-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3132.2
                  [DLA 1886-1] openjdk-7 security update
                              23 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk-7
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2816 CVE-2019-2769 CVE-2019-2762
                   CVE-2019-2745  

Reference:         ASB-2019.0212
                   ESB-2019.2879
                   ESB-2019.2705

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/08/msg00020.html
   https://lists.debian.org/debian-lts-announce/2019/08/msg00027.html

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  August 23 2019: openjdk-7 - regression update
                   August 16 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : openjdk-7
Version        : 7u231-2.6.19-1~deb8u1
CVE ID         : CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816

Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in denial of
service, sandbox bypass, information disclosure or the execution
of arbitrary code.

For Debian 8 "Jessie", these problems have been fixed in version
7u231-2.6.19-1~deb8u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

===============================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : openjdk-7
Version        : 7u231-2.6.19-1~deb8u2
Debian Bug     : 935082 750400

The latest security update of openjdk-7 caused a regression when
applications relied on elliptic curve algorithms to establish SSL
connections. Several duplicate classes were removed from rt.jar by the
upstream developers of OpenJDK because they were also present in
sunec.jar. However Debian never shipped the SunEC security provider in
OpenJDK 7.

The issue was resolved by building sunec.jar and its corresponding
native library libsunec.so from source. In order to build these
libraries from source, an update of nss to version 2:3.26-1+debu8u6 is
required.

Updates for the amd64 architecture are already available, new packages
for i386, armel and armhf will be available within the next 24 hours.

For Debian 8 "Jessie", this problem has been fixed in version
7u231-2.6.19-1~deb8u2.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
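The regression described in the second advisory above (elliptic curve algorithms unavailable for SSL connections because the SunEC provider was not shipped) can be checked on a host with the following added example, which is not part of the Debian or AusCERT text. The class name EcTlsCheck is hypothetical, and the assumption that the failure surfaces as an exception or a linkage error is the example's own, not a statement from the advisory.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example (Java 7 compatible): reports whether this JRE can use
// elliptic curve algorithms for TLS. EcTlsCheck is a hypothetical name.
public class EcTlsCheck {

    // True if an "EC" KeyPairGenerator can be created and actually used.
    static boolean ecKeyGenWorks() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(256);
            return kpg.generateKeyPair() != null;
        } catch (Exception e) {        // assumed: e.g. NoSuchAlgorithmException
            return false;
        } catch (LinkageError e) {     // assumed: missing class or native library
            return false;
        }
    }

    // ECDHE/ECDH cipher suites that the default SSLContext supports.
    static List<String> ecCipherSuites() throws NoSuchAlgorithmException {
        List<String> out = new ArrayList<String>();
        String[] suites = SSLContext.getDefault()
                .getSupportedSSLParameters().getCipherSuites();
        for (String s : suites) {
            if (s.contains("_ECDHE_") || s.contains("_ECDH_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Provider sunec = Security.getProvider("SunEC");
        boolean keygen = ecKeyGenWorks();
        List<String> suites = ecCipherSuites();
        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("SunEC provider    : " + (sunec != null ? sunec.getInfo() : "absent"));
        System.out.println("EC key generation : " + (keygen ? "ok" : "FAILED"));
        System.out.println("EC cipher suites  : " + suites.size());
        // Non-zero exit lets a fleet-wide check flag hosts that still lack EC support.
        System.exit(sunec != null && keygen && !suites.isEmpty() ? 0 : 1);
    }
}
```

Compile and run it with the openjdk-7 runtime under test; exit status 1 means at least one of the three checks failed on that host.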

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----