CVE-2016-3503 - Unspecified vulnerability in Oracle JDK and JRE

CVSS 4.4 - MEDIUM
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: local, oracle, nessus

Summary

Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Install.

Vulnerable Configurations

Part         Description  Count
Application  Oracle       6

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2016-1477.NASL
    description: An update for java-1.6.0-sun is now available for Oracle Java for Red Hat Enterprise Linux 5, Oracle Java for Red Hat Enterprise Linux 6, and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 12 September 2016] This advisory has been updated to push packages into the Oracle Java for Red Hat Enterprise Linux 6 Compute Node channels. The packages included in this revised update have not been changed in any way from the packages included in the original advisory. Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 6 to version 6 Update 121. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3458, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3550)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92510
    published: 2016-07-22
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92510
    title: RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2016:1477)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:1477. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92510);
      script_version("2.9");
      script_cvs_date("Date: 2019/10/24 15:35:41");
    
      script_cve_id("CVE-2016-3458", "CVE-2016-3500", "CVE-2016-3503", "CVE-2016-3508", "CVE-2016-3550");
      script_xref(name:"RHSA", value:"2016:1477");
    
      script_name(english:"RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2016:1477)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for java-1.6.0-sun is now available for Oracle Java for Red
    Hat Enterprise Linux 5, Oracle Java for Red Hat Enterprise Linux 6,
    and Oracle Java for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    [Updated 12 September 2016] This advisory has been updated to push
    packages into the Oracle Java for Red Hat Enterprise Linux 6 Compute
    Node channels. The packages included in this revised update have not
    been changed in any way from the packages included in the original
    advisory.
    
    Oracle Java SE version 6 includes the Oracle Java Runtime Environment
    and the Oracle Java Software Development Kit.
    
    This update upgrades Oracle Java SE 6 to version 6 Update 121.
    
    Security Fix(es) :
    
    * This update fixes multiple vulnerabilities in the Oracle Java
    Runtime Environment and the Oracle Java Software Development Kit.
    Further information about these flaws can be found on the Oracle Java
    SE Critical Patch Update Advisory page, listed in the References
    section. (CVE-2016-3458, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508,
    CVE-2016-3550)"
      );
      # http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?453b5f8c"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.oracle.com/technetwork/java/javase/documentation/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2016:1477"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3458"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3500"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3503"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3508"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3550"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-jdbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-plugin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-sun-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^(5|6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2016:1477";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.6.0-sun-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.6.0-sun-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.6.0-sun-demo-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.6.0-sun-demo-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.6.0-sun-devel-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.6.0-sun-devel-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.6.0-sun-jdbc-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.6.0-sun-jdbc-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.6.0-sun-plugin-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.6.0-sun-plugin-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"i586", reference:"java-1.6.0-sun-src-1.6.0.121-1jpp.1.el5_11")) flag++;
    
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"java-1.6.0-sun-src-1.6.0.121-1jpp.1.el5_11")) flag++;
    
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.6.0-sun-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-sun-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.6.0-sun-demo-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-sun-demo-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.6.0-sun-devel-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-sun-devel-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.6.0-sun-jdbc-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-sun-jdbc-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.6.0-sun-plugin-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-sun-plugin-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"java-1.6.0-sun-src-1.6.0.121-1jpp.1.el6_8")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"java-1.6.0-sun-src-1.6.0.121-1jpp.1.el6_8")) flag++;
    
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.6.0-sun-1.6.0.121-1jpp.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.6.0-sun-1.6.0.121-1jpp.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.6.0-sun-demo-1.6.0.121-1jpp.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"i686", reference:"java-1.6.0-sun-devel-1.6.0.121-1jpp.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.6.0-sun-devel-1.6.0.121-1jpp.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.6.0-sun-jdbc-1.6.0.121-1jpp.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.6.0-sun-plugin-1.6.0.121-1jpp.1.el7")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"java-1.6.0-sun-src-1.6.0.121-1jpp.1.el7")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.6.0-sun / java-1.6.0-sun-demo / java-1.6.0-sun-devel / etc");
      }
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-977.NASL
    description: This update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - Import of OpenJDK 7 u111 build 0 - S6953295: Move few sun.security.(util, x509, pkcs) classes used by keytool/jarsigner to another package - S7060849: Eliminate pack200 build warnings - S7064075: Security libraries don
    last seen: 2020-06-05
    modified: 2016-08-16
    plugin id: 92978
    published: 2016-08-16
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92978
    title: openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-977)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2016-977.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92978);
      script_version("2.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-3458", "CVE-2016-3485", "CVE-2016-3498", "CVE-2016-3500", "CVE-2016-3503", "CVE-2016-3508", "CVE-2016-3511", "CVE-2016-3550", "CVE-2016-3598", "CVE-2016-3606", "CVE-2016-3610");
    
      script_name(english:"openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-977)");
      script_summary(english:"Check for the openSUSE-2016-977 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for java-1_7_0-openjdk fixes the following issues :
    
      - Update to 2.6.7 - OpenJDK 7u111
    
      - Security fixes
    
      - S8079718, CVE-2016-3458: IIOP Input Stream Hooking
        (bsc#989732)
    
      - S8145446, CVE-2016-3485: Perfect pipe placement (Windows
        only) (bsc#989734)
    
      - S8147771: Construction of static protection domains
        under Javax custom policy
    
      - S8148872, CVE-2016-3500: Complete name checking
        (bsc#989730)
    
      - S8149962, CVE-2016-3508: Better delineation of XML
        processing (bsc#989731)
    
      - S8150752: Share Class Data
    
      - S8151925: Font reference improvements
    
      - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733)
    
      - S8155981, CVE-2016-3606: Bolster bytecode verification
        (bsc#989722)
    
      - S8155985, CVE-2016-3598: Persistent Parameter Processing
        (bsc#989723)
    
      - S8158571, CVE-2016-3610: Additional method handle
        validation (bsc#989725)
    
      - CVE-2016-3511 (bsc#989727)
    
      - CVE-2016-3503 (bsc#989728)
    
      - CVE-2016-3498 (bsc#989729)
    
      - Import of OpenJDK 7 u111 build 0
    
      - S6953295: Move few sun.security.(util, x509, pkcs)
        classes used by keytool/jarsigner to another package
    
      - S7060849: Eliminate pack200 build warnings
    
      - S7064075: Security libraries don't build with javac
        -Xlint:all,-deprecation -Werror
    
      - S7069870: Parts of the JDK erroneously rely on generic
        array initializers with diamond
    
      - S7102686: Restructure timestamp code so that jars and
        modules can more easily share the same code
    
      - S7105780: Add SSLSocket client/SSLEngine server to
        templates directory
    
      - S7142339: PKCS7.java is needlessly creating SHA1PRNG
        SecureRandom instances when timestamping is not done
    
      - S7152582: PKCS11 tests should use the NSS libraries
        available in the OS
    
      - S7192202: Make sure keytool prints both unknown and
        unparseable extensions
    
      - S7194449: String resources for Key Tool and Policy Tool
        should be in their respective packages
    
      - S7196855: autotest.sh fails on ubuntu because
        libsoftokn.so not found
    
      - S7200682: TEST_BUG: keytool/autotest.sh still has
        problems with libsoftokn.so
    
      - S8002306: (se) Selector.open fails if invoked with
        thread interrupt status set [win]
    
      - S8009636: JARSigner including TimeStamp PolicyID
        (TSAPolicyID) as defined in RFC3161
    
      - S8019341: Update CookieHttpsClientTest to use the newer
        framework.
    
      - S8022228: Intermittent test failures in
        sun/security/ssl/javax/net/ssl/NewAPIs
    
      - S8022439: Fix lint warnings in sun.security.ec
    
      - S8022594: Potential deadlock in <clinit> of
        sun.nio.ch.Util/IOUtil
    
      - S8023546: sun/security/mscapi/ShortRSAKey1024.sh fails
        intermittently
    
      - S8036612: [parfait] JNI exception pending in
        jdk/src/windows/native/sun/security/mscapi/security.cpp
    
      - S8037557: test SessionCacheSizeTests.java timeout
    
      - S8038837: Add support to jarsigner for specifying
        timestamp hash algorithm
    
      - S8079410: Hotspot version to share the same update and
        build version from JDK
    
      - S8130735: javax.swing.TimerQueue: timer fires late when
        another timer starts
    
      - S8139436: sun.security.mscapi.KeyStore might load
        incomplete data
    
      - S8144313: Test SessionTimeOutTests can be timeout
    
      - S8146387: Test SSLSession/SessionCacheSizeTests socket
        accept timed out
    
      - S8146669: Test SessionTimeOutTests fails intermittently
    
      - S8146993: Several javax/management/remote/mandatory
        regression tests fail after JDK-8138811
    
      - S8147857: [TEST] RMIConnector logs attribute names
        incorrectly
    
      - S8151841, PR3098: Build needs additional flags to
        compile with GCC 6
    
      - S8151876: (tz) Support tzdata2016d
    
      - S8157077: 8u101 L10n resource file updates
    
      - S8161262: Fix jdk build with gcc 4.1.2:
        -fno-strict-overflow not known.
    
      - Import of OpenJDK 7 u111 build 1
    
      - S7081817:
        test/sun/security/provider/certpath/X509CertPath/Illegal
        Certificates.java failing
    
      - S8140344: add support for 3 digit update release numbers
    
      - S8145017: Add support for 3 digit hotspot minor version
        numbers
    
      - S8162344: The API changes made by CR 7064075 need to be
        reverted
    
      - Backports
    
      - S2178143, PR2958: JVM crashes if the number of bound
        CPUs changed during runtime
    
      - S4900206, PR3101: Include worst-case rounding tests for
        Math library functions
    
      - S6260348, PR3067: GTK+ L&F JTextComponent not respecting
        desktop caret blink rate
    
      - S6934604, PR3075: enable parts of EliminateAutoBox by
        default
    
      - S7043064, PR3020: sun/java2d/cmm/ tests failed against
        RI b141 & b138-nightly
    
      - S7051394, PR3020: NullPointerException when running
        regression tests LoadProfileTest by using openjdk-7-b144
    
      - S7086015, PR3013: fix
        test/tools/javac/parser/netbeans/JavacParserTest.java
    
      - S7119487, PR3013: JavacParserTest.java test fails on
        Windows platforms
    
      - S7124245, PR3020: [lcms] ColorConvertOp to color space
        CS_GRAY apparently converts orange to 244,244,0
    
      - S7159445, PR3013: (javac) emits inaccurate diagnostics
        for enhanced for-loops
    
      - S7175845, PR1437, RH1207129: 'jar uf' changes file
        permissions unexpectedly
    
      - S8005402, PR3020: Need to provide benchmarks for color
        management
    
      - S8005530, PR3020: [lcms] Improve performance of
        ColorConverOp for default destinations
    
      - S8005930, PR3020: [lcms] ColorConvertOp: Alpha channel
        is not transferred from source to destination.
    
      - S8013430, PR3020: REGRESSION:
        closed/java/awt/color/ICC_Profile/LoadProfileTest/LoadPr
        ofileTest.java fails with
        java.io.StreamCorruptedException: invalid type code: EE
        since 8b87
    
      - S8014286, PR3075: failed java/lang/Math/DivModTests.java
        after 6934604 changes
    
      - S8014959, PR3075:
        assert(Compile::current()->live_nodes() <
        (uint)MaxNodeLimit) failed: Live Node limit exceeded
        limit
    
      - S8019247, PR3075: SIGSEGV in compiled method
        c8e.e.t_.getArray(Ljava/lang/Class;)[Ljava/lang/Object
    
      - S8024511, PR3020: Crash during color profile destruction
    
      - S8025429, PR3020: [parfait] warnings from b107 for
        sun.java2d.cmm: JNI exception pending
    
      - S8026702, PR3020: Fix for 8025429 breaks jdk build on
        windows
    
      - S8026780, PR3020, RH1142587: Crash on PPC and PPC v2 for
        Java_awt test suit
    
      - S8047066, PR3020: Test
        test/sun/awt/image/bug8038000.java fails with
        ClassCastException
    
      - S8069181, PR3012, RH1015612: java.lang.AssertionError
        when compiling JDK 1.4 code in JDK 8
    
      - S8158260, PR2992, RH1341258: PPC64: unaligned
        Unsafe.getInt can lead to the generation of illegal
        instructions (bsc#988651)
    
      - S8159244, PR3075: Partially initialized string object
        created by C2's string concat optimization may escape
    
      - Bug fixes
    
      - PR2799, RH1195203: Files are missing from resources.jar
    
      - PR2900: Don't use WithSeed versions of NSS functions as
        they don't fully process the seed
    
      - PR3091: SystemTap is heavily confused by multiple JDKs
    
      - PR3102: Extend 8022594 to AixPollPort
    
      - PR3103: Handle case in clean-fonts where
        linux.fontconfig.Gentoo.properties.old has not been
        created
    
      - PR3111: Provide option to disable SystemTap tests
    
      - PR3114: Don't assume system mime.types supports
        text/x-java-source
    
      - PR3115: Add check for elliptic curve cryptography
        implementation
    
      - PR3116: Add tests for Java debug info and source files
    
      - PR3118: Path to agpl-3.0.txt not updated
    
      - PR3119: Makefile handles cacerts as a symlink, but the
        configure check doesn't
    
      - AArch64 port
    
      - S8148328, PR3100: aarch64: redundant lsr instructions in
        stub code.
    
      - S8148783, PR3100: aarch64: SEGV running SpecJBB2013
    
      - S8148948, PR3100: aarch64: generate_copy_longs calls
        align() incorrectly
    
      - S8150045, PR3100: arraycopy causes segfaults in SATB
        during garbage collection
    
      - S8154537, PR3100: AArch64: some integer rotate
        instructions are never emitted
    
      - S8154739, PR3100: AArch64: TemplateTable::fast_xaccess
        loads in wrong mode
    
      - S8157906, PR3100: aarch64: some more integer rotate
        instructions are never emitted
    
      - Enable SunEC for SLE12 and Leap (bsc#982366)
    
