| Summary: | java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk new security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, fri, herman.viaene, mageia, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk | CVE: | CVE-2024-20918, CVE-2024-20952, CVE-2024-20926, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945 |
| Status comment: | | | |
| Bug Depends on: | 32545 | | |
| Bug Blocks: | | | |
| Attachments: | Log of install & uninstall packages java-1.8.0-openjdk; Log of install & uninstall packages java-11-openjdk; Log of install & uninstall packages java-latest-openjdk | | |
Description

Nicolas Salguero 2024-01-17 10:12:35 CET

Nicolas Salguero 2024-01-17 10:12:43 CET

Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-01-17 10:26:16 CET

Blocks: (none) => 32545

java-1.8.0-openjdk ns80
java-17-openjdk ns80
java-latest-openjdk ns80

It looks as if you are the current maintainer for all this, Nicolas, so assigning it to you.

Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2024-01-18 08:53:49 CET

Assignee: nicolas.salguero => java

Nicolas Salguero 2024-03-06 10:40:03 CET

Depends on: (none) => 32545

java-17-openjdk is handled in bug 32545.

For java-11-openjdk, here is the list of packages:

java-11-openjdk-11.0.22.0.7-1.mga9
java-11-openjdk-demo-11.0.22.0.7-1.mga9
java-11-openjdk-demo-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-demo-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-devel-11.0.22.0.7-1.mga9
java-11-openjdk-devel-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-devel-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-headless-11.0.22.0.7-1.mga9
java-11-openjdk-headless-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-headless-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-javadoc-11.0.22.0.7-1.mga9
java-11-openjdk-javadoc-zip-11.0.22.0.7-1.mga9
java-11-openjdk-jmods-11.0.22.0.7-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-src-11.0.22.0.7-1.mga9
java-11-openjdk-src-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-src-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-static-libs-11.0.22.0.7-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.22.0.7-1.mga9

from SRPM: java-11-openjdk-11.0.22.0.7-1.mga9.src.rpm

For java-1.8.0-openjdk, here is the list of packages:

java-1.8.0-openjdk-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-demo-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-devel-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-headless-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.402.b06-1.mga9.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.402.b06-1.mga9.noarch.rpm
java-1.8.0-openjdk-openjfx-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-src-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.402.b06-1.mga9

from SRPM: java-1.8.0-openjdk-1.8.0.402.b06-1.mga9.src.rpm

Nicolas, is it normal that i586 has fewer packages than x86_64?

(In reply to katnatek from comment #4)
> Nicolas, is it normal that i586 has fewer packages than x86_64?

Yes, it is. i586 does not have fastdebug, and openjfx is limited to 64-bit arches.

For java-latest-openjdk, here is the list of packages:

java-latest-openjdk-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-demo-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-demo-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-devel-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-devel-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-headless-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-headless-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-javadoc-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-javadoc-zip-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-jmods-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-jmods-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-src-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-src-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-src-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-static-libs-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-static-libs-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-21.0.2.0.13-1.rolling.1.mga9

from SRPM: java-latest-openjdk-21.0.2.0.13-1.rolling.1.mga9.src.rpm

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Array out-of-bounds access due to missing range check in C1 compiler. (CVE-2024-20918)

RSA padding issue and timing side-channel attack against TLS. (CVE-2024-20952)

Arbitrary Java code execution in Nashorn. (CVE-2024-20926)

JVM class file verifier flaw allows unverified bytecode execution. (CVE-2024-20919)

Range check loop optimization issue. (CVE-2024-20921)

Logging of digital signature private keys. (CVE-2024-20945)

References:
https://access.redhat.com/errata/RHSA-2024:0225
https://access.redhat.com/errata/RHSA-2024:0234
https://access.redhat.com/errata/RHSA-2024:0249
https://www.oracle.com/security-alerts/cpujan2024.html#AppendixJAVA

Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk
PC LX 2024-03-07 11:50:06 CET

CC: (none) => mageia

mga9-64 mini test OK: updated java-1.8.0-openjdk and -headless. My old Java-based invoicing and book-keeping application FriBOK, which uses it, still works, including printing.

CC: (none) => fri

katnatek 2024-03-07 19:38:12 CET

Keywords: (none) => advisory

MGA9-64 Plasma Wayland on HP Pavilion.
No installation issues.
Configured LO to run java11, and ran my LO Base application: forms run OK, but on a report I get the error:

An exception occurred
Type: com.sun.star.uno.RuntimeException
Message: [jni_uno bridge error] UNO calling Java method execute: non-UNO exception occurred: java.lang.UnsupportedClassVersionError: org/jfree/layouting/LibLayoutInfo has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0

CC: (none) => herman.viaene

Same tests with 1.8.0 and a similar error:

BASIC runtime error.
An exception occurred
Type: com.sun.star.uno.RuntimeException
Message: [jni_uno bridge error] UNO calling Java method execute: non-UNO exception occurred: java.lang.UnsupportedClassVersionError: org/jfree/report/JFreeReportBoot has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

Confirm that switching LO back to the latest 17 version gets rid of the reported error above.

Created attachment 14457 [details]
Log of install & uninstall packages java-1.8.0-openjdk

RH mageia 9 x86_64
No issues detected on install or uninstall of java-1.8.0-openjdk packages.

(In reply to katnatek from comment #12)
> Created attachment 14457 [details]
> Log of install & uninstall packages java-1.8.0-openjdk
>
> RH mageia 9 x86_64

Sorry, it is a VM.

>
> No issues detected on install or uninstall of java-1.8.0-openjdk packages.

BTW I did not include the src packages.

Created attachment 14458 [details]
Log of install & uninstall packages java-11-openjdk

VM mageia 9 x86_64
Install/uninstall of java-11-openjdk packages except src packages.
No issues detected.

Created attachment 14459 [details]
Log of install & uninstall packages java-latest-openjdk

VM mageia 9 x86_64
Excluding src packages.
No issues detected.

katnatek 2024-03-14 19:38:51 CET

CC: (none) => andrewsfarm

katnatek 2024-03-14 19:39:03 CET

Whiteboard: (none) => MGA9-64-OK

Validating.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0061.html

Status: ASSIGNED => RESOLVED