RedHat has issued an advisory today (July 22):
https://access.redhat.com/errata/RHSA-2019:1816

Corresponding Oracle CPU:
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA

It doesn't look like Fedora has started syncing it into their git yet.
Whiteboard: (none) => MGA6TOO
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Side-channel attack risks in Elliptic Curve (EC) cryptography. (CVE-2019-2745)
Insufficient checks of suppressed exceptions in deserialization. (CVE-2019-2762)
Unbounded memory allocation during deserialization in Collections. (CVE-2019-2769)
Insufficient restriction of privileges in AccessController. (CVE-2019-2786)
Missing URL format validation. (CVE-2019-2816)
Missing array bounds check in crypto providers. (CVE-2019-2842)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842
https://access.redhat.com/errata/RHSA-2019:1816
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-headless-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-devel-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-demo-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-src-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-javadoc-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-javadoc-zip-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-accessibility-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-openjfx-1.8.0.222-1.b10.1.mga[67]
java-1.8.0-openjdk-openjfx-devel-1.8.0.222-1.b10.1.mga[67]

from SRPMS:
java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga[67].src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
$ uname -a
Linux localhost.localdomain 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

The following 15 packages are going to be installed:

- hawtjni-runtime-1.16-2.mga7.noarch
- icedtea-web-1.8-2.1.mga7.x86_64
- jansi-1.17.1-1.mga7.noarch
- jansi-native-1.7-3.mga7.x86_64
- java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-devel-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-headless-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-javadoc-zip-1.8.0.222-1.b10.1.mga7.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.222-1.b10.1.mga7.x86_64
- java-1.8.0-openjfx-1.8.0.202-1.b07.3.mga7.x86_64
- jline-2.14.6-2.mga7.noarch
- mozilla-filesystem-1.9-8.mga7.x86_64
- rhino-1.7.7.1-4.mga7.noarch
- tagsoup-1.2.1-14.mga7.noarch

230MB of additional disk space will be used.
115MB of packages will be retrieved.

$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)

I ran some of my programs and it is working as designed. I'm giving approval for 64-bit.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
CC: (none) => brtians1
Brian, icedtea-web is related to this bug, but is part of bug 25228. But since you installed it, could you check it out for that bug? They really should go out together.
CC: (none) => andrewsfarm
Sure - no longer works with Firefox, so I'll need to use Midori, Konqueror, or SeaMonkey, it looks like. Anyone else want to dive in and try those?
$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 15:08:19 UTC 2019 i686 i686 i686 GNU/Linux

The following 8 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-demo-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-devel-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-headless-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-javadoc-zip-1.8.0.222-1.b10.1.mga6.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjdk-openjfx-devel-1.8.0.222-1.b10.1.mga6.i586
- java-1.8.0-openjfx-1.8.0.202-1.b07.1.mga6.i586

233MB of additional disk space will be used.
114MB of packages will be retrieved.

$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK Server VM (build 25.222-b10, mixed mode)

Tested one of my simple applications - working as designed.
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-32-OK
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0241.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED