| Summary: | java-17-openjdk new security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, fri, herman.viaene, mageia, nicolas.salguero, pkg-bugs, security, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | java-17-openjdk-17.0.8.0.7-1.mga9.src.rpm | CVE: | CVE-2023-22081, CVE-2023-22025, CVE-2024-20932, CVE-2024-20918, CVE-2024-20952, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945 |
| Status comment: | | | |
| Bug Depends on: | 32413 | | |
| Bug Blocks: | 32724 | | |
Description

Nicolas Salguero
2023-11-21 10:22:34 CET

Nicolas Salguero
2023-11-21 10:22:49 CET
Whiteboard: (none) => MGA9TOO

Nicolas Salguero
2023-11-21 10:23:07 CET
Assignee: bugsquad => java

Nicolas Salguero
2024-01-17 10:26:16 CET
Depends on: (none) => 32724
Blocks: (none) => 32724

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Certificate path validation issue during client authentication. (CVE-2023-22081)

Memory corruption issue on x86_64 with AVX-512. (CVE-2023-22025)

Incorrect handling of ZIP files with duplicate entries. (CVE-2024-20932)

Array out-of-bounds access due to missing range check in C1 compiler. (CVE-2024-20918)

RSA padding issue and timing side-channel attack against TLS. (CVE-2024-20952)

JVM class file verifier flaw allows unverified bytecode execution. (CVE-2024-20919)

Range check loop optimization issue. (CVE-2024-20921)

Logging of digital signature private keys. (CVE-2024-20945)

References:
https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2023:5752
https://www.oracle.com/security-alerts/cpujan2024.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2024:0241
========================

Updated packages in core/updates_testing:
========================

java-17-openjdk-17.0.10.0.7-1.mga9
java-17-openjdk-demo-17.0.10.0.7-1.mga9
java-17-openjdk-demo-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-demo-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-devel-17.0.10.0.7-1.mga9
java-17-openjdk-devel-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-devel-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-headless-17.0.10.0.7-1.mga9
java-17-openjdk-headless-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-headless-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-javadoc-17.0.10.0.7-1.mga9
java-17-openjdk-javadoc-zip-17.0.10.0.7-1.mga9
java-17-openjdk-jmods-17.0.10.0.7-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-src-17.0.10.0.7-1.mga9
java-17-openjdk-src-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-src-slowdebug-17.0.10.0.7-1.mga9
java-17-openjdk-static-libs-17.0.10.0.7-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.10.0.7-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.10.0.7-1.mga9

from SRPM:
java-17-openjdk-17.0.10.0.7-1.mga9.src.rpm

katnatek
2024-03-07 02:41:43 CET
Keywords: (none) => advisory

Nicolas Salguero
2024-03-07 09:24:56 CET
Severity: normal => major

PC LX
2024-03-07 11:50:03 CET
CC: (none) => mageia

RH Mageia 9 x86_64

I just have 2 packages, updated without issues installing
//home/katnatek/qa-testing/x86_64/java-17-openjdk-17.0.10.0.7-1.mga9.x86_64.rpm
//home/katnatek/qa-testing/x86_64/java-17-openjdk-headless-17.0.10.0.7-1.mga9.x86_64.rpm

Use the updated packages to run and update jdownloader, the application and its update works as expected.

MGA9-64 Plasma Wayland on HP Pavilion

No installation issues. Checked that LO is referring to this version and exercised LO Base and Calc application, all works OK.

mga9, x64

Most of the listed packages were missing from this system. Installed all of them from Core Release then updated the 23 packages via qarepo and drakrpm-update without any issues.

$ strace -o low.trace libreoffice --writer
$ grep java low.trace
read(6, "/usr/lib/jvm/java-17-openjdk-17."..., 4096) = 285

Comments 2 and 3 show that it works.

Tried out the Notepad demo from /usr/lib/jvm/java-17-openjdk-17.0.10.0.7-1.mga9.x86_64/demo/jfc/Notepad/ as a HelloWorld test of one of the demo branches.

$ path
...
/usr/lib/jvm/java-17-openjdk-17.0.8.0.7-1.mga9.x86_64/jre
$ java -jar Notepad.jar

which generated a simple notepad. Created and saved some random text to a local file.

CC: (none) => tarazed25

Len Lawrence
2024-03-13 13:19:27 CET
Whiteboard: (none) => MGA9-64-OK

Another oops! The path had not been updated when the demo test was done so the code was run against the previous version of the codebase ... which had just been replaced.

Fixed .bashrc and logged in again.

$ path
.....
/usr/lib/jvm/java-17-openjdk-17.0.10.0.7-1.mga9.x86_64/jre

Opened the notebook application and added a line, saved the file and exited. Checked the addition by opening the file again in the notebook.

All is well.

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0056.html

Resolution: (none) => FIXED