[Secure-testing-commits] r35547 - in data: CVE DSA

Florian Weimer fw at moszumanska.debian.org
Sat Jul 18 12:13:25 UTC 2015


Author: fw
Date: 2015-07-18 12:13:25 +0000 (Sat, 18 Jul 2015)
New Revision: 35547

Modified:
   data/CVE/list
   data/DSA/list
Log:
CVE-2014-8873 DSA-3235-1 in openjdk-7, openjdk-8


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2015-07-18 11:22:09 UTC (rev 35546)
+++ data/CVE/list	2015-07-18 12:13:25 UTC (rev 35547)
@@ -17963,8 +17963,18 @@
 	NOT-FOR-US: Revive Adserver
 CVE-2014-8874 (The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses ...)
 	NOT-FOR-US: TYPO3 Extension ke_questionnaire
-CVE-2014-8873
+CVE-2014-8873 [MIME type registration for JAR files in the Debian OpenJDK packages enable user-initiated remote code execution]
 	RESERVED
+	- openjdk-8 8u45-b14-1 (high)
+	- openjdk-7 7u79-2.5.5-1 (high)
+	- openjdk-6 <removed> (high)
+	[squeeze] - openjdk-6 <not-affected> (MIME type setting is harmless on squeeze)
+	[wheezy] - openjdk-6 <not-affected> (MIME type setting is harmless on wheezy)
+	[squeeze] - openjdk-7 <not-affected> (MIME type setting is harmless on this squeeze)
+	[wheezy] - openjdk-7 <not-affected> (MIME type setting is harmless on wheezy)
+	NOTE: Starting with mime-support 3.53, MimeType entries in desktop
+	NOTE: files end up in /etc/mailcap, which introduces the user-initiated
+	NOTE: code execution.
 CVE-2014-8872
 	RESERVED
 CVE-2014-8871
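Review bot: The added `[squeeze] - openjdk-7 <not-affected>` line gives its reason as "harmless on this squeeze"; drop the stray "this" so it matches the other three per-release lines. The bracketed description has a subject-verb mismatch ("registration ... enable"), which should read "enables". The entry also has no `[jessie]` line for any of the three packages, although the data/DSA/list part of this revision carries a jessie openjdk-7 version, so the jessie status deserves an explicit line or NOTE here. The `RESERVED` marker is left in place under the new description, which is worth a second look.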

Modified: data/DSA/list
===================================================================
--- data/DSA/list	2015-07-18 11:22:09 UTC (rev 35546)
+++ data/DSA/list	2015-07-18 12:13:25 UTC (rev 35547)
@@ -267,7 +267,7 @@
 	[wheezy] - libreoffice 1:3.5.4+dfsg2-0+deb7u4
 	[jessie] - libreoffice 1:4.3.3-2+deb8u1
 [24 Apr 2015] DSA-3235-1 openjdk-7 - security update
-	{CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488}
+	{CVE-2015-0460 CVE-2015-0469 CVE-2015-0470 CVE-2015-0477 CVE-2015-0478 CVE-2015-0480 CVE-2015-0488 CVE-2014-8873}
 	[wheezy] - openjdk-7 7u79-2.5.5-1~deb7u1
 	[jessie] - openjdk-7 7u79-2.5.5-1~deb8u1
 [24 Apr 2015] DSA-3234-1 openjdk-6 - security update
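Review bot: Adding CVE-2014-8873 to the DSA-3235-1 set associates it with the `[wheezy] - openjdk-7 7u79-2.5.5-1~deb7u1` line that follows, while the data/CVE/list change in this same revision marks `[wheezy] - openjdk-7` as `<not-affected>`. The two files then disagree on the wheezy status for this CVE. Either confirm that the per-release `<not-affected>` entry is meant to take precedence, or record in a NOTE that only the jessie upload of this DSA is relevant to CVE-2014-8873.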



