USN-3275-1: OpenJDK 8 vulnerabilities<\/p>\n
11th May, 2017<\/em><\/p>\n A security issue affects these releases of Ubuntu and its Several security issues were fixed in OpenJDK 8.\n<\/p>\n It was discovered that OpenJDK improperly re-used cached NTLM It was discovered that an untrusted library search path flaw existed It was discovered that the Java API for XML Processing (JAXP) component It was discovered that the FTP client implementation in OpenJDK did It was discovered that OpenJDK allowed MD5 to be used as an algorithm It was discovered that the SMTP client implementation in OpenJDK The problem can be corrected by updating your system to the following To update your system, please follow these instructions: This update uses a new upstream release, which includes additional CVE-2017-3509<\/a>, <\/p>\n CVE-2017-3511<\/a>, <\/p>\n CVE-2017-3526<\/a>, <\/p>\n CVE-2017-3533<\/a>, <\/p>\n CVE-2017-3539<\/a>, <\/p>\n CVE-2017-3544<\/a><\/p>\n Source: USN-3275-1: OpenJDK 8 vulnerabilities<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" USN-3275-1: OpenJDK 8 vulnerabilities Ubuntu Security Notice USN-3275-1 11th May, 2017 openjdk-8 vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.10 Ubuntu 16.04 LTS Summary Several security issues were fixed in OpenJDK 8. Software description openjdk-8 – Open Source Java implementation Details It was discovered that OpenJDK improperly re-used cached NTLMconnections in some situations. A remote attacker could possiblyuse this to cause a Java application to perform actions with thecredentials of a different user. (CVE-2017-3509) It was discovered that an untrusted library search path flaw existedin the Java Cryptography Extension (JCE) component of OpenJDK. Alocal attacker could possibly use this to gain the privileges of aJava application. (CVE-2017-3511) It was discovered that the Java API for XML Processing (JAXP) componentin OpenJDK did not properly enforce size limits when parsing XMLdocuments. An attacker could [ more… ]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[586],"tags":[587],"class_list":["post-16064","post","type-post","status-publish","format-standard","hentry","category-ubuntu-usn","tag-ubuntu-usn"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/16064","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/comments?post=16064"}],"version-history":[{"count":1,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/16064\/revisions"}],"predecessor-version":[{"id":16065,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/16064\/revisions\/16065"}],"wp:attachment":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/media?parent=16064"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/categories?post=16064"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/tags?post=16064"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}openjdk-8 vulnerabilities<\/h3>\n
\n derivatives:<\/p>\n\n
Summary<\/h3>\n
Software description<\/h3>\n
\n
\n – Open Source Java implementation<\/p>\n<\/li>\n<\/ul>\nDetails<\/h3>\n
connections in some situations. A remote attacker could possibly
use this to cause a Java application to perform actions with the
credentials of a different user. (CVE-2017-3509<\/a>)<\/p>\n
in the Java Cryptography Extension (JCE) component of OpenJDK. A
local attacker could possibly use this to gain the privileges of a
Java application. (CVE-2017-3511<\/a>)<\/p>\n
in OpenJDK did not properly enforce size limits when parsing XML
documents. An attacker could use this to cause a denial of service
(processor and memory consumption). (CVE-2017-3526<\/a>)<\/p>\n
not properly sanitize user inputs. If a user was tricked into opening
a specially crafted FTP URL, a remote attacker could use this to
manipulate the FTP connection. (CVE-2017-3533<\/a>)<\/p>\n
for JAR integrity verification. An attacker could possibly use this
to modify the contents of a JAR file without detection. (CVE-2017-3539<\/a>)<\/p>\n
did not properly sanitize sender and recipient addresses. A remote
attacker could use this to specially craft email addresses and gain
control of a Java application's SMTP connections. (CVE-2017-3544<\/a>)<\/p>\nUpdate instructions<\/h3>\n
\npackage version:<\/p>\n\n
\n
\n 8u131-b11-0ubuntu1.17.04.1<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.17.04.1<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.17.04.1<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.10.2<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.10.2<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.10.2<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.10.2<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.04.2<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.04.2<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.04.2<\/a>
\n <\/span>\n <\/dd>\n
\n
\n 8u131-b11-0ubuntu1.16.04.2<\/a>
\n <\/span>\n <\/dd>\n<\/dl>\n
\nhttps:\/\/wiki.ubuntu.com\/Security\/Upgrades<\/a>.\n<\/p>\n
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.<\/p>\nReferences<\/h3>\n