      - Fix aarch64 running with 48 bits va space (bsc#984684)
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982366"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=984684"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=988651"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989722"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989723"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989725"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989727"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989728"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989729"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989730"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989731"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989732"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989733"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=989734"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected java-1_7_0-openjdk packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-accessibility");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-accessibility-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-bootstrap-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-bootstrap-devel-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-bootstrap-headless-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-debuginfo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-debugsource-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-demo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-demo-debuginfo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-devel-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-devel-debuginfo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-headless-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-headless-debuginfo-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-javadoc-1.7.0.111-34.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"java-1_7_0-openjdk-src-1.7.0.111-34.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1_7_0-openjdk-bootstrap / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-2012-1.NASL
    description: This update for java-1_8_0-openjdk fixes the following issues : - Upgrade to version jdk8u101 (icedtea 3.1.0) - New in release 3.1.0 (2016-07-25) : - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8146514: Enforce GCM limits - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149070: Enforce update ordering - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8153312: Constrain AppCDS behavior - S8154475, CVE-2016-3587: Clean up lookup visibility (bsc#989721) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3552 (bsc#989726) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - New features - S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3 on Linux - PR2821: Support building OpenJDK with --disable-headful - PR2931, G478960: Provide Infinality Support via fontconfig - PR3079: Provide option to build Shenandoah on x86_64 - Import of OpenJDK 8 u92 build 14 - S6869327: Add new C2 flag to keep safepoints in counted loops. - S8022865: [TESTBUG] Compressed Oops testing needs to be revised - S8029630: Thread id should be displayed as a hex number in error report - S8029726: On OS X some dtrace probe names are mismatched with Solaris - S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired. - S8029728: On OS X dtrace probes SetStaticBooleanField are not fired - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8041501: ImageIO reader is not capable of reading JPEGs without JFIF header - S8041900: [macosx] Java forces the use of discrete GPU - S8044363: Remove special build options for unpack200 executable - S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for hotspot ARCH - S8046611: Build errors with gcc on sparc/fastdebug - S8047763: Recognize sparc64 as a sparc platform - S8048232: Fix for 8046471 breaks PPC64 build - S8052396: Catch exceptions resulting from missing font cmap - S8058563: InstanceKlass::_dependencies list isn
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93281
    published: 2016-09-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/93281
    title: SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2016:2012-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201610-08.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201610-08 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities exist in both Oracle’s JRE and JDK. Please review the referenced CVE’s for additional information. Impact : Remote attackers could gain access to information, remotely execute arbitrary code, or cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94085
    published: 2016-10-17
    reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/94085
    title: GLSA-201610-08 : Oracle JRE/JDK: Multiple vulnerabilities
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2016-1475.NASL
    description: An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 12 September 2016] This advisory has been updated to push packages into the Oracle Java for Red Hat Enterprise Linux 6 Compute Node channels. The packages included in this revised update have not been changed in any way from the packages included in the original advisory. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 101. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3458, CVE-2016-3498, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3552, CVE-2016-3587, CVE-2016-3598, CVE-2016-3606, CVE-2016-3610)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92508
    published: 2016-07-22
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92508
    title: RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2016:1475)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-982.NASL
    description: Update to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729)
    last seen: 2020-06-05
    modified: 2016-08-17
    plugin id: 92992
    published: 2016-08-17
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/92992
    title: openSUSE Security Update : OpenJDK7 (openSUSE-2016-982)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2016-1476.NASL
    description: An update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 5, Oracle Java for Red Hat Enterprise Linux 6, and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 12 September 2016] This advisory has been updated to push packages into the Oracle Java for Red Hat Enterprise Linux 6 Compute Node channels. The packages included in this revised update have not been changed in any way from the packages included in the original advisory. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 111. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2016-3458, CVE-2016-3498, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3606)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92509
    published: 2016-07-22
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92509
    title: RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2016:1476)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1997-1.NASL
    description: This update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - Import of OpenJDK 7 u111 build 0 - S6953295: Move few sun.security.{util, x509, pkcs} classes used by keytool/jarsigner to another package - S7060849: Eliminate pack200 build warnings - S7064075: Security libraries don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93272
    published: 2016-09-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/93272
    title: SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:1997-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-944.NASL
