| Summary: | java-1.8.0-openjdk new security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | brtians1, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK mga6-64-ok mga6-32-ok | ||
| Source RPM: | java-1.8.0-openjdk-1.8.0.161-1.b14.1.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2018-04-21 18:37:13 CEST
(In reply to David Walser from comment #0)
> RedHat has issued an advisory on April 19:
> https://access.redhat.com/errata/RHSA-2018:1191
>
> Corresponding Oracle CPU:
> http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
>
> The update is also available in Fedora, so I'll sync it in when I can.

Thanks :-)

You didn't assign to yourself, so assigning to the java stack maintainers and CC'ing the registered maintainer.

Assignee: bugsquad => java

I have the changes synced into mga5/mga6/Cauldron SVN, but again I can't update the Source4 as the script gives me a 404. Asking Nicolas Salguero for help again.

Whiteboard: (none) => MGA6TOO, MGA5TOO

Fedora has issued an advisory for this today (April 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YXDNLAT5DN3VAXFJVYPB64CG2NA7K2VU/

Thanks Nicolas for the help again with Source4.

Mageia 6 update built, Mageia 5 update building now.

java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6

from java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga5

from java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5.src.rpm

I need to check if there's any needed update to copy-jdk-configs, so advisory to come later.

Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814)

OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794)

OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795)

OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796)

OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797)

OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798)

OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799)

OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800)

OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815)

OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2815
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://access.redhat.com/errata/RHSA-2018:1191
========================

Updated packages in core/updates_testing:
========================
copy-jdk-configs-3.3-1.1.mga5
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga5
copy-jdk-configs-3.3-1.1.mga6
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6

from SRPMS:
copy-jdk-configs-3.3-1.1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5.src.rpm
copy-jdk-configs-3.3-1.1.mga6.src.rpm
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm

Assignee: java => qa-bugs

https://www.java.com/verify/
https://www.w3.org/People/mimasa/test/object/java/

Works fine on Mageia 5 x86_64.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 6 packages are going to be installed:

- copy-jdk-configs-3.3-1.1.mga6.noarch
- java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6.noarch
- java-1.8.0-openjfx-1.8.0.171-1.b11.2.mga6.x86_64

$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)

I ran some programs using the cryptography library as well as some swing/jfx routines that serialize and deserialize a bunch of classes. Working as designed.

Brian Rockwell
2018-05-03 15:48:37 CEST

CC: (none) => brtians1

$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux

The following 8 packages are going to be installed:

- copy-jdk-configs-3.3-1.1.mga6.noarch
- java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6.noarch
- java-atk-wrapper-0.33.2-3.mga6.i586

$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK Server VM (build 25.171-b10, mixed mode)

Installed icedtea-web.

Tried - https://www.java.com/verify/ - worked

Ran another application from command line.

Compiled a simple class using javac. Working as designed.

Whiteboard: MGA5TOO MGA5-64-OK mga6-64-ok => MGA5TOO MGA5-64-OK mga6-64-ok mga6-32-ok

@Brian : thanks for doing all the testing.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0218.html

Resolution: (none) => FIXED
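Several entries in the advisory above (CVE-2018-2796, -2797, -2798, -2799, -2815) are of the form "unbounded memory allocation during deserialization in ...": a crafted serialized stream carries a length field the JDK class trusted before the fix. As an added example that is not part of this bug report, of the Mageia packages or of OpenJDK's own fix, the Java program below shows the defence-in-depth check an application can keep in place on top of the patched JDK: a process-wide serialization filter configured through the jdk.serialFilter property (present in OpenJDK 8 from 8u121 onward), which caps array length, object-graph depth, reference count and stream size and allows only an explicit set of classes. The filter string, its limits and the three sample objects are assumptions chosen for illustration; the property is read once when the filter configuration is first initialised, so the program sets it before creating any ObjectInputStream, and passing -Djdk.serialFilter=... on the command line is the more robust way to apply the same policy.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.math.BigInteger;
import java.util.concurrent.PriorityBlockingQueue;

/**
 * Constructed example (not project code): bound what this process will
 * deserialize with the jdk.serialFilter mechanism (OpenJDK 8u121+).
 */
public class SerialFilterDemo {

    // Assumed policy: cap array length, graph depth, object count and stream
    // size; allow java.util and java.lang; reject every other class ("!*").
    static final String FILTER =
        "maxarray=1000;maxdepth=20;maxrefs=10000;maxbytes=1048576;"
        + "java.util.**;java.lang.**;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns the deserialized object, or null if the filter rejected the stream. */
    static Object deserializeOrNull(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        } catch (InvalidClassException e) {
            // A REJECTED filter decision surfaces as InvalidClassException
            // ("filter status: REJECTED") before the object is materialised.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Must run before the first ObjectInputStream exists in this JVM;
        // equivalent to: java -Djdk.serialFilter='<FILTER>' SerialFilterDemo
        System.setProperty("jdk.serialFilter", FILTER);

        // 1. A small PriorityBlockingQueue of Integers: every class involved
        //    is in java.util or java.lang and all limits are respected.
        PriorityBlockingQueue<Integer> q = new PriorityBlockingQueue<>();
        for (int i = 0; i < 10; i++) q.add(i);
        Object ok = deserializeOrNull(serialize(q));
        System.out.println("accepted queue of size "
            + ((PriorityBlockingQueue<?>) ok).size());

        // 2. An array whose declared length exceeds maxarray is rejected when
        //    the length is read, before element storage is allocated.
        Integer[] oversized = new Integer[5000];
        System.out.println("oversized array -> "
            + deserializeOrNull(serialize(oversized)));

        // 3. A class outside the allow list (java.math) hits the "!*" catch-all.
        System.out.println("BigInteger -> "
            + deserializeOrNull(serialize(BigInteger.TEN)));
    }
}
```

Compile and run it with the updated JDK from this bug (javac SerialFilterDemo.java && java SerialFilterDemo); case 1 prints the accepted queue size, cases 2 and 3 print a "filter status: REJECTED" line followed by null. The limits matter more than the allow list for the CVEs listed here: even after the JDK-side fixes, maxarray and maxrefs give an application its own ceiling on how much memory an untrusted stream can ask for.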