ID

VAR-201410-1418

CVE

CVE-2014-3566

TITLE

HP Security Bulletin HPSBMU03416 1

DESCRIPTION

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. SSL protocol is the abbreviation of Secure Socket Layer protocol (Secure Socket Layer) developed by Netscape, which provides security and data integrity guarantee for Internet communication. There is a security vulnerability in the SSL protocol 3.0 version used in OpenSSL 1.0.1i and earlier versions. The vulnerability is caused by the program's use of non-deterministic CBC padding. Attackers can use padding-oracle attacks to exploit this vulnerability to implement man-in-the-middle attacks and obtain plaintext data. HP Storage Data Protector Cell Manager v8 before v8.13_206 and v9 before v9.03MMR running on HP-UX 11i, Windows Server 2008/2008R2/2012/2012R2, Redhat, CentOS, Oracle Linux, and SUSE Linux_x64. For the stable distribution (wheezy), these problems have been fixed in version 7u75-2.5.4-1~deb7u1. For the upcoming stable distribution (jessie), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 7u75-2.5.4-1. We recommend that you upgrade your openjdk-7 packages. HP Asset Manager all supported versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04720842 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04720842 Version: 2 HPSBPI03360 rev.2 - HP LaserJet Printers and MFPs, HP OfficeJet Printers and MFPs, and HP JetDirect Networking cards using OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2015-06-26 Last Updated: 2015-06-26 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with certain HP LaserJet Printers and MFPs, certain HP OfficeJet Printers and MFPs, and certain HP JetDirect Networking cards using OpenSSL. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE", which could be exploited remotely to allow disclosure of information. References: CVE-2014-3566 (SSRT101114) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Please refer to the RESOLUTION below for a list of impacted products. Note: all product versions are impacted prior to the fixed versions listed. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-3566 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided firmware updates for impacted printers as in the table below. To obtain the updated firmware, go to www.hp.com and follow these steps: Select "Drivers & Software". Enter the appropriate product name listed in the table below into the search field. Click on "Search". Click on the appropriate product. Under "Select operating system" click on "Cross operating system (BIOS, Firmware, Diagnostics, etc.)" Note: If the "Cross operating system ..." link is not present, select applicable Windows operating system from the list. Select the appropriate firmware update under "Firmware". Firmware Updates Table Product Name Model Number Firmware Revision HP Color LaserJet CP5525 CE707A,CE708A,CE709A 2305081_000127 (or higher) HP Color LaserJet Enterprise M552 B5L23A 2305076_518484 (or higher) HP Color LaserJet Enterprise M553 B5L24A, B5L25A, B5L26A 2305076_518484 (or higher) HP Color LaserJet Enterprise M651 CZ255A, CZ256A, CZ257A, CZ258A 2305076_518492 (or higher) HP Color LaserJet Enterprise M750 D3L08A, D3L09A, D3L10A 2305081_000144 (or higher) HP Color LaserJet M680 CZ250A, CA251A 2305076_518489 (or higher) HP LaserJet Enterprise 500 color MFP M575dn CD644A, CD645A 2305076_518499 (or higher) HP LaserJet Enterprise 500 MFP M525f CF116A, CF117A 2305076_518487 (or higher) HP LaserJet Enterprise 600 M601 CE989A, CE990A 2305083_000199 (or higher) HP LaserJet Enterprise 600 M602 CE991A, CE992A, CE993A 2305083_000199 (or higher) HP LaserJet Enterprise 600 M603xh CE994A, CE995A, CE996A 2305083_000199 (or higher) HP LaserJet Enterprise 700 color MFP M775 series CC522A, CC523A, CC524A 2305076_518498 (or higher) HP LaserJet Enterprise 700 M712xh CF235A, CF236A, CF238A 2305083_000196 (or higher) HP LaserJet Enterprise 800 color M855 A2W77A, A2W78A, A2W79A 2305076_518493 (or higher) HP LaserJet Enterprise 800 color MFP M880 A2W76A, A2W75A, D7P70A, D7P71A 2305076_518488 (or higher) HP LaserJet Enterprise Color 500 M551 Series CF081A,CF082A,CF083A 2305083_000200 (or higher) HP LaserJet Enterprise Color flow MFP M575c CD646A 2305076_518499 (or higher) HP LaserJet Enterprise flow M830z MFP CF367A 2305076_518490 (or higher) HP LaserJet Enterprise flow MFP M525c CF118A 2305076_518487 (or higher) HP LaserJet Enterprise Flow MFP M630z B3G85A 2305076_518483 (or higher) HP LaserJet Enterprise M4555 MFP CE503A, CE504A, CE738A 2305083_000222 (or higher) HP Color LaserJet CM4540 MFP CC419A, CC420A, CC421A 2305083_000206 (or higher) HP LaserJet Enterprise M604 E6B67A, E6B68A 2305076_518485 (or higher) HP LaserJet Enterprise M605 E6B69A, E6B70A. E6B71A 2305076_518485 (or higher) HP LaserJet Enterprise M606 E6B72A, E6B73A 2305076_518485 (or higher) HP LaserJet Enterprise M806 CZ244A, CZ245A 