| Summary: | java-1.8.0-openjdk new security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7.src.rpm | CVE: | |
| Status comment: | |||
|
Description
Nicolas Salguero
2020-01-15 09:56:36 CET

Nicolas Salguero
2020-01-15 09:57:02 CET
Whiteboard: (none) => MGA7TOO

RedHat has issued an advisory yesterday (January 20): https://access.redhat.com/errata/RHSA-2020:0157

@Nicolas: Have you an idea why tomcat fails to build on mga7 and Cauldron? https://bugs.mageia.org/show_bug.cgi?id=25987#c4

CC: (none) => geiger.david68210

(In reply to David GEIGER from comment #2)
> @Nicolas:
>
> Have you an idea why tomcat fails to build on mga7 and Cauldron?
>
> https://bugs.mageia.org/show_bug.cgi?id=25987#c4

I am trying to look at that problem. For what I understand, it does not correctly detect that we use a java 8 compiler and that the compilation must be done accordingly. I will try to find a way to force it to take that information into account.

I did not understand the problem correctly, but I managed to solve it. I now think the problem is with our version of ECJ, which does not have "CompilerOptions.VERSION_12", so, in my patch, I did the same thing as for "13" and replaced CompilerOptions.VERSION_12 by "12".

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951) (CVE-2020-2601)

Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422) (CVE-2020-2604)

Improper checks of SASL message properties in GssKrb5Base (Security, 8226352) (CVE-2020-2590)

Incorrect isBuiltinStreamHandler causing URL normalization issues (Networking, 8228548) (CVE-2020-2593)

Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)

Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909) (CVE-2020-2583)

Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795) (CVE-2020-2659)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2659
https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2020:0157
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-headless-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-devel-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-demo-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-src-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-javadoc-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-javadoc-zip-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-accessibility-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-openjfx-1.8.0.242-1.b07.1.mga7
java-1.8.0-openjdk-openjfx-devel-1.8.0.242-1.b07.1.mga7

from SRPMS:
java-1.8.0-openjdk-1.8.0.242-1.b07.1.mga7.src.rpm

Status: NEW => ASSIGNED

MGA7-64 Plasma on Lenovo B50
No installation issues

$ java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b07)
OpenJDK 64-Bit Server VM (build 25.242-b07, mixed mode)

Took example file from bug 20220

$ javac helloworld.java
[tester7@mach5 Documenten]$ java helloworld
Gtk-Message: 10:46:40.386: Failed to load module "canberra-gtk-module"
Hello World!
Hello World!

pressing the button twice.
OK for me.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs

That version of openjdk prevents building scilab (see bug 26061).

Keywords: validated_update => (none)

RedHat has issued another advisory: https://access.redhat.com/errata/RHSA-2020:0202

Blocks: (none) => 26061

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951) (CVE-2020-2601)

Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422) (CVE-2020-2604)

Improper checks of SASL message properties in GssKrb5Base (Security, 8226352) (CVE-2020-2590)

Incorrect isBuiltinStreamHandler causing URL normalization issues (Networking, 8228548) (CVE-2020-2593)

Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)

Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909) (CVE-2020-2583)

Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795) (CVE-2020-2659)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2659
https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2020:0202
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-headless-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-devel-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-demo-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-src-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-javadoc-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-javadoc-zip-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-accessibility-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-openjfx-1.8.0.242-1.b08.2.mga7
java-1.8.0-openjdk-openjfx-devel-1.8.0.242-1.b08.2.mga7

from SRPMS:
java-1.8.0-openjdk-1.8.0.242-1.b08.2.mga7.src.rpm

Blocks: 26061 => (none)

Installed new version.

$ java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)

$ javac helloworld.java
$ java helloworld
Gtk-Message: 09:54:08.825: Failed to load module "canberra-gtk-module"
Hello World!
Hello World!

pressing the button twice.
OK for me, but giving Nicolas the final word on the scilab issue.

Hi,

The problem with scilab is now solved by reverting some changes introduced in 8u242 to get the same behaviour as 8u232.

Best regards,

Nico.
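Both QA comments above confirm the update by reading `java -version` and comparing the build string by eye; the first candidate (8u242-b07) and the final one (8u242-b08) differ only in that trailing build number. The following POSIX shell check is an added example, not part of the bug report or of Mageia's QA tooling: it parses the `(build 1.8.0_UPDATE-bBUILD)` line of `java -version` output and reports whether the runtime is at least a given update and build, so the same check can be scripted across a fleet or run against captured output. The function names (`jdk8_update_build`, `strip_zeros`, `jdk8_at_least`) are this example's own; the embedded sample strings are constructed from the two version outputs quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the Mageia bug report: verify from `java -version`
# output that the installed OpenJDK 8 is at least a given update/build.
# Function names and the sample strings below are constructed for this example.

# Read `java -version` output on stdin and print "UPDATE BUILD" (e.g. "242 08")
# taken from the "(build 1.8.0_UPDATE-bBUILD)" line; prints nothing for
# anything that is not a Java 8 runtime (e.g. an OpenJDK 11 version string).
jdk8_update_build() {
    sed -n 's/.*(build 1\.8\.0_\([0-9][0-9]*\)-b\([0-9][0-9]*\)).*/\1 \2/p' | head -n 1
}

# Strip leading zeros so "08" is compared as 8 (a bare $((08)) is rejected as
# invalid octal by bash); an all-zero string becomes 0.
strip_zeros() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${v:-0}"
}

# jdk8_at_least "<java -version output>" MIN_UPDATE MIN_BUILD
# Returns 0 when the parsed version is >= 8uMIN_UPDATE-bMIN_BUILD, 1 otherwise
# (also 1 when the output is not a Java 8 version string at all).
jdk8_at_least() {
    parsed=$(printf '%s\n' "$1" | jdk8_update_build)
    [ -n "$parsed" ] || return 1
    upd=$(strip_zeros "${parsed% *}")
    bld=$(strip_zeros "${parsed#* }")
    [ "$upd" -gt "$2" ] && return 0
    [ "$upd" -eq "$2" ] && [ "$bld" -ge "$3" ] && return 0
    return 1
}

# Constructed samples: the two outputs reported in the validation comments.
SAMPLE_B07='openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b07)
OpenJDK 64-Bit Server VM (build 25.242-b07, mixed mode)'
SAMPLE_B08='openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)'

for s in "$SAMPLE_B07" "$SAMPLE_B08"; do
    if jdk8_at_least "$s" 242 8; then
        echo "$(printf '%s\n' "$s" | jdk8_update_build): at least 8u242-b08"
    else
        echo "$(printf '%s\n' "$s" | jdk8_update_build): older than 8u242-b08"
    fi
done

# Live check against the JVM on PATH, skipped when none is installed.
if command -v java >/dev/null 2>&1; then
    if jdk8_at_least "$(java -version 2>&1)" 242 8; then
        echo "installed java: at least 8u242-b08"
    else
        echo "installed java: older than 8u242-b08, or not Java 8"
    fi
fi
```

Note that `java -version` writes to stderr, hence the `2>&1` in the live check, and that the minimum here (242, 8) is the build from the second suggested advisory; the first candidate packages, 8u242-b07, are correctly reported as older.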
Herman Viaene
2020-01-28 13:12:02 CET
Whiteboard: (none) => MGA7-64-OK

Well then, validating once more. Advisory in Comment 10 this time.

Keywords: (none) => validated_update
Thomas Backlund
2020-01-30 18:19:41 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0069.html

Resolution: (none) => FIXED