| Summary: | java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk new security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED DUPLICATE | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, java, mageia, nicolas.salguero, security |
| Version: | 8 | Keywords: | feedback |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk | CVE: | |
| Status comment: | |||
| Bug Depends on: | 30753 | ||
| Bug Blocks: | |||
Description

Nicolas Salguero
2022-11-08 09:31:06 CET

Nicolas Salguero
2022-11-08 09:31:54 CET

Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk => java-17-openjdk, java-latest-openjdk

Assigning to the Java maintainers.

Assignee: bugsquad => java

RedHat has issued another advisory:
https://access.redhat.com/errata/RHSA-2023:0194 (java-17-openjdk)

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpujan2023.html#AppendixJAVA

Hi,

java-17-openjdk-17.0.6.0.10-1.mga9 solves those issues.

java-latest-openjdk needs to be updated.

Best regards,

Nico.

RedHat has issued another advisory:
https://access.redhat.com/errata/RHSA-2023:1904 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2023:1880 (java-11-openjdk)
https://access.redhat.com/errata/RHSA-2023:1879 (java-17-openjdk)

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA

Source RPM: java-17-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk

Nicolas Salguero
2023-05-25 17:05:06 CEST

Whiteboard: (none) => MGA8TOO

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Improper connection handling during TLS handshake. (CVE-2023-21930)

Incorrect enqueue of references in garbage collector. (CVE-2023-21954)

Certificate validation issue in TLS session negotiation. (CVE-2023-21967)

Swing HTML parsing issue. (CVE-2023-21939)

Incorrect handling of NULL characters in ProcessBuilder. (CVE-2023-21938)

Missing string checks for NULL characters. (CVE-2023-21937)

Missing check for slash characters in URI-to-path conversion. (CVE-2023-21968)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968
https://access.redhat.com/errata/RHSA-2023:1904
https://access.redhat.com/errata/RHSA-2023:1880
https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-debugsource-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-demo-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-demo-fastdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-demo-slowdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-devel-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-devel-fastdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-devel-slowdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-fastdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-javadoc-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-javadoc-zip-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-headless-fastdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-headless-slowdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-devel-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-slowdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-src-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-src-fastdebug-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-src-slowdebug-1.8.0.372.b07-1.mga8
java-11-openjdk-11.0.19.0.7-2.mga8
java-11-openjdk-debugsource-11.0.19.0.7-2.mga8
java-11-openjdk-demo-11.0.19.0.7-2.mga8
java-11-openjdk-demo-fastdebug-11.0.19.0.7-2.mga8
java-11-openjdk-demo-slowdebug-11.0.19.0.7-2.mga8
java-11-openjdk-devel-11.0.19.0.7-2.mga8
java-11-openjdk-devel-fastdebug-11.0.19.0.7-2.mga8
java-11-openjdk-devel-slowdebug-11.0.19.0.7-2.mga8
java-11-openjdk-fastdebug-11.0.19.0.7-2.mga8
java-11-openjdk-javadoc-11.0.19.0.7-2.mga8
java-11-openjdk-javadoc-zip-11.0.19.0.7-2.mga8
java-11-openjdk-jmods-11.0.19.0.7-2.mga8
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-2.mga8
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-2.mga8
java-11-openjdk-headless-11.0.19.0.7-2.mga8
java-11-openjdk-headless-fastdebug-11.0.19.0.7-2.mga8
java-11-openjdk-headless-slowdebug-11.0.19.0.7-2.mga8
java-11-openjdk-slowdebug-11.0.19.0.7-2.mga8
java-11-openjdk-src-11.0.19.0.7-2.mga8
java-11-openjdk-src-fastdebug-11.0.19.0.7-2.mga8
java-11-openjdk-src-slowdebug-11.0.19.0.7-2.mga8
java-11-openjdk-static-libs-11.0.19.0.7-2.mga8
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-2.mga8
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-2.mga8

from SRPMS:
java-1.8.0-openjdk-1.8.0.372.b07-1.mga8.src.rpm
java-11-openjdk-11.0.19.0.7-2.mga8.src.rpm

Version: Cauldron => 8

1 installation transactions failed

There was a problem during the installation:

file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from package openjfx-3:11.0.9.2-3.mga8.x86_64

file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from package openjfx-devel-3:11.0.9.2-3.mga8.x86_64

CC: (none) => herman.viaene

PC LX
2023-06-13 20:47:22 CEST

CC: (none) => mageia

(In reply to Herman Viaene from comment #6)
> 1 installation transactions failed
>
> There was a problem during the installation:
>
> file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from
> install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from
> package openjfx-3:11.0.9.2-3.mga8.x86_64
>
> file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from
> install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from
> package openjfx-devel-3:11.0.9.2-3.mga8.x86_64

This issue came up in https://bugs.mageia.org/show_bug.cgi?id=30753#c11 but was later ignored. What can be done to resolve it?

CC: (none) => andrewsfarm

Installed and tested without issues.

I don't have the package openjfx installed so I do not see the file conflict reported by @Herman Viaene.

Tested with:
- netbeans (upstream)
- edugraphe
- ganttproject
- libreoffice
- yuicompressor
- freecol.

No regressions noticed.

System: Mageia 8, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.1.34-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Wed Jun 14 19:14:11 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -P '(java-11|java-1.8.0|openjfx)' | sort
java-11-openjdk-11.0.19.0.7-2.mga8
java-11-openjdk-headless-11.0.19.0.7-2.mga8
java-1.8.0-openjdk-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-headless-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.372.b07-1.mga8
openjfx8-8.0.202-25.b07.2.mga8

(In reply to Thomas Andrews from comment #7)
> (In reply to Herman Viaene from comment #6)
> > 1 installation transactions failed
> >
> > There was a problem during the installation:
> >
> > file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from
> > install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from
> > package openjfx-3:11.0.9.2-3.mga8.x86_64
> >
> > file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from
> > install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from
> > package openjfx-devel-3:11.0.9.2-3.mga8.x86_64
>
> This issue came up in https://bugs.mageia.org/show_bug.cgi?id=30753#c11 but
> was later ignored. What can be done to resolve it?

I think the file conflict should be fixed but since this is a security update and is already waiting for over a month and the file conflict issue is not a regression I think it would be best for this to be pushed forward and a new bug report for the file conflict should be open.

Hi,

I close that bug because it is replaced by bug 32203.

Best regards,

Nico.

Status: ASSIGNED => RESOLVED

Linking the bugs so the info isn't lost.

*** This bug has been marked as a duplicate of bug 32203 ***

Resolution: OLD => DUPLICATE
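The practical question behind this whole thread is whether a given Mageia 8 host has the fixed builds from the advisory installed. The following is an added example, not Mageia's or Red Hat's tooling and not code from anyone in the thread: it takes `rpm -qa` output and compares the installed java-1.8.0-openjdk and java-11-openjdk builds against the two SRPM versions the advisory lists, using a pure-Python port of librpm's rpmvercmp() so that it runs offline without librpm bindings. The `FIXED` table is assumed to be the advisory's minimum; `SAMPLE_RPM_QA` is a constructed sample assembled from the listing posted in the thread and the two openjfx NEVRAs in the file-conflict message, and `OLDER_HOST_RPM_QA` is a hypothetical, invented older build used only to exercise the "vulnerable" branch.

```python
"""Added example (not Mageia or Red Hat tooling): check that the OpenJDK RPMs on
a host are at or above the fixed builds listed in the advisory, offline. Version
comparison is a pure-Python port of librpm's rpmvercmp(), so no librpm bindings
are needed; the input is `rpm -qa` text, with or without an architecture suffix."""
import re

# Minimum fixed (epoch, version, release) per package, from the advisory's SRPM list.
FIXED = {
    "java-1.8.0-openjdk": (0, "1.8.0.372.b07", "1.mga8"),
    "java-11-openjdk": (0, "11.0.19.0.7", "2.mga8"),
}

# Constructed sample: the rpm -qa listing posted in the thread plus the two openjfx
# NEVRAs from the file-conflict message (those two carry an arch suffix).
SAMPLE_RPM_QA = """\
java-11-openjdk-11.0.19.0.7-2.mga8
java-11-openjdk-headless-11.0.19.0.7-2.mga8
java-1.8.0-openjdk-1.8.0.372.b07-1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.372.b07-1.mga8
openjfx8-8.0.202-25.b07.2.mga8.x86_64
openjfx-3:11.0.9.2-3.mga8.x86_64
"""

# Constructed, hypothetical host that never got the update; the build number is
# invented purely to exercise the "vulnerable" branch.
OLDER_HOST_RPM_QA = "java-11-openjdk-11.0.18.0.10-1.mga8.x86_64\n"

ARCH_RE = re.compile(r"\.(x86_64|i[3-6]86|aarch64|armv7hl|noarch)$")
SEP_RE = re.compile(r"[^A-Za-z0-9~^]*")  # rpmvercmp skips every other character

def rpmvercmp(a, b):
    """Port of librpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b. Numeric
    and alphabetic segments are compared in turn; '~' sorts below everything
    (pre-release), '^' sorts above the bare version (post-release)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i, j = SEP_RE.match(a, i).end(), SEP_RE.match(b, j).end()  # skip separators
        ca, cb = a[i:i + 1], b[j:j + 1]  # "" once a side is exhausted
        if "~" in (ca, cb):
            if ca != cb:
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != cb:
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        m1, m2 = re.match(pat, a[i:]), re.match(pat, b[j:])
        if m2 is None:  # a numeric segment outranks an alphabetic one
            return 1 if isnum else -1
        s1, s2 = m1.group(0), m2.group(0)
        if isnum:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):  # the longer number is the bigger one
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        i, j = i + m1.end(), j + m2.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def evrcmp(x, y):
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])

def parse_nevra(line):
    """'name-[epoch:]version-release[.arch]' -> (name, (epoch, version, release))."""
    name, version, release = ARCH_RE.sub("", line.strip()).rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch, version = version.split(":", 1)
        epoch = int(epoch)
    return name, (epoch, version, release)

def check_advisory(rpm_qa_output, fixed=FIXED):
    """Map each advisory package to 'fixed', 'vulnerable' or 'not installed'."""
    installed = {}
    for line in filter(str.strip, rpm_qa_output.splitlines()):
        name, evr = parse_nevra(line)
        if name not in installed or evrcmp(evr, installed[name]) > 0:
            installed[name] = evr  # rpm -qa may list several builds; keep the newest
    return {
        name: "not installed" if name not in installed
        else "fixed" if evrcmp(installed[name], min_evr) >= 0 else "vulnerable"
        for name, min_evr in fixed.items()
    }
```

On a real host, pass the text of `rpm -qa` to `check_advisory()`. Default `rpm -qa` output carries the `.x86_64` suffix (the listing in the thread was trimmed), which is why `ARCH_RE` strips it; the `epoch:` form is only seen in messages like the openjfx conflict above, since plain `rpm -qa` does not print epochs. A result of "fixed" for a package name says nothing about its sub-packages (`-headless`, `-devel`, ...), which come from the same SRPM and should be at the same NVR; add them to `FIXED` if the host installs them separately.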