openjdk team mailing list archive

[Todd Taft <1224723@xxxxxxxxxxxxxxxxxx>]

CVE-2013-2465 is a CVE against Java, although it is against Oracle Java.
It's not immediately clear to me whether or not this vulnerability is
also applicable to openJDK.  Can you confirm that this vulnerability
does not apply to openJDK (or that  it is already patched in this
version)?

Labeling the file as a "virus" is probably incorrect, but my concern was
that it represented an unpatched security vulnerability.

Most of the other files in http://bazaar.launchpad.net/~ubuntu-security
/ubuntu-cve-tracker/master/view/head:/README.virus have obvious reasons
that they would constitute false positives (e.g. they are samples of
exploits/viruses), but I don't see an obvious reason why this particular
file would be a false positive.  If this really is a false positive,
then I would suggest that it's a bug in the clam database, since that
means that it is detecting a Java security problem where none exists.

** Changed in: openjdk-6 (Ubuntu)
       Status: Invalid => New

** Also affects: clamav (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-6 in Ubuntu.
https://bugs.launchpad.net/bugs/1224723

Title:
  Clamscan finds CVE-2013-2465 in openjdk-6-jre-headless

Status in “clamav” package in Ubuntu:
  New
Status in “openjdk-6” package in Ubuntu:
  New

Bug description:
  Running a clamscan on a Ubuntu 12.04.3 system reports that
  vunlerability CVE-2013-2465 was detected in version
  6b27-1.12.6-1ubuntu0.12.04.2 of openjdk-6-jre-headless:

  Run this:
  #/usr/bin/clamscan -ri --max-filesize=100M /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/

  Get this:
  /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rt.jar: Java.Exploit.CVE_2013_2465 FOUND

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1224723/+subscriptions