Oracle CPU: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixJAVA
Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA7TOO
Source RPM: (none) => java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga7.src.rpm
RedHat issued an advisory yesterday (October 16): https://access.redhat.com/errata/RHSA-2019:3128
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Improper handling of Kerberos proxy credentials (Kerberos, 8220302). (CVE-2019-2949)

Unexpected exception thrown during regular expression processing in Nashorn (Scripting, 8223518). (CVE-2019-2975)

Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892). (CVE-2019-2978)

Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298). (CVE-2019-2989)

Missing restrictions on use of custom SocketImpl (Networking, 8218573). (CVE-2019-2945)

NULL pointer dereference in DrawGlyphList (2D, 8222690). (CVE-2019-2962)

Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684). (CVE-2019-2964)

Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505). (CVE-2019-2973)

Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532). (CVE-2019-2981)

Unexpected exception thrown during Font object deserialization (Serialization, 8224915). (CVE-2019-2983)

Missing glyph bitmap image dimension check in FreetypeFontScaler (2D, 8225286). (CVE-2019-2987)

Integer overflow in bounds check in SunGraphics2D (2D, 8225292). (CVE-2019-2988)

Excessive memory allocation in CMap when reading TrueType font (2D, 8225597). (CVE-2019-2992)

Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765). (CVE-2019-2999)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999
https://access.redhat.com/errata/RHSA-2019:3128
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-headless-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-devel-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-demo-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-src-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-javadoc-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-javadoc-zip-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-accessibility-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-openjfx-1.8.0.232-1.b09.1.mga7
java-1.8.0-openjdk-openjfx-devel-1.8.0.232-1.b09.1.mga7

from SRPMS:
java-1.8.0-openjdk-1.8.0.232-1.b09.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 7
Assignee: nicolas.salguero => qa-bugs
When I generated the openjdk tarball, I forgot PR3667 (remove some cryptographic algorithms). So there is a new build based upon the Fedora tarball.

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-headless-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-devel-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-demo-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-src-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-javadoc-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-javadoc-zip-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-accessibility-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-openjfx-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-openjfx-devel-1.8.0.232-1.b09.2.mga7

from SRPMS:
java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7.src.rpm
Installed and tested without issues.

Tested using sweethome3d, projectlibre, netbeans, htmlcleaner, yuicompressor.

No regressions noticed.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.3.6-desktop-2.mga7 #1 SMP Sun Oct 13 18:22:10 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7
java-1.8.0-openjdk-headless-1.8.0.232-1.b09.2.mga7
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0302.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED