| Summary: | java-1.8.0-openjdk Spectre V4 mitigation (CVE-2018-3639) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, mageia, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm | CVE: | CVE-2018-3639 |
| Status comment: | | | |
Description
David Walser
2018-05-22 23:11:01 CEST
Assigning to the Java Stack maintainers, CC'ing the registered maintainer.

CC: (none) => mageia, marja11

Hi,

I tried to synch with Fedora (java-1.8.0-openjdk-1.8.0.172-3.b11.fc29) but the build fails:
"""
BuildJaxws.gmk:110: Building /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip
[...]
/usr/bin/touch /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip
+ /usr/bin/touch /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip
I: [iurt_root_command] ERROR: chroot
"""

See, for example: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20180614094159.ns80.duvel.16124/log/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7/build.0.20180614094207.log.

I do not understand what the problem is.

CC:
(none) => nicolas.salguero

Tips on updating this package:
1) Sync with the oldest still-supported Fedora release (to make sure there aren't any changes that won't work with our older Java stack)
2) Only sync changes that were actually changed since the last sync, i.e.
3) Don't do a full re-sync

Once I re-did the update as such, all I had to do was disable systemtap for now (not clear why that wasn't working as it looked like it should) and it built. Maybe in Mageia 6 it'll work with systemtap; we'll see.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
========================

Updated package in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-devel-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-demo-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-src-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.172-1.b11.1.mga6

from SRPMS:
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6.src.rpm

Status:
NEW => ASSIGNED

Changes synced into Mageia 5 SVN. Not pushing a build for this issue.

We should include the copy-jdk-configs update with this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4I24YKXTTHZRA6EVCABUSI7PP5DLAAIL/

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
========================

Updated package in core/updates_testing:
========================
copy-jdk-configs-3.7-1.mga6
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-devel-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-demo-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-src-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.172-1.b11.1.mga6

from SRPMS:
copy-jdk-configs-3.7-1.mga6.src.rpm
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6.src.rpm

Thanks. copy-jdk-configs update checked into Mageia 5 SVN as well.

MGA6-32 on IBM Thinkpad R50e
No installation issues.
Searching installed jar on the machine, found bsh.jar. Run that one and found an example at http://www.beanshell.org/manual/quickstart.html, works OK.

CC:
(none) => herman.viaene

Installed and tested without issues.

Tested using several applications and tools (e.g. netbeans, yuicompressor, htmlcleaner, nvidia-visual-profiler, nvidia-nsight, freecol). No regressions noticed.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.50-desktop-2.mga6 #1 SMP Mon Jun 18 11:23:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep java-1.8.0
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6

Whiteboard:
MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Advisory committed to svn. Validating the update.

Keywords:
(none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0298.html

Status:
ASSIGNED => RESOLVED