Bug 31452 - java-1.8.0-openjdk, java-11-openjdk new security issues
Summary: java-1.8.0-openjdk, java-11-openjdk new security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-01-24 11:05 CET by Nicolas Salguero
Modified: 2023-02-07 01:08 CET (History)
CC List: 6 users

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, timezone
CVE:
Status comment:


Description Nicolas Salguero 2023-01-24 11:05:54 CET
RedHat has issued several advisories:
https://access.redhat.com/errata/RHSA-2023:0203 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2023:0200 (java-11-openjdk)

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpujan2023.html#AppendixJAVA
Nicolas Salguero 2023-01-24 11:06:30 CET

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk

Comment 1 Nicolas Salguero 2023-01-27 11:16:14 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Improper restrictions in CORBA deserialization. (CVE-2023-21830)

Handshake DoS attack against DTLS connections. (CVE-2023-21835)

Soundbank URL remote loading. (CVE-2023-21843)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21830
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21843
https://access.redhat.com/errata/RHSA-2023:0203
https://access.redhat.com/errata/RHSA-2023:0200
https://www.oracle.com/security-alerts/cpujan2023.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-src-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-demo-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-openjfx-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-openjfx-devel-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-devel-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-headless-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-1.mga8
java-1.8.0-openjdk-javadoc-1.8.0.362.b09-1.mga8

java-11-openjdk-demo-slowdebug-11.0.18.0.10-1.mga8
java-11-openjdk-demo-fastdebug-11.0.18.0.10-1.mga8
java-11-openjdk-demo-11.0.18.0.10-1.mga8
java-11-openjdk-slowdebug-11.0.18.0.10-1.mga8
java-11-openjdk-devel-fastdebug-11.0.18.0.10-1.mga8
java-11-openjdk-devel-slowdebug-11.0.18.0.10-1.mga8
java-11-openjdk-devel-11.0.18.0.10-1.mga8
java-11-openjdk-fastdebug-11.0.18.0.10-1.mga8
java-11-openjdk-11.0.18.0.10-1.mga8
java-11-openjdk-javadoc-zip-11.0.18.0.10-1.mga8
java-11-openjdk-src-slowdebug-11.0.18.0.10-1.mga8
java-11-openjdk-src-11.0.18.0.10-1.mga8
java-11-openjdk-src-fastdebug-11.0.18.0.10-1.mga8
java-11-openjdk-debugsource-11.0.18.0.10-1.mga8
java-11-openjdk-jmods-slowdebug-11.0.18.0.10-1.mga8
java-11-openjdk-headless-slowdebug-debuginfo-11.0.18.0.10-1.mga8
java-11-openjdk-static-libs-slowdebug-11.0.18.0.10-1.mga8
java-11-openjdk-headless-11.0.18.0.10-1.mga8
java-11-openjdk-static-libs-11.0.18.0.10-1.mga8
java-11-openjdk-static-libs-fastdebug-11.0.18.0.10-1.mga8
java-11-openjdk-jmods-fastdebug-11.0.18.0.10-1.mga8
java-11-openjdk-headless-fastdebug