    description: This update for java-1_8_0-openjdk fixes the following issues : - Upgrade to version jdk8u101 (icedtea 3.1.0) - New in release 3.1.0 (2016-07-25) : - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (boo#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (boo#989734) - S8146514: Enforce GCM limits - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (boo#989730) - S8149070: Enforce update ordering - S8149962, CVE-2016-3508: Better delineation of XML processing (boo#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (boo#989733) - S8153312: Constrain AppCDS behavior - S8154475, CVE-2016-3587: Clean up lookup visibility (boo#989721) - S8155981, CVE-2016-3606: Bolster bytecode verification (boo#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (boo#989723) - S8158571, CVE-2016-3610: Additional method handle validation (boo#989725) - CVE-2016-3552 (boo#989726) - CVE-2016-3511 (boo#989727) - CVE-2016-3503 (boo#989728) - CVE-2016-3498 (boo#989729) - New features - S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3 on Linux - PR2821: Support building OpenJDK with --disable-headful - PR2931, G478960: Provide Infinality Support via fontconfig - PR3079: Provide option to build Shenandoah on x86_64 - Import of OpenJDK 8 u92 build 14 - S6869327: Add new C2 flag to keep safepoints in counted loops. - S8022865: [TESTBUG] Compressed Oops testing needs to be revised - S8029630: Thread id should be displayed as a hex number in error report - S8029726: On OS X some dtrace probe names are mismatched with Solaris - S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired. - S8029728: On OS X dtrace probes SetStaticBooleanField are not fired - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8041501: ImageIO reader is not capable of reading JPEGs without JFIF header - S8041900: [macosx] Java forces the use of discrete GPU - S8044363: Remove special build options for unpack200 executable - S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for hotspot ARCH - S8046611: Build errors with gcc on sparc/fastdebug - S8047763: Recognize sparc64 as a sparc platform - S8048232: Fix for 8046471 breaks PPC64 build - S8052396: Catch exceptions resulting from missing font cmap - S8058563: InstanceKlass::_dependencies list isn
    last seen: 2020-06-05
    modified: 2016-08-08
    plugin id: 92774
    published: 2016-08-08
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/92774
    title: openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-944)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-978.NASL
    description: This update for java-1_8_0-openjdk fixes the following issues : - Upgrade to version jdk8u101 (icedtea 3.1.0) - New in release 3.1.0 (2016-07-25) : - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8146514: Enforce GCM limits - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149070: Enforce update ordering - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8153312: Constrain AppCDS behavior - S8154475, CVE-2016-3587: Clean up lookup visibility (bsc#989721) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3552 (bsc#989726) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - New features - S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3 on Linux - PR2821: Support building OpenJDK with --disable-headful - PR2931, G478960: Provide Infinality Support via fontconfig - PR3079: Provide option to build Shenandoah on x86_64 - Import of OpenJDK 8 u92 build 14 - S6869327: Add new C2 flag to keep safepoints in counted loops. - S8022865: [TESTBUG] Compressed Oops testing needs to be revised - S8029630: Thread id should be displayed as a hex number in error report - S8029726: On OS X some dtrace probe names are mismatched with Solaris - S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired. - S8029728: On OS X dtrace probes SetStaticBooleanField are not fired - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8041501: ImageIO reader is not capable of reading JPEGs without JFIF header - S8041900: [macosx] Java forces the use of discrete GPU - S8044363: Remove special build options for unpack200 executable - S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for hotspot ARCH - S8046611: Build errors with gcc on sparc/fastdebug - S8047763: Recognize sparc64 as a sparc platform - S8048232: Fix for 8046471 breaks PPC64 build - S8052396: Catch exceptions resulting from missing font cmap - S8058563: InstanceKlass::_dependencies list isn
    last seen: 2020-06-05
    modified: 2016-08-16
    plugin id: 92979
    published: 2016-08-16
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/92979
    title: openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-978)
  • NASL family: Misc.
    NASL id: ORACLE_JAVA_CPU_JUL_2016_UNIX.NASL
    description: The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 101, 7 Update 111, or 6 Update 121. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the CORBA subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3458) - An unspecified flaw exists in the Networking subcomponent that allows a local attacker to impact integrity. (CVE-2016-3485) - An unspecified flaw exists in the JavaFX subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3498) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3500) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3503) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3508) - An unspecified flaw exists in the Deployment subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3511) - An unspecified flaw exists in the Hotspot subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3550) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3552) - A flaw exists in the Hotspot subcomponent due to improper access to the MethodHandle::invokeBasic() function. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3587) - A flaw exists in the Libraries subcomponent within the MethodHandles::dropArguments() function that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3598) - A flaw exists in the Hotspot subcomponent within the ClassVerifier::ends_in_athrow() function when handling bytecode verification. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3606) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3610)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92517
    published: 2016-07-22
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92517
    title: Oracle Java SE Multiple Vulnerabilities (July 2016 CPU) (Unix)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-976.NASL
    description: This update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.7 - OpenJDK 7u111 - Security fixes - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732) - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (bsc#989734) - S8147771: Construction of static protection domains under Javax custom policy - S8148872, CVE-2016-3500: Complete name checking (bsc#989730) - S8149962, CVE-2016-3508: Better delineation of XML processing (bsc#989731) - S8150752: Share Class Data - S8151925: Font reference improvements - S8152479, CVE-2016-3550: Coded byte streams (bsc#989733) - S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722) - S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723) - S8158571, CVE-2016-3610: Additional method handle validation (bsc#989725) - CVE-2016-3511 (bsc#989727) - CVE-2016-3503 (bsc#989728) - CVE-2016-3498 (bsc#989729) - Import of OpenJDK 7 u111 build 0 - S6953295: Move few sun.security.(util, x509, pkcs) classes used by keytool/jarsigner to another package - S7060849: Eliminate pack200 build warnings - S7064075: Security libraries don
    last seen: 2020-06-05
    modified: 2016-08-12
    plugin id: 92932
    published: 2016-08-12
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92932
    title: openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-976)
  • NASL family: Windows
    NASL id: ORACLE_JAVA_CPU_JUL_2016.NASL
    description: The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 101, 7 Update 111, or 6 Update 121. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the CORBA subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-3458) - An unspecified flaw exists in the Networking subcomponent that allows a local attacker to impact integrity. (CVE-2016-3485) - An unspecified flaw exists in the JavaFX subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3498) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3500) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3503) - An unspecified flaw exists in the JAXP subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-3508) - An unspecified flaw exists in the Deployment subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3511) - An unspecified flaw exists in the Hotspot subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive information. (CVE-2016-3550) - An unspecified flaw exists in the Install subcomponent that allows a local attacker to gain elevated privileges. (CVE-2016-3552) - A flaw exists in the Hotspot subcomponent due to improper access to the MethodHandle::invokeBasic() function. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3587) - A flaw exists in the Libraries subcomponent within the MethodHandles::dropArguments() function that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3598) - A flaw exists in the Hotspot subcomponent within the ClassVerifier::ends_in_athrow() function when handling bytecode verification. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3606) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3610)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92516
    published: 2016-07-22
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92516
    title: Oracle Java SE Multiple Vulnerabilities (July 2016 CPU)

Redhat

advisories
  • rhsa
    id: RHSA-2016:1475
  • rhsa
    id: RHSA-2016:1476
  • rhsa
    id: RHSA-2016:1477
rpms
  • java-1.8.0-oracle-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-devel-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-devel-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-javafx-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-javafx-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-jdbc-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-jdbc-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-plugin-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-plugin-1:1.8.0.101-1jpp.1.el7
  • java-1.8.0-oracle-src-1:1.8.0.101-1jpp.1.el6_8
  • java-1.8.0-oracle-src-1:1.8.0.101-1jpp.1.el7
  • java-1.7.0-oracle-1:1.7.0.111-1jpp.1.el5_11
  • java-1.7.0-oracle-1:1.7.0.111-1jpp.1.el6_8
  • java-1.7.0-oracle-1:1.7.0.111-1jpp.1.el7
  • java-1.7.0-oracle-devel-1:1.7.0.111-1jpp.1.el5_11
  • java-1.7.0-oracle-devel-1:1.7.0.111-1jpp.1.el6_8
  • java-1.7.0-oracle-devel-1:1.7.0.111-1jpp.1.el7
  • java-1.7.0-oracle-javafx-1:1.7.0.111-1jpp.1.el5_11
  • java-1.7.0-oracle-javafx-1:1.7.0.111-1jpp.1.el6_8
  • java-1.7.0-oracle-javafx-1:1.7.0.111-1jpp.1.el7
  • java-1.7.0-oracle-jdbc-1:1.7.0.111-1jpp.1.el5_11
  • java-1.7.0-oracle-jdbc-1:1.7.0.111-1jpp.1.el6_8
  • java-1.7.0-oracle-jdbc-1:1.7.0.111-1jpp.1.el7
  • java-1.7.0-oracle-plugin-1:1.7.0.111-1jpp.1.el5_11
  • java-1.7.0-oracle-plugin-1:1.7.0.111-1jpp.1.el6_8
  • java-1.7.0-oracle-plugin-1:1.7.0.111-1jpp.1.el7
  • java-1.7.0-oracle-src-1:1.7.0.111-1jpp.1.el5_11
  • java-1.7.0-oracle-src-1:1.7.0.111-1jpp.1.el6_8
  • java-1.7.0-oracle-src-1:1.7.0.111-1jpp.1.el7
  • java-1.6.0-sun-1:1.6.0.121-1jpp.1.el5_11
  • java-1.6.0-sun-1:1.6.0.121-1jpp.1.el6_8
  • java-1.6.0-sun-1:1.6.0.121-1jpp.1.el7
  • java-1.6.0-sun-demo-1:1.6.0.121-1jpp.1.el5_11
  • java-1.6.0-sun-demo-1:1.6.0.121-1jpp.1.el6_8
  • java-1.6.0-sun-demo-1:1.6.0.121-1jpp.1.el7
  • java-1.6.0-sun-devel-1:1.6.0.121-1jpp.1.el5_11
  • java-1.6.0-sun-devel-1:1.6.0.121-1jpp.1.el6_8
  • java-1.6.0-sun-devel-1:1.6.0.121-1jpp.1.el7
  • java-1.6.0-sun-jdbc-1:1.6.0.121-1jpp.1.el5_11
  • java-1.6.0-sun-jdbc-1:1.6.0.121-1jpp.1.el6_8
  • java-1.6.0-sun-jdbc-1:1.6.0.121-1jpp.1.el7
  • java-1.6.0-sun-plugin-1:1.6.0.121-1jpp.1.el5_11
  • java-1.6.0-sun-plugin-1:1.6.0.121-1jpp.1.el6_8
  • java-1.6.0-sun-plugin-1:1.6.0.121-1jpp.1.el7
  • java-1.6.0-sun-src-1:1.6.0.121-1jpp.1.el5_11
  • java-1.6.0-sun-src-1:1.6.0.121-1jpp.1.el6_8
  • java-1.6.0-sun-src-1:1.6.0.121-1jpp.1.el7