Ubuntu 3275-2: OpenJDK 7 vulnerabilities

    Date: 15 May 2017
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    Several security issues were fixed in OpenJDK 7.
    ==========================================================================
    Ubuntu Security Notice USN-3275-2
    May 15, 2017
    
    openjdk-7 vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 14.04 LTS
    
    Summary:
    
    Several security issues were fixed in OpenJDK 7.
    
    Software Description:
    - openjdk-7: Open Source Java implementation
    
    Details:
    
    USN-3275-1 fixed vulnerabilities in OpenJDK 8. This update provides
    the corresponding updates for OpenJDK 7.
    
    Original advisory details:
    
    It was discovered that OpenJDK improperly re-used cached NTLM
    connections in some situations. A remote attacker could possibly
    use this to cause a Java application to perform actions with the
    credentials of a different user. (CVE-2017-3509)
    
    It was discovered that an untrusted library search path flaw existed
    in the Java Cryptography Extension (JCE) component of OpenJDK. A
    local attacker could possibly use this to gain the privileges of a
    Java application. (CVE-2017-3511)
    
    It was discovered that the Java API for XML Processing (JAXP) component
    in OpenJDK did not properly enforce size limits when parsing XML
    documents. An attacker could use this to cause a denial of service
    (processor and memory consumption). (CVE-2017-3526)
    
    It was discovered that the FTP client implementation in OpenJDK did
    not properly sanitize user inputs. If a user was tricked into opening
    a specially crafted FTP URL, a remote attacker could use this to
    manipulate the FTP connection. (CVE-2017-3533)
    
    It was discovered that OpenJDK allowed MD5 to be used as an algorithm
    for JAR integrity verification. An attacker could possibly use this
    to modify the contents of a JAR file without detection. (CVE-2017-3539)
    
    It was discovered that the SMTP client implementation in OpenJDK
    did not properly sanitize sender and recipient addresses. A remote
    attacker could use this to specially craft email addresses and gain
    control of a Java application's SMTP connections. (CVE-2017-3544)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 14.04 LTS:
      icedtea-7-jre-jamvm             7u131-2.6.9-0ubuntu0.14.04.1
      openjdk-7-jre                   7u131-2.6.9-0ubuntu0.14.04.1
      openjdk-7-jre-headless          7u131-2.6.9-0ubuntu0.14.04.1
      openjdk-7-jre-lib               7u131-2.6.9-0ubuntu0.14.04.1
      openjdk-7-jre-zero              7u131-2.6.9-0ubuntu0.14.04.1
    
    This update uses a new upstream release, which includes additional
    bug fixes. After a standard system update you need to restart any
    Java applications or applets to make all the necessary changes.
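    The following POSIX shell script is an added example, not part of the USN or of Ubuntu's tooling. It checks the five packages listed above against the fixed version string from this notice, and then lists any running JVMs that still map a pre-update libjvm.so (which is what the "restart any Java applications" step is about). It assumes dpkg-query is available for the installed-version lookup; where dpkg is absent the version comparison falls back to GNU sort -V, which is an assumption that holds for Debian-style version strings like these.

```shell
#!/bin/sh
# Added example (not from the advisory): audit openjdk-7 packages on Ubuntu 14.04
# against the fixed versions in USN-3275-2 and find JVMs that need a restart.

FIXED_VERSION="7u131-2.6.9-0ubuntu0.14.04.1"   # from the notice
PACKAGES="icedtea-7-jre-jamvm openjdk-7-jre openjdk-7-jre-headless openjdk-7-jre-lib openjdk-7-jre-zero"

# version_ge INSTALLED FIXED -> returns 0 when INSTALLED >= FIXED.
# Prefers dpkg's own comparison; the sort -V fallback is an assumption for
# hosts without dpkg and is adequate for Debian-style strings like these.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# classify_version VER -> "fixed" or "vulnerable" relative to FIXED_VERSION.
classify_version() {
    if version_ge "$1" "$FIXED_VERSION"; then echo fixed; else echo vulnerable; fi
}

# installed_version PKG -> prints the installed version, or nothing if absent.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# check_package PKG -> "fixed", "vulnerable" or "not-installed".
check_package() {
    ver=$(installed_version "$1")
    if [ -z "$ver" ]; then
        echo not-installed
    else
        classify_version "$ver"
    fi
}

# audit_openjdk7 -> one status line per package; returns 1 if any is vulnerable.
audit_openjdk7() {
    rc=0
    for p in $PACKAGES; do
        status=$(check_package "$p")
        printf '%-28s %s\n' "$p" "$status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# stale_java_processes -> PIDs whose mapped libjvm.so was replaced on disk
# after they started (the kernel marks such mappings "(deleted)" in /proc/PID/maps).
stale_java_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q 'libjvm\.so.*(deleted)' "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

audit_openjdk7 || echo "WARNING: at least one openjdk-7 package is below $FIXED_VERSION" >&2
for pid in $(stale_java_processes); do
    echo "PID $pid is still running the old JVM; restart it" >&2
done
```

    Run it as root (or any user; dpkg-query and /proc/PID/maps of your own processes are readable unprivileged) after apt-get upgrade. The version-compare helper is kept separate from the package lookup so the comparison can be exercised with sample version strings without a Ubuntu 14.04 host.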
    
    References:
      http://www.ubuntu.com/usn/usn-3275-2
      http://www.ubuntu.com/usn/usn-3275-1
      CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533,
      CVE-2017-3539, CVE-2017-3544
    
    Package Information:
      https://launchpad.net/ubuntu/+source/openjdk-7/7u131-2.6.9-0ubuntu0.14.04.1
    