File _patchinfo of Package patchinfo.8424

<patchinfo incident="8424">
  <issue tracker="bnc" id="1104668">VUL-0: IBM Java 8 SR5 FP20 was released</issue>
  <issue tracker="cve" id="2018-2964"/>
  <issue tracker="cve" id="2016-0705"/>
  <issue tracker="cve" id="2018-2973"/>
  <issue tracker="cve" id="2018-1656"/>
  <issue tracker="cve" id="2018-12539"/>
  <issue tracker="cve" id="2018-2952"/>
  <issue tracker="cve" id="2018-1517"/>
  <issue tracker="cve" id="2017-3736"/>
  <issue tracker="cve" id="2018-2940"/>
  <issue tracker="cve" id="2017-3732"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>scarabeus_iv</packager>
  <description>This update for java-1_8_0-ibm to 8.0.5.20 fixes the following security issues:

- CVE-2018-2952: Vulnerability in subcomponent: Concurrency. A difficult to
  exploit vulnerability allowed an unauthenticated attacker with network access
  via multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
  Successful attacks of this vulnerability can result in unauthorized ability to
  cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded,
  JRockit (bsc#1104668)
- CVE-2018-2940: Vulnerability in subcomponent: Libraries. An easily exploitable
  vulnerability allowed an unauthenticated attacker with network access via
  multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks
  require human interaction from a person other than the attacker. Successful
  attacks of this vulnerability can result in unauthorized read access to a
  subset of Java SE, Java SE Embedded accessible data (bsc#1104668)
- CVE-2018-2973: Vulnerability in subcomponent: JSSE. A difficult to exploit
  vulnerability allowed an unauthenticated attacker with network access via
  SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this
  vulnerability can result in unauthorized creation, deletion or modification
  access to critical data or all Java SE, Java SE Embedded accessible data
  (bsc#1104668)
- CVE-2018-2964: Vulnerability in subcomponent: Deployment. A difficult to
  exploit vulnerability allowed an unauthenticated attacker with network access
  via multiple protocols to compromise Java SE. Successful attacks require human
  interaction from a person other than the attacker. Successful attacks of this
  vulnerability can result in takeover of Java SE (bsc#1104668)
- CVE-2016-0705: Prevent double free in the dsa_priv_decode function that
  allowed remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via a malformed DSA private key
  (bsc#1104668)
- CVE-2017-3732: Prevent a carry-propagating bug in the x86_64 Montgomery
  squaring procedure (bsc#1104668)
- CVE-2017-3736: Prevent a carry-propagating bug in the x86_64 Montgomery
  squaring procedure (bsc#1104668)
- CVE-2018-1517: Unspecified vulnerability (bsc#1104668)
- CVE-2018-1656: Unspecified vulnerability (bsc#1104668)
- CVE-2018-12539: Users other than the process owner might have been able to
  use the Java Attach API to connect to an IBM JVM on the same machine and use
  Attach API operations, which include the ability to execute untrusted native
  code (bsc#1104668)

</description>
  <summary>Security update for java-1_8_0-ibm</summary>
</patchinfo>