| Summary: | java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk new security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | Java Stack Maintainers <java> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, ouaurelien, sysadmin-bugs |
| Version: | 7 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk | CVE: | CVE-2021-2161, CVE-2021-2163 |
| Status comment: | |||
| Bug Depends on: | 29145 | ||
| Bug Blocks: | |||
| Attachments: | urpmi --test log up until canceled; urpmi --debug log | ||
|
Description
Nicolas Salguero
2021-05-04 10:22:45 CEST
Nicolas Salguero
2021-05-04 10:24:01 CEST
Source RPM:
(none) =>
java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk

Hi, thanks for reporting this. Assigning to Java Stack maintainers.

CC:
(none) =>
ouaurelien

ok, taking it.

Status:
NEW =>
ASSIGNED

Java8:
-mga7:
- copy-jdk-configs-4.0-1.mga7
- java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga7
-mga8:
- copy-jdk-configs-4.0-1.mga8
- java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga8
Java 11 in progress.

Fails to install in Mageia 7 i586 ...

    A requested package cannot be installed:
    copy-jdk-configs-4.0-1.mga7.noarch (due to unsatisfied /usr/bin/lua)

Not clear why ...

    # ll /usr/bin/lua*
    lrwxrwxrwx 1 root root 21 Sep 25 2020 /usr/bin/lua -> /etc/alternatives/lua*
    -rwxr-xr-x 1 root root 234180 Sep 2 2020 /usr/bin/lua5.2*
    lrwxrwxrwx 1 root root 22 Sep 25 2020 /usr/bin/luac -> /etc/alternatives/luac*
    -rwxr-xr-x 1 root root 158468 Sep 2 2020 /usr/bin/luac5.2*
    [root@i7v ~]# ll /etc/alternatives/lua
    lrwxrwxrwx 1 root root 15 Sep 25 2020 /etc/alternatives/lua -> /usr/bin/lua5.2*

CC:
(none) =>
davidwhodgins

Java8:
-mga7:
- timezone-2021a-1.1.mga7
- copy-jdk-configs-4.0-1.1.mga7
- java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga7
-mga8:
- copy-jdk-configs-4.0-1.mga8
- java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga8

Nicolas, you need to build the mga7 timezone update without the subrel.

Also on Mageia 7 ...

    Sorry, the following package cannot be selected:
    - java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga7.x86_64 (due to unsatisfied libXcomposite(x86-64))

    # rpm -q --provides lib64xcomposite1
    lib64xcomposite1 = 0.4.5-1.mga7
    lib64xcomposite1(x86-64) = 0.4.5-1.mga7
    libXcomposite.so.1()(64bit)
    libxcomposite = 0.4.5

That's not a problem on Mageia 8 ...

    $ rpm -q --provides lib64xcomposite1
    lib64xcomposite1 = 0.4.5-3.mga8
    lib64xcomposite1(x86-64) = 0.4.5-3.mga8
    libXcomposite(x86-64) = 0.4.5
    libXcomposite.so.1()(64bit)
    libxcomposite = 0.4.5

Now getting ...

    Sorry, the following package cannot be selected:
    - java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga7.x86_64 (due to unsatisfied xorg-x11-fonts-Type1)

    # urpmq -y xorg-x11|grep font|sort -u
    xorg-x11-100dpi-fonts
    xorg-x11-75dpi-fonts
    [root@x3 ~]# rpm -q --provides xorg-x11-100dpi-fonts
    X11-100dpi-fonts
    XFree86-100dpi-fonts = 7.7-8.mga7
    XFree86-ISO8859-2-100dpi-fonts
    XFree86-ISO8859-9-100dpi-fonts
    xorg-x11-100dpi-fonts = 7.7-8.mga7
    xorg-x11-100dpi-fonts(x86-64) = 7.7-8.mga7
    xorg-x11-fonts
    # rpm -q --provides xorg-x11-75dpi-fonts
    X11-75dpi-fonts
    XFree86-75dpi-fonts = 7.7-8.mga7
    xorg-x11-75dpi-fonts = 7.7-8.mga7
    xorg-x11-75dpi-fonts(x86-64) = 7.7-8.mga7
    xorg-x11-fonts
    # urpmq -y Type1
    No package named Type1
    # urpmq -y type1
    fonts-type1-cyrillic
    fonts-type1-greek
    fonts-type1-hebrew
    x11-font-adobe-utopia-type1
    x11-font-bh-type1
    x11-font-bitstream-type1
    x11-font-type1
    x11-font-xfree86-type1

