CVE-2012-2739
Published: 28 November 2012
Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 and 8 before build 39, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Notes
Author | Note |
---|---|
sbeattie | openjdk-6b18 in oneiric has been superseded by openjdk-6; openjdk-6b18 in lucid & natty would be superseded by openjdk-6 except that openjdk-6 FTBFS on armel (LP: #1043003) |
jdstrand | this was actually fixed in usn-1619-1 as part of the new upstream releases, but it wasn't reported as such. |
Priority
Status
Package | Release | Status |
---|---|---|
openjdk-6 | hardy | Released (6b27-1.12.3-0ubuntu1~08.04.1) |
openjdk-6 | lucid | Released (6b24-1.11.5-0ubuntu1~10.04.2) |
openjdk-6 | natty | Ignored (end of life) |
openjdk-6 | oneiric | Released (6b24-1.11.5-0ubuntu1~11.10.1) |
openjdk-6 | precise | Released (6b24-1.11.5-0ubuntu1~12.04.1) |
openjdk-6 | quantal | Released (6b24-1.11.5-0ubuntu1~12.10.1) |
openjdk-6 | upstream | Released (6b24-1.11.5) |
openjdk-6b18 | hardy | Does not exist |
openjdk-6b18 | lucid | Ignored (end of life) |
openjdk-6b18 | natty | Ignored (end of life) |
openjdk-6b18 | oneiric | Ignored (end of life) |
openjdk-6b18 | precise | Does not exist |
openjdk-6b18 | quantal | Does not exist |
openjdk-6b18 | upstream | Needs triage |
openjdk-7 | hardy | Does not exist |
openjdk-7 | lucid | Does not exist |
openjdk-7 | natty | Does not exist |
openjdk-7 | oneiric | Released (7u9-2.3.3-0ubuntu1~11.10.1) |
openjdk-7 | precise | Released (7u9-2.3.3-0ubuntu1~12.04.1) |
openjdk-7 | quantal | Released (7u9-2.3.3-0ubuntu1~12.10.1) |
openjdk-7 | upstream | Released (7u9-2.3.3) |
sun-java5 | hardy | Ignored (end of life) |
sun-java5 | lucid | Does not exist |
sun-java5 | natty | Does not exist |
sun-java5 | oneiric | Does not exist |
sun-java5 | precise | Does not exist |
sun-java5 | quantal | Does not exist |
sun-java5 | upstream | Needs triage |
sun-java6 | hardy | Ignored (end of life) |
sun-java6 | lucid | Does not exist (removed from archive) |
sun-java6 | natty | Does not exist (removed from archive) |
sun-java6 | oneiric | Does not exist |
sun-java6 | precise | Does not exist |
sun-java6 | quantal | Does not exist |
sun-java6 | upstream | Needs triage |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2739
- http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html
- http://armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html
- http://www.openwall.com/lists/oss-security/2012/06/15/12
- http://www.openwall.com/lists/oss-security/2012/06/17/1
- https://ubuntu.com/security/notices/USN-1619-1
- NVD
- Launchpad
- Debian