- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201709-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Oracle JDK/JRE, IcedTea: Multiple vulnerabilities Date: September 24, 2017 Bugs: #625602, #626088, #627682 ID: 201709-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Oracle's JRE and JDK software suites, and IcedTea, the worst of which may allow execution of arbitrary code. Background ========== Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in todayas demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that todayas applications require. IcedTeaas aim is to provide OpenJDK in a form suitable for easy configuration, compilation and distribution with the primary goal of allowing inclusion in GNU/Linux distributions. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-java/oracle-jdk-bin < 1.8.0.141 >= 1.8.0.141 2 dev-java/oracle-jre-bin < 1.8.0.141 >= 1.8.0.141 3 dev-java/icedtea-bin < 3.5.0:8 *>= 3.5.0:8 < 7.2.6.11:7 *>= 7.2.6.11:7 ------------------------------------------------------------------- 3 affected packages Description =========== Multiple vulnerabilities have been discovered in Oracleas JRE, JDK and IcedTea. Please review the referenced CVE identifiers for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or gain access to information. Workaround ========== There is no known workaround at this time. Resolution ========== All Oracle JDK binary users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jdk-bin-1.8.0.141" All Oracle JRE binary users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=dev-java/oracle-jre-bin-1.8.0.141" All IcedTea binary 7.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-7.2.6.11" All IcedTea binary 3.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-3.5.0" References ========== [ 1 ] CVE-2017-10053 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10053 [ 2 ] CVE-2017-10067 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10067 [ 3 ] CVE-2017-10074 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10074 [ 4 ] CVE-2017-10078 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10078 [ 5 ] CVE-2017-10081 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10081 [ 6 ] CVE-2017-10086 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10086 [ 7 ] CVE-2017-10087 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10087 [ 8 ] CVE-2017-10089 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10089 [ 9 ] CVE-2017-10090 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10090 [ 10 ] CVE-2017-10096 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10096 [ 11 ] CVE-2017-10101 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10101 [ 12 ] CVE-2017-10102 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10102 [ 13 ] CVE-2017-10105 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10105 [ 14 ] CVE-2017-10107 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10107 [ 15 ] CVE-2017-10108 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10108 [ 16 ] CVE-2017-10109 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10109 [ 17 ] CVE-2017-10110 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10110 [ 18 ] CVE-2017-10111 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10111 [ 19 ] CVE-2017-10114 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10114 [ 20 ] CVE-2017-10115 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10115 [ 21 ] CVE-2017-10116 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10116 [ 22 ] CVE-2017-10117 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10117 [ 23 ] CVE-2017-10118 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10118 [ 24 ] CVE-2017-10121 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10121 [ 25 ] CVE-2017-10125 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10125 [ 26 ] CVE-2017-10135 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10135 [ 27 ] CVE-2017-10176 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10176 [ 28 ] CVE-2017-10193 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10193 [ 29 ] CVE-2017-10198 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10198 [ 30 ] CVE-2017-10243 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-10243 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201709-22 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5