Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Vulnerability in the Java Advanced Management Console component of Oracle Java SE (subcomponent: Server). The supported version that is affected is Java Advanced Management Console: 2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java Advanced Management Console. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java Advanced Management Console, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java Advanced Management Console accessible data as well as unauthorized read access to a subset of Java Advanced Management Console accessible data. (CVE-2019-2540)

An issue was discovered in libjpeg 9a. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file. (CVE-2018-11212)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2019-2426)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). The supported version that is affected is Java SE: 8u192. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2019-2449)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2019-2422)

References:
========================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2422
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html#AppendixJAVA

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-demo-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-zip-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-accessibility-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6

from SRPMS:
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 6
Assignee: nicolas.salguero => qa-bugs

MGA6-32 MATE on IBM Thinkpad R50e
Not possible to install java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6.
openjfx seems to be at 1.8.0.201-1.b08.3.mga6 and that blocks the installation. And openjfx gets an error because of the presence of openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6.i586)

CC: (none) => herman.viaene

Hi,

Did you try to install all the packages or just some of them?

If you want to install java-1.8.0-openjdk-openjfx, you also need to install java-1.8.0-openjdk-openjfx-devel and java-1.8.0-openjfx.

On my machine (x86_64), I got no problem when I installed:
java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjfx-1.8.0.201-1.b08.3.mga6
java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6
java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6

Best regards,

Nico.

@ Nicolas,

I tried to install the packages as indicated in this bug and the update big on jfx. But as usual I leave out (space!!) the develop packages.
But if packages are needed, shouldn't that show up as dependencies???

Yes it should:

rpm -q --requires java-1.8.0-openjfx|grep openj
"""
java-1.8.0-openjdk
java-1.8.0-openjdk-openjfx
java-1.8.0-openjdk-openjfx-devel
"""

rpm -q --requires java-1.8.0-openjdk-openjfx|grep openj
"""
java-1.8.0-openjdk(x86-64) = 1:1.8.0.201-1.b09.2.mga6
openjfx(x86-64)
"""

rpm -q --requires java-1.8.0-openjdk-openjfx-devel|grep openj
"""
java-1.8.0-openjdk-devel(x86-64) = 1:1.8.0.201-1.b09.2.mga6
openjfx-devel(x86-64)
"""

mga6, x86_64

Installed all packages pre-testing.  Several POC available.  Have collected files and shall test later.

CC: (none) => tarazed25

Tracked down 49 POC files and downloaded them from repositories:
https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a/Segmentation%20fault
https://github.com/ChijinZ/security_advisories/tree/master/libjpeg-v9a/Floating%20point%20exception

jmemm* for floating point exceptions
rdppm* for segmentation faults

Oracle's Java SE Risk Matrix tabulates these vulnerable components:

CVE-2019-2540    Server
CVE-2018-11212   ImageIO (libjpeg)
CVE-2019-2426    Networking
CVE-2019-2449    Deployment
CVE-2019-2422    Libraries

So, it looks like the 49 POC relate entirely to faults in the libjpeg library (they require cjpeg for testing) which seems like an entirely separate issue.
Not a lot of point in running them and as there are no tests for the other CVEs and this tester lacks java knowledge I am going to go for a clean update.

- java-1.8.0-openjdk-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-accessibility-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-demo-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-devel-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-headless-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-javadoc-1.8.0.201-1.b09.2.mga6.noarch
- java-1.8.0-openjdk-javadoc-zip-1.8.0.201-1.b09.2.mga6.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjdk-src-1.8.0.201-1.b09.2.mga6.x86_64
- java-1.8.0-openjfx-1.8.0.201-1.b08.3.mga6.x86_64

$ java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK 64-Bit Server VM (build 25.201-b09, mixed mode)

Compiled some elementary scripts and ran them.
$ javac -cp ".:/usr/share/java/*" FreshJuiceTest.java
$ java FreshJuiceTest
Size: MEDIUM
$ javac -cp ".:/usr/share/java/*" Hello.java
$ java Hello
Hello World
$ javac -cp ".:/usr/share/java/*" helloworld.java
$ java helloworld
Hello World!

The last line was the response from the "Say 'Hello World'" button in the window which popped up.

Whiteboard: (none) => MGA6-64-OK

This time selected all packages of jdk and jfx in one go, all install OK.
Usual tests OK:
$ java -version
openjdk version "1.8.0_201"
OpenJDK Runtime Environment (build 1.8.0_201-b09)
OpenJDK Server VM (build 25.201-b09, mixed mode)

$ javac helloworld.java 
$ java helloworld 
Prism-ES2 Error : GL_VERSION (major.minor) = 1.3
Gtk-Message: Failed to load module "canberra-gtk-module"
Hello World!

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Herman, that irritating message can be avoided if you
# urpmi libcanberra-gtk0

Validating. Suggested advisory in Comment 1

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Fedora has issued an advisory for this today (February 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FBCSRCXPFXMLIIXKX5OBGHGUOEGGERHS/

Please include that in the advisory References.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0071.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

RedHat has issued an advisory for this today (February 28):
https://access.redhat.com/errata/RHSA-2019:0435