RedHat has issued an advisory on October 26: https://access.redhat.com/errata/RHSA-2020:4347 Corresponding Oracle CPU: https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixJAVA
Fedora has issued an advisory for this on October 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OMJMTXFJRONFT72YAEQNRFKYZZU4W3HD/ The update is to 1.8.0.272.b10.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Credentials sent over unencrypted LDAP connection. (CVE-2020-14781)

Certificate blacklist bypass via alternate certificate encodings. (CVE-2020-14782)

Integer overflow leading to out-of-bounds access. (CVE-2020-14792)

Incomplete check for invalid characters in URI to path conversion. (CVE-2020-14797)

Race condition in NIO Buffer boundary checks. (CVE-2020-14803)

High memory usage during deserialization of Proxy class with many interfaces. (CVE-2020-14779)

Missing permission check in path to URI conversion. (CVE-2020-14796)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14796
https://access.redhat.com/errata/RHSA-2020:4347
https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixJAVA
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OMJMTXFJRONFT72YAEQNRFKYZZU4W3HD/
========================

Updated packages in core/updates_testing:
========================
timezone-2020d-1.mga7
timezone-java-2020d-1.mga7
java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-headless-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-devel-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-demo-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-src-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-javadoc-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-javadoc-zip-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-accessibility-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-openjfx-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-openjfx-devel-1.8.0.272-1.b10.1.mga7

from SRPMS:
timezone-2020d-1.mga7.src.rpm
java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Addendum to the advisory:
------------------------

Also, the timezone package has been updated to version 2020d.

References:
http://mm.icann.org/pipermail/tz-announce/2020-April/000058.html
http://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
http://mm.icann.org/pipermail/tz-announce/2020-October/000060.html
http://mm.icann.org/pipermail/tz-announce/2020-October/000062.html
------------------------

(Note that this update has been reported to cause an issue with Evolution, at least in Cauldron, see Bug 27473. So, it may need to be patched to cope with this update.)
Installed and tested without issues. 50 packages installed in this workstation depend on java or java-headless packages. Tested explicitly with netbeans 12.0 (upstream), projectlibre, sweethome3d, htmlcleaner and yuicompressor. No issues found.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.

$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep java-1.8.0-openjdk
java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7
java-1.8.0-openjdk-headless-1.8.0.272-1.b10.1.mga7

$ rpm -q --whatrequires java java-headless | sort
apache-commons-io-2.6-3.mga7
apache-commons-logging-1.2-9.mga7
batik-1.10-1.mga7
batik-css-1.10-1.mga7
bouncycastle-1.61-1.mga7
bouncycastle-mail-1.61-1.mga7
bouncycastle-pkix-1.61-1.mga7
flute-1.3.0-9.mga7
freecol-0.11.6-3.mga7
hawtjni-runtime-1.16-2.mga7
htmlcleaner-2.2.1-9.mga7
htmlcleaner-2.2.1-9.mga7
icedtea-web-1.8-2.1.mga7
itext-core-2.1.7-37.mga7
jai-imageio-core-1.2-0.21.20100217cvs.2.mga7
janino-2.7.8-9.mga7
jansi-1.17.1-1.mga7
jansi-native-1.7-3.mga7
jargs-1.0-10.mga7
java3d-1.5.2-15.mga7
jaxen-1.1.6-12.mga7
jdom-1.1.3-12.mga7
jline-2.14.6-2.mga7
libbase-1.1.6-8.mga7
libfonts-1.1.6-10.mga7
libformula-1.1.6-9.mga7
liblayout-0.2.10-11.mga7
libloader-1.1.6-9.mga7
libreoffice-core-6.4.6.2-1.mga7
librepository-1.1.6-11.mga7
libserializer-1.1.6-11.mga7
ongres-scram-1.0.0~beta.2-1.mga7
ongres-scram-client-1.0.0~beta.2-1.mga7
pentaho-libxml-1.1.6-10.mga7
pentaho-reporting-flow-engine-0.9.4-13.mga7
postgresql-jdbc-42.2.5-1.1.mga7
projectlibre-1.9.0-5.mga7
rhino-1.7.7.1-4.mga7
sac-1.3-28.mga7
sunflow-sweethome3d-0.07.3i-1.mga7
sweethome3d-6.1-1.1.mga7
tagsoup-1.2.1-14.mga7
vecmath-1.6.0-0.1.20130710git41fddda.7.mga7
vecmath-1.6.0-0.1.20130710git41fddda.7.mga7
xalan-j2-2.7.1-35.mga7
xerces-j2-2.11.0-29.mga7
xml-commons-apis-1.4.01-23.mga7
xml-commons-resolver-1.2-22.mga7
xmlgraphics-commons-2.2-2.mga7
yuicompressor-2.4.8-2.mga7
CC: (none) => mageia
Installed and tested without issues. MGA7 64 Plasma and 32 Xfce. timezone-java is also OK. Not tested: Evolution and this update.
CC: (none) => ouaurelien
$ uname -a
Linux linux.local 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

The following 12 packages are going to be installed:

- java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-accessibility-1.8.0.272-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-demo-1.8.0.272-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-devel-1.8.0.272-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-headless-1.8.0.272-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-javadoc-zip-1.8.0.272-1.b10.1.mga7.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.272-1.b10.1.mga7.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.272-1.b10.1.mga7.x86_64
- java-1.8.0-openjfx-1.8.0.202-1.b07.3.mga7.x86_64
- java-atk-wrapper-0.33.2-5.1.mga7.x86_64
- timezone-2020d-1.mga7.x86_64
- timezone-java-2020d-1.mga7.noarch

---

After the install I tried a couple of my old programs, using and compiling them at the command line. They seemed to work as designed.
CC: (none) => brtians1
Validating update

Advisory pushed to SVN.

Added this note under Advisory.

(In reply to David Walser from comment #3)
> (Note that this update has been reported to cause an issue with Evolution,
> at least in Cauldron, see Bug 27473. So, it may need to be patched to cope
> with this update.)
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
A note about a possible regression should not be part of the advisory. We need to rest and make sure the issue doesn't affect Mageia 7, or fix it before issuing this update if it does.
Keywords: advisory, validated_update => (none)
s/rest/test/
Removed Note about Comment 3 in Advisory.
Note that, under M7 Gnome with Evolution in CET timezone Europe/Paris (same as Europe/Madrid), creating an appointment is OK with these java and timezone updates. No crashes.
Keywords: (none) => advisory, validated_update
Note that this update triggers this on a M7 Plasma system I updated:

attention : /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/blacklisted.certs créé en tant que /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/blacklisted.certs.rpmnew
attention : /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/java.security créé en tant que /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/java.security.rpmnew
# restored /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/java.security.rpmnew to /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/java.security
restored /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/blacklisted.certs.rpmnew to /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7.x86_64/jre/lib/security/blacklisted.certs

Does not seem harmful as the new files are really installed, but why does the package manager make .rpmnew files and thereafter rename them?
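The .rpmnew files in the comment above come from rpm leaving a packaged config file beside one it did not overwrite; if the two differ, the active java.security or blacklisted.certs may be missing the packaged changes. The script below is an added example, not part of this bug report or of Mageia's tooling: it scans a directory for `*.rpmnew` files, compares each with the file it shadows, and returns the number of differing pairs. The sample tree it builds is constructed; on a real system you would point it at the jre/lib/security directory quoted in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report): reconcile *.rpmnew files with
# the installed config files they shadow.
set -u

# check_rpmnew DIR
# Prints one line per *.rpmnew file: DIFFERS, IDENTICAL or ORPHAN (no
# installed counterpart). Exit status is the number of differing pairs.
check_rpmnew() {
    dir=$1
    differing=0
    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue        # glob matched nothing
        cur=${new%.rpmnew}               # installed file the .rpmnew shadows
        if [ ! -e "$cur" ]; then
            echo "ORPHAN $new"
            continue
        fi
        if cmp -s "$cur" "$new"; then
            echo "IDENTICAL $cur"
        else
            echo "DIFFERS $cur"          # packaged changes not yet active
            differing=$((differing + 1))
        fi
    done
    return "$differing"
}

# make_sample: constructed stand-in for jre/lib/security. java.security has
# a changed packaged copy; blacklisted.certs has an identical one.
make_sample() {
    d=$(mktemp -d)
    printf 'sample.property=old-value\n' > "$d/java.security"
    printf 'sample.property=new-value\n' > "$d/java.security.rpmnew"
    printf 'Algorithm=SHA-256\n' > "$d/blacklisted.certs"
    printf 'Algorithm=SHA-256\n' > "$d/blacklisted.certs.rpmnew"
    echo "$d"
}

SAMPLE=$(make_sample)
status=0
check_rpmnew "$SAMPLE" || status=$?
echo "differing pairs: $status"
rm -rf "$SAMPLE"
```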
Just ignore that.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0418.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
GNOME bug caused by this timezone update is being fixed in Bug 27609. I took the "timezone" mention out of the SVN advisory for this bug as it didn't fix any security issues itself.