle products. Malicious users can exploit these vulnerabilities to cause loss of integrity, denial of service and obtain sensitive information.\n\n### *Affected products*:\nOracle Java SE versions 5u75, 6u85, 7u72 and 8u25 \nOracle Java SE Embeded 7u71 and 8u6 \nJRockit 27.8.4 and 28.3.4\n\n### *Solution*:\nUpdate to latest version \n[Get JRockit](<http://www.oracle.com/technetwork/middleware/jrockit/overview/index-101826.html>) \n[Get Java SE](<http://www.oracle.com/technetwork/java/javase/downloads/index.html>)\n\n### *Original advisories*:\n[Oracle advisory](<http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Oracle Java JRE 1.7.x](<https://threats.kaspersky.com/en/product/Oracle-Java-JRE-1.7.x/>)\n\n### *CVE-IDS*:\n[CVE-2015-0400](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0400>) \n[CVE-2015-0413](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0413>) \n[CVE-2015-0408](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408>) \n[CVE-2015-0407](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407>) \n[CVE-2015-0412](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412>) \n[CVE-2014-6601](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601>) \n[CVE-2015-0403](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0403>) \n[CVE-2015-0383](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383>) \n[CVE-2014-6593](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593>) \n[CVE-2015-0437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0437>) \n[CVE-2014-3566](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566>) \n[CVE-2014-6585](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585>) \n[CVE-2015-0421](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0421>) \n[CVE-2015-0410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410>) \n[CVE-2014-6591](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591>) \n[CVE-2014-6549](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549>) \n[CVE-2015-0395](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395>) \n[CVE-2014-6587](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587>) \n[CVE-2015-0406](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0406>)", "edition": 28, "reporter": "Kaspersky Lab", "published": "2015-01-13T00:00:00", "title": "\r KLA10447Multiple vulnerabilities in Java SE ", "type": "kaspersky", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0437"], "modified": "2018-12-04T00:00:00", "id": "KLA10447", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10447", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:42", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3566", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0406", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400", "https://bugs.gentoo.org/show_bug.cgi?id=537214", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0410", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0421", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6549", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0413", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0403"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.7.0.76", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "dev-java/oracle-jdk-bin", "operator": "lt"}, {"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.7.0.76", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "dev-java/oracle-jre-bin", "operator": "lt"}, {"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.8.0.31", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "dev-java/oracle-jdk-bin", "operator": "lt"}, {"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.8.0.31", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "dev-java/oracle-jre-bin", "operator": "lt"}], "edition": 1, "description": "### Background\n\nThe Oracle Java Development Kit (JDK) and the Oracle Java Runtime Environment (JRE) provide the Oracle Java platform. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Oracle JRE/JDK. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn context-dependent attacker may be able to influence the confidentiality, integrity, and availability of Java applications/runtime. \n\n### Workaround\n\nThere is no workaround at this time.\n\n### Resolution\n\nAll Oracle JRE 8 users should upgrade to the latest stable version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/oracle-jre-bin-1.8.0.31\n \n\nAll Oracle JDK 8 users should upgrade to the latest stable version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/oracle-jdk-bin-1.8.0.31\n \n\nAll Oracle JRE 7 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/oracle-jre-bin-1.7.0.76\n \n\nAll Oracle JDK 7 users should upgrade to the latest stable version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/oracle-jdk-bin-1.7.0.76", "reporter": "Gentoo Foundation", "published": "2015-07-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "gentoo", "title": "Oracle JRE/JDK: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0395", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2015-0383", "CVE-2014-6587", "CVE-2015-0406", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-0421", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400"], "modified": "2015-07-11T00:00:00", "id": "GLSA-201507-14", "href": "https://security.gentoo.org/glsa/201507-14", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:55", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4883", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2628", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2613", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4881", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4872", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4871", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2625", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2632", "https://bugs.gentoo.org/show_bug.cgi?id=567850", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4803", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4733", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4748", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0402", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4893", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4860", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4840", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4731", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4835", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4749", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4732", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4805", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4806", "https://bugs.gentoo.org/show_bug.cgi?id=565842", "https://bugs.gentoo.org/show_bug.cgi?id=572716", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0448", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4842", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4903", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2590", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2601", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4844", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2621", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0483", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4734", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4760", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4882", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4911", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4843", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0494", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591", "https://bugs.gentoo.org/show_bug.cgi?id=559532", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0466", "https://bugs.gentoo.org/show_bug.cgi?id=537940"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "7.2.6.4", "packageName": "dev-java/icedtea", "packageFilename": "UNKNOWN", "arch": "all", "operator": "lt"}, {"OS": "Gentoo", "OSVersion": "any", "packageVersion": "7.2.6.4", "packageName": "dev-java/icedtea-bin", "packageFilename": "UNKNOWN", "arch": "all", "operator": "lt"}], "description": "### Background\n\nIcedTea\u2019s aim is to provide OpenJDK in a form suitable for easy configuration, compilation and distribution with the primary goal of allowing inclusion in GNU/Linux distributions. \n\n### Description\n\nVarious OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot, Libraries, and JAXP, exist which allows remote attackers to affect the confidentiality, integrity, and availability of vulnerable systems. This includes the possibility of remote execution of arbitrary code, information disclosure, or Denial of Service. Many of the vulnerabilities can only be exploited through sandboxed Java Web Start applications and java applets. Please reference the CVEs listed for specific details. \n\n### Impact\n\nRemote attackers may remotely execute arbitrary code, compromise information, or cause Denial of Service. \n\n### Workaround\n\nThere is no known work around at this time.\n\n### Resolution\n\nIcedTea 7.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-7.2.6.4\"\n \n\nIcedTea bin 7.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-7.2.6.4\"\n \n\nIcedTea 6.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-6.1.13.9\"\n \n\nIcedTea bin 6.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-java/icedtea-bin-6.1.13.9\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2016-03-12T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "IcedTea: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2015-2601", "CVE-2015-4749", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-4732", "CVE-2015-4860", "CVE-2015-0395", "CVE-2015-4903", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4872", "CVE-2015-2613", "CVE-2015-4883", "CVE-2015-0407", "CVE-2014-6585", "CVE-2016-0483", "CVE-2016-0448", "CVE-2015-4882", "CVE-2015-4734", "CVE-2015-0383", "CVE-2015-4871", "CVE-2015-4803", "CVE-2014-6587", "CVE-2015-2590", "CVE-2015-4805", "CVE-2015-4806", "CVE-2016-0466", "CVE-2015-2628", "CVE-2016-0494", "CVE-2016-0402", "CVE-2015-4733", "CVE-2014-6593", "CVE-2014-6601", "CVE-2015-4835", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-2621", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-4731", "CVE-2015-4911", "CVE-2015-4844", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4748", "CVE-2015-4893", "CVE-2015-4760"], "modified": "2016-04-19T00:00:00", "id": "GLSA-201603-14", "href": "https://security.gentoo.org/glsa/201603-14", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "aix": [{"lastseen": "2018-08-31T00:08:35", "aixFileset": [{"productVersions": ["any"], "versionGte": "7.1.0.75", "fileset": "Java71_64.sdk", "versionLte": "7.1.0.75", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "7.0.0.195", "fileset": "Java7_64.sdk", "versionLte": "7.0.0.195", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "7.1.0.75", "fileset": "Java71.sdk", "versionLte": "7.1.0.75", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "6.0.0.470", "fileset": "Java6.sdk", "versionLte": "6.0.0.470", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "5.0.0.590", "fileset": "Java5_64.sdk", "versionLte": "5.0.0.590", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "5.0.0.590", "fileset": "Java5.sdk", "versionLte": "5.0.0.590", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "6.0.0.470", "fileset": "Java6_64.sdk", "versionLte": "6.0.0.470", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "7.0.0.195", "fileset": "Java7.sdk", "versionLte": "7.0.0.195", "productName": "aix"}], "references": [], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Thu Feb 19 10:53:54 CST 2015\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc\n===============================================================================\n VULNERABILITY SUMMARY\n\nVULNERABILITY: Multiple vulnerabilities in current releases of the IBM\u00ae SDK,\n Java Technology Edition; issues disclosed in the Oracle Feburary\n 2015 Critical Patch Update vulnerability and two additional \n vulnerability.\n\nPLATFORMS: AIX 5.3, 6.1 and 7.1.\n VIOS 2.2.x\n\nSOLUTION: Apply the fix as described below.\n\nTHREAT: Varies threats described below.\n\nCVE Numbers: CVE-2014-6549 CVSS=10, CVE-2015-0408 CVSS=10, CVE-2015-0412 CVSS=10,\n CVE-2015-0403 CVSS=6.9, CVE-2015-0406 CVSS=5.8, CVE-2015-0410 VCSS=5,\n CVE-2015-0407 CVSS=5, CVE-2015-0400 CVSS=5, CVE-2014-3566 CVSS=4.3\n CVE-2014-6587 CVSS=4.3, CVE-2014-6593 CVSS=4, CVE-2014-6591 CVSS=2.6,\n CVE-2014-6585 CVSS=2.6, CVE-2014-8891 CVSS=6.8\n \n\nReboot required? NO\nWorkarounds? NO\n \n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION\n\n This bulletin covers all applicable IBM\u00ae Java SDK CVEs published by Oracle as part\n of their February 2015 Critical Patch Update. For more information please refer to \n Oracles's February 2015 CPU Advisory and the X-Force database entries referenced \n below.\n\nII. CVSS\n\n CVEID: CVE-2014-6549\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100141 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0408\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100142 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0412\n CVSS Base Score: 10\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100140 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0403\n CVSS Base Score: 6.9\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100145 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C) \n\n CVEID: CVE-2015-0406\n CVSS Base Score: 5.8\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100147 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P) \n\n CVEID: CVE-2015-0410\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100151 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n CVEID: CVE-2015-0407\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100150 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n CVEID: CVE-2015-0400\n CVSS Base Score: 5\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100149 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n CVEID: CVE-2014-3566\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n CVEID: CVE-2014-6587\n CVSS Base Score: 4.3\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100152 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:L/AC:L/Au:S/C:P/I:P/A:P) \n\n CVEID: CVE-2014-6593\n CVSS Base Score: 4\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100153 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n\n CVEID: CVE-2014-6591\n CVSS Base Score: 2.6\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100155 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N) \n\n\n Specific to IBM Java CVE(s):\n\n CVEID: CVE-2014-6585\n CVSS Base Score: 2.6\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/100154 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)\n\n\n CVEID: CVE-2014-8891\n CVSS Base Score: 6.8\n CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99010 for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)\n\n\nIII. PLATFORM VULNERABILITY ASSESSMENT\n\n The following fileset levels (VRMF) are vulnerable, if the respective Java version is installed:\n For Java5: Less than 5.0.0.590\n For Java6: Less than 6.0.0.470\n For Java7: Less than 7.0.0.195\n For Java7 Release 1: Less than 7.1.0.75\n\n Note: To find out whether the affected filesets are installed on your\n systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i java\n\nIV. FIXES\n\n AFFECTED PRODUCTS AND VERSIONS:\n AIX 5.3\n AIX 6.1\n AIX 7.1\n VIOS 2.2.x\n\n REMEDIATION:\n IBM SDK, Java Technology Edition, Version 5.0 Service Refresh 16 Fix Pack 9 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j5b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j5b&S_TACT=105AGX05&S_CMP=JDK\n\n IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 3 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j6b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j6b&S_TACT=105AGX05&S_CMP=JDK\n\n IBM SDK, Java Technology Edition, Version 7, Service Refresh 8 Fix Pack 10 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7b&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7b&S_TACT=105AGX05&S_CMP=JDK\n\n IBM SDK, Java Technology Edition, Version 7 Release 1 Service Refresh 2 Fix Pack 10 and later\n 32-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix32j7r1&S_TACT=105AGX05&S_CMP=JDK\n 64-bit: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=dka&S_PKG=aix64j7r1&S_TACT=105AGX05&S_CMP=JDK\n\n To learn more about AIX support levels and Java service releases, see the following:\n http://www.ibm.com/developerworks/java/jdk/aix/service.html#levels\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc.sig\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\nV. WORKAROUNDS\n\n None\n\nVI. CONTACT US\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n\n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\nVII. REFERENCES:\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n CVE-2014-6549: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549\n CVE-2015-0408: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408\n CVE-2015-0412: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412\n CVE-2015-0403: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0403\n CVE-2015-0406: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0406\n CVE-2015-0410: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410\n CVE-2015-0407: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407\n CVE-2015-0400: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0400\n CVE-2014-3566: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566\n CVE-2014-6587: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587\n CVE-2014-6593: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593\n CVE-2014-6591: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591\n CVE-2014-6585: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585\n CVE-2014-8891: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8891\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n", "edition": 3, "reporter": "CentOS Project", "published": "2015-02-19T10:53:54", "title": "Multiple vulnerabilities in current releases of IBM SDK Java Technology Edition; issues disclosed in the Oracle Feb 2015 Critical Patch Update vulnerability and two additional Vuln", "type": "aix", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "aix": {"apars": []}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-3566", "CVE-2015-0407", "CVE-2014-6585", "CVE-2015-0410", "CVE-2014-6549", "CVE-2014-6587", "CVE-2015-0406", "CVE-2014-6593", "CVE-2015-0403", "CVE-2015-0408", "CVE-2014-6591", "CVE-2015-0412", "CVE-2015-0400", "CVE-2014-8891"], "modified": "2015-02-19T10:53:54", "id": "JAVA_FEB2015_ADVISORY.