CVE-2016-5542

Priority
Description
Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java
SE Embedded 8u101 allows remote attackers to affect integrity via vectors
related to Libraries.
Ubuntu-Description
It was discovered that OpenJDK did not restrict the set of algorithms
used for Jar integrity verification. An attacker could use this
to modify without detection the content of a JAR file, affecting
system integrity.
Notes
sbeattie: The following algorithms and key sizes are restricted in
this release:
- MD2 (in either the digest or signature algorithm)
- RSA keys less than 1024 bits
Upstream is planning to restrict MD5-based signatures in
signed JARs in the January 2017 CPU.

The list of disabled algorithms is controlled via a new security
property, jdk.jar.disabledAlgorithms, in the java.security
file. This property contains a list of disabled algorithms and
key sizes for cryptographically signed JAR files.
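
As an added example (not part of this tracker entry and not OpenJDK code), the following Python check reads the text of a java.security file and reports whether jdk.jar.disabledAlgorithms carries the two restrictions listed in the note above. The function names and sample file contents are constructed for illustration, and the parser assumes `key=value` entries with backslash line continuations.

```python
import re

PROP = "jdk.jar.disabledAlgorithms"

# Constructed sample in java.security syntax (not copied from a real install).
SAMPLE_OK = """\
# Algorithm restrictions for signed JAR files
jdk.jar.disabledAlgorithms=MD2, \\
    RSA keySize < 1024
"""
SAMPLE_WEAK = "jdk.jar.disabledAlgorithms=RSA keySize < 512\n"  # constructed

def read_property(text, name):
    """Return the last value set for `name`, or None. Assumes key=value entries."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#!"):
            continue                    # blank line or comment
        if line.endswith("\\"):         # trailing backslash continues the entry
            buf += line[:-1]
            continue
        entries.append(buf + line)
        buf = ""
    if buf:
        entries.append(buf)
    value = None
    for entry in entries:
        key, sep, val = entry.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
    return value

def audit(text):
    """Report whether the restrictions named in the notes are configured."""
    value = read_property(text, PROP)
    result = {"present": value is not None, "md2": False, "rsa_lt_1024": False}
    for rule in (r.strip() for r in (value or "").split(",")):
        if rule.upper() == "MD2":
            result["md2"] = True
        m = re.fullmatch(r"RSA(?:\s+keySize\s*(<=|<)\s*(\d+))?", rule, re.I)
        if m and m.group(1) is None:
            result["rsa_lt_1024"] = True   # bare "RSA" disables every key size
        elif m:
            bound = int(m.group(2)) + (m.group(1) == "<=")
            result["rsa_lt_1024"] |= bound >= 1024
    return result

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(label, audit(text))
```

A result with `present` false means the property is not set in the text that was checked, which is what a java.security file from before this update would show.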
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [6b40-1.13.12-0ubuntu0.14.04.3])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was released [7u121-2.6.8-1ubuntu0.14.04.1])
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (8u111-b14-2ubuntu0.16.04.2)
Updated: 2019-12-05 18:45:45 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)