Message-ID: <503C1BB6.70304@redhat.com>
Date: Mon, 27 Aug 2012 19:15:34 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: David Jorm <djorm@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, hdm@...asploit.com, jdrake@...p.org
Subject: Re: CVE Request: Java 7 code execution 0day

On 08/27/2012 06:27 PM, David Jorm wrote:
> Hi All
>
> A 0-day flaw exploited in the wild has been reported to affect Java
> 7:
>
> http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
>
> http://pastie.org/4594319
>
> This issue was confirmed to allow an unsigned applet to bypass Java
> applet restrictions and run arbitrary code on users' systems. A lot
> of public information is now available for this flaw:
>
> http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219.html
>
> http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
> https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
>
> https://github.com/rapid7/metasploit-framework/commit/52ca1083c22de7022baf7dca8a1756909f803341
>
> This flaw does not have a CVE ID assigned. I contacted Oracle
> asking if they have assigned one, but got no response. Can someone
> please assign a CVE ID to this flaw?
>
> Thanks

Please use CVE-2012-3539 for this issue in Java from Oracle.

Please note that additional CVEs may be issued if it is discovered
that this issue affects other versions of Java/etc.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993