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/java_feb2015_advisory.asc", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2018-08-31T04:13:47", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-03-10T00:00:00", "title": "Oracle Critical Patch Update - January 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle HCM Configuration Workbench", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.4.2", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.2", "operator": "le"}, {"name": "Workspace Manager", "version": "12.1.0.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u72", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.3", "operator": "le"}, {"name": "Java SE", "version": "5.0u75", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.3", "operator": "le"}, {"name": "Workspace Manager", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "8.0", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.20", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "27.8.4", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.2.2", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1118", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u85", "operator": "le"}, {"name": "Java SE", "version": "8u25", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.1.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2240", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u71", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "1.x", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "10.1.3.5.0", "operator": "le"}, {"name": "MICROS Retail", "version": "6.0.6", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "11.1.1.7", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3.", "operator": "le"}, {"name": "Oracle Marketing", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE", "version": "6u85", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.4", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "3.0.x", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.3", "operator": "le"}, {"name": "Solaris", "version": "11", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.34", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.2.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.28", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.1.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u25", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "MICROS Retail", "version": "5.5.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "10.1.3.4.2", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "10.1.3.4.2", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.26", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.2.2", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.5.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.4", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "4.x", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "11.1.1.7", "operator": "le"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.26", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Containers for J2EE", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.38", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.28", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "4", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "5.0u75", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "MICROS Retail", "version": "4.5.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "5.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Java SE", "version": "7u72", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.26", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.2.2", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.2.2", "operator": "le"}, {"name": "MICROS Retail", "version": "3.2.1", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5.33.0", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.1.1", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1119", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.14", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "MICROS Retail", "version": "6.5.2", "operator": "le"}, {"name": "PL/SQL", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.4", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.40", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u6", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.2.2", "operator": "le"}, {"name": "Integrated Lights Out Manager(ILOM)", "version": "3.2.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.0.2.0", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.0.1.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "7.0", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.19", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2232", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.0", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.36", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.52", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "3.x", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Agile PLM for Process", "version": "6.1.0.3", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.21", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.4", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.2", "operator": "le"}, {"name": "Recovery", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "2.x", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.5", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.2.1.0", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.2.2", "operator": "le"}, {"name": "PL/SQL", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.24", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "4.0.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "5.0.3", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2.0", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.3", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.1.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.1.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.3.6.0", "operator": "le"}, {"name": "MICROS Retail", "version": "4.8.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Waveset", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "modified": "2015-01-20T00:00:00", "id": "ORACLE:CPUJAN2015-1972971", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
