Bug 30753 - java-1.8.0-openjdk, java-11-openjdk new security issues
Summary: java-1.8.0-openjdk, java-11-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31090
Reported: 2022-08-16 13:56 CEST by Nicolas Salguero
Modified: 2022-11-24 23:22 CET

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk
CVE:
Status comment:


Description Nicolas Salguero 2022-08-16 13:56:42 CEST
RedHat has issued several advisories:
https://access.redhat.com/errata/RHSA-2022:5696 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2022:5683 (java-11-openjdk)
https://access.redhat.com/errata/RHSA-2022:5726 (java-17-openjdk)

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA
Nicolas Salguero 2022-08-16 13:57:22 CEST

Whiteboard: (none) => MGA8TOO
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk

Nicolas Salguero 2022-08-16 13:57:37 CEST

CC: (none) => nicolas.salguero

Comment 1 Lewis Smith 2022-08-18 21:35:19 CEST
Thank you Nicolas for raising this. Assigning to the Java maintainers.

Assignee: bugsquad => java

Comment 2 Nicolas Salguero 2022-10-19 10:16:15 CEST
Hi,

There is a new Oracle CPU:
https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixJAVA

Best regards,

Nico.
Comment 4 Nicolas Salguero 2022-11-04 15:40:09 CET
For Mga8 and Cauldron, java 8 and 11 are built.

For Cauldron, java 17 failed to build and I did not touch java latest.
Comment 5 Nicolas Salguero 2022-11-04 15:48:06 CET
Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-src-fastdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-src-slowdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-src-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-demo-slowdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-demo-fastdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-demo-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-devel-slowdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-slowdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-fastdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-devel-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-devel-fastdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-devel-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-debugsource-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-headless-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-headless-fastdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-headless-slowdebug-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-1.1.mga8

java-11-openjdk-demo-slowdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-demo-fastdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-demo-11.0.17.0.8-1.1.mga8
java-11-openjdk-slowdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-devel-fastdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-devel-slowdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-devel-11.0.17.0.8-1.1.mga8
java-11-openjdk-fastdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-11.0.17.0.8-1.1.mga8
java-11-openjdk-javadoc-zip-11.0.17.0.8-1.1.mga8
java-11-openjdk-src-slowdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-src-11.0.17.0.8-1.1.mga8
java-11-openjdk-src-fastdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-debugsource-11.0.17.0.8-1.1.mga8
java-11-openjdk-jmods-slowdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-1.1.mga8
java-11-openjdk-static-libs-slowdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-headless-11.0.17.0.8-1.1.mga8
java-11-openjdk-static-libs-11.0.17.0.8-1.1.mga8
java-11-openjdk-static-libs-fastdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-jmods-fastdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-headless-fastdebug-11.0.17.0.8-1.1.mga8
java-11-openjdk-jmods-11.0.17.0.8-1.1.mga8
java-11-openjdk-javadoc-11.0.17.0.8-1.1.mga8
java-11-openjdk-headless-slowdebug-11.0.17.0.8-1.1.mga8

from SRPMS:
java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8.src.rpm
java-11-openjdk-11.0.17.0.8-1.1.mga8.src.rpm
Comment 6 Nicolas Salguero 2022-11-08 09:16:15 CET
I forgot to add timezone.

Updated packages in core/updates_testing:
========================
timezone-2022e-1.mga8
timezone-java-2022e-1.mga8

from SRPM:
timezone-2022e-1.mga8.src.rpm
Nicolas Salguero 2022-11-08 09:31:06 CET

Blocks: (none) => 31090

Comment 7 Nicolas Salguero 2022-11-08 09:43:11 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Class compilation issue. (CVE-2022-21540)

Improper restriction of MethodHandle.invokeBasic(). (CVE-2022-21541)

Integer truncation issue in Xalan-J. (CVE-2022-34169)

Improper MultiByte conversion can lead to buffer overflow. (CVE-2022-21618)

Improper handling of long NTLM client hostnames. (CVE-2022-21619)

Insufficient randomization of JNDI DNS port numbers. (CVE-2022-21624)

Excessive memory allocation in X.509 certificate parsing. (CVE-2022-21626)

HttpServer no connection count limit. (CVE-2022-21628)

Missing SNI caching in HTTP/2. (CVE-2022-39399)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39399
https://access.redhat.com/errata/RHSA-2022:5696
https://access.redhat.com/errata/RHSA-2022:5683
https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2022:7007
https://access.redhat.com/errata/RHSA-2022:7013
https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixJAVA

Whiteboard: MGA8TOO => (none)
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk => java-1.8.0-openjdk, java-11-openjdk
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: java => qa-bugs
Summary: java-1.8.0-openjdk, java-11-openjdk and java-17-openjdk new security issues => java-1.8.0-openjdk, java-11-openjdk new security issues
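
A QA tester or sysadmin checking whether this advisory is actually applied on a box wants to compare what `rpm` reports against the fixed versions above, not just eyeball package lists. The script below is an added example written for this page, not code from the Mageia project or this bug report. The fixed version-release strings are those from Comment 5 and Comment 6; the "installed" lines are a constructed sample imitating `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output on a half-updated machine (the older version numbers in it are invented placeholders, not real Mageia releases). The comparison is a simplified rpmvercmp (alternating numeric/alphabetic segments, epochs ignored), which is enough for the versions on this page.

```python
import re

# Fixed version-release per package for Mageia 8, taken from Comment 5 and
# Comment 6 of this bug. Only the packages a typical desktop has installed
# are listed; the full list of subpackages is in Comment 5.
FIXED = {
    "java-1.8.0-openjdk": "1.8.0.352.b08-1.1.mga8",
    "java-1.8.0-openjdk-headless": "1.8.0.352.b08-1.1.mga8",
    "java-11-openjdk": "11.0.17.0.8-1.1.mga8",
    "java-11-openjdk-headless": "11.0.17.0.8-1.1.mga8",
    "timezone-java": "2022e-1.mga8",
}

# Constructed sample of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'java-*-openjdk*' timezone-java
# on a machine where java-11 was updated but java-1.8.0 and timezone-java
# were not (the older version strings are invented placeholders).
SAMPLE_RPM_OUTPUT = """\
java-1.8.0-openjdk 1.8.0.342.b07-1.mga8
java-1.8.0-openjdk-headless 1.8.0.342.b07-1.mga8
java-11-openjdk 11.0.17.0.8-1.1.mga8
java-11-openjdk-headless 11.0.17.0.8-1.1.mga8
timezone-java 2022a-1.mga8
"""

_SEGMENT = re.compile(r"(\d+|[a-zA-Z]+)")


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: split both strings into numeric and alphabetic
    segments (separators such as '.' are ignored), then compare segment by
    segment. Numeric segments compare as integers, alphabetic ones lexically,
    and a numeric segment is newer than an alphabetic one at the same position.
    Returns -1, 0 or 1 like a classic three-way comparison."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            return (xi > yi) - (xi < yi)
        if x_num != y_num:
            return 1 if x_num else -1
        return (x > y) - (x < y)
    # All shared segments equal: the longer string is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def vr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def parse_rpm_output(text):
    """Turn '<name> <version-release>' lines into a dict name -> version-release."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, vr = line.split()
        installed[name] = vr
    return installed


def find_unpatched(installed, fixed=FIXED):
    """Return {name: (installed_vr, fixed_vr)} for every package from the
    advisory that is installed but older than the fixed version. Packages
    that are not installed at all are not affected and are skipped."""
    unpatched = {}
    for name, fixed_vr in fixed.items():
        current = installed.get(name)
        if current is not None and vr_cmp(current, fixed_vr) < 0:
            unpatched[name] = (current, fixed_vr)
    return unpatched


if __name__ == "__main__":
    # On a real host, replace SAMPLE_RPM_OUTPUT with the captured rpm output.
    for name, (cur, fix) in sorted(find_unpatched(parse_rpm_output(SAMPLE_RPM_OUTPUT)).items()):
        print(f"{name}: installed {cur}, fixed in {fix}")
```

Note that `timezone-java` is in the list on purpose: as Comment 10 shows, leaving it out of the repository makes the java packages unselectable, so a check that ignores it would report a machine as patched that cannot actually install the update.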

Comment 8 Herman Viaene 2022-11-12 15:10:38 CET
Put the following list in QARepo
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-src-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-demo-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-openjfx-devel-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-devel-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-headless-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-1.1.mga8

It enabled the local repo OK, but then on selecting the first item for installation in MCC, I get:

Sorry, the following package cannot be selected:

- java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8.x86_64
and no reason or further indication given.
Continuing with java11 ....

CC: (none) => herman.viaene

Comment 9 Herman Viaene 2022-11-12 15:12:49 CET
In QARepo
java-11-openjdk-demo-11.0.17.0.8-1.1.mga8
java-11-openjdk-devel-11.0.17.0.8-1.1.mga8
java-11-openjdk-11.0.17.0.8-1.1.mga8
java-11-openjdk-javadoc-zip-11.0.17.0.8-1.1.mga8
java-11-openjdk-src-11.0.17.0.8-1.1.mga8
java-11-openjdk-headless-11.0.17.0.8-1.1.mga8
java-11-openjdk-static-libs-11.0.17.0.8-1.1.mga8
java-11-openjdk-jmods-11.0.17.0.8-1.1.mga8
java-11-openjdk-javadoc-11.0.17.0.8-1.1.mga8

and again on selecting for installation:
Sorry, the following package cannot be selected:

- java-11-openjdk-11.0.17.0.8-1.1.mga8.x86_64

Beats me.
Comment 10 David Walser 2022-11-12 16:35:12 CET
Herman, your qarepo is missing the timezone update from Comment 6.
Comment 11 Herman Viaene 2022-11-14 14:23:43 CET
OK, first installed the timezone packages, went OK.
Then took all the 1.8.0 stuff and this draws in
- openjfx8-8.0.202-25.b07.2.mga8.x86_64
- openjfx8-devel-8.0.202-25.b07.2.mga8.x86_64
But on installing
1 installation transactions failed

There was a problem during the installation:

file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from package openjfx-3:11.0.9.2-3.mga8.x86_64

file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from package openjfx-devel-3:11.0.9.2-3.mga8.x86_64
Skipping these packages for now and continuing on java-11
Comment 12 Herman Viaene 2022-11-14 15:07:10 CET
MGA8-64 MATE on Acer Aspire 5253
Installing java11 packages went OK
$ java -version
openjdk version "11.0.17" 2022-10-18 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.17+8-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.17+8-LTS, mixed mode, sharing)
[tester8@mach7 ~]$ javac -version
javac 11.0.17
used example from bug 30401
$ javac Helloworldnojfx.java 
$ java Helloworldnojfx 
Hello World!
and popup message appears OK
BUT
opening my usual odb file goes apparently OK (I checked the settings: it uses java 11.0.17), but as soon as I select the tables or queries tab (implying a data connection to the database), I get errors
"The connection to the data source "volks" could not be established."
and
"Error code: 1

firebird_sdbc error:
*Expected backup version 1..10.  Found 11
*unknown ISC error 336330835
caused by
'isc_service_query'
 /home/iurt/rpmbuild/BUILD/libreoffice-7.3.6.2/connectivity/source/drivers/firebird/Util.cxx:68"
Needless to say, this worked OK with the previous version of java11.

A CALC file which used this odb as datasource opens OK, but the same error appears when I refresh the data range.
Comment 13 Nicolas Salguero 2022-11-16 09:17:45 CET
(In reply to Herman Viaene from comment #12)
> opening my usual odb file goes apparently OK, I checked the settings it uses
> java11.0.17 but as soon as I select the tables or queries tab (implying a
> data connection to the database), I get errors
> "The connection to the data source "volks" could not be established."
> and
> "Error code: 1
> 
> firebird_sdbc error:
> *Expected backup version 1..10.  Found 11
> *unknown ISC error 336330835
> caused by
> 'isc_service_query'
>  /home/iurt/rpmbuild/BUILD/libreoffice-7.3.6.2/connectivity/source/drivers/
> firebird/Util.cxx:68"
> Needless to say, this worked OK with the previous version of java11.
> 
> A CALC file which used this odb as datasource opens OK, but the same error
> appears when I refresh the data range.

Does libreoffice-7.4.2.3-1.mga8 (from core/updates_testing, built with java-11-openjdk-11.0.17.0.8-1.1.mga8) solve that issue?
Comment 14 Herman Viaene 2022-11-16 10:07:07 CET
No, same error shows up.
Comment 15 Nicolas Salguero 2022-11-20 10:56:07 CET
Hi,

Are you sure you were using java 11 for libreoffice base before the update?

Can you try using java 8 (in the options of libreoffice, advanced) and see if that solves your issue?

Best regards,
Comment 16 Nicolas Salguero 2022-11-20 10:56:52 CET
I forgot to say that you need to restart libreoffice after changing the version of java.
Comment 17 Herman Viaene 2022-11-20 11:20:40 CET
On Comment 15: yes, I was using java 11; and no, using 1.8 does not solve the issue.
On Comment 16: LO obliges me to restart it when changing the java version.
Comment 18 Nicolas Salguero 2022-11-20 13:18:05 CET
And does reverting to the previous java 11 solve the issue?
Comment 19 Nicolas Salguero 2022-11-21 09:55:20 CET
Hi,

Sorry for being a bit annoying but I have some additional questions because, the more I try to understand your problem, the more I feel totally lost:
1) If I correctly understand the official libreoffice documentation (https://wiki.documentfoundation.org/Development/Base/FirebirdSQL), java is not used to access an ODB which uses firebird internally.  You can use java for external databases (https://books.libreoffice.org/en/BG73/BG7302-CreatingADatabase.html).
2) I cannot find on the web the same error message as yours but that kind of message seems to occur when trying to open an old firebird backup on a newer (and incompatible) firebird server.

So:
1) Is the ODB you talk about in that bug report the same as the one provided in bug 31021?
2) If so, did you open it with the Cauldron version of libreoffice or with the upstream version of libreoffice before testing the java updates from that bug report?
3) If you access an external database with java, which JDBC driver, and which version, are you using?

Best regards,

Nico.
Comment 20 Herman Viaene 2022-11-21 15:39:16 CET
Trying to get you a consistent answer to your questions, it's not simple apparently.
1) Yes, the odb from bug 31021 is the one you can use. In my test above I used a bigger application, but that doesn't matter.
2) There are no external databases involved, it's all embedded firebird.
3) I got the error on my "QA-Update-Testing-laptop", and the data files I use there have been "tortured" since beginning of M8.
So, I tried to get back to the state before this test: re-installed the previous java versions, and copied the odb's back from my main desktop, where "the real work" is done.
Tested this and the odb opens OK and I can open the tables and forms without problems (the outstanding problem with LO-Base reports still there of course).
Now I will install the updates for java, test the odb's and get back here.
Comment 21 Herman Viaene 2022-11-21 15:59:02 CET
And forgot to mention: tested with current M9 iso, fully updated and all well onboard.
Comment 22 Herman Viaene 2022-11-21 16:09:23 CET
LO was not open while installing the update.
Installed following:
java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-demo-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-devel-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-headless-1.8.0.352.b08-1.1.mga8
java-1.8.0-openjdk-javadoc-1.8.0.352.b08-1.1.mga8
java-11-openjdk-demo-11.0.17.0.8-1.1.mga8
java-11-openjdk-devel-11.0.17.0.8-1.1.mga8
java-11-openjdk-11.0.17.0.8-1.1.mga8
java-11-openjdk-javadoc-zip-11.0.17.0.8-1.1.mga8
java-11-openjdk-headless-11.0.17.0.8-1.1.mga8
java-11-openjdk-static-libs-11.0.17.0.8-1.1.mga8
java-11-openjdk-jmods-11.0.17.0.8-1.1.mga8
java-11-openjdk-javadoc-11.0.17.0.8-1.1.mga8
timezone-2022e-1.mga8
timezone-java-2022e-1.mga8
Opening the emp.odb, check both versions were listed in the Options section, and 11.0.17 was selected.
Tested both my odb's and both behaved well.
I will do a further test with 1.8.0.352.b08
Comment 23 Herman Viaene 2022-11-21 16:55:23 CET
@ Nicolas
Opened emp.odb, now selected 1.8.0 as java environment, restarted LO as asked by LO, this odb works OK.
Opened my LO application, checked on java, OK, run the odb and its tables and forms. Works well.
So I have to conclude that the LO application must have become corrupted on this testing laptop.
Since no one else has jumped in to do other tests, I'll give it the OK, unless you have another view. Sorry for the trouble and the delay.

Whiteboard: (none) => MGA8-64-OK

Comment 24 Nicolas Salguero 2022-11-21 17:17:05 CET
(In reply to Herman Viaene from comment #23)
> Sorry for the trouble and the delay.

No problem! I am more than happy to see that you did a good job to ensure QA tests were done seriously.

I use those java versions daily and saw no issue, so I am OK with your validation.
Comment 25 Thomas Andrews 2022-11-22 14:06:03 CET
Since both of you are in agreement, I see no reason to dispute it. Validating. Advisory in Comment 7.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-11-24 04:19:14 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 26 Mageia Robot 2022-11-24 23:22:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0435.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
