RedHat has issued several advisories: https://access.redhat.com/errata/RHSA-2022:5696 (java-1.8.0-openjdk) https://access.redhat.com/errata/RHSA-2022:5683 (java-11-openjdk) https://access.redhat.com/errata/RHSA-2022:5726 (java-17-openjdk) Corresponding Oracle CPU: https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA
Whiteboard: (none) => MGA8TOOSource RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk
CC: (none) => nicolas.salguero
Thank you Nicolas for raising this. Assigning to the Java maintainers.
Assignee: bugsquad => java
Hi, There is a new Oracle CPU: https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixJAVA Best regards, Nico.
Corresponding RedHat advisories: https://access.redhat.com/errata/RHSA-2022:7007 (1.8.0) https://access.redhat.com/errata/RHSA-2022:7013 (11) https://access.redhat.com/errata/RHSA-2022:6999 (17)
For Mga8 and Cauldron, java 8 and 11 are built. For Cauldron, java 17 failed to build and I did not touch java latest.
Updated packages in core/updates_testing: ======================== java-1.8.0-openjdk-src-fastdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-src-slowdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-src-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-demo-slowdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-demo-fastdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-demo-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-devel-slowdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-slowdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-fastdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-devel-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-devel-fastdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-devel-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-debugsource-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-headless-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-headless-fastdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-headless-slowdebug-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-javadoc-1.8.0.352.b08-1.1.mga8 java-11-openjdk-demo-slowdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-demo-fastdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-demo-11.0.17.0.8-1.1.mga8 java-11-openjdk-slowdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-devel-fastdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-devel-slowdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-devel-11.0.17.0.8-1.1.mga8 java-11-openjdk-fastdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-11.0.17.0.8-1.1.mga8 java-11-openjdk-javadoc-zip-11.0.17.0.8-1.1.mga8 java-11-openjdk-src-slowdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-src-11.0.17.0.8-1.1.mga8 java-11-openjdk-src-fastdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-debugsource-11.0.17.0.8-1.1.mga8 java-11-openjdk-jmods-slowdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-headless-slowdebug-debuginfo-11.0.17.0.8-1.1.mga8 java-11-openjdk-static-libs-slowdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-headless-11.0.17.0.8-1.1.mga8 java-11-openjdk-static-libs-11.0.17.0.8-1.1.mga8 java-11-openjdk-static-libs-fastdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-jmods-fastdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-headless-fastdebug-11.0.17.0.8-1.1.mga8 java-11-openjdk-jmods-11.0.17.0.8-1.1.mga8 java-11-openjdk-javadoc-11.0.17.0.8-1.1.mga8 java-11-openjdk-headless-slowdebug-11.0.17.0.8-1.1.mga8 from SRPMS: java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8.src.rpm java-11-openjdk-11.0.17.0.8-1.1.mga8.src.rpm
I forgot adding timezone. Updated packages in core/updates_testing: ======================== timezone-2022e-1.mga8 timezone-java-2022e-1.mga8 from SRPM: timezone-2022e-1.mga8.src.rpm
Blocks: (none) => 31090
Suggested advisory: ======================== The updated packages fix security vulnerabilities: Class compilation issue. (CVE-2022-21540) Improper restriction of MethodHandle.invokeBasic(). (CVE-2022-21541) Integer truncation issue in Xalan-J. (CVE-2022-34169) Improper MultiByte conversion can lead to buffer overflow. (CVE-2022-21618) Improper handling of long NTLM client hostnames. (CVE-2022-21619) Insufficient randomization of JNDI DNS port numbers. (CVE-2022-21624) Excessive memory allocation in X.509 certificate parsing. (CVE-2022-21626) HttpServer no connection count limit. (CVE-2022-21628) Missing SNI caching in HTTP/2. (CVE-2022-39399) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21540 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21541 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21618 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21619 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21624 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21626 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21628 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39399 https://access.redhat.com/errata/RHSA-2022:5696 https://access.redhat.com/errata/RHSA-2022:5683 https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA https://access.redhat.com/errata/RHSA-2022:7007 https://access.redhat.com/errata/RHSA-2022:7013 https://www.oracle.com/security-alerts/cpuoct2022.html#AppendixJAVA
Whiteboard: MGA8TOO => (none)Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk => java-1.8.0-openjdk, java-11-openjdkVersion: Cauldron => 8Status: NEW => ASSIGNEDAssignee: java => qa-bugsSummary: java-1.8.0-openjdk, java-11-openjdk and java-17-openjdk new security issues => java-1.8.0-openjdk, java-11-openjdk new security issues
Put the following list in QARepo java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-src-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-demo-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-openjfx-devel-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-devel-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-headless-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-javadoc-1.8.0.352.b08-1.1.mga8 It enabled the local repo OK, but then on selecting the first item for installation in MCC, I get: Sorry, the following package cannot be selected: - java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8.x86_64 and no reason or further indication given. Continuing with java11 ....
CC: (none) => herman.viaene
In QARepo ava-11-openjdk-demo-11.0.17.0.8-1.1.mga8 java-11-openjdk-devel-11.0.17.0.8-1.1.mga8 java-11-openjdk-11.0.17.0.8-1.1.mga8 java-11-openjdk-javadoc-zip-11.0.17.0.8-1.1.mga8 java-11-openjdk-src-11.0.17.0.8-1.1.mga8 java-11-openjdk-headless-11.0.17.0.8-1.1.mga8 java-11-openjdk-static-libs-11.0.17.0.8-1.1.mga8 java-11-openjdk-jmods-11.0.17.0.8-1.1.mga8 java-11-openjdk-javadoc-11.0.17.0.8-1.1.mga8 and again on selecting for installation: Sorry, the following package cannot be selected: - java-11-openjdk-11.0.17.0.8-1.1.mga8.x86_64 Beats me.
Herman, your qarepo is missing the timezone update from Comment 6.
OK, first installed the timezone packages, went OK. Then took all the 1.8.0 stuff and this draws in - openjfx8-8.0.202-25.b07.2.mga8.x86_64 - openjfx8-devel-8.0.202-25.b07.2.mga8.x86_64 But on installing 1 installation transactions failed There was a problem during the installation: file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from package openjfx-3:11.0.9.2-3.mga8.x86_64 file /usr/lib/.build-id/6f/8d77d8bcb9b1be4f75b6027195ac0fbec73dd1 from install of openjfx8-8.0.202-25.b07.2.mga8.x86_64 conflicts with file from package openjfx-devel-3:11.0.9.2-3.mga8.x86_64 Skipping these packages for now and continuing on java-11
MGA8-64 MATE on Acer Aspire 5253 Installing java11 packages went OK $ java -version openjdk version "11.0.17" 2022-10-18 LTS OpenJDK Runtime Environment 18.9 (build 11.0.17+8-LTS) OpenJDK 64-Bit Server VM 18.9 (build 11.0.17+8-LTS, mixed mode, sharing) [tester8@mach7 ~]$ javac -version javac 11.0.17 used example from bug 30401 $ javac Helloworldnojfx.java $ java Helloworldnojfx Hello World! and popup message appears OK BUT opening my usual odb file goes apparently OK, I checked the settings it uses java11.0.17 but as soon as I select the tables or queries tab (implying a data connection to the database), I get errors "The connection to the data source "volks" could not be established." and "Error code: 1 firebird_sdbc error: *Expected backup version 1..10. Found 11 *unknown ISC error 336330835 caused by 'isc_service_query' /home/iurt/rpmbuild/BUILD/libreoffice-7.3.6.2/connectivity/source/drivers/firebird/Util.cxx:68" Needles to say this worked OK with the previous version of java11 A CALC file which used this odb as datasource opens OK, but the same error appears when I refresh the data range.
(In reply to Herman Viaene from comment #12) > opening my usual odb file goes apparently OK, I checked the settings it uses > java11.0.17 but as soon as I select the tables or queries tab (implying a > data connection to the database), I get errors > "The connection to the data source "volks" could not be established." > and > "Error code: 1 > > firebird_sdbc error: > *Expected backup version 1..10. Found 11 > *unknown ISC error 336330835 > caused by > 'isc_service_query' > /home/iurt/rpmbuild/BUILD/libreoffice-7.3.6.2/connectivity/source/drivers/ > firebird/Util.cxx:68" > Needles to say this worked OK with the previous version of java11 > > A CALC file which used this odb as datasource opens OK, but the same error > appears when I refresh the data range. Does libreoffice-7.4.2.3-1.mga8 (from core/updates_testing, built with java-11-openjdk-11.0.17.0.8-1.1.mga8) solve that issue?
No, same error shows up.
Hi, Are you sure you were using java 11 for libreoffice base before the update? Can you try using java 8 (in the options of libreoffice, advanced) and see if that solves your issue? Best regards,
I forgot to say that you need to restart libreoffice after changing the version of java.
On Comment 15: yes, using java 11, and no using 1.8 does not solve the issue On Comment 16: LO obliges me to restart it when changing java version.
And does reverting back to previous java 11 solves the issue?
Hi, Sorry for being a bit annoying but I have some additional questions because, the more I try to understand your problem, the more I feel totally lost: 1) If I correctly understand the official libreoffice documentation (https://wiki.documentfoundation.org/Development/Base/FirebirdSQL), java is not used to access an ODB which uses firebird internally. You can use java for external databases (https://books.libreoffice.org/en/BG73/BG7302-CreatingADatabase.html). 2) I cannot find on the web the same error message as yours but that kind of message seems to occur when trying to open an old firebird backup on a newer (and incompatible) firebird server. So: 1) Is the ODB you talk about in that bug report the same as the one provided in bug 31021? 2) If so, did you opened it with Cauldron version of libreoffice or with upstream version of libreoffice before testing the java updates from that bug report? 3) If you access an external database with java, which JDBC driver, and which version, are you using? Best regards, Nico.
Trying to get you a consistent answer to your questions, it's not simple apparently. 1) Yes, the odb from bug 31021 is the one you can use. In my test above I used a bigger application, but that doesn't matter. 2) There are no external databases involved, it's all embedded firebird. 3) I got the error on my "QA-Update-Testing-laptop", and the data files I use there have been "tortured" since beginning of M8. So, I tried to get back to the state before this test: re-installed the previous java versions, and copied the odb's back from my main desktop, where "the real work" is done. Tested this and the odb opens OK and I can open the tables and forms without problems (the outstanding problem with LO-Base reports still there of course). Now I will install the updates for java , test the odb's and get back here.
And forgot to mention: tested with current M9 iso, fully updated and all well onboard.
LO was not open while installing the update. Installed following: java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-demo-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-devel-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-headless-1.8.0.352.b08-1.1.mga8 java-1.8.0-openjdk-javadoc-1.8.0.352.b08-1.1.mga8 java-11-openjdk-demo-11.0.17.0.8-1.1.mga8 java-11-openjdk-devel-11.0.17.0.8-1.1.mga8 java-11-openjdk-11.0.17.0.8-1.1.mga8 java-11-openjdk-javadoc-zip-11.0.17.0.8-1.1.mga8 java-11-openjdk-headless-11.0.17.0.8-1.1.mga8 java-11-openjdk-static-libs-11.0.17.0.8-1.1.mga8 java-11-openjdk-jmods-11.0.17.0.8-1.1.mga8 java-11-openjdk-javadoc-11.0.17.0.8-1.1.mga8 timezone-2022e-1.mga8 timezone-java-2022e-1.mga8 Opening the emp.odb, check both versions were listed in the Options section, and 11.0.17 was selected. Tested both my odb's and both behaved well. I will do a further test with 1.8.0.352.b08
@ Nicolas Opened emp.odb, selected now 1.8.0. as javaa environment, restarted LO as asked by LO, this odb works OK. Opened my LO application, checked on java, OK, run the odb and its tables and forms. Works well. So I have to conclude that the LO application must have gone corrupted on this testing laptop. Since no one else has jumped in to do other tests, I'l give it the OK, unless you have another view. Sorry for the trouble and the delay.
Whiteboard: (none) => MGA8-64-OK
(In reply to Herman Viaene from comment #23) > Sorry for the trouble and the delay. No problem! I am more than happy to see that you did a good job to ensure QA tests were done seriously. I daily use those java version and saw no issue so I am OK with your validation.
Since both of you are in agreement, I see no reason to dispute it. Validating. Advisory in Comment 7.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0435.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED