| Summary: | java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk new security issues | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk | CVE: | CVE-2024-21011, CVE-2024-21012, CVE-2024-21085, CVE-2024-21068, CVE-2024-21094 |
| Status comment: | |||
Description
Nicolas Salguero
2024-04-22 09:42:59 CEST
Nicolas Salguero
2024-04-22 09:45:08 CEST
CVE:
(none) =>
CVE-2024-21011, CVE-2024-21012, CVE-2024-21085, CVE-2024-21068, CVE-2024-21094

java-latest-openjdk needs to switch from java 21 to 22 (Cauldron and Mageia 9).
For Cauldron, the default java needs to switch from java 17 to 21.

To summarise the java versions for M9:

java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.402.b06-1.mga9.src.rpm

java-11-openjdk
java-11-openjdk-11.0.22.0.7-1.mga9.src.rpm

java-17-openjdk
java-17-openjdk-17.0.10.0.7-1.mga9.src.rpm

java-latest-openjdk
java-latest-openjdk-21.0.2.0.13-1.rolling.1.mga9.src.rpm

Following the links, many of the CVEs seem to be fixed by the following Java versions;
OpenJDK 11.0.23
OpenJDK 17.0.11
OpenJDK 21.0.3
but there are many references to less obvious RedHat fixes.

Assignee:
bugsquad =>
java

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Long Exception message leading to crash. (CVE-2024-21011)

HTTP/2 client improper reverse DNS lookup. (CVE-2024-21012)

Integer overflow in C1 compiler address generation. (CVE-2024-21068)

Pack200 excessive memory allocation. (CVE-2024-21085)

C2 compilation fails with "Exceeded _node_regs array". (CVE-2024-21094)

References:
https://access.redhat.com/errata/RHSA-2024:1817
https://access.redhat.com/errata/RHSA-2024:1819
https://access.redhat.com/errata/RHSA-2024:1823
https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-demo-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-devel-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-headless-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-javadoc-zip-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-src-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.412.b08-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.412.b08-1.mga9

java-11-openjdk-11.0.23.0.9-1.mga9
java-11-openjdk-demo-11.0.23.0.9-1.mga9
java-11-openjdk-demo-fastdebug-11.0.23.0.9-1.mga9
java-11-openjdk-demo-slowdebug-11.0.23.0.9-1.mga9
java-11-openjdk-devel-11.0.23.0.9-1.mga9
java-11-openjdk-devel-fastdebug-11.0.23.0.9-1.mga9
java-11-openjdk-devel-slowdebug-11.0.23.0.9-1.mga9
java-11-openjdk-fastdebug-11.0.23.0.9-1.mga9
java-11-openjdk-headless-11.0.23.0.9-1.mga9
java-11-openjdk-headless-fastdebug-11.0.23.0.9-1.mga9
java-11-openjdk-headless-slowdebug-11.0.23.0.9-1.mga9
java-11-openjdk-javadoc-11.0.23.0.9-1.mga9
java-11-openjdk-javadoc-zip-11.0.23.0.9-1.mga9
java-11-openjdk-jmods-11.0.23.0.9-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.23.0.9-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.23.0.9-1.mga9
java-11-openjdk-slowdebug-11.0.23.0.9-1.mga9
java-11-openjdk-src-11.0.23.0.9-1.mga9
java-11-openjdk-src-fastdebug-11.0.23.0.9-1.mga9
java-11-openjdk-src-slowdebug-11.0.23.0.9-1.mga9
java-11-openjdk-static-libs-11.0.23.0.9-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.23.0.9-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.23.0.9-1.mga9

java-17-openjdk-17.0.11.0.9-1.mga9
java-17-openjdk-demo-17.0.11.0.9-1.mga9
java-17-openjdk-demo-fastdebug-17.0.11.0.9-1.mga9
java-17-openjdk-demo-slowdebug-17.0.11.0.9-1.mga9
java-17-openjdk-devel-17.0.11.0.9-1.mga9
java-17-openjdk-devel-fastdebug-17.0.11.0.9-1.mga9
java-17-openjdk-devel-slowdebug-17.0.11.0.9-1.mga9
java-17-openjdk-fastdebug-17.0.11.0.9-1.mga9
java-17-openjdk-headless-17.0.11.0.9-1.mga9
java-17-openjdk-headless-fastdebug-17.0.11.0.9-1.mga9
java-17-openjdk-headless-slowdebug-17.0.11.0.9-1.mga9
java-17-openjdk-javadoc-17.0.11.0.9-1.mga9
java-17-openjdk-javadoc-zip-17.0.11.0.9-1.mga9
java-17-openjdk-jmods-17.0.11.0.9-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.11.0.9-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.11.0.9-1.mga9
java-17-openjdk-slowdebug-17.0.11.0.9-1.mga9
java-17-openjdk-src-17.0.11.0.9-1.mga9
java-17-openjdk-src-fastdebug-17.0.11.0.9-1.mga9
java-17-openjdk-src-slowdebug-17.0.11.0.9-1.mga9
java-17-openjdk-static-libs-17.0.11.0.9-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.11.0.9-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.11.0.9-1.mga9

java-latest-openjdk-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-demo-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-devel-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-headless-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-javadoc-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-javadoc-zip-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-jmods-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-slowdebug-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-src-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-src-slowdebug-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-static-libs-22.0.1.0.8-1.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-22.0.1.0.8-1.rolling.1.mga9

from SRPMS:
java-1.8.0-openjdk-1.8.0.412.b08-1.mga9.src.rpm
java-11-openjdk-11.0.23.0.9-1.mga9.src.rpm
java-17-openjdk-17.0.11.0.9-1.mga9.src.rpm
java-latest-openjdk-22.0.1.0.8-1.rolling.1.mga9.src.rpm

Source RPM:
java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk =>
java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
katnatek
2024-05-14 19:36:19 CEST
Keywords:
(none) =>
advisory

MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
Configured LO to run java1.8.0, and ran my LO Base application: forms run OK but on a report I get error:

BASIC runtime error.
An exception occurred
Type: com.sun.star.uno.RuntimeException
Message: [jni_uno bridge error] UNO calling Java method execute: non-UNO exception occurred: java.lang.UnsupportedClassVersionError: org/jfree/report/JFreeReportBoot has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

CC:
(none) =>
herman.viaene

Java 11, similar error.

BASIC runtime error.
An exception occurred
Type: com.sun.star.uno.RuntimeException
Message: [jni_uno bridge error] UNO calling Java method execute: non-UNO exception occurred: java.lang.UnsupportedClassVersionError: org/jfree/layouting/LibLayoutInfo has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0

Java 17, application runs OK, report shows up with the old Mageia-related LO bug on the layout of the report.
Java latest 22, same result as above.

All in all, the errors for versions java1.8.0 and java 11 are of the same order as the previous update 32724, so no regression. Though I wonder why we get into this situation.
For me in view of all that, good to go.

Whiteboard:
(none) =>
MGA9-64-OK

I keep wondering if the report error comes because we are supporting both arches, where the LO folks only issue 64-bit versions. But then, I am no developer.

Validating.

CC:
(none) =>
andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0179.html

Resolution:
(none) =>
FIXED