Debian Bug report logs - #905215
CVE-2018-2941

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 1 Aug 2018 14:48:01 UTC

Severity: grave

Tags: security

Fixed in version 11+26-1

Done: Markus Koschany <apo@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#905215; Package src:openjfx. (Wed, 01 Aug 2018 14:48:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 01 Aug 2018 14:48:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-2941
Date: Wed, 01 Aug 2018 16:45:30 +0200
Source: openjfx
Severity: grave
Tags: security

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#905215; Package src:openjfx. (Sun, 07 Oct 2018 11:09:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Oct 2018 11:09:03 GMT)


Message #10 received at 905215@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 905215@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: CVE-2018-2941
Date: Sun, 7 Oct 2018 13:04:38 +0200
Hi,

On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff <jmm@debian.org>
wrote:
> Source: openjfx
> Severity: grave
> Tags: security
> 
> http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
> fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.

We have recently upgraded OpenJFX to version 11. It is not listed as a
vulnerable version in Oracle's security advisory. I presume if it has
been vulnerable they would have fixed it in OpenJFX 11 too by now. Do
you have more information about this vulnerability because I can't find
any details on the web.

Regards,

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#905215; Package src:openjfx. (Sun, 07 Oct 2018 11:21:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Oct 2018 11:21:03 GMT)


Message #15 received at 905215@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Markus Koschany <apo@debian.org>
Cc: 905215@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: CVE-2018-2941
Date: Sun, 7 Oct 2018 13:16:07 +0200
On Sun, Oct 07, 2018 at 01:04:38PM +0200, Markus Koschany wrote:
> Hi,
> 
> On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff <jmm@debian.org>
> wrote:
> > Source: openjfx
> > Severity: grave
> > Tags: security
> > 
> > http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
> > fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.
> 
> We have recently upgraded OpenJFX to version 11. It is not listed as a
> vulnerable version in Oracle's security advisory. I presume if it has
> been vulnerable they would have fixed it in OpenJFX 11 too by now. Do
> you have more information about this vulnerability because I can't find
> any details on the web.

No, unfortunately it's the same "we fix, but don't tell" bullshit policy
as with all other Oracle products.

Given that mediathekview is our only reverse dependency in stretch we
can probably mark it as ignored for stretch anyway?

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#905215; Package src:openjfx. (Sun, 07 Oct 2018 11:33:05 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Oct 2018 11:33:05 GMT)


Message #20 received at 905215@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 905215@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: CVE-2018-2941
Date: Sun, 7 Oct 2018 13:29:01 +0200
On 07.10.18 at 13:16, Moritz Muehlenhoff wrote:
[...]
> No, unfortunately it's the same "we fix, but don't tell" bullshit policy
> as with all other Oracle products.
> 
> Given that mediathekview is our only reverse dependency in stretch we
> can probably mark it as ignored for stretch anyway?
> 
> Cheers,
>         Moritz

Ok. MediathekView in Stretch only uses JavaFX to create some better
integrated Panel messages or to improve performance. If I read the
advisory correctly CVE-2018-2941 affects Java Web Start or Java applets
but MediathekView is a desktop application and doesn't use those
classes, so I believe it cannot be exploited. Ignored for Stretch makes
sense.

Cheers,

Markus


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Wed, 31 Oct 2018 12:03:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 31 Oct 2018 12:03:03 GMT)


Message #25 received at 905215-done@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 905215-done@bugs.debian.org
Subject: Re: CVE-2018-2941
Date: Wed, 31 Oct 2018 12:59:40 +0100
Version: 11+26-1

As previously stated I believe this issue was fixed in OpenJFX 11.
However there is no way to prove it because Oracle didn't release any
publicly available information about the details. I am going to close
this bug report now but feel free to reopen it, if you can share more
information about CVE-2018-2941.

Markus

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:33:16 2019; Machine Name: beach