| Summary: | java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk new security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Lécureuil <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, java, mageia, nicolas.salguero, ouaurelien, security, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk | CVE: | CVE-2021-2161, CVE-2021-2163 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 28874 | | |

Description
Nicolas Lécureuil
2021-06-16 21:47:53 CEST
Nicolas Lécureuil
2021-06-16 21:48:22 CEST
Depends on:
28874 =>
(none)

mageia 8

src:
- java-11-openjdk-11.0.11.0.9-0.1.mga8
- copy-jdk-configs-4.0-1.mga8
- java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga8

Assignee:
bugsquad =>
qa-bugs

openjdk 11

The following 6 packages are going to be installed:
- copy-jdk-configs-4.0-1.mga8.noarch
- java-11-openjdk-11.0.11.0.9-0.1.mga8.x86_64
- java-11-openjdk-devel-11.0.11.0.9-0.1.mga8.x86_64
- java-11-openjdk-headless-11.0.11.0.9-0.1.mga8.x86_64
- java-11-openjdk-javadoc-zip-11.0.11.0.9-0.1.mga8.x86_64
- java-11-openjdk-jmods-11.0.11.0.9-0.1.mga8.x86_64

$ java -version
openjdk version "11.0.11" 2021-04-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.11+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.11+9-LTS, mixed mode, sharing)

$ javac -version
javac 11.0.11

Installed Eclipse and Java dev modules and created hello world app.
Eclipse is using 11.0.11.0.9 and compiled as such.
Working as designed.

CC:
(none) =>
brtians1

MGA8 - 64, Gnome, Vbox
Installed the following - note 11 came along with 8
The following 19 packages are going to be installed:
- copy-jdk-configs-4.0-1.mga8.noarch
- java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-demo-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-demo-fastdebug-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-devel-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-devel-fastdebug-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-fastdebug-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-headless-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-headless-fastdebug-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-javadoc-zip-1.8.0.292.b10-1.1.mga8.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.292.b10-1.1.mga8.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.292.b10-1.1.mga8.x86_64
- java-11-openjdk-11.0.11.0.9-0.1.mga8.x86_64
- java-11-openjdk-devel-11.0.11.0.9-0.1.mga8.x86_64
- java-11-openjdk-headless-11.0.11.0.9-0.1.mga8.x86_64
- openjfx8-8.0.202-25.b07.2.mga8.x86_64
- openjfx8-devel-8.0.202-25.b07.2.mga8.x86_64
- x11-font-type1-1.0.0-16.mga8.noarch
- x11-font-xfree86-type1-1.0.4-9.mga8.noarch
Installed Eclipse and picked out java 8 environment.
Then set up this program:
package helloWorld;

public class Hellobrian {
    public static void main(String[] args) {
        System.out.println("Hello Java");
        System.out.println(System.getProperty("java.version"));
    }
}
----console output
Hello Java
1.8.0_292
Brian Rockwell
2021-06-26 22:14:58 CEST
Whiteboard:
(none) =>
MGA8-64-OK

Validating.

CC:
(none) =>
andrewsfarm

Advisory:
========================

Updated java packages fix security vulnerabilities:

For java-1.8.0

## Security fixes
- JDK-8227467: Better class method invocations
- JDK-8244473: Contextualize registration for JNDI
- JDK-8244543: Enhanced handling of abstract classes
- JDK-8249906, CVE-2021-2163: Enhance opening JARs
- JDK-8250568, CVE-2021-2161: Less ambiguous processing
- JDK-8253799: Make lists of normal filenames

## Other significant changes
- JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
- JDK-8244286: Tools Warn If Weak Algorithms Are Used
- JDK-8256490: Disable TLS 1.0 and 1.1
- JDK-8242147: New System Properties to Configure the TLS Signature Schemes
- JDK-8177368: Several incorporation steps are silently failing when an error should be reported

For java-11

## Security fixes
- JDK-8244473: Contextualize registration for JNDI
- JDK-8244543: Enhanced handling of abstract classes
- JDK-8249906, CVE-2021-2163: Enhance opening JARs
- JDK-8250568, CVE-2021-2161: Less ambiguous processing
- JDK-8253799: Make lists of normal filenames
- JDK-8257001: Improve HTTP Client Support

## Other significant changes
- LDAP Channel Binding Support for Java GSS/Kerberos
- Disable TLS 1.0 and 1.1
- jdeps --print-module-deps Reports Transitive Dependencies
- XML declaration is not followed by a newline
- SystemTap tapsets updated to support OpenJDK 11

References:
- https://bugs.mageia.org/show_bug.cgi?id=29145
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFXOKM2233JVGYDOWW77BN54X3GZTIBK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CG7EWXSO6JUCVHP7R3SOZQ7WPNBOISJH/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UD3JEP4HPLK7MNZHVUMKIJPBP74M3A2V/
- https://www.oracle.com/security-alerts/cpuapr2021.html#AppendixJAVA

========================

Updated packages in core/updates_testing:
========================
copy-jdk-configs-4.0-1.mga8
java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-demo-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-devel-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-headless-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-javadoc-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-javadoc-zip-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-openjfx-devel-1.8.0.292.b10-1.1.mga8
java-1.8.0-openjdk-src-1.8.0.292.b10-1.1.mga8
java-11-openjdk-11.0.11.0.9-0.1.mga8
java-11-openjdk-demo-11.0.11.0.9-0.1.mga8
java-11-openjdk-devel-11.0.11.0.9-0.1.mga8
java-11-openjdk-headless-11.0.11.0.9-0.1.mga8
java-11-openjdk-javadoc-11.0.11.0.9-0.1.mga8
java-11-openjdk-javadoc-zip-11.0.11.0.9-0.1.mga8
java-11-openjdk-jmods-11.0.11.0.9-0.1.mga8
java-11-openjdk-src-11.0.11.0.9-0.1.mga8
java-11-openjdk-static-libs-11.0.11.0.9-0.1.mga8

from SRPM:
java-11-openjdk-11.0.11.0.9-0.1.mga8
copy-jdk-configs-4.0-1.mga8
java-1.8.0-openjdk-1.8.0.292.b10-1.1.mga8
Aurelien Oudelet
2021-06-28 22:19:49 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0298.html

Resolution:
(none) =>
FIXED
David Walser
2021-07-01 18:31:42 CEST
Depends on:
28874 =>
(none)