Bug 23071 - java-1.8.0-openjdk Spectre V4 mitigation (CVE-2018-3639)
Summary: java-1.8.0-openjdk Spectre V4 mitigation (CVE-2018-3639)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-22 23:11 CEST by David Walser
Modified: 2018-07-01 19:18 CEST (History)

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.171-1.b10.1.mga6.src.rpm
CVE: CVE-2018-3639
Status comment:



Description David Walser 2018-05-22 23:11:01 CEST
RedHat has issued an advisory on May 21:
https://access.redhat.com/errata/RHSA-2018:1649

This update is not yet available in Fedora.
Comment 1 Marja Van Waes 2018-05-23 08:41:16 CEST
Assigning to the Java Stack maintainers, CC'ing the registered maintainer.

CC: (none) => mageia, marja11
Assignee: bugsquad => java

Comment 2 Nicolas Salguero 2018-06-14 13:16:53 CEST
Hi,

I tried to sync with Fedora (java-1.8.0-openjdk-1.8.0.172-3.b11.fc29) but the build fails:
"""
BuildJaxws.gmk:110: Building /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip [...]
/usr/bin/touch /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip
+ /usr/bin/touch /home/iurt/rpmbuild/BUILD/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7.x86_64/openjdk/build/jdk8.build-slowdebug/jaxws/dist/lib/src.zip
I: [iurt_root_command] ERROR: chroot
"""

See, for example: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20180614094159.ns80.duvel.16124/log/java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga7/build.0.20180614094207.log.

I do not understand what the problem is.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2018-06-17 02:22:12 CEST
Tips on updating this package:
1) Sync with the oldest still-supported Fedora release (to make sure there aren't any changes that won't work with our older Java stack)
2) Only sync changes that were actually changed since the last sync, i.e.
3) Don't do a full re-sync

Once I redid the update as such, all I had to do was disable systemtap for now (not clear why that wasn't working as it looked like it should) and it built.  Maybe in Mageia 6 it'll work with systemtap; we'll see.
Comment 4 Nicolas Salguero 2018-06-18 15:43:02 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
========================

Updated package in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-devel-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-demo-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-src-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.172-1.b11.1.mga6

from SRPMS:
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2018-3639
Assignee: java => qa-bugs

Comment 5 David Walser 2018-06-23 17:21:15 CEST
Changes synced into Mageia 5 SVN.  Not pushing a build for this issue.
Comment 6 David Walser 2018-06-25 23:08:06 CEST
We should include the copy-jdk-configs update with this:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4I24YKXTTHZRA6EVCABUSI7PP5DLAAIL/
Comment 7 Nicolas Salguero 2018-06-26 09:33:44 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
========================

Updated package in core/updates_testing:
========================
copy-jdk-configs-3.7-1.mga6
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-devel-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-demo-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-src-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.172-1.b11.1.mga6

from SRPMS:
copy-jdk-configs-3.7-1.mga6.src.rpm
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6.src.rpm
Comment 8 David Walser 2018-06-26 12:55:13 CEST
Thanks.  copy-jdk-configs update checked into Mageia 5 SVN as well.
Comment 9 Herman Viaene 2018-06-29 11:00:02 CEST
MGA6-32 on IBM Thinkpad R50e
No installation issues.
Searching installed jars on the machine, found bsh.jar. Ran that one and found an example at http://www.beanshell.org/manual/quickstart.html, works OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 10 PC LX 2018-06-29 13:39:09 CEST
Installed and tested without issues.

Tested using several applications and tools (e.g. netbeans, yuicompressor, htmlcleaner, nvidia-visual-profiler, nvidia-nsight, freecol). No regressions noticed.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 4.14.50-desktop-2.mga6 #1 SMP Mon Jun 18 11:23:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep java-1.8.0
java-1.8.0-openjdk-1.8.0.172-1.b11.1.mga6
java-1.8.0-openjdk-headless-1.8.0.172-1.b11.1.mga6

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => mageia

Comment 11 Dave Hodgins 2018-07-01 04:07:24 CEST
Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 12 Mageia Robot 2018-07-01 19:18:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0298.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

