openjfx: CVE-2018-2581

Related Vulnerabilities: CVE-2018-2581  

Debian Bug report logs - #888530

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 26 Jan 2018 19:45:02 UTC

Severity: important

Tags: security, upstream

Found in version openjfx/8u151-b12-1

Fixed in version openjfx/8u161-b12-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888530; Package src:openjfx. (Fri, 26 Jan 2018 19:45:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 26 Jan 2018 19:45:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjfx: CVE-2018-2581
Date: Fri, 26 Jan 2018 20:44:09 +0100
Source: openjfx
Version: 8u151-b12-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for openjfx, apart from the CVE
description not much is available:

CVE-2018-2581[0]:
| Vulnerability in the Java SE component of Oracle Java SE
| (subcomponent: JavaFX). Supported versions that are affected are Java
| SE: 7u161, 8u152 and 9.0.1. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via multiple protocols to
| compromise Java SE. Successful attacks require human interaction from
| a person other than the attacker and while the vulnerability is in
| Java SE, attacks may significantly impact additional products.
| Successful attacks of this vulnerability can result in unauthorized
| read access to a subset of Java SE accessible data. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes from
| the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed by
| an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality impacts).
| CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-2581
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2581

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Wed, 04 Apr 2018 22:45:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Apr 2018 22:45:03 GMT).


Message #10 received at 888530-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 888530-close@bugs.debian.org
Subject: Bug#888530: fixed in openjfx 8u161-b12-1
Date: Wed, 04 Apr 2018 22:40:41 +0000
Source: openjfx
Source-Version: 8u161-b12-1

We believe that the bug you reported is fixed in the latest version of
openjfx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888530@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated openjfx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Apr 2018 00:18:00 +0200
Source: openjfx
Binary: openjfx libopenjfx-java libopenjfx-jni libopenjfx-java-doc openjfx-source
Architecture: source
Version: 8u161-b12-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libopenjfx-java - JavaFX/OpenJFX 8 - Rich client application platform for Java (Jav
 libopenjfx-java-doc - JavaFX/OpenJFX 8 - Rich client application platform for Java (Jav
 libopenjfx-jni - JavaFX/OpenJFX 8 - Rich client application platform for Java (nat
 openjfx    - JavaFX/OpenJFX 8 - Rich client application platform for Java
 openjfx-source - JavaFX/OpenJFX 8 - Rich client application platform for Java (sou
Closes: 888530
Changes:
 openjfx (8u161-b12-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - Fixes CVE-2018-2581 (Closes: #888530)
     - Refreshed the patches
   * Standards-Version updated to 4.1.3
   * Switch to debhelper level 11





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 May 2018 07:26:49 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:35:55 2019; Machine Name: buxtehude
