| Summary: | java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk new security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, fri, herman.viaene, mageia, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-32-OK MGA9-64-OK | | |
| Source RPM: | java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk | CVE: | |
| Status comment: | | | |
|
Description

Nicolas Salguero 2023-08-29 11:31:32 CEST

Nicolas Salguero 2023-08-29 11:31:44 CEST
CC: (none) => nicolas.salguero

Nicolas Salguero 2023-08-29 16:40:36 CEST
Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2023-08-29 16:44:27 CEST
Whiteboard: (none) => MGA9TOO, MGA8TOO

*** Bug 31090 has been marked as a duplicate of this bug. ***

Suggested advisory:
========================

The updated packages fix security vulnerabilities and a file conflict:

Improper connection handling during TLS handshake. (CVE-2023-21930)

Incorrect enqueue of references in garbage collector. (CVE-2023-21954)

Certificate validation issue in TLS session negotiation. (CVE-2023-21967)

Swing HTML parsing issue. (CVE-2023-21939)

Incorrect handling of NULL characters in ProcessBuilder. (CVE-2023-21938)

Missing string checks for NULL characters. (CVE-2023-21937)

Missing check for slash characters in URI-to-path conversion. (CVE-2023-21968)

Array indexing integer overflow issue. (CVE-2023-22045)

Improper handling of slash characters in URI-to-path conversion. (CVE-2023-22049)

O(n^2) growth via consecutive marks. (CVE-2023-25193)

HTTP client insufficient file name validation. (CVE-2023-22006)

ZIP file parsing infinite loop. (CVE-2023-22036)

Modulo operator array indexing issue. (CVE-2023-22044)

Weakness in AES implementation. (CVE-2023-22041)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22036
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22041
https://access.redhat.com/errata/RHSA-2023:1904
https://access.redhat.com/errata/RHSA-2023:1880
https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2023:4178
https://access.redhat.com/errata/RHBA-2023:4374
https://access.redhat.com/errata/RHSA-2023:4169
https://www.oracle.com/security-alerts/cpujul2023.html#AppendixJAVA
========================

Updated packages in 8/core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-debugsource-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-demo-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-demo-fastdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-demo-slowdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-devel-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-devel-fastdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-devel-slowdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-fastdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-javadoc-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-javadoc-zip-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-headless-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-headless-fastdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-headless-slowdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-openjfx-devel-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-slowdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-src-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-src-fastdebug-1.8.0.382.b05-1.mga8
java-1.8.0-openjdk-src-slowdebug-1.8.0.382.b05-1.mga8
java-11-openjdk-11.0.20.0.8-1.mga8
java-11-openjdk-debugsource-11.0.20.0.8-1.mga8
java-11-openjdk-demo-11.0.20.0.8-1.mga8
java-11-openjdk-demo-fastdebug-11.0.20.0.8-1.mga8
java-11-openjdk-demo-slowdebug-11.0.20.0.8-1.mga8
java-11-openjdk-devel-11.0.20.0.8-1.mga8
java-11-openjdk-devel-fastdebug-11.0.20.0.8-1.mga8
java-11-openjdk-devel-slowdebug-11.0.20.0.8-1.mga8
java-11-openjdk-fastdebug-11.0.20.0.8-1.mga8
java-11-openjdk-javadoc-11.0.20.0.8-1.mga8
java-11-openjdk-javadoc-zip-11.0.20.0.8-1.mga8
java-11-openjdk-jmods-11.0.20.0.8-1.mga8
java-11-openjdk-jmods-fastdebug-11.0.20.0.8-1.mga8
java-11-openjdk-jmods-slowdebug-11.0.20.0.8-1.mga8
java-11-openjdk-headless-11.0.20.0.8-1.mga8
java-11-openjdk-headless-fastdebug-11.0.20.0.8-1.mga8
java-11-openjdk-headless-slowdebug-11.0.20.0.8-1.mga8
java-11-openjdk-slowdebug-11.0.20.0.8-1.mga8
java-11-openjdk-src-11.0.20.0.8-1.mga8
java-11-openjdk-src-fastdebug-11.0.20.0.8-1.mga8
java-11-openjdk-src-slowdebug-11.0.20.0.8-1.mga8
java-11-openjdk-static-libs-11.0.20.0.8-1.mga8
java-11-openjdk-static-libs-fastdebug-11.0.20.0.8-1.mga8
java-11-openjdk-static-libs-slowdebug-11.0.20.0.8-1.mga8
openjfx-11.0.9.2-4.mga8
openjfx-devel-11.0.9.2-4.mga8

from SRPMS:
java-1.8.0-openjdk-1.8.0.382.b05-1.mga8.src.rpm
java-11-openjdk-11.0.20.0.8-1.mga8.src.rpm
openjfx-11.0.9.2-4.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-debugsource-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-demo-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-devel-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-javadoc-zip-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-headless-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-src-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.382.b05-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.382.b05-1.mga9
java-11-openjdk-11.0.20.0.8-1.mga9
java-11-openjdk-debugsource-11.0.20.0.8-1.mga9
java-11-openjdk-demo-11.0.20.0.8-1.mga9
java-11-openjdk-demo-fastdebug-11.0.20.0.8-1.mga9
java-11-openjdk-demo-slowdebug-11.0.20.0.8-1.mga9
java-11-openjdk-devel-11.0.20.0.8-1.mga9
java-11-openjdk-devel-fastdebug-11.0.20.0.8-1.mga9
java-11-openjdk-devel-slowdebug-11.0.20.0.8-1.mga9
java-11-openjdk-fastdebug-11.0.20.0.8-1.mga9
java-11-openjdk-javadoc-11.0.20.0.8-1.mga9
java-11-openjdk-javadoc-zip-11.0.20.0.8-1.mga9
java-11-openjdk-jmods-11.0.20.0.8-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.20.0.8-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.20.0.8-1.mga9
java-11-openjdk-headless-11.0.20.0.8-1.mga9
java-11-openjdk-headless-fastdebug-11.0.20.0.8-1.mga9
java-11-openjdk-headless-slowdebug-11.0.20.0.8-1.mga9
java-11-openjdk-slowdebug-11.0.20.0.8-1.mga9
java-11-openjdk-src-11.0.20.0.8-1.mga9
java-11-openjdk-src-fastdebug-11.0.20.0.8-1.mga9
java-11-openjdk-src-slowdebug-11.0.20.0.8-1.mga9
java-11-openjdk-static-libs-11.0.20.0.8-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.20.0.8-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.20.0.8-1.mga9
java-17-openjdk-17.0.8.0.7-1.mga9
java-17-openjdk-demo-17.0.8.0.7-1.mga9
java-17-openjdk-demo-fastdebug-17.0.8.0.7-1.mga9
java-17-openjdk-demo-slowdebug-17.0.8.0.7-1.mga9
java-17-openjdk-devel-17.0.8.0.7-1.mga9
java-17-openjdk-devel-fastdebug-17.0.8.0.7-1.mga9
java-17-openjdk-devel-slowdebug-17.0.8.0.7-1.mga9
java-17-openjdk-fastdebug-17.0.8.0.7-1.mga9
java-17-openjdk-headless-17.0.8.0.7-1.mga9
java-17-openjdk-headless-fastdebug-17.0.8.0.7-1.mga9
java-17-openjdk-headless-slowdebug-17.0.8.0.7-1.mga9
java-17-openjdk-javadoc-17.0.8.0.7-1.mga9
java-17-openjdk-javadoc-zip-17.0.8.0.7-1.mga9
java-17-openjdk-jmods-17.0.8.0.7-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.8.0.7-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.8.0.7-1.mga9
java-17-openjdk-slowdebug-17.0.8.0.7-1.mga9
java-17-openjdk-src-17.0.8.0.7-1.mga9
java-17-openjdk-src-fastdebug-17.0.8.0.7-1.mga9
java-17-openjdk-src-slowdebug-17.0.8.0.7-1.mga9
java-17-openjdk-static-libs-17.0.8.0.7-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.8.0.7-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.8.0.7-1.mga9
java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-demo-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-demo-fastdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-demo-slowdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-devel-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-devel-fastdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-devel-slowdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-fastdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-headless-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-headless-fastdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-headless-slowdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-javadoc-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-javadoc-zip-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-jmods-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-jmods-fastdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-jmods-slowdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-slowdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-src-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-src-fastdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-src-slowdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-static-libs-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-static-libs-fastdebug-20.0.2.0.9-1.rolling.2.mga9
java-latest-openjdk-static-libs-slowdebug-20.0.2.0.9-1.rolling.2.mga9

from SRPMS:
java-1.8.0-openjdk-1.8.0.382.b05-1.mga9.src.rpm
java-11-openjdk-11.0.20.0.8-1.mga9.src.rpm
java-17-openjdk-17.0.8.0.7-1.mga9.src.rpm
java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9.src.rpm

Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
PC LX 2023-09-03 22:02:35 CEST
CC: (none) => mageia

mga9-64 mini test OK:

Updated the java packages my workstation has to:
java-1.8.0-openjdk-1:1.8.0.382.b05-1.mga9.x86_64
java-1.8.0-openjdk-headless-1:1.8.0.382.b05-1.mga9.x86_64
java-17-openjdk-1:17.0.8.0.7-1.mga9.x86_64
java-17-openjdk-headless-1:17.0.8.0.7-1.mga9.x86_64

My old Java-based invoicing & book-keeping application FriBOK still works :)

Will report any issues.

CC: (none) => fri

MGA8-64 Xfce on Acer Aspire 5253
No installation issues, installing everything except the debug packages.
Ref bug 30401 for tests

$ java -version
openjdk version "11.0.20" 2023-07-18 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.20+8-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.20+8-LTS, mixed mode, sharing)
$ javac -version
javac 11.0.20
$ javac -cp . Helloworldnojfx.java
$ java -cp . Helloworldnojfx
Hello World!

and corresponding pop-up window appears.

Checked LO Base is running correctly with my odb application: all works OK.

In view of this and Morgan's input, OK'ing.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

The following 16 packages are going to be installed:

- java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-demo-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-demo-slowdebug-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-devel-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-devel-slowdebug-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-headless-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-headless-slowdebug-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-javadoc-zip-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-jmods-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-jmods-slowdebug-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-slowdebug-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-static-libs-20.0.2.0.9-1.rolling.2.mga9.i586
- java-latest-openjdk-static-libs-slowdebug-20.0.2.0.9-1.rolling.2.mga9.i586
- x11-font-bitstream-type1-1.0.3-10.mga9.noarch
- x11-font-type1-1.0.0-17.mga9.noarch
- x11-font-xfree86-type1-1.0.4-10.mga9.noarch

1.1GB of additional disk space will be used.

rebooted

not quite what I expected:

[brian@localhost ~]$ java -version
openjdk version "17.0.7" 2023-04-18 LTS
OpenJDK Runtime Environment 21.9 (build 17.0.7+7-LTS)
OpenJDK Server VM 21.9 (build 17.0.7+7-LTS, mixed mode, sharing)
[brian@localhost ~]$ javac -version
javac 20.0.2
[brian@localhost ~]$ # urpmi java-latest-openjdk
Package java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9.i586 is already installed

okay - java17 is linked to libreoffice. Uninstalling 17 uninstalls libreoffice.

[brian@localhost ~]$ java -version
openjdk version "20.0.2" 2023-07-18 LTS
OpenJDK Runtime Environment 22.3 (build 20.0.2+9-LTS)
OpenJDK Server VM 22.3 (build 20.0.2+9-LTS, mixed mode, sharing)
[brian@localhost ~]$ javac -version
javac 20.0.2
[brian@localhost ~]$

installing libreoffice brings back 17

I went ahead and compiled a tiny helloworld program using SWING. It worked.

Approving.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-32-OK

Adding a MGA9-64 OK based on comment 3.

Validating. Advisory in comment 2.

Keywords: (none) => validated_update
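Added check (not part of the bug report or of Mageia's QA tooling): the test reports above show that `java -version` can still point at an unfixed runtime (17.0.7) while `javac -version` reports the freshly installed 20.0.2, because the `java` alternative is driven by whichever JDK libreoffice pulled in. The snippet below parses `java -version` / `javac -version` banners, compares the runtime against the minimum fixed versions taken from the advisory's package list (1.8.0.382, 11.0.20, 17.0.8, 20.0.2), and flags a java/javac mismatch. The 17.0.7, 11.0.20 and 20.0.2 banners are copied from the testers' output; the 1.8.0_382 and 1.8.0_372 banners are constructed for illustration.

```python
import re

# Minimum fixed upstream versions, derived from the advisory's SRPM versions:
# java-1.8.0-openjdk-1.8.0.382, java-11-openjdk-11.0.20, java-17-openjdk-17.0.8,
# java-latest-openjdk-20.0.2. Keyed by feature release (8, 11, 17, 20).
FIXED_MINIMUM = {
    8: (1, 8, 0, 382),
    11: (11, 0, 20),
    17: (17, 0, 8),
    20: (20, 0, 2),
}

# First line of `java -version`; the same regex also accepts the banner of
# `java -version` from a JDK 8 build, e.g. openjdk version "1.8.0_382".
_JAVA_RE = re.compile(r'^openjdk version "([^"]+)"', re.MULTILINE)
_JAVAC_RE = re.compile(r"^javac (\S+)", re.MULTILINE)

# Banners copied from the test reports in this bug.
BANNER_17_0_7 = (
    'openjdk version "17.0.7" 2023-04-18 LTS\n'
    "OpenJDK Runtime Environment 21.9 (build 17.0.7+7-LTS)\n"
    "OpenJDK Server VM 21.9 (build 17.0.7+7-LTS, mixed mode, sharing)\n"
)
BANNER_11_0_20 = (
    'openjdk version "11.0.20" 2023-07-18 LTS\n'
    "OpenJDK Runtime Environment 18.9 (build 11.0.20+8-LTS)\n"
)
BANNER_20_0_2 = (
    'openjdk version "20.0.2" 2023-07-18 LTS\n'
    "OpenJDK Runtime Environment 22.3 (build 20.0.2+9-LTS)\n"
)
# Constructed banners (not from the page) for the 1.8.0 line.
BANNER_8_FIXED = 'openjdk version "1.8.0_382"\n'
BANNER_8_OLD = 'openjdk version "1.8.0_372"\n'


def _to_tuple(raw: str) -> tuple:
    """'1.8.0_382-b05' -> (1, 8, 0, 382); '17.0.7+7' -> (17, 0, 7)."""
    core = re.split(r"[-+]", raw)[0]
    return tuple(int(p) for p in re.split(r"[._]", core) if p.isdigit())


def parse_java_version(banner: str) -> tuple:
    """Return the runtime version tuple from `java -version` output."""
    m = _JAVA_RE.search(banner)
    if not m:
        raise ValueError("no 'openjdk version' line in banner")
    return _to_tuple(m.group(1))


def parse_javac_version(output: str) -> tuple:
    """Return the compiler version tuple from `javac -version` output."""
    m = _JAVAC_RE.search(output)
    if not m:
        raise ValueError("no 'javac <version>' line in output")
    return _to_tuple(m.group(1))


def feature_release(version: tuple) -> int:
    """Legacy 1.x.y versions map to feature release x; others to the first component."""
    return version[1] if version[0] == 1 else version[0]


def is_fixed(banner: str) -> bool:
    """True if the runtime in `banner` is at or above the advisory's fixed version."""
    installed = parse_java_version(banner)
    release = feature_release(installed)
    if release not in FIXED_MINIMUM:
        raise ValueError(f"feature release {release} is not covered by this advisory")
    minimum = FIXED_MINIMUM[release]
    width = max(len(installed), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(installed) >= pad(minimum)


def javac_matches_java(java_banner: str, javac_output: str) -> bool:
    """False when `java` and `javac` resolve to different JDKs, as in the i586 report."""
    return parse_java_version(java_banner) == parse_javac_version(javac_output)


if __name__ == "__main__":
    print("17.0.7 fixed?", is_fixed(BANNER_17_0_7))
    print("java/javac agree?", javac_matches_java(BANNER_17_0_7, "javac 20.0.2"))
```

On a real system, feed the check with the output of `java -version 2>&1` and `javac -version 2>&1`; a mismatch means the `java` alternative is not the JDK you just updated and the runtime actually used by applications should be verified separately.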
Marja Van Waes 2023-09-27 21:46:18 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0272.html

Resolution: (none) => FIXED