java-1.8.0-openjdk is still not installable, causing rootcerts not to be buildable for the Firefox update.

Adding sysadmin team to cc list.

Please remove java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga7.src.rpm and its associated rpm packages from the Mageia 7 Core Updates Testing repositories.

CC:
(none) =>
sysadmin-bugs

Ping

To get this security update going again, I recommend splitting it into two. One for Mageia 7 and one for Mageia 8.

The Mageia 8 update looks ready to go.

The Mageia 7 update either needs to be redone using the starting with the latest working Mageia 7 srpm, or it also has to include all of the packages used as dependencies of openjdk that have changed names between Mageia 7 and 8.

Another option for Mageia 7 is to simply drop this update for it since m7 will reach end of support in a little over 2 weeks.

Regardless, the java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga7.src.rpm and associated rpm packages need to be removed from the Mageia 7 updates testing repos.

Why remove java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga7.src.rpm from repos? It still does not install?

I removed all and fixed/rebuilt.

For Mageia 8 I need to understand why java11 fails to bundle all the files :)

Created attachment 12771
urpmi --test log up until canceled
I wasn't aware it had been rebuilt. It is still not ok.
Attaching the urpmi log up until I canceled.

Thank you for the log, I found an error.

Btw new java 11 available on cauldron, I backport on mga8

Can you test new java8 on mga7 please?

Still fails ...

    installed java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64 is conflicting because of unsatisfied libjvm.so()(64bit)
    installed java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64 is conflicting because of unsatisfied libjvm.so(SUNWprivate_1.1)(64bit)
    installed java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64 is conflicting because of unsatisfied libjava.so(SUNWprivate_1.1)(64bit)
    installed java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64 is conflicting because of unsatisfied libjli.so(SUNWprivate_1.1)(64bit)
    installed java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64 is conflicting because of unsatisfied libjava.so()(64bit)
    installed java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64 is conflicting because of unsatisfied libawt.so()(64bit)
    installed java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64 is conflicting because of unsatisfied libjli.so()(64bit)

Please provide the whole logs, this part isn't useful.

java11 mageia 8
src:
- java-11-openjdk-11.0.11.0.9-0.1.mga8
Created attachment 12774
urpmi --debug log
full urpmi --debug log
Attachment 12771 is obsolete:
0 =>
1

On Mageia 8 the update installs cleanly.

Can you tell me on Mageia 7 what requires "libjawt.so(SUNWprivate_1.1)(64bit)"? They will need a rebuild.
Nicolas Lécureuil
2021-06-16 21:47:25 CEST
Whiteboard:
MGA8TOO, MGA7TOO =>
MGA7TOO
Nicolas Lécureuil
2021-06-16 21:47:53 CEST
Blocks:
(none) =>
29145
Nicolas Lécureuil
2021-06-16 21:48:22 CEST
Whiteboard:
MGA7TOO =>
(none)

urpmq --whatrequires only works with package names, not files or provides as far as I know.

While the command urpmq --whatprovides 'libjawt.so(SUNWprivate_1.1)(64bit)' does show that the java openjdk package provides the file, I don't know of any way to find which packages require the file.

The command 'urpmq --whatrequires-recursive java-1.8.0-openjdk' shows which packages require it by package name, but it's missing things like libreoffice that require by file name/arch.

I suspect that a search in the Mageia svn repo will be required to find all of the package names.
Nicolas Lécureuil
2021-06-16 23:15:20 CEST
Blocks:
(none) =>
29145

https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution:
(none) =>
OLD |