CVE-2017-10388

Name	CVE-2017-10388
Description	Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1187-1, DSA-4015-1, DSA-4048-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openjdk-7 (PTS)	jessie, jessie (lts)	7u321-2.6.28-0+deb8u1	fixed
openjdk-8 (PTS)	jessie, jessie (lts)	8u402-ga-1~deb8u1	fixed
	stretch (security)	8u332-ga-1~deb9u1	fixed
	stretch (lts), stretch	8u402-ga-1~deb9u1	fixed
	sid	8u412-ga-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
openjdk-6	source	wheezy	(unfixed)	end-of-life
openjdk-6	source	(unstable)	(unfixed)
openjdk-7	source	experimental	7u151-2.6.11-2
openjdk-7	source	wheezy	7u151-2.6.11-2~deb7u2		DLA-1187-1
openjdk-7	source	jessie	7u151-2.6.11-2~deb8u1		DSA-4048-1
openjdk-7	source	(unstable)	(unfixed)
openjdk-8	source	stretch	8u151-b12-1~deb9u1		DSA-4015-1
openjdk-8	source	(unstable)	8u151-b12-1
openjdk-9	source	(unstable)	9.0.1+11-1