Date: Wed, 15 Apr 2015 09:55:49 +0200 From: Moritz Muehlenhoff <jmm@...ian.org> To: oss-security@...ts.openwall.com Cc: cherepan@...me.ru Subject: Re: jar(1) -- directory traversal On Fri, Jan 16, 2015 at 06:03:55AM +0300, Alexander Cherepanov wrote: > Hi! > > jar(1) in Debian jessie (openjdk-7-jdk 7u71-2.5.3-2) is susceptible to a > directory traversal vulnerability via absolute and relative paths. Other > distros could also be interested in this issue. > > Initial report: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774953 > > Not sure if this is just CVE-2005-1080 not fixed or something else. But > please note that CVE-2005-1080 talks about .. only. > > Debian security team forwarded the report to Oracle Security Team at > 2015-01-12 11:01 +0100. Thanks! This appears to have been fixed in the recent Java CPU and was assigned CVE-2015-0480: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html Cheers, Moritz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.