Bug 23071

Summary: java-1.8.0-openjdk Spectre V4 mitigation (CVE-2018-3639)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, herman.viaene, mageia, mageia, marja11, nicolas.salguero, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm CVE: CVE-2018-3639
Status comment:

Description David Walser 2018-05-22 23:11:01 CEST
RedHat has issued an advisory on May 21:
https://access.redhat.com/errata/RHSA-2018:1649

This update is not yet available in Fedora.
Comment 1 Marja Van Waes 2018-05-23 08:41:16 CEST
Assigning to the Java Stack maintainers, CC'ing the registered maintainer.

CC: (none) => mageia, marja11
Assignee: bugsquad => java

Comment 2 Nicolas Salguero 2018-06-14 13:16:53 CEST
Hi,

I tried to synch with fedora (java-1.8.0-openjdk-1.8.0.172-3.b11.fc29) but the build fail:
"""
BuildJaxws.gmk:110: Building /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip [...]
/usr/bin/touch /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip
+ /usr/bin/touch /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip
I: [iurt_root_command] ERROR: chroot
"""

See, for example: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20180614094159.ns80.duvel.16124/log/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7/build.0.20180614094207.log.

I do not understand what the problem is.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2018-06-17 02:22:12 CEST
Tips on updating this package:
1) Sync with the oldest still-supported Fedora release (to make sure there aren't any changes that won't work with our older Java stack)
2) Only sync changes that were actually changed since the last sync, i.e.
3) Don't do a full re-sync

Once I re-did the update as such, all I had to do was disable systemtap for now (not clear why that wasn't working as it looked like it should) and it built.  Maybe in Mageia 6 it'll work with systemtap; we'll see.
Comment 4 Nicolas Salguero 2018-06-18 15:43:02 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
========================

Updated package in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-devel-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-demo-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-src-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.172-1.b11.1.mga6

from SRPMS:
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2018-3639
Assignee: java => qa-bugs

Comment 5 David Walser 2018-06-23 17:21:15 CEST
Changes synced into Mageia 5 SVN.  Not pushing a build for this issue.
Comment 6 David Walser 2018-06-25 23:08:06 CEST
We should include the copy-jdk-configs update with this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4I24YKXTTHZRA6EVCABUSI7PP5DLAAIL/
Comment 7 Nicolas Salguero 2018-06-26 09:33:44 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
========================

Updated package in core/updates_testing:
========================
copy-jdk-configs-3.7-1.mga6
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-devel-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-demo-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-src-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.172-1.b11.1.mga6

from SRPMS:
copy-jdk-configs-3.7-1.mga6.src.rpm
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6.src.rpm
Comment 8 David Walser 2018-06-26 12:55:13 CEST
Thanks.  copy-jdk-configs update checked into Mageia 5 SVN as well.
Comment 9 Herman Viaene 2018-06-29 11:00:02 CEST
MGA6-32 on IBM Thinkpad R50e
No installation issues.
Searching installed jar on the machine, found bsh.jar. Run that one and found an example at http://www.beanshell.org/manual/quickstart.html, works OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 10 PC LX 2018-06-29 13:39:09 CEST
Installed and tested without issues.

Tested using several applications and tools (e.g. netbeans, yuicompressor, htmlcleaner, nvidia-visual-profiler, nvidia-nsight, freecol). No regressions noticed.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 4.14.50-desktop-2.mga6 #1 SMP Mon Jun 18 11:23:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep java-1.8.0
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => mageia

Comment 11 Dave Hodgins 2018-07-01 04:07:24 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Mageia Robot 2018-07-01 19:18:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0298.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED