Date: Wed, 15 Apr 2015 09:55:49 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cherepan@...me.ru
Subject: Re: jar(1) -- directory traversal

On Fri, Jan 16, 2015 at 06:03:55AM +0300, Alexander Cherepanov wrote:
> Hi!
> 
> jar(1) in Debian jessie (openjdk-7-jdk 7u71-2.5.3-2) is susceptible to a
> directory traversal vulnerability via absolute and relative paths. Other
> distros could also be interested in this issue.
> 
> Initial report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774953
> 
> Not sure if this is just CVE-2005-1080 not fixed or something else. But
> please note that CVE-2005-1080 talks about .. only.
> 
> Debian security team forwarded the report to Oracle Security Team at
> 2015-01-12 11:01 +0100. Thanks!

This appears to have been fixed in the recent Java CPU and was assigned
CVE-2015-0480:
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Cheers,
        Moritz
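
An added example, not part of the original thread and not code from jar(1) or OpenJDK: the report stresses that the traversal works through absolute paths as well as relative ones, while CVE-2005-1080 covers `..` only, so this sketch audits a jar's entry names before extraction and shows that a `..`-only check misses the absolute-path case. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile


def build_sample_jar():
    """Constructed sample archive; entry names are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        jar.writestr("/tmp/abs-entry.txt", "absolute path\n")
        jar.writestr("../../rel-entry.txt", "leading dot-dot\n")
        jar.writestr("a/../../nested.txt", "dot-dot after a directory\n")
    return buf.getvalue()


def dotdot_only(name):
    """Narrow check: True only when a '..' component is present."""
    return ".." in name.replace("\\", "/").split("/")


def classify(name):
    """Return 'absolute', 'dotdot', or None for an entry that stays inside."""
    path = name.replace("\\", "/")
    if path.startswith("/") or (len(path) > 1 and path[0].isalpha() and path[1] == ":"):
        return "absolute"
    normalized = posixpath.normpath(path)
    if normalized == ".." or normalized.startswith("../"):
        return "dotdot"
    return None


def audit_jar(data):
    """List (entry name, reason) for entries that would land outside the target."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return [(n, classify(n)) for n in jar.namelist() if classify(n)]


if __name__ == "__main__":
    for name, reason in audit_jar(build_sample_jar()):
        print(f"{reason:8} {name}  (dotdot_only={dotdot_only(name)})")
```

Running such an audit on untrusted archives before handing them to an extractor gives a result that does not depend on which JDK update is installed.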