2305081_000143 (or higher) HP LaserJet Enterprise MFP M630 J7X28A 2305076_518483 (or higher) HP LaserJet Enterprise MFP M725 CF066A, CF067A, CF068A, CF069A 2305076_518496 (or higher) HP Scanjet Enterprise 8500FN1 Document Capture Workstation L2717A 2305076_518479 (or higher) HP OfficeJet Enterprise Color X555 C2S11A, C2S12A 2305076_518491 (or higher) HP OfficeJet Enterprise Color MFP X585 B5L04A, B5L05A,B5L07A 2305076_518486 (or higher) HP LaserJet P3005 Q7812A 02.190.3 (or higher) HP Color LaserJet CP3505 CB442A 03.160.2 (or higher) HP LaserJet 5200L Q7543A 08.241.0 (or higher) HP LaserJet 5200N Q7543A 08.241.0 (or higher) HP LaserJet 4240 Q7785A 08.250.2 (or higher) HP LaserJet 4250 Q5400A 08.250.2 (or higher) HP LaserJet 4350 Q5407A 08.250.2 (or higher) HP LaserJet 9040 Q7697A 08.260.3 (or higher) HP LaserJet 9050 Q7697A 08.260.3 (or higher) HP LaserJet 9040 Multifunction Printer Q3721A 08.290.2 (or higher) HP LaserJet 9050 Multifunction Printer Q3721A 08.290.2 (or higher) HP 9200c Digital Sender Q5916A 09.271.3 (or higher) HP LaserJet 4345 Multifunction Printer Q3942A 09.310.2 (or higher) HP LaserJet P2055 Printer CE456A, CE457A, CE459A, CE460A, 20141201 (or higher) HP Color LaserJet 3000 Q7534A 46.080.2 (or higher) HP Color LaserJet 3800 Q5981A 46.080.8 (or higher) HP Color LaserJet 4700 Q7492A 46.230.6 (or higher) HP Color LaserJet CP4005 CB503A 46.230.6 (or higher) HP Color LaserJet 4730 Multifunction Printer Q7517A 46.380.3 (or higher) HP LaserJet Pro 200 color Printer M251n, nw CF146A, CF147A 20150112 (or higher) HP LaserJet Pro 500 color MFP M570dn, dw CZ271A, CZ272A 20150112 (or higher) HP LaserJet Pro M521dn, dw MFP A8P79A, A8P80A 20150112 (or higher) HP Color LaserJet Pro MFP M476dn, dw, nw CF385A, CF386A, CF387A 20150112 (or higher) HP LaserJet Pro 400 MFP M425dn, dw CF286A, CF28A 20150112 (or higher) HP LaserJet Pro 200 color MFP M276n, nw CF144A, CF145A 20150112 (or higher) HP LaserJet Pro 400 M401a, d, dn, dne, dw, n CF270A, CF274A, CF278A, CF399A, CF285A, CZ195A 20150112 (or higher) HP LaserJet Pro P1566 Printer CE663A, CE749A 20150116 (or higher) HP LaserJet Pro 300 Color MFP M375nw CE903A 20150126 (or higher) HP LaserJet Pro 400 Color MFP M475dn, dw CE863A, CE864A 20150126 (or higher) HP TopShot LaserJet Pro M275 MFP CF040A 20150126 (or higher) HP LaserJet 300 color M351a CE955A 20150126 (or higher) HP LaserJet 400 color M451dn, dw, nw CE956A, CE957A, CE958A 20150126 (or higher) HP LaserJet Pro MFP M125a CZ172A 20150214 (or higher) HP LaserJet Pro MFP M126a CZ174A 20150215 (or higher) HP LaserJet Pro MFP M125nw CZ173A 20150228 (or higher) HP LaserJet Pro MFP M126nw CZ175A 20150228 (or higher) HP LaserJet Pro MFP M127fn, fw CZ181A, CZ183A 20150228 (or higher) HP LaserJet Pro MFP M128fn, fp, fw CZ184A, CZ185A, CZ186A 20150228 (or higher) HP Color LaserJet Pro MFP M176n, fw CF547A, CZ165A 20150228 (or higher) HP LaserJet Pro P1102, w CE651A, CE657A 20150313 (or higher) HP LaserJet Pro P1106 CE653A 20150313 (or higher) HP LaserJet Pro P1108 CE655A 20150313 (or higher) LaserJet Pro M435nw MFP A3E42A 20150316 (or higher) HP LaserJet Pro M701a, n B6S00A, B6S01A 20150316 (or higher) HP LaserJet Pro M706n B6S02A 20150316 (or higher) HP LaserJet Professional M1212nf MFP CE841A 20150405 (or higher) HP LaserJet Professional M1213nf MFP CE845A 20150405 (or higher) HP LaserJet Professional M1214nfh MFP CE843A 20150405 (or higher) HP LaserJet Professional M1216nfh MFP CE842A 20150405 (or higher) HP LaserJet Professional M1217nfw MFP CE844A 20150405 (or higher) HP HotSpot LaserJet Pro M1218nfs MFP B4K88A 20150405 (or higher) HP LaserJet Professional M1219nf MFP CE846A 20150405 (or higher) HP LaserJet Pro CP1025, nw CE913A, CE914A, CF346A, CF346A 20150413 (or higher) HP Officejet Pro X451dn Printer CN459A BNP1CN1502AR (or higher) HP Officejet Pro X451dw Printer CN463A BWP1CN1502AR (or higher) HP Officejet Pro X551dw Printer CV037A BZP1CN1502AR (or higher) HP Officejet Pro X476dn MFP CN460A LNP1CN1502BR (or higher) HP Officejet Pro X476dw MFP CN461A LWP1CN1502BR (or higher) HP Officejet Pro X576dw MFP CN598A LZP1CN1502BR (or higher) HP Officejet Pro 276dw MFP CR770A FRP1CN1517AR (or higher) HP Officejet Pro 8610/15/16 e-All-in-One Printer A7F64A, D7Z36A, J5T77A FDP1CN1502AR (or higher) HP Officejet Pro 8620/25 e-All-in-One Printer A7F65A, D7Z37A FDP1CN1502AR (or higher) HP Officejet Pro 8630 e-All-in-One Printer A7F66A FDP1CN1502AR (or higher) HP Jetdirect 620n EIO Card J7934G V29.26 (or higher) HP Jetdirect ew2500 802.11b/g Wireless Print Server J8021A V41.16 (or higher) HP Jetdirect 690n EIO Card J8007A V41.16 (or higher) HP Jetdirect 635n EIO Card J7961G V41.16 (or higher) HP Jetdirect 695n EIO Card J8024A V41.16 (or higher) HP Jetdirect 640n EIO Card J8025A V45.35 (or higher) HISTORY Version:1 (rev.1) - 26 June 2015 Initial release Version:2 (rev.2) - 26 June 2015 Corrected HPSB ID in the document title Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. - HP StoreVirtual VSA Software 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4130 600GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4130 600GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 1TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 450GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 1TB MDL China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 450GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 FC 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 2TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 3TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 450GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 600GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4630 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 600GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 900GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 1TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 3TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4335 China Hybrid Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4335 Hybrid Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 4TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4130 600GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4130 600GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 1TB MDL China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 1TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 1TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 450GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 450GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 900GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 FC 900GB China SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4330 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4335 China Hybrid SAN Solution 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4335 China Hybrid Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4335 Hybrid SAN Solution 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4335 Hybrid Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 2TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 3TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 3TB MDL SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 450GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 450GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 4TB MDL SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 600GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4530 600GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4630 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 600GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 600GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 900GB SAS Storage/S-Buy 12.6, 12.5, 12.0, 11.5 - HP StoreVirtual 4730 FC 900GB SAS Storage 12.6, 12.5, 12.0, 11.5 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2010-5298 4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L 4.0 (AV:N/AC:H/Au:N/C:N/I:P/A:P) CVE-2014-0076 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N) CVE-2014-0195 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2014-0198 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) CVE-2014-0221 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) CVE-2014-0224 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVE-2014-3470 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) CVE-2014-3566 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE-2016-0705 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE recommends applying the following software updates to resolve the vulnerabilities in the impacted versions of HPE StoreVirtual products running HPE LeftHand OS. LeftHand OS v11.5 - Patches 45019-00 and 45020 LeftHand OS v12.0 - Patches 50016-00 and 50017-00 LeftHand OS v12.5 - Patch 55016-00 LeftHand OS v12.6 - Patch 56002-00 **Notes:** These patches enable TLSv1.2 protocol and upgrades the OpenSSL RPM revision to OpenSSL v1.0.1e 48. These patches migrate Certificate Authority Hashing Algorithm from a weak hashing algorithm SHA1 to the stronger hashing algorithm SHA256. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201411-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Asterisk: Multiple Vulnerabilities Date: November 23, 2014 Bugs: #523216, #526208 ID: 201411-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service. Background ========== Asterisk is an open source telephony engine and toolkit. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/asterisk < 11.13.1 >= 11.13.1 Description =========== Multiple unspecified vulnerabilities have been discovered in Asterisk. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Asterisk users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-11.13.1" References ========== [ 1 ] CVE-2014-3566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3566 [ 2 ] CVE-2014-6610 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6610 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-10.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.6.0-ibm security update Advisory ID: RHSA-2014:1877-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1877.html Issue date: 2014-11-19 CVE Names: CVE-2014-3065 CVE-2014-3566 CVE-2014-4288 CVE-2014-6457 CVE-2014-6458 CVE-2014-6492 CVE-2014-6493 CVE-2014-6502 CVE-2014-6503 CVE-2014-6506 CVE-2014-6511 CVE-2014-6512 CVE-2014-6515 CVE-2014-6531 CVE-2014-6532 CVE-2014-6558 ===================================================================== 1. Summary: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-3065, CVE-2014-3566, CVE-2014-4288, CVE-2014-6457, CVE-2014-6458, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558) The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security. Note: With this update, the IBM SDK now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the IBM article linked to in the References section for additional details about this change and instructions on how to re-enable SSL 3.0 support if needed. All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 6 SR16-FP2 release. All running instances of IBM Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1071210 - CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509) 1150155 - CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564) 1150651 - CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274) 1150669 - CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797) 1151046 - CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066) 1151063 - CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846) 1151517 - CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540) 1152756 - CVE-2014-6532 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152757 - CVE-2014-6503 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152759 - CVE-2014-6492 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152760 - CVE-2014-6493 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152761 - CVE-2014-4288 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152763 - CVE-2014-6458 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152766 - CVE-2014-6515 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152789 - CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack 1162554 - CVE-2014-3065 IBM JDK: privilege escalation via shared class cache 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.i386.rpm x86_64: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-accessibility-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.i386.rpm ppc: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.ppc64.rpm java-1.6.0-ibm-accessibility-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.ppc64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.ppc.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.s390.rpm java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.s390x.rpm java-1.6.0-ibm-accessibility-1.6.0.16.2-1jpp.1.el5.s390x.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.s390.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.s390x.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.s390.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.s390.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.s390x.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.s390.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-accessibility-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el5.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.i386.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el5.x86_64.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.i686.rpm x86_64: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.i686.rpm ppc64: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.ppc64.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.ppc64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.ppc.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.ppc64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.ppc64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.ppc64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.ppc.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.ppc64.rpm s390x: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.s390x.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.s390x.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.s390.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.s390x.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.s390x.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.s390x.rpm x86_64: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.i686.rpm x86_64: java-1.6.0-ibm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-demo-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.i686.rpm java-1.6.0-ibm-devel-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-javacomm-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-jdbc-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-plugin-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm java-1.6.0-ibm-src-1.6.0.16.2-1jpp.1.el6_6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2014-3065 https://access.redhat.com/security/cve/CVE-2014-3566 https://access.redhat.com/security/cve/CVE-2014-4288 https://access.redhat.com/security/cve/CVE-2014-6457 https://access.redhat.com/security/cve/CVE-2014-6458 https://access.redhat.com/security/cve/CVE-2014-6492 https://access.redhat.com/security/cve/CVE-2014-6493 https://access.redhat.com/security/cve/CVE-2014-6502 https://access.redhat.com/security/cve/CVE-2014-6503 https://access.redhat.com/security/cve/CVE-2014-6506 https://access.redhat.com/security/cve/CVE-2014-6511 https://access.redhat.com/security/cve/CVE-2014-6512 https://access.redhat.com/security/cve/CVE-2014-6515 https://access.redhat.com/security/cve/CVE-2014-6531 https://access.redhat.com/security/cve/CVE-2014-6532 https://access.redhat.com/security/cve/CVE-2014-6558 https://access.redhat.com/security/updates/classification/#critical https://www.ibm.com/developerworks/java/jdk/alerts/ https://www-01.ibm.com/support/docview.wss?uid=swg21688165 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUbOXcXlSAg2UNWIIRAjCgAKCn4vdPAvm3m43vrgn34KvXTHb0agCeK2ts NBTsOUThQgT3JYMT5S5ENd4= =ev0h -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ============================================================================ Ubuntu Security Notice USN-2487-1 January 28, 2015 openjdk-7 vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.10 - Ubuntu 14.04 LTS Summary: Several security issues were fixed in OpenJDK 7. Software Description: - openjdk-7: Open Source Java implementation Details: Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure, data integrity and availability. An attacker could exploit these to cause a denial of service or expose sensitive data over the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395, CVE-2015-0408, CVE-2015-0412) Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400, CVE-2015-0407) A vulnerability was discovered in the OpenJDK JRE related to information disclosure and integrity. An attacker could exploit this to expose sensitive data over the network. (CVE-2014-6593) A vulnerability was discovered in the OpenJDK JRE related to integrity and availability. An attacker could exploit this to cause a denial of service. (CVE-2015-0383) A vulnerability was discovered in the OpenJDK JRE related to availability. An attacker could this exploit to cause a denial of service. (CVE-2015-0410) A vulnerability was discovered in the OpenJDK JRE related to data integrity. (CVE-2015-0413) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.10: icedtea-7-jre-jamvm 7u75-2.5.4-1~utopic1 openjdk-7-jre 7u75-2.5.4-1~utopic1 openjdk-7-jre-headless 7u75-2.5.4-1~utopic1 openjdk-7-jre-lib 7u75-2.5.4-1~utopic1 openjdk-7-jre-zero 7u75-2.5.4-1~utopic1 openjdk-7-source 7u75-2.5.4-1~utopic1 Ubuntu 14.04 LTS: icedtea-7-jre-jamvm 7u75-2.5.4-1~trusty1 openjdk-7-jre 7u75-2.5.4-1~trusty1 openjdk-7-jre-headless 7u75-2.5.4-1~trusty1 openjdk-7-jre-lib 7u75-2.5.4-1~trusty1 openjdk-7-jre-zero 7u75-2.5.4-1~trusty1 openjdk-7-source 7u75-2.5.4-1~trusty1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. This update contains a known regression in the Zero alternative Java Virtual Machine on PowerPC and a future update will correct this issue. See https://launchpad.net/bugs/1415282 for details. We apologize for the inconvenience. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS), allow unauthorized access, or a man-in-the-middle (MitM) attack. The updates are available from the following site. https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber =OPENSSL11I HP-UX Release HP-UX OpenSSL version B.11.11 (11i v1) A.00.09.08zc.001_HP-UX_B.11.11_32+64.depot B.11.23 (11i v2) A.00.09.08zc.002a_HP-UX_B.11.23_IA-PA.depot B.11.31 (11i v3) A.00.09.08zc.003_HP-UX_B.11.31_IA-PA.depot MANUAL ACTIONS: Yes - Update Install OpenSSL A.00.09.08zc or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.08zc.001 or subsequent HP-UX B.11.23 ================== openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.08zc.002a or subsequent HP-UX B.11.31 ================== openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.08zc.003 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 28 October 2014 Initial release Version:2 (rev.2) - 3 November 2014 Updated download location Version:3 (rev.3) - 11 December 2014 updated version of 11i v2 depot for revised code Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

arbitrary, info disclosure

EXPLOIT AVAILABILITY

EXTERNAL IDS

REFERENCES