RedHat has issued an advisory on April 19:
https://access.redhat.com/errata/RHSA-2018:1191

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

The update is also available in Fedora, so I'll sync it in when I can.

(In reply to David Walser from comment #0)
> RedHat has issued an advisory on April 19:
> https://access.redhat.com/errata/RHSA-2018:1191
>
> Corresponding Oracle CPU:
> http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
>
> The update is also available in Fedora, so I'll sync it in when I can.

Thanks :-)

You didn't assign to yourself, so assigning to the java stack maintainers and CC'ing the registered maintainer

Assignee: bugsquad => java
CC: (none) => mageia, marja11
I have the changes synced into mga5/mga6/Cauldron SVN, but again I can't update the Source4 as the script gives me a 404. Asking Nicolas Salguero for help again.
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => nicolas.salguero
Fedora has issued an advisory for this today (April 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YXDNLAT5DN3VAXFJVYPB64CG2NA7K2VU/
Thanks Nicolas for the help again with Source4.

Mageia 6 update built, Mageia 5 update building now.

java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6

from java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga5

from java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5.src.rpm

I need to check if there's any needed update to copy-jdk-configs, so advisory to come later.
Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814)

OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794)

OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795)

OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796)

OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797)

OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798)

OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799)

OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800)

OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815)

OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2815
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://access.redhat.com/errata/RHSA-2018:1191
========================

Updated packages in core/updates_testing:
========================
copy-jdk-configs-3.3-1.1.mga5
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga5
copy-jdk-configs-3.3-1.1.mga6
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6

from SRPMS:
copy-jdk-configs-3.3-1.1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5.src.rpm
copy-jdk-configs-3.3-1.1.mga6.src.rpm
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm
Assignee: java => qa-bugs
https://www.java.com/verify/
https://www.w3.org/People/mimasa/test/object/java/

Works fine on Mageia 5 x86_64.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

The following 6 packages are going to be installed:

- copy-jdk-configs-3.3-1.1.mga6.noarch
- java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6.noarch
- java-1.8.0-openjfx-1.8.0.171-1.b11.2.mga6.x86_64

$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)

I ran some programs using the cryptography library as well as some swing/jfx routines that serialize and deserialize a bunch of classes.

Working as designed.

CC: (none) => brtians1
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK mga6-64-ok

$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux

The following 8 packages are going to be installed:

- copy-jdk-configs-3.3-1.1.mga6.noarch
- java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6.noarch
- java-atk-wrapper-0.33.2-3.mga6.i586

$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK Server VM (build 25.171-b10, mixed mode)

Installed icedtea-web.

Tried https://www.java.com/verify/ - worked.

Ran another application from the command line.

Compiled a simple class using javac.

Working as designed.
Whiteboard: MGA5TOO MGA5-64-OK mga6-64-ok => MGA5TOO MGA5-64-OK mga6-64-ok mga6-32-ok
@Brian : thanks for doing all the testing.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0218.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED