CVE-2014-0416
Published: 15 January 2014
Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how principals are set for the Subject class, which allows attackers to escape the sandbox using deserialization of a crafted Subject instance.
Notes
| Author | Note |
|---|---|
| mdeslaur | in lucid+, NetX and the plugin moved to the icedtea-web package |
| jdstrand | sun-java6 is not redistributable, no longer in the archive and no longer tracked sun-java5 is EOL upstream and no longer tracked |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
openjdk-6 Launchpad, Ubuntu, Debian |
lucid |
Released
(6b30-1.13.1-1ubuntu2~0.10.04.1)
|
| precise |
Released
(6b30-1.13.1-1ubuntu2~0.12.04.1)
|
|
| quantal |
Released
(6b30-1.13.1-1ubuntu2~0.12.10.1)
|
|
| raring |
Ignored
(end of life, was deferred)
|
|
| saucy |
Released
(6b30-1.13.1-1ubuntu2~0.13.10.1)
|
|
| upstream |
Needs triage
|
|
|
openjdk-7 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Released
(7u51-2.4.4-0ubuntu0.12.04.2)
|
|
| quantal |
Released
(7u51-2.4.4-0ubuntu0.12.10.2)
|
|
| raring |
Released
(7u51-2.4.4-0ubuntu0.13.04.2)
|
|
| saucy |
Released
(7u51-2.4.4-0ubuntu0.13.10.1)
|
|
| upstream |
Released
(7u51-2.4.4-1)
|