Bug 10564 - java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.10
Summary: java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.10
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/555689/
Whiteboard: MGA2TOO mga3-64-OK mga3-32-ok mga2-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-06-19 07:15 CEST by Oden Eriksson
Modified: 2014-05-08 18:07 CEST
CC: 4 users

See Also:
Source RPM:
CVE:
Status comment:


Attachments
lcms2 fixes. (2.83 KB, patch)
2013-06-24 15:11 CEST, Oden Eriksson

Description Oden Eriksson 2013-06-19 07:15:26 CEST
======================================================
Name: CVE-2013-1500
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130130
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows local users to affect
confidentiality and integrity via unknown vectors related to 2D.



======================================================
Name: CVE-2013-1571
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130130
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Javadoc component in Oracle Java SE 7
Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and
earlier, and JavaFX 2.2.21 and earlier allows remote attackers to
affect integrity via unknown vectors related to Javadoc.



======================================================
Name: CVE-2013-2400
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2400
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect integrity via unknown vectors related to
Deployment, a different vulnerability than CVE-2013-3744.



======================================================
Name: CVE-2013-2407
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality and
availability via unknown vectors related to Libraries.



======================================================
Name: CVE-2013-2412
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality via
unknown vectors related to Serviceability.



======================================================
Name: CVE-2013-2437
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2437
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality via
unknown vectors related to Deployment.



======================================================
Name: CVE-2013-2442
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2442
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment,
a different vulnerability than CVE-2013-2466 and CVE-2013-2468.



======================================================
Name: CVE-2013-2443
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Libraries, a
different vulnerability than CVE-2013-2452 and CVE-2013-2455.



======================================================
Name: CVE-2013-2444
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier
allows remote attackers to affect availability via vectors related to
AWT.



======================================================
Name: CVE-2013-2445
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect availability via unknown vectors related to Hotspot.



======================================================
Name: CVE-2013-2446
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via vectors related to CORBA.



======================================================
Name: CVE-2013-2447
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Networking.



======================================================
Name: CVE-2013-2448
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to Sound.



======================================================
Name: CVE-2013-2449
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality via unknown vectors related to
Libraries.



======================================================
Name: CVE-2013-2450
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect availability via unknown vectors related to Serialization.



======================================================
Name: CVE-2013-2451
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows local users to affect confidentiality, integrity,
and availability via unknown vectors related to Networking.



======================================================
Name: CVE-2013-2452
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Libraries, a
different vulnerability than CVE-2013-2443 and CVE-2013-2455.



======================================================
Name: CVE-2013-2453
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect integrity via vectors
related to JMX.



======================================================
Name: CVE-2013-2454
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality and integrity via vectors related to JDBC.



======================================================
Name: CVE-2013-2455
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Libraries, a
different vulnerability than CVE-2013-2443 and CVE-2013-2452.



======================================================
Name: CVE-2013-2456
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality via unknown vectors related to Serialization.



======================================================
Name: CVE-2013-2457
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect integrity via vectors related to JMX.



======================================================
Name: CVE-2013-2458
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality and integrity via unknown vectors
related to Libraries.



======================================================
Name: CVE-2013-2459
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via vectors
related to AWT.



======================================================
Name: CVE-2013-2460
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality, integrity, and availability via
unknown vectors related to Serviceability.



======================================================
Name: CVE-2013-2461
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Libraries.



======================================================
Name: CVE-2013-2462
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2462
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect confidentiality, integrity, and availability via
unknown vectors related to Deployment.



======================================================
Name: CVE-2013-2463
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2464,
CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2464
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2465
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2466
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2466
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment,
a different vulnerability than CVE-2013-2442 and CVE-2013-2468.



======================================================
Name: CVE-2013-2467
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2467
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 5.0 Update 45 and earlier allows local
users to affect confidentiality, integrity, and availability via
unknown vectors related to the Java installer.



======================================================
Name: CVE-2013-2468
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2468
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment,
a different vulnerability than CVE-2013-2442 and CVE-2013-2466.



======================================================
Name: CVE-2013-2469
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2470
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2471,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2471
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470,
CVE-2013-2472, and CVE-2013-2473.



======================================================
Name: CVE-2013-2472
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470,
CVE-2013-2471, and CVE-2013-2473.



======================================================
Name: CVE-2013-2473
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130305
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier allows remote attackers to
affect confidentiality, integrity, and availability via unknown
vectors related to 2D, a different vulnerability than CVE-2013-2463,
CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470,
CVE-2013-2471, and CVE-2013-2472.



======================================================
Name: CVE-2013-3743
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 6 Update 45 and earlier and 5.0 Update 45
and earlier allows remote attackers to affect confidentiality,
integrity, and availability via vectors related to AWT.



======================================================
Name: CVE-2013-3744
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3744
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130603
Category: 
Reference: CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html

Unspecified vulnerability in the Java Runtime Environment (JRE)
component in Oracle Java SE 7 Update 21 and earlier allows remote
attackers to affect integrity via unknown vectors related to
Deployment, a different vulnerability than CVE-2013-2400.




Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-06-19 07:16:39 CEST
I'm not sure where these may apply...
Comment 2 David Walser 2013-06-19 20:43:06 CEST
We'll find out when a new IcedTea is released to address this, which hasn't happened yet.  Because of changes in OpenJDK, a new icedtea-web will need to be provided with this update as well:
http://blog.fuseyism.com/index.php/2013/06/19/imminent-icedtea-web-breakage/

CC: (none) => luigiwalser
Version: 2 => Cauldron
Summary: Multiple vulnerabilities in Java => Java: multiple vulnerabilities fixed in June update
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 3 David Walser 2013-06-20 22:28:44 CEST
Red Hat has issued an advisory for this on June 19:
https://rhn.redhat.com/errata/RHSA-2013-0957.html

They updated to IcedTea 2.3.10.

I still don't see any announcements from the IcedTea project itself.

URL: (none) => http://lwn.net/Vulnerabilities/555689/
CC: (none) => dmorganec

Comment 4 David Walser 2013-06-23 03:15:10 CEST
Still no announcements from upstream.

Here's Red Hat's bugfix advisory for icedtea-web to go along with this update:
https://rhn.redhat.com/errata/RHBA-2013-0959.html

Speaking of icedtea-web, after updating openjdk and patching icedtea-web, icedtea-web isn't building:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20130623011056.luigiwalser.valstar.1730/log/icedtea-web-1.3.2-2.mga4/build.0.20130623011107.log
Comment 5 David Walser 2013-06-23 03:17:50 CEST
We can't push this to QA until icedtea-web is fixed and built.

Here are the packages currently built for this update:
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga3
Comment 6 David Walser 2013-06-23 20:49:25 CEST
OK, I got icedtea-web to build by syncing some changes from Fedora.

We won't build an icedtea-web update for Mageia 2 until java-1.6.0-openjdk has been updated.

Packages built:
icedtea-web-1.3.2-1.1.mga3
icedtea-web-javadoc-1.3.2-1.1.mga3

from icedtea-web-1.3.2-1.1.mga3.src.rpm

Version: Cauldron => 3
Summary: Java: multiple vulnerabilities fixed in June update => java-1.7.0-openjdk new security issues fixed in IcedTea 2.3.10
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 7 David Walser 2013-06-23 21:01:28 CEST
Assigning to QA.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerabilities:

Multiple flaws were discovered in the ImagingLib and the image attribute,
channel, layout and raster processing in the 2D component. An untrusted
Java application or applet could possibly use these flaws to trigger Java
Virtual Machine memory corruption (CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, CVE-2013-2473, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469).

Integer overflow flaws were found in the way AWT processed certain input.
An attacker could use these flaws to execute arbitrary code with the
privileges of the user running an untrusted Java applet or application
(CVE-2013-2459).

Multiple improper permission check issues were discovered in the Sound,
JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass Java
sandbox restrictions (CVE-2013-2448, CVE-2013-2454, CVE-2013-2458,
CVE-2013-2457, CVE-2013-2453, CVE-2013-2460).

Multiple flaws in the Serialization, Networking, Libraries and CORBA
components can be exploited by an untrusted Java application or applet to
gain access to potentially sensitive information (CVE-2013-2456,
CVE-2013-2447, CVE-2013-2455, CVE-2013-2452, CVE-2013-2443, CVE-2013-2446).

It was discovered that the Hotspot component did not properly handle
out-of-memory errors. An untrusted Java application or applet could
possibly use these flaws to terminate the Java Virtual Machine
(CVE-2013-2445).

It was discovered that the AWT component did not properly manage certain
resources and that the ObjectStreamClass of the Serialization component
did not properly handle circular references. An untrusted Java application
or applet could possibly use these flaws to cause a denial of service
(CVE-2013-2444, CVE-2013-2450).

It was discovered that the Libraries component contained certain errors
related to XML security and the class loader. A remote attacker could
possibly exploit these flaws to bypass intended security mechanisms or
disclose potentially sensitive information and cause a denial of service
(CVE-2013-2407, CVE-2013-2461).

It was discovered that JConsole did not properly inform the user when
establishing an SSL connection failed. An attacker could exploit this flaw
to gain access to potentially sensitive information (CVE-2013-2412).

It was discovered that GnomeFileTypeDetector did not check for read
permissions when accessing files. An untrusted Java application or applet
could possibly use this flaw to disclose potentially sensitive information
(CVE-2013-2449).

It was found that documentation generated by Javadoc was vulnerable to a
frame injection attack. If such documentation was accessible over a
network, and a remote attacker could trick a user into visiting a
specially-crafted URL, it would lead to arbitrary web content being
displayed next to the documentation. This could be used to perform a
phishing attack by providing frame content that spoofed a login form on
the site hosting the vulnerable documentation (CVE-2013-1571).

It was discovered that the 2D component created shared memory segments with
insecure permissions. A local attacker could use this flaw to read or write
to the shared memory segment (CVE-2013-1500).

Additionally, this OpenJDK update causes icedtea-web, the Java browser
plugin, to crash, so icedtea-web has been patched to fix this on Mageia 3.

Note that on Mageia 2, icedtea-web uses java-1.6.0-openjdk, which has not
yet been updated to fix these security issues.  An ETA for that update is
not known at this time.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
https://rhn.redhat.com/errata/RHSA-2013-0957.html
https://rhn.redhat.com/errata/RHBA-2013-0959.html
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga2
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-src-1.7.0.25-2.3.10.1.mga3
java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.1.mga3
icedtea-web-1.3.2-1.1.mga3
icedtea-web-javadoc-1.3.2-1.1.mga3

from SRPMS:
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga2.src.rpm
java-1.7.0-openjdk-1.7.0.25-2.3.10.1.mga3.src.rpm
icedtea-web-1.3.2-1.1.mga3.src.rpm

Assignee: bugsquad => qa-bugs
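A whitelist check of the kind that closes the Javadoc frame injection described in the advisory above (CVE-2013-1571), added here as an illustration; it is not code from the advisory or from OpenJDK's Javadoc. It assumes a generated index page that reads the page to show in its content frame from the query string, and it accepts only a relative .html path inside the documentation tree, so a crafted URL cannot make the page frame content from another origin.

```javascript
// Added example (not from the advisory or OpenJDK): whitelist check for a
// frame target taken from the query string of a generated-docs index page
// that loads "?pkg/Class.html" into its content frame. Only a relative path
// of identifier-like segments ending in ".html" passes; anything that could
// name another origin, a script, or a parent directory is rejected.
function isSafeFrameTarget(target) {
  if (typeof target !== "string" || target.length === 0 || target.length > 2048) {
    return false;
  }
  // No scheme ("http:", "javascript:"), no absolute or protocol-relative path,
  // no query, fragment or backslash.
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(target)) return false;
  if (target.startsWith("/") || target.startsWith("\\")) return false;
  if (/[?#\\]/.test(target)) return false;
  const segments = target.split("/");
  const last = segments.pop();
  for (const seg of segments) {
    // Directory segments: package-name style only; "", "." and ".." fail here.
    if (!/^[A-Za-z_$][A-Za-z0-9_$-]*$/.test(seg)) return false;
  }
  // File name: identifier-like stem (dots allowed for nested classes), ".html" suffix.
  return /^[A-Za-z_$][A-Za-z0-9_$.-]*\.html$/.test(last) && !last.includes("..");
}

// How the index page would use it: fall back to the default overview instead
// of honouring an untrusted target from the URL.
function chooseFrameTarget(queryString, fallback = "overview-summary.html") {
  const raw = queryString.startsWith("?") ? queryString.slice(1) : queryString;
  let decoded;
  try {
    decoded = decodeURIComponent(raw); // validate the decoded form, not the raw one
  } catch (e) {
    return fallback;
  }
  return isSafeFrameTarget(decoded) ? decoded : fallback;
}
```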

David Walser 2013-06-23 21:01:38 CEST

Severity: normal => critical

Comment 8 Bill Wilkinson 2013-06-23 22:39:33 CEST
No exploits on securityfocus.

testing mga3-64

CC: (none) => wrw105

Comment 9 Bill Wilkinson 2013-06-23 23:05:44 CEST
tested with Hello World and OddEven

HelloWorld:
http://docs.oracle.com/javase/tutorial/getStarted/cupojava/unix.html

OddEven
https://en.wikipedia.org/wiki/Java_%28programming_language%29#A_more_comprehensive_example

OddEven is complaining:
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated. 

but works normally.

Whiteboard: MGA2TOO => MGA2TOO mga3-64-OK

Comment 10 Bill Wilkinson 2013-06-24 00:23:21 CEST
Tested mga3-32 as above.  No fontconfig warning.

HelloWorld and OddEven both work normally.  

With IcedTea-web update, proper version shows up at javatester.org for both 32 and 64 bit.

Whiteboard: MGA2TOO mga3-64-OK => MGA2TOO mga3-64-OK mga3-32-ok

Comment 11 Bill Wilkinson 2013-06-24 01:41:30 CEST
Tested mga2-32 as above. Both test cases work normally with java -version showing 1.7.0_25.

Whiteboard: MGA2TOO mga3-64-OK mga3-32-ok => MGA2TOO mga3-64-OK mga3-32-ok mga2-32-OK

Comment 12 Bill Wilkinson 2013-06-24 03:14:15 CEST
Tested mga2-64 in VM as above, test cases work normally.

Validating.

Can someone from the sysadmin team please push from 2 and 3 core/updates_testing to core_updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-OK mga3-32-ok mga2-32-OK => MGA2TOO mga3-64-OK mga3-32-ok mga2-32-OK mga2-64-OK
CC: (none) => sysadmin-bugs

Comment 13 Bill Wilkinson 2013-06-24 03:23:13 CEST
Almost forgot!

Advisory and SRPM list in comment 7
Comment 14 Oden Eriksson 2013-06-24 15:10:45 CEST
FYI. I extracted the lcms2 fixes from this update. Patch is applied, however I don't know what it fixes.
Comment 15 Oden Eriksson 2013-06-24 15:11:20 CEST
Created attachment 4164 [details]
lcms2 fixes.
Comment 16 David Walser 2013-06-24 16:53:52 CEST
(In reply to Oden Eriksson from comment #14)
> FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> I don't know what it fixes.

Cool.  I guess you can commit the patch in SVN for now.
Comment 17 Oden Eriksson 2013-06-24 17:23:02 CEST
(In reply to David Walser from comment #16)
> (In reply to Oden Eriksson from comment #14)
> > FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> > I don't know what it fixes.
> 
> Cool.  I guess you can commit the patch in SVN for now.

Done for mga2+mga3. Parts of it apply to lcms2-2.5rc1 in cauldron, but I leave that for now.
Comment 18 claire robinson 2013-06-26 09:21:27 CEST
Advisory uploaded
Comment 19 Nicolas Vigier 2013-06-26 20:29:37 CEST
http://advisories.mageia.org/MGASA-2013-0185.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Comment 20 David Walser 2013-07-07 03:08:35 CEST
(In reply to Oden Eriksson from comment #17)
> (In reply to David Walser from comment #16)
> > (In reply to Oden Eriksson from comment #14)
> > > FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> > > I don't know what it fixes.
> > 
> > Cool.  I guess you can commit the patch in SVN for now.
> 
> Done for mga2+mga3. Parts of it apply to lcms2-2.5rc1 in cauldron, but I
> leave that for now.

The upstream blog has finally announced this:
http://blog.fuseyism.com/index.php/2013/06/28/security-icedtea-2-3-10-for-openjdk-7-released/

I point it out because they link to 5 Sun bugs about the lcms2 security issues fixed within.
Comment 21 David Walser 2013-07-18 16:19:31 CEST
(In reply to David Walser from comment #20)
> (In reply to Oden Eriksson from comment #17)
> > (In reply to David Walser from comment #16)
> > > (In reply to Oden Eriksson from comment #14)
> > > > FYI. I extracted the lcms2 fixes from this update. Patch is applied, however
> > > > I don't know what it fixes.
> > > 
> > > Cool.  I guess you can commit the patch in SVN for now.
> > 
> > Done for mga2+mga3. Parts of it apply to lcms2-2.5rc1 in cauldron, but I
> > leave that for now.
> 
> The upstream blog has finally announced this:
> http://blog.fuseyism.com/index.php/2013/06/28/security-icedtea-2-3-10-for-
> openjdk-7-released/
> 
> I point it out because they link to 5 Sun bugs about the lcms2 security
> issues fixed within.

As you probably already saw, there's a mention about this on oss-sec now with more details:
http://openwall.com/lists/oss-security/2013/07/18/7
Nicolas Vigier 2014-05-08 18:07:13 CEST

CC: boklm => (none)
