Bug 30401

Summary:	java-1.8.0-openjdk, java-11-openjdk and java-17-openjdk new security issues
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, bequimao.de, brtians1, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	java-1.8.0-openjdk, java-11-openjdk	CVE:
Status comment:
Attachments:	Hello World - pop-up instead of jfx

Description Nicolas Salguero 2022-05-09 15:24:06 CEST

RedHat has issued several advisories:
https://access.redhat.com/errata/RHSA-2022:1491 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2022:1442 (java-11-openjdk)

Moreover, for Cauldron (java-latest-openjdk):
https://access.redhat.com/errata/RHSA-2022:1445

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA

Nicolas Salguero 2022-05-09 15:24:28 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk

Comment 1 Lewis Smith 2022-05-09 21:40:32 CEST

Both these SRPMs look good for NicolasL, so assigning to you.

Assignee: bugsquad => mageia

Comment 2 Nicolas Lécureuil 2022-05-30 08:24:48 CEST

working on it now

Status: NEW => ASSIGNED

Comment 3 Nicolas Lécureuil 2022-06-08 15:54:32 CEST

java-1.8.0-openjdk is now up to date on mga 8/9

Comment 4 Nicolas Lécureuil 2022-06-14 21:51:28 CEST

ok on cauldron.

java 1.8.0 java 11 java 17 and latest

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 5 Nicolas Lécureuil 2022-06-15 10:51:43 CEST

Fixed in mga8 for java 8 and 11 ( 17 is on backport )

src:
  - java-11-openjdk-11.0.15.0.10-1.mga8
  - java-1.8.0-openjdk-1.8.0.332.b09-1.1.mga8

Assignee: mageia => qa-bugs

Comment 6 David Walser 2022-06-15 16:46:01 CEST

madb has the package list:
http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/30401/application/0

Comment 7 David Walser 2022-06-16 22:32:39 CEST

(In reply to David Walser from comment #6)
> madb has the package list:
> http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/30401/application/0

Addendum, the timezone update is part of this bug too.

timezone-2022a-1.mga8
timezone-java-2022a-1.mga8

from timezone-2022a-1.mga8.src.rpm

Comment 8 Herman Viaene 2022-06-17 09:48:42 CEST

Trying to load in QARepo gets me:
The following errors occured:
ava-1.8.0-openjdk-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-demo-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-devel-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-headless-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-src-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-demo-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-devel-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-headless-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-javadoc-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-javadoc-zip-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-jmods-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-src-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-static-libs-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository

CC: (none) => herman.viaene

Comment 9 Herman Viaene 2022-06-17 10:02:03 CEST

Sorry, selected the wrong RPM list

Comment 10 Herman Viaene 2022-06-17 10:49:52 CEST

MGA8-64 Plasma on Acer Aspire 5253
No installation issues
$ java -version
openjdk version "11.0.15" 2022-04-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.15+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+10-LTS, mixed mode, sharing)
$ javac -version
javac 11.0.15

But trying to compile the helloworld.java from bug 20220 runs into

helloworld.java:2: error: package javafx.application does not exist
import javafx.application.Application;

Tried to overcome this by installing openjfx 11.0.9.2 to no avail.
LO tested by running odb with forms and reports, all work OK
I wish someone could provide a simple helloworld.java......

Comment 11 Brian Rockwell 2022-06-20 17:08:28 CEST

Created attachment 13307 [details]
Hello World - pop-up instead of jfx

Ditching jfx since it is deprecated.  This uses a single swing component.

Compiled and tested, found online (see attached)

The following 4 packages are going to be installed:

- java-11-openjdk-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-devel-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-headless-11.0.15.0.10-1.mga8.x86_64
- timezone-java-2022a-1.mga8.noarch

javac -cp . Helloworldnojfx.java
java -cp . Helloworldnojfx
Hello World!

CC: (none) => brtians1

Comment 12 Ulrich Beckmann 2022-06-22 20:51:02 CEST

I installed the package list without any error.

However, on reboot the KDE Plasma painel was crippled, systemtray missing. Is there any connection?

Ulrich

CC: (none) => bequimao.de

Comment 13 David Walser 2022-06-22 22:35:21 CEST

No, Plasma doesn't use Java.

Comment 14 Ulrich Beckmann 2022-06-23 17:01:40 CEST

@ David: thanks for clarification.
I could reconfigure the painel now. The issue is not reproducible.

I accessed various banking sites using java or javascript. No regression seen.

KDE Plasma amd64.

Ulrich

Comment 15 David Walser 2022-06-23 18:49:20 CEST

Java and Javascript are not related, and web browsers don't support the Java plug-in anymore, for some time now.  Java would have to be tested directly, by running Java applications.

Comment 16 Herman Viaene 2022-06-24 16:35:11 CEST

Tested own home-made LO-Base application (requires java) and it works OK.

Comment 17 Brian Rockwell 2022-06-29 16:01:23 CEST

Installing the following

- java-11-openjdk-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-devel-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-headless-11.0.15.0.10-1.mga8.x86_64
- timezone-java-2022a-1.mga8.noarch


verified 11.0.15 was installed

$ java -version
openjdk version "11.0.15" 2022-04-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.15+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+10-LTS, mixed mode, sharing)

Ran Eclipse

It is reflecting java 11.0.15 as well.  Java 11 is validated

Comment 18 Thomas Andrews 2022-07-14 15:23:41 CEST

Not sure why no one gave this an OK, so I did my own small test. 

Downloaded all the many 64-bit rpms with qarepo, then ran drakrpm-update. It presented me with the timezone packages, java-11-openjdk and java-11-openjdk-headless. Packages installed without issue. 

I was given an option to use an rpmnew file with each package, but was advised that if I wasn't sure, do nothing. Not being very sure of anything these days, that's what I did - nothing.

I ran Libreoffice Calc and Writer on old documents, made some modifications, then closed without saving them. All went well.

OKing this based on my test and all the others, and validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-07-15 23:32:42 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 19 Mageia Robot 2022-07-16 21:59:12 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0261.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED