Debian Bug report logs - #905215: CVE-2018-2941
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 1 Aug 2018 14:48:01 UTC
Severity: grave
Tags: security
Fixed in version 11+26-1
Done: Markus Koschany <apo@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#905215; Package src:openjfx. (Wed, 01 Aug 2018 14:48:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 01 Aug 2018 14:48:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: openjfx
Severity: grave
Tags: security
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#905215; Package src:openjfx. (Sun, 07 Oct 2018 11:09:03 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Oct 2018 11:09:03 GMT)
Message #10 received at 905215@bugs.debian.org:
Hi,
On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff <jmm@debian.org>
wrote:
> Source: openjfx
> Severity: grave
> Tags: security
>
> http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
> fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.
We have recently upgraded OpenJFX to version 11. It is not listed as a
vulnerable version in Oracle's security advisory. I presume if it had
been vulnerable they would have fixed it in OpenJFX 11 too by now. Do
you have more information about this vulnerability? I can't find
any details on the web.
Regards,
Markus
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#905215; Package src:openjfx. (Sun, 07 Oct 2018 11:21:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Oct 2018 11:21:03 GMT)
Message #15 received at 905215@bugs.debian.org:
On Sun, Oct 07, 2018 at 01:04:38PM +0200, Markus Koschany wrote:
> Hi,
>
> On Wed, 01 Aug 2018 16:45:30 +0200 Moritz Muehlenhoff <jmm@debian.org>
> wrote:
> > Source: openjfx
> > Severity: grave
> > Tags: security
> >
> > http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
> > fixed CVE-2018-2941 in JavaFX, which should affect our openjfx package.
>
> We have recently upgraded OpenJFX to version 11. It is not listed as a
> vulnerable version in Oracle's security advisory. I presume if it has
> been vulnerable they would have fixed it in OpenJFX 11 too by now. Do
> you have more information about this vulnerability because I can't find
> any details on the web.
No, unfortunately it's the same "we fix, but don't tell" bullshit policy
as with all other Oracle products.
Given that mediathekview is our only reverse dependency in stretch we
can probably mark it as ignored for stretch anyway?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#905215; Package src:openjfx. (Sun, 07 Oct 2018 11:33:05 GMT)
Acknowledgement sent to Markus Koschany <apo@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 07 Oct 2018 11:33:05 GMT)
Message #20 received at 905215@bugs.debian.org:
On 07.10.18 at 13:16, Moritz Muehlenhoff wrote:
[...]
> No, unfortunately it's the same "we fix, but don't tell" bullshit policy
> as with all other Oracle products.
>
> Given that mediathekview is our only reverse dependency in stretch we
> can probably mark it as ignored for stretch anyway?
>
> Cheers,
> Moritz
Ok. MediathekView in Stretch only uses JavaFX to create some better
integrated Panel messages or to improve performance. If I read the
advisory correctly CVE-2018-2941 affects Java Web Start or Java applets
but MediathekView is a desktop application and doesn't use those
classes, so I believe it cannot be exploited. Ignored for Stretch makes
sense.
Cheers,
Markus
Reply sent to Markus Koschany <apo@debian.org>: You have taken responsibility. (Wed, 31 Oct 2018 12:03:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Wed, 31 Oct 2018 12:03:03 GMT)
Message #25 received at 905215-done@bugs.debian.org:
Version: 11+26-1
As previously stated, I believe this issue was fixed in OpenJFX 11.
However, there is no way to prove it because Oracle didn't release any
publicly available information about the details. I am going to close
this bug report now, but feel free to reopen it if you can share more
information about CVE-2018-2941.
Markus
Last modified: Wed Jun 19 17:33:16 2019