Red Hat has issued an advisory today (October 17): https://access.redhat.com/errata/RHSA-2018:2942
Corresponding Oracle CPU: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
The update hasn't been committed in Fedora git yet.
CC: (none) => marja11
Assignee: bugsquad => java
Advisory:
========================

Updated java-1.8.0-openjdk packages fix security vulnerabilities:

Improper field access checks (Hotspot, 8199226) (CVE-2018-3169).

Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183).

Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149).

Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136).

Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139).

Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180).

Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://access.redhat.com/errata/RHSA-2018:2942
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-headless-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-devel-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-demo-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-src-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-javadoc-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-accessibility-1.8.0.191-1.b12.1.mga6

from java-1.8.0-openjdk-1.8.0.191-1.b12.1.mga6.src.rpm
Assignee: java => qa-bugs
Version: Cauldron => 6
CC: (none) => java, nicolas.salguero
Installed and tested without issues.

Tested using netbeans, yuicompressor, projectlibre, htmlcleaner, freecol, aladin.

System: Mageia 6, x86_64, Plasma DE, LXQt, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.191-1.b12.1.mga6
java-1.8.0-openjdk-headless-1.8.0.191-1.b12.1.mga6
CC: (none) => mageia
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref to bug 23343 and further references in it, at CLI:

$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK Server VM (build 25.191-b12, mixed mode)

$ javac helloworld.java
$ java helloworld
Prism-ES2 Error : GL_VERSION (major.minor) = 1.3
Hello World!

Seems OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
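The test above confirms the fix by reading the update number out of `java -version` by eye. The following POSIX shell helper, an added example that is not part of this bug report or of the Mageia packages, does the same check mechanically: it parses the "1.8.0_NNN" update number from the (constructed) sample output quoted from the comment above and compares it against the 191 update that carries the fixes listed in the advisory. Function and variable names are assumptions for this example; `check_live_java` runs the real `java -version` on the host if one is installed.

```shell
#!/bin/sh
# Added example: verify that the installed OpenJDK 8 is at or past the fixed
# update (1.8.0_191) named in the advisory. Not part of the Mageia packages.

# Constructed sample, copied from the java -version output in the comment above.
SAMPLE_VERSION_OUTPUT='openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK Server VM (build 25.191-b12, mixed mode)'

# Update number of the first OpenJDK 8 build that contains the fixes.
REQUIRED_UPDATE=191

# Print the NNN from a line of the form: openjdk version "1.8.0_NNN"
# Prints nothing for a non-OpenJDK ("java version ...") or non-8 runtime,
# so that unknown runtimes are reported as not verified rather than as safe.
openjdk8_update_number() {
    printf '%s\n' "$1" | sed -n 's/^openjdk version "1\.8\.0_\([0-9][0-9]*\)".*/\1/p'
}

# Exit status 0 when the output shows update >= REQUIRED_UPDATE, 1 otherwise
# (including when the version line could not be parsed at all).
openjdk8_is_patched() {
    upd=$(openjdk8_update_number "$1")
    [ -n "$upd" ] || return 1
    [ "$upd" -ge "$REQUIRED_UPDATE" ]
}

# Run the check against the JVM actually on PATH; java prints its version
# banner on stderr, hence the 2>&1.
check_live_java() {
    out=$(java -version 2>&1) || return 1
    openjdk8_is_patched "$out"
}

# Demonstration on the constructed sample (prints "sample: patched").
if openjdk8_is_patched "$SAMPLE_VERSION_OUTPUT"; then
    echo "sample: patched"
else
    echo "sample: vulnerable or not verifiable"
fi
```

Because the regex only matches the OpenJDK 8 banner, an Oracle "java version" banner or an OpenJDK 11 banner makes the check fail closed; extend the pattern deliberately if other runtimes need to be covered.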
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Created attachment 10446
Java RPM causing update to Cauldron to fail in Virtualbox ?

This package seems to be the reason why I failed twice to upgrade from Mga6.1 to Cauldron in Virtualbox.

First install was from Mageia-6.1-netinstall-nonfree-x86_64.iso
Second install was from Mageia-6.1-LiveDVD-Plasma-x86_64-DVD.iso

Both failed with this error message concerning:
java-1.8.0-openjdk-1.8.0.191-1.b12.1.mga7.x86_64.rpm
and
java-1.8.0-openjdk-headless-1.8.0.191-1.b12.1.mga7.x86_64.rpm
CC: (none) => sebsweb
(In reply to Sébastien Morin from comment #5)
> Created attachment 10446
> Java RPM causing update to Cauldron to fail in Virtualbox ?

There are two errors shown in the attachment: a floating point exception and a segmentation fault. These don't seem like package errors but more like issues with urpmi or something used by it.
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0436.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Due to this update, java-1.8.0-openjfx-1.8.0.181 has been uninstalled on my machine because version 1.8.0.191 doesn't exist for this package.
We're not going to hold up critical openjdk updates for openjfx. If you use that, it's up to you to decide whether to go without jfx for a bit or wait to install the security update.
(In reply to David Walser from comment #9)
> We're not going to hold up critical openjdk updates for openjfx. If you use
> that, it's up to you to decide whether to go without jfx for a bit or wait
> to install the security update.

I didn't know that the Mageia policy allowed to break dependencies on a stable branch like Mageia 6... openjfx is not even in testing.
It's not a matter of policy, and the reasoning is what I already said last time. It's not going to magically bite you, it will tell you what will happen and give you a chance to cancel it. The dependency is a limitation of the openjfx package, not openjdk.
OK - I'm a "standard" user, so where should I report this to get it fixed? Can you point me in a direction where to report it to get it fixed?

And on top of that, I don't agree with your "not magically biting you"... For me (lacking background information about the linking of these packages) it simply looks like a bug: suddenly one of my favorite programs (mediathekview - downloading public tv streams) doesn't work anymore and I have no clue why... So yes, it warned me, but nevertheless it "bites me magically".
CC: (none) => marc.lattemann
(In reply to Frédéric Buclin from comment #10)
> I didn't know that the Mageia policy allowed to break dependencies on a
> stable branch like Mageia 6... openjfx is not even in testing.

You can find a version in updates_testing: java-1.8.0-openjfx-1.8.0.191-1.b10.2.mga6. I have not created a bug report (to submit it to QA) for the moment because it currently fails to build for ARM arches (and I have no access to a computer running Mageia for the last 4 days) but I think building with only 2 CPUs for those arches will solve the problem.
Thanks - that works with the mediathekview. As soon as it's submitted to QA I can add the positive test result there :)
Marc, like I said, it does not magically bite you: it will ask you before uninstalling and give you a chance to cancel it, so you can choose how it affects you. It doesn't just silently go behind your back and make it disappear.

Nicolas, ARM is a secondary arch; it can be fixed later. Please push the update to QA if it builds for Intel.
(In reply to David Walser from comment #15)
> Nicolas, ARM is a secondary arch, it can be fixed later. Please push the
> update to QA if it build for Intel.

Done. See bug 23807.