Date: Wed, 15 Apr 2015 09:55:49 +0200 From: Moritz Muehlenhoff <jmm@...ian.org> To: oss-security@...ts.openwall.com Cc: cherepan@...me.ru Subject: Re: jar(1) -- directory traversal On Fri, Jan 16, 2015 at 06:03:55AM +0300, Alexander Cherepanov wrote: > Hi! > > jar(1) in Debian jessie (openjdk-7-jdk 7u71-2.5.3-2) is susceptible to a > directory traversal vulnerability via absolute and relative paths. Other > distros could also be interested in this issue. > > Initial report: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774953 > > Not sure if this is just CVE-2005-1080 not fixed or something else. But > please note that CVE-2005-1080 talks about .. only. > > Debian security team forwarded the report to Oracle Security Team at > 2015-01-12 11:01 +0100. Thanks! This appears to have been fixed in the recent Java CPU and was assigned CVE-2015-0480: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html Cheers, Moritz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