Bug 22929 - java-1.8.0-openjdk new security issues
Summary: java-1.8.0-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK mga6-64-ok mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-21 18:37 CEST by David Walser
Modified: 2018-05-04 19:30 CEST
CC List: 5 users

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.161-1.b14.1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2018-04-21 18:37:13 CEST
RedHat has issued an advisory on April 19:
https://access.redhat.com/errata/RHSA-2018:1191

Corresponding Oracle CPU:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

The update is also available in Fedora, so I'll sync it in when I can.
Comment 1 Marja Van Waes 2018-04-21 18:51:27 CEST
(In reply to David Walser from comment #0)
> RedHat has issued an advisory on April 19:
> https://access.redhat.com/errata/RHSA-2018:1191
> 
> Corresponding Oracle CPU:
> http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
> 
> The update is also available in Fedora, so I'll sync it in when I can.

Thanks :-)

You didn't assign to yourself, so assigning to the java stack maintainers and 
CC'ing the registered maintainer

Assignee: bugsquad => java
CC: (none) => mageia, marja11

Comment 2 David Walser 2018-04-21 22:54:04 CEST
I have the changes synced into mga5/mga6/Cauldron SVN, but again I can't update the Source4 as the script gives me a 404.  Asking Nicolas Salguero for help again.

Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => nicolas.salguero

Comment 3 David Walser 2018-04-27 18:55:55 CEST
Fedora has issued an advisory for this today (April 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YXDNLAT5DN3VAXFJVYPB64CG2NA7K2VU/
Comment 4 David Walser 2018-04-30 13:04:52 CEST
Thanks Nicolas for the help again with Source4.

Mageia 6 update built, Mageia 5 update building now.

java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6

from java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 5 David Walser 2018-05-01 17:58:57 CEST
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga5

from java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5.src.rpm

I need to check if there's any needed update to copy-jdk-configs, so advisory to come later.
Comment 6 David Walser 2018-05-02 15:52:54 CEST
Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814)

OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794)

OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795)

OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796)

OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797)

OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798)

OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799)

OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800)

OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815)

OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2815
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://access.redhat.com/errata/RHSA-2018:1191
========================

Updated packages in core/updates_testing:
========================
copy-jdk-configs-3.3-1.1.mga5
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga5
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga5
copy-jdk-configs-3.3-1.1.mga6
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-src-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6

from SRPMS:
copy-jdk-configs-3.3-1.1.mga5.src.rpm
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga5.src.rpm
copy-jdk-configs-3.3-1.1.mga6.src.rpm
java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm

Assignee: java => qa-bugs

Comment 7 David Walser 2018-05-03 15:31:01 CEST
https://www.java.com/verify/
https://www.w3.org/People/mimasa/test/object/java/

Works fine on Mageia 5 x86_64.

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK

Comment 8 Brian Rockwell 2018-05-03 15:46:59 CEST
$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 22:17:31 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


The following 6 packages are going to be installed:

- copy-jdk-configs-3.3-1.1.mga6.noarch
- java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6.x86_64
- java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6.noarch
- java-1.8.0-openjfx-1.8.0.171-1.b11.2.mga6.x86_64

$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)

I ran some programs using the cryptography library as well as some swing/jfx routines that serialize and deserialize a bunch of classes.

Working as designed.
Brian Rockwell 2018-05-03 15:48:37 CEST

CC: (none) => brtians1
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK mga6-64-ok

Comment 9 Brian Rockwell 2018-05-03 18:58:46 CEST
$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux


The following 8 packages are going to be installed:

- copy-jdk-configs-3.3-1.1.mga6.noarch
- java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-accessibility-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-demo-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-devel-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-headless-1.8.0.171-1.b10.1.mga6.i586
- java-1.8.0-openjdk-javadoc-zip-1.8.0.171-1.b10.1.mga6.noarch
- java-atk-wrapper-0.33.2-3.mga6.i586

$ java -version
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK Server VM (build 25.171-b10, mixed mode)

Installed icedtea-web.

Tried - https://www.java.com/verify/ - worked

Ran another application from command line.
Compiled a simple class using javac.

Working as designed.

Whiteboard: MGA5TOO MGA5-64-OK mga6-64-ok => MGA5TOO MGA5-64-OK mga6-64-ok mga6-32-ok
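
A scripted form of the check that comments 8 and 9 do by hand (install the candidate packages, run `java -version`, confirm the runtime reports the 8u171-b10 build from this update). This is an added example, not part of the bug report, of Mageia's QA tooling or of OpenJDK; it assumes only a POSIX shell with sed, and that `java -version` writes to stderr, which OpenJDK 8 does. The two sample outputs inside the block are constructed from the versions quoted on this page (8u161-b14 before the update, 8u171-b10 after) so the functions can be exercised without a JVM installed.

```shell
#!/bin/sh
# Added example: decide from `java -version` output whether the runtime in
# PATH is at or above 8u171, the level that carries the April 2018 CPU fixes.
# Not from the Mageia bug or from OpenJDK. Sample strings below are constructed.

# Print the update number (the "171" in 1.8.0_171) from java -version output,
# or nothing if the first line is not an 8u-series version line.
java_update() {
    printf '%s\n' "$1" \
        | sed -n 's/^[a-z]* version "1\.8\.0_\([0-9][0-9]*\)".*/\1/p' \
        | head -n 1
}

# Print the JVM build tag (e.g. "b10") from the "OpenJDK Runtime Environment" line.
java_build() {
    printf '%s\n' "$1" \
        | sed -n 's/^OpenJDK Runtime Environment (build 1\.8\.0_[0-9]*-\(b[0-9]*\)).*/\1/p' \
        | head -n 1
}

# Return 0 when the runtime is 8u171 or later, 1 otherwise (including when the
# output is not an 8u runtime at all, so an unexpected JDK never passes).
java_is_fixed() {
    u=$(java_update "$1")
    [ -n "$u" ] && [ "$u" -ge 171 ]
}

# Constructed sample outputs: the build shipped by this update, and the
# previous one from the Source RPM at the top of the bug.
PATCHED='openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-b10)
OpenJDK 64-Bit Server VM (build 25.171-b10, mixed mode)'
OLD='openjdk version "1.8.0_161"
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)'

# Live check against whatever java is in PATH, if there is one.
if command -v java >/dev/null 2>&1; then
    out=$(java -version 2>&1)
    if java_is_fixed "$out"; then
        echo "OK: java in PATH is 8u$(java_update "$out") ($(java_build "$out"))"
    else
        echo "NOT FIXED: $(printf '%s\n' "$out" | head -n 1)"
    fi
fi
```

The live check only tells you which runtime `java` resolves to; on a box with several JDKs installed, also confirm the package level with `rpm -q java-1.8.0-openjdk-headless` against the version list in comment 6, since `alternatives` may point `java` at a different installation.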

Comment 10 Lewis Smith 2018-05-04 10:21:59 CEST
@Brian : thanks for doing all the testing.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2018-05-04 19:30:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0218.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED