Bug 25172 - java-1.8.0-openjdk new security issues
Summary: java-1.8.0-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA7-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-07-23 00:00 CEST by David Walser
Modified: 2019-09-06 23:11 CEST (History)
4 users

See Also:
Source RPM: java-1.8.0-openjdk-1.8.0.212-1.b04.1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-07-23 00:00:43 CEST
Red Hat has issued an advisory today (July 22):
https://access.redhat.com/errata/RHSA-2019:1816

Corresponding Oracle CPU:
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA

It doesn't look like Fedora has started syncing it into their git yet.
David Walser 2019-07-23 00:00:53 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Nicolas Salguero 2019-08-26 15:58:58 CEST
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Side-channel attack risks in Elliptic Curve (EC) cryptography. (CVE-2019-2745)

Insufficient checks of suppressed exceptions in deserialization. (CVE-2019-2762)

Unbounded memory allocation during deserialization in Collections. (CVE-2019-2769)

Insufficient restriction of privileges in AccessController. (CVE-2019-2786)

Missing URL format validation. (CVE-2019-2816)

Missing array bounds check in crypto providers. (CVE-2019-2842)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842
https://access.redhat.com/errata/RHSA-2019:1816
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-headless-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-devel-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-demo-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-src-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-javadoc-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-javadoc-zip-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-accessibility-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-openjfx-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-openjfx-devel-1.8.0.222-1.b10.1.mga[67]

from SRPMS:
java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga[67].src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

Comment 2 Brian Rockwell 2019-08-30 17:38:34 CEST
$ uname -a
Linux localhost.localdomain 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

The following 15 packages are going to be installed:

- hawtjni-runtime-1.16-2.mga7.noarch
- icedtea-web-1.8-2.1.mga7.x86_64
- jansi-1.17.1-1.mga7.noarch
- jansi-native-1.7-3.mga7.x86_64
- java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-devel-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-headless-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-javadoc-zip-1.8.0.222-1.b10.1.mga7.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjfx-1.8.0.202-1.b07.3.mga7.x86_64
- jline-2.14.6-2.mga7.noarch
- mozilla-filesystem-1.9-8.mga7.x86_64
- rhino-1.7.7.1-4.mga7.noarch
- tagsoup-1.2.1-14.mga7.noarch

230MB of additional disk space will be used.

115MB of packages will be retrieved.


$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)


I ran some of my programs and they are working as designed.

I'm giving approval for 64-bit

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
CC: (none) => brtians1
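As an added check (not part of this bug report or the Mageia package), a POSIX shell function that parses the `java -version` banner shown above and reports whether the runtime is at or above 1.8.0_222-b10, the level the advisory's packages deliver; the two sample banners are constructed from the version strings on this page.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a "java -version"
# banner reports OpenJDK 8 at or above 1.8.0_222-b10, the level that carries
# the fixes listed in the advisory.

FIXED_UPDATE=222   # from java-1.8.0-openjdk-1.8.0.222-1.b10.1
FIXED_BUILD=10

# openjdk8_is_fixed BANNER
#   BANNER is the full output of `java -version 2>&1`.
#   Exit status: 0 = 1.8.0_<u>-b<n> with (u,n) >= (222,10); 1 = older;
#   2 = no "(build 1.8.0_<u>-b<n>)" line found (not OpenJDK 8, or a vendor
#   build string this parser does not understand).
openjdk8_is_fixed() {
    banner=$1
    fields=$(printf '%s\n' "$banner" \
        | sed -n 's/.*(build 1\.8\.0_\([0-9][0-9]*\)-b\([0-9][0-9]*\)).*/\1 \2/p' \
        | head -n 1)
    [ -n "$fields" ] || return 2
    update=${fields% *}
    build=${fields#* }
    [ "$update" -gt "$FIXED_UPDATE" ] && return 0
    [ "$update" -eq "$FIXED_UPDATE" ] && [ "$build" -ge "$FIXED_BUILD" ] && return 0
    return 1
}

# openjdk8_status BANNER: prints fixed | vulnerable | unknown, always exits 0.
openjdk8_status() {
    rc=0
    openjdk8_is_fixed "$1" || rc=$?
    case $rc in
        0) echo fixed ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Constructed sample banners, copied from the version strings on this page.
CURRENT_BANNER='openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)'
OLD_BANNER='openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)'

echo "sample 1.8.0_222-b10: $(openjdk8_status "$CURRENT_BANNER")"   # fixed
echo "sample 1.8.0_212-b04: $(openjdk8_status "$OLD_BANNER")"       # vulnerable
# Check the runtime on this host, if one is on PATH.
if command -v java >/dev/null 2>&1; then
    echo "local java: $(openjdk8_status "$(java -version 2>&1 || true)")"
fi
```

The build-string parse is deliberately strict: a banner from a JDK other than 8, or one with a vendor-specific build suffix, reports `unknown` rather than guessing.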

Comment 3 Thomas Andrews 2019-09-02 04:13:12 CEST
Brian, icedtea-web is related to this bug, but is part of bug 25228. But since you installed it, could you check it out for that bug? They really should go out together.

CC: (none) => andrewsfarm

Comment 4 Brian Rockwell 2019-09-02 04:36:45 CEST
Sure - no longer works with Firefox, so I'll need to use Midori, Konqueror, or SeaMonkey it looks like. Anyone else want to dive in and try those?
Comment 5 Brian Rockwell 2019-09-02 04:45:37 CEST
$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux


The following 8 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-demo-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-devel-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-headless-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-javadoc-zip-1.8.0.222-1.b10.1.mga6.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-openjfx-devel-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjfx-1.8.0.202-1.b07.1.mga6.i586

233MB of additional disk space will be used.

114MB of packages will be retrieved.

$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK Server VM (build 25.222-b10, mixed mode)


Tested one of my simple applications - working as designed.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-32-OK

Comment 6 Thomas Andrews 2019-09-05 14:37:42 CEST
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2019-09-06 17:39:14 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2019-09-06 23:11:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0241.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

