Bugzilla – Full Text Bug Listing |
Summary: | VUL-0: java-1_5_0-ibm,java-1_6_0-ibm,java-1_7_0-ibm,java-1_7_1-ibm: IBM July 2015 Java update | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Johannes Segitz <jsegitz> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Major | ||
Priority: | P3 - Medium | CC: | astieger, bugproxy, hannsj_uhl, jreuter, mcowley, meissner, smash_bz, tstaudt |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/119126/ | ||
See Also: | https://bugzilla.linux.ibm.com/show_bug.cgi?id=127869 | ||
Whiteboard: | maint:released:sle10-sp3:62271 CVSSv2:RedHat:CVE-2015-1931:1.9:(AV:L/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2590:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-2596:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2015-2597:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-2601:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2613:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2619:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2621:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2625:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2627:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2628:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-2632:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2637:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2015-2638:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-2659:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2664:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-4729:4.0:(AV:N/AC:H/Au:N/C:P/I:P/A:N) CVSSv2:NVD:CVE-2015-4731:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-4732:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-4733:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-4736:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-4748:7.6:(AV:N/AC:H/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2015-4749:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-4760:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:RedHat:CVE-2015-2590:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-2596:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:RedHat:CVE-2015-2597:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:RedHat:CVE-2015-2601:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-2613:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-2619:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-2621:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-2625:2.6:(AV:N/AC:H/Au:N/C:N/I:P/A:N) CVSSv2:RedHat:CVE-2015-2627:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) 
CVSSv2:RedHat:CVE-2015-2628:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-2632:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-2632:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-2637:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2015-2638:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-2659:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2664:4.4:(AV:L/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-4729:4.0:(AV:N/AC:H/Au:N/C:P/I:P/A:N) CVSSv2:RedHat:CVE-2015-4731:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-4732:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-4733:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-4736:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-4748:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:RedHat:CVE-2015-4749:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-4760:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-4760:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:UNK(Oracle):CVE-2015-2590:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-2596:4.3:(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVSSv2:UNK(Oracle):CVE-2015-2597:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-2601:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2613:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2619:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2621:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2625:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2627:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2628:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-2632:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2637:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:UNK(Oracle):CVE-2015-2638:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-2659:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:UNK(Oracle):CVE-2015-2664:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) 
CVSSv2:UNK(Oracle):CVE-2015-4729:4.0:(AV:N/AC:H/Au:N/C:P/I:P/A:N) CVSSv2:UNK(Oracle):CVE-2015-4731:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-4732:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-4733:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-4736:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-4748:7.6:(AV:N/AC:H/Au:N/C:C/I:C/A:C) CVSSv2:UNK(Oracle):CVE-2015-4749:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:UNK(Oracle):CVE-2015-4760:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Bug Depends on: | |||
Bug Blocks: | 925378 |
Description
Johannes Segitz
2015-07-21 09:59:41 UTC
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-07-28. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62226

CVE-2015-4000 is bug 931600
CVE-2015-2808 is bug 925378 (RC4)

Atm it ain't downloadable, will try tomorrow:
https://www-01.ibm.com/marketing/iwm/iwm/web/preLogin.do?source=swg-sdk6&S_PKG=amd64_6.0.16.7&S_TACT=105AGX05&S_CMP=JDK
HTTP Error 500: Internal Server Error
https://www-01.ibm.com/marketing/iwm/iwm/web/preLogin.do?source=swg-sdk8&S_PKG=amd64_8.0.1.10&S_TACT=105AGX05&S_CMP=JDK
HTTP Error 500: Internal Server Error

Also java-1_5_0-ibm
- CVE-2015-1931
- CVE-2015-2638
- CVE-2015-4733
- CVE-2015-4732
- CVE-2015-2590
- CVE-2015-4731
- CVE-2015-4760
- CVE-2015-4748
- CVE-2015-2664
- CVE-2015-2632
- CVE-2015-2637
- CVE-2015-2621
- CVE-2015-2601
- CVE-2015-4749
- CVE-2015-4000
- CVE-2015-2808

(In reply to Johannes Segitz from comment #5)
> Also java-1_5_0-ibm
.
fyi ... with regard to the updated IBM Java "5.0.16.13" as outlined at
http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_July_14_2015_CPU
please note that there will be no further Java 5 updates on DeveloperWorks because of the Sept 2015 EOS date for IBM Java 5 ...
.
... so to pick up 5.0.16.13 you will need to go to Fix Central:
http://www-933.ibm.com/support/fixcentral/
.
... as an example here is a link to the fixpack for Linux 64-bit,zSeries:
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/Java+Standard+Edition+%28Java+SE%29&release=5.0.16.13&platform=Linux+64-bit,zSeries&function=aparId&apars=IV75129
.

(In reply to Hanns-Joachim Uhl from comment #6)
> (In reply to Johannes Segitz from comment #5)
> > Also java-1_5_0-ibm
> .
> fyi ...
> with regard to the updated IBM Java "5.0.16.13" as outlined at
> http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_July_14_2015_CPU
> please note that there will be no further Java 5 updates on DeveloperWorks
> because of the Sept 2015 EOS date for IBM Java 5 ...
> .
> ... so to pick up 5.0.16.13 you will need to go to Fix Central:
> http://www-933.ibm.com/support/fixcentral/
> .
> ... as an example here is a link to the fixpack for Linux 64-bit,zSeries:
> http://www-933.ibm.com/support/fixcentral/swg/
> selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/
> Java+Standard+Edition+%28Java+SE%29&release=5.0.16.13&platform=Linux+64-bit,
> zSeries&function=aparId&apars=IV75129
> .

Hm, when I tried to download this I failed because on using our arcane login it said it has not verified email address, which I dunno what was anyway, so I will have to create new account. (will do tomorrow)

Slightly unrelated question: Do you have to redesign/tweak the webpage for regular download with almost each release of ibmjava? I usually have to spend 1-2 hours tweaking the download scraper just to get the resulting ~20 .bin files? Not having to go over 4 pages formular checking that "no I don't want to get promo materials" every time is quite not what I would consider fun. Even with the two hours editing I consider it less pain than this form clicking :)

Great solution would be if you guys set up ftp for partners only where we could simply fetch the files and bypass this lovely download mechanisms.

bugbot adjusting priority

I am unable to download 7.0-9.10 for s390. It is not available on the page:
https://www.ibm.com/services/forms/preLogin.do?source=swg-sdk7&S_PKG=zseries31_7.0.9.10&S_TACT=105AGX05&S_CMP=JDK

(In reply to Hanns-Joachim Uhl from comment #6)
> (In reply to Johannes Segitz from comment #5)
> > Also java-1_5_0-ibm
> .
> fyi ...
> with regard to the updated IBM Java "5.0.16.13" as outlined at
> http://www.ibm.com/developerworks/java/jdk/alerts/#Oracle_July_14_2015_CPU
> please note that there will be no further Java 5 updates on DeveloperWorks
> because of the Sept 2015 EOS date for IBM Java 5 ...
> .
> ... so to pick up 5.0.16.13 you will need to go to Fix Central:
> http://www-933.ibm.com/support/fixcentral/
> .
> ... as an example here is a link to the fixpack for Linux 64-bit,zSeries:
> http://www-933.ibm.com/support/fixcentral/swg/
> selectFixes?parent=ibm~WebSphere&product=ibm/IBM+SDKs+for+Java+Technology/
> Java+Standard+Edition+%28Java+SE%29&release=5.0.16.13&platform=Linux+64-bit,
> zSeries&function=aparId&apars=IV75129
> .

I am unable to register new account for the fixcentral. When I click on the IBM My ID I get e-mail confirmation with link (and token) and that shows only blank empty page...

1.7.1 1.6.0 and 1.8.0 are updated in devel:ibmjava.

Today I managed to get ibmjava 1.5.0 so we have it again in Devel:ibmjava.

The 7.0 series s390 is nowhere to be found per c#9 -> we can't do jdk7 update.

@security: should we wait or should I submit the rest right away?

(In reply to Tomáš Chvátal from comment #11)
Please submit right away since we don't know how long this will take

All submissions done except the 1.7.0 which has missing s390 binary installer. Let me know if you wish some other platform too.

(In reply to Tomáš Chvátal from comment #11)
> Today I managed to get ibmjava 1.5.0 so we have it again in Devel:ibmjava.
>
> The 7.0 series s390 is nowhere to be found per c#9 -> we can't do jdk7
> update.
> .
Hello SUSE / Tomas,
... I just got the notice that the 31-bit version for System z for "IBM SDK, Java Technology Edition, Version 7, Service Refresh 9 Fix Pack 10" is now available from developerworks at e.g. from
https://www-01.ibm.com/marketing/iwm/iwm/web/acceptSignup.do?source=swg-sdk7&S_PKG=zseries31_7.0.9.10&S_TACT=105AGX05&S_CMP=JDK&lang=en_US .. ...
can you please check from your side whether this is working for you ..?
Please advise ..
Thanks in advance for your support.

SUSE-SU-2015:1329-1: An update that fixes 20 vulnerabilities is now available.
Category: security (important)
Bug References: 935540,938895
CVE References: CVE-2015-1931,CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2619,CVE-2015-2621,CVE-2015-2625,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4729,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): java-1_7_1-ibm-1.7.1_sr3.10-3.1
SUSE Linux Enterprise Server 11-SP4 (src): java-1_7_1-ibm-1.7.1_sr3.10-3.1

------- Comment From hannsj_uhl@de.ibm.com 2015-08-03 09:13 EDT-------
.

------- Comment From hannsj_uhl@de.ibm.com 2015-08-04 06:07 EDT-------
.

SUSE-SU-2015:1345-1: An update that fixes 17 vulnerabilities is now available.
Category: security (important)
Bug References: 935540,936844,938895
CVE References: CVE-2015-1931,CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src): java-1_6_0-ibm-1.6.0_sr16.7-22.2

SUSE-SU-2015:1375-1: An update that fixes 21 vulnerabilities is now available.
Category: security (important)
Bug References: 935540,938895
CVE References: CVE-2015-0192,CVE-2015-1931,CVE-2015-2590,CVE-2015-2601,CVE-2015-2613,CVE-2015-2619,CVE-2015-2621,CVE-2015-2625,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4729,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): java-1_7_0-ibm-1.7.0_sr9.10-9.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): java-1_7_0-ibm-1.7.0_sr9.10-9.1
SUSE Linux Enterprise Server 11-SP3 (src): java-1_7_0-ibm-1.7.0_sr9.10-9.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src): java-1_7_0-ibm-1.7.0_sr9.10-9.1

all released I think

SUSE-SU-2015:1509-1: An update that fixes 17 vulnerabilities is now available.
Category: security (important)
Bug References: 935540,936844,938895,941939
CVE References: CVE-2015-1931,CVE-2015-2590,CVE-2015-2601,CVE-2015-2621,CVE-2015-2625,CVE-2015-2632,CVE-2015-2637,CVE-2015-2638,CVE-2015-2664,CVE-2015-2808,CVE-2015-4000,CVE-2015-4731,CVE-2015-4732,CVE-2015-4733,CVE-2015-4748,CVE-2015-4749,CVE-2015-4760
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): java-1_6_0-ibm-1.6.0_sr16.7-10.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): java-1_6_0-ibm-1.6.0_sr16.7-10.1
SUSE Linux Enterprise Server 11-SP3 (src): java-1_6_0-ibm-1.6.0_sr16.7-10.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src): java-1_6_0-ibm-1.6.0_sr16.7-10.1
SUSE Linux Enterprise Server 11-SP1-LTSS (src): java-1_6_0-ibm-1.6.0_sr16.7-10.1

*** Bug 939382 has been marked as a duplicate of this bug. ***