The January Oracle CPU for 2019 is out: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA It looks like Fedora is preparing the update in the master branch now, so we should resync with it.
Whiteboard: (none) => MGA6TOO
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Vulnerability in the Java Advanced Management Console component of Oracle Java SE (subcomponent: Server). The supported version that is affected is Java Advanced Management Console: 2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java Advanced Management Console. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java Advanced Management Console, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java Advanced Management Console accessible data as well as unauthorized read access to a subset of Java Advanced Management Console accessible data. (CVE-2019-2540)

An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. (CVE-2018-11212)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2426)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). The supported version that is affected is Java SE: 8u192. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2019-2449)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2019-2422)

References:
========================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2422
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-demo-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-accessibility-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6

from SRPMS:
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 6
Assignee: nicolas.salguero => qa-bugs
Source RPM: java-1.8.0-openjdk => java-1.8.0-openjdk-1.8.0.191-1.b12.2.mga6.src.rpm
CC: (none) => nicolas.salguero
MGA6-32 MATE on IBM Thinkpad R50e
Not possible to install java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6. openjfx seems to be at 1.8.0.201-1.b08.3.mga6 and that blocks the installation. And openjfx gets an error because of the presence of openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6.i586.
CC: (none) => herman.viaene
Hi,

Did you try to install all the packages or just some of them? If you want to install java-1.8.0-openjdk-openjfx, you also need to install java-1.8.0-openjdk-openjfx-devel and java-1.8.0-openjfx.

On my machine (x86_64), I got no problem when I installed:
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjfx-1.8.0.201-1.b08.3.mga6
java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6

Best regards,

Nico.
@ Nicolas, I tried to install the packages as indicated in this bug and the update bug on jfx. But as usual I leave out (space!!) the develop packages. But if packages are needed, shouldn't that show up as dependencies???
Yes it should:

rpm -q --requires java-1.8.0-openjfx|grep openj
"""
java-1.8.0-openjdk
java-1.8.0-openjdk-openjfx
java-1.8.0-openjdk-openjfx-devel
"""

rpm -q --requires java-1.8.0-openjdk-openjfx|grep openj
"""
java-1.8.0-openjdk(x86-64) = 1:1.8.0.201-1.b09.2.mga6
openjfx(x86-64)
"""

rpm -q --requires java-1.8.0-openjdk-openjfx-devel|grep openj
"""
java-1.8.0-openjdk-devel(x86-64) = 1:1.8.0.201-1.b09.2.mga6
openjfx-devel(x86-64)
"""
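The dependency check above can be scripted, so a tester who skipped some packages sees exactly which ones the openjfx chain still needs. The script below is an added example and is not part of the bug report or of the Mageia packages: it takes the "rpm -q --requires ... | grep openj" output quoted in the comment (embedded here as constructed sample data, with the function names missing_requires, count_missing and dep_name being my own) and compares it against a list of installed package names. It compares names only; a requirement met through a virtual Provides such as "openjfx(x86-64)" is not resolved, which is why the sample uses the first query, whose requirements are all plain package names.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mageia packages): report which
# openj* requirements of a package are absent from a list of installed names.
# Caveat: name comparison only; virtual Provides (e.g. "openjfx(x86-64)") are
# not resolved, so a real check should also consult "rpm -q --whatprovides".

# Constructed sample: the "rpm -q --requires java-1.8.0-openjfx | grep openj"
# output quoted in the bug.
REQ_OPENJFX='java-1.8.0-openjdk
java-1.8.0-openjdk-openjfx
java-1.8.0-openjdk-openjfx-devel'

# Constructed scenario: the devel packages left out of the install.
INSTALLED_NO_DEVEL='java-1.8.0-openjdk
java-1.8.0-openjdk-headless
java-1.8.0-openjdk-openjfx
java-1.8.0-openjfx'

# Constructed scenario: the full jdk/jfx set named in the advisory.
INSTALLED_FULL='java-1.8.0-openjdk
java-1.8.0-openjdk-headless
java-1.8.0-openjdk-devel
java-1.8.0-openjdk-openjfx
java-1.8.0-openjdk-openjfx-devel
java-1.8.0-openjfx'

# dep_name LINE: reduce a requires line such as
# "java-1.8.0-openjdk-devel(x86-64) = 1:1.8.0.201-1.b09.2.mga6" to the bare
# package name by dropping the arch qualifier and any version constraint.
dep_name() {
    printf '%s\n' "$1" | sed -e 's/(.*$//' -e 's/ .*$//'
}

# missing_requires REQUIRES_OUTPUT INSTALLED_NAMES
# Prints one line per required package name not present in INSTALLED_NAMES.
missing_requires() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        dep=$(dep_name "$line")
        [ -n "$dep" ] || continue
        printf '%s\n' "$2" | grep -qx -- "$dep" || printf '%s\n' "$dep"
    done
}

# count_missing REQUIRES_OUTPUT INSTALLED_NAMES: number of missing names.
count_missing() {
    missing_requires "$1" "$2" | wc -l | tr -d ' '
}

# On a live Mageia system the inputs would come from rpm itself, e.g.:
#   missing_requires "$(rpm -q --requires java-1.8.0-openjfx | grep openj)" \
#                    "$(rpm -qa --qf '%{NAME}\n')"
if [ "${1:-}" = "demo" ]; then
    echo "Missing with the devel packages left out:"
    missing_requires "$REQ_OPENJFX" "$INSTALLED_NO_DEVEL"
    echo "Missing with the full set: $(count_missing "$REQ_OPENJFX" "$INSTALLED_FULL")"
fi
```

Run it with the demo argument to see java-1.8.0-openjdk-openjfx-devel reported for the partial install and nothing for the full set; with the rpm commands from the comment substituted for the sample data it gives the same answer on a real Mageia 6 box.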
mga6, x86_64 Installed all packages pre-testing. Several POC available. Have collected files and shall test later.
CC: (none) => tarazed25
Tracked down 49 POC files and downloaded them from repositories:
https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a/Segmentation%20fault
https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a/Floating%20point%20exception

jmemm* for floating point exceptions
rdppm* for segmentation faults

Oracle's Java SE Risk Matrix tabulates these vulnerable components:
CVE-2019-2540 Server
CVE-2018-11212 ImageIO (libjpeg)
CVE-2019-2426 Networking
CVE-2019-2449 Deployment
CVE-2019-2422 Libraries

So, it looks like the 49 POC relate entirely to faults in the libjpeg library (they require cjpeg for testing) which seems like an entirely separate issue. Not a lot of point in running them and as there are no tests for the other CVEs and this tester lacks java knowledge I am going to go for a clean update.

- java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-accessibility-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-demo-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6.noarch
- java-1.8.0-openjdk-javadoc-zip-1.8.0.201-1.b09.2.mga6.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjfx-1.8.0.201-1.b08.3.mga6.x86_64

$ java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK 64-Bit Server VM (build 25.201-b09, mixed mode)

Compiled some elementary scripts and ran them.

$ javac -cp ".:/usr/share/java/*" FreshJuiceTest.java
$ java FreshJuiceTest
Size: MEDIUM

$ javac -cp ".:/usr/share/java/*" Hello.java
$ java Hello
Hello World

$ javac -cp ".:/usr/share/java/*" helloworld.java
$ java helloworld
Hello World!
The last line was the response from the "Say 'Hello World'" button in the window which popped up.
Whiteboard: (none) => MGA6-64-OK
This time selected all packages of jdk and jfx in one go, all install OK. Usual tests OK:

$ java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK Server VM (build 25.201-b09, mixed mode)

$ javac helloworld.java
$ java helloworld
Prism-ES2 Error : GL_VERSION (major.minor) = 1.3
Gtk-Message: Failed to load module "canberra-gtk-module"
Hello World!
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Herman, that irritating message can be avoided if you # urpmi libcanberra-gtk0
Validating. Suggested advisory in Comment 1
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Fedora has issued an advisory for this today (February 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBCSRCXPFXMLIIXKX5OBGHGUOEGGERHS/ Please include that in the advisory References.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0071.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
RedHat has issued an advisory for this today (February 28): https://access.redhat.com/errata/RHSA-2019:0435