Bug 30401 - java-1.8.0-openjdk, java-11-openjdk and java-17-openjdk new security issues
Summary: java-1.8.0-openjdk, java-11-openjdk and java-17-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-05-09 15:24 CEST by Nicolas Salguero
Modified: 2022-07-16 21:59 CEST

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk
CVE:
Status comment:


Attachments
Hello World - pop-up instead of jfx (425 bytes, text/x-csrc)
2022-06-20 17:08 CEST, Brian Rockwell

Description Nicolas Salguero 2022-05-09 15:24:06 CEST
Red Hat has issued several advisories:
https://access.redhat.com/errata/RHSA-2022:1491 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2022:1442 (java-11-openjdk)

Moreover, for Cauldron (java-latest-openjdk):
https://access.redhat.com/errata/RHSA-2022:1445

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpuapr2022.html#AppendixJAVA
Nicolas Salguero 2022-05-09 15:24:28 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk

Comment 1 Lewis Smith 2022-05-09 21:40:32 CEST
Both these SRPMs look good for NicolasL, so assigning to you.

Assignee: bugsquad => mageia

Comment 2 Nicolas Lécureuil 2022-05-30 08:24:48 CEST
working on it now

Status: NEW => ASSIGNED

Comment 3 Nicolas Lécureuil 2022-06-08 15:54:32 CEST
java-1.8.0-openjdk is now up to date on mga 8/9
Comment 4 Nicolas Lécureuil 2022-06-14 21:51:28 CEST
ok on cauldron.

java 1.8.0 java 11 java 17 and latest

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 5 Nicolas Lécureuil 2022-06-15 10:51:43 CEST
Fixed in mga8 for java 8 and 11 (17 is on backport)

src:
  - java-11-openjdk-11.0.15.0.10-1.mga8
  - java-1.8.0-openjdk-1.8.0.332.b09-1.1.mga8

Assignee: mageia => qa-bugs

Comment 6 David Walser 2022-06-15 16:46:01 CEST
madb has the package list:
http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/30401/application/0
Comment 7 David Walser 2022-06-16 22:32:39 CEST
(In reply to David Walser from comment #6)
> madb has the package list:
> http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/30401/application/0

Addendum, the timezone update is part of this bug too.

timezone-2022a-1.mga8
timezone-java-2022a-1.mga8

from timezone-2022a-1.mga8.src.rpm
Comment 8 Herman Viaene 2022-06-17 09:48:42 CEST
Trying to load in QARepo gets me:
The following errors occured:
ava-1.8.0-openjdk-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-demo-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-devel-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-headless-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-1.8.0-openjdk-src-1.8.0.332.b09-1.1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-demo-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-devel-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-headless-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-javadoc-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-javadoc-zip-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-jmods-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-src-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository
java-11-openjdk-static-libs-11.0.15.0.10-1.mga8.aarch64.rpm not found in the remote repository

CC: (none) => herman.viaene

Comment 9 Herman Viaene 2022-06-17 10:02:03 CEST
Sorry, selected the wrong RPM list
Comment 10 Herman Viaene 2022-06-17 10:49:52 CEST
MGA8-64 Plasma on Acer Aspire 5253
No installation issues
$ java -version
openjdk version "11.0.15" 2022-04-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.15+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+10-LTS, mixed mode, sharing)
$ javac -version
javac 11.0.15

But trying to compile the helloworld.java from bug 20220 runs into

helloworld.java:2: error: package javafx.application does not exist
import javafx.application.Application;

Tried to overcome this by installing openjfx 11.0.9.2 to no avail.
LO tested by running odb with forms and reports, all work OK
I wish someone could provide a simple helloworld.java......
Comment 11 Brian Rockwell 2022-06-20 17:08:28 CEST
Created attachment 13307
Hello World - pop-up instead of jfx

Ditching jfx since it is deprecated.  This uses a single swing component.

Compiled and tested, found online (see attached)

The following 4 packages are going to be installed:

- java-11-openjdk-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-devel-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-headless-11.0.15.0.10-1.mga8.x86_64
- timezone-java-2022a-1.mga8.noarch

javac -cp . Helloworldnojfx.java
java -cp . Helloworldnojfx
Hello World!

CC: (none) => brtians1

Comment 12 Ulrich Beckmann 2022-06-22 20:51:02 CEST
I installed the package list without any error.

However, on reboot the KDE Plasma panel was crippled, system tray missing. Is there any connection?

Ulrich

CC: (none) => bequimao.de

Comment 13 David Walser 2022-06-22 22:35:21 CEST
No, Plasma doesn't use Java.
Comment 14 Ulrich Beckmann 2022-06-23 17:01:40 CEST
@ David: thanks for clarification.
I could reconfigure the panel now. The issue is not reproducible.

I accessed various banking sites using java or javascript. No regression seen.

KDE Plasma amd64.

Ulrich
Comment 15 David Walser 2022-06-23 18:49:20 CEST
Java and Javascript are not related, and web browsers don't support the Java plug-in anymore, for some time now.  Java would have to be tested directly, by running Java applications.
Comment 16 Herman Viaene 2022-06-24 16:35:11 CEST
Tested own home-made LO-Base application (requires java) and it works OK.
Comment 17 Brian Rockwell 2022-06-29 16:01:23 CEST
Installing the following

- java-11-openjdk-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-devel-11.0.15.0.10-1.mga8.x86_64
- java-11-openjdk-headless-11.0.15.0.10-1.mga8.x86_64
- timezone-java-2022a-1.mga8.noarch


verified 11.0.15 was installed

$ java -version
openjdk version "11.0.15" 2022-04-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.15+10-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.15+10-LTS, mixed mode, sharing)

Ran Eclipse

It is reflecting java 11.0.15 as well.  Java 11 is validated
Comment 18 Thomas Andrews 2022-07-14 15:23:41 CEST
Not sure why no one gave this an OK, so I did my own small test. 

Downloaded all the many 64-bit rpms with qarepo, then ran drakrpm-update. It presented me with the timezone packages, java-11-openjdk and java-11-openjdk-headless. Packages installed without issue. 

I was given an option to use an rpmnew file with each package, but was advised that if I wasn't sure, do nothing. Not being very sure of anything these days, that's what I did - nothing.

I ran LibreOffice Calc and Writer on old documents, made some modifications, then closed without saving them. All went well.

OKing this based on my test and all the others, and validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-07-15 23:32:42 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 19 Mageia Robot 2022-07-16 21:59:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0261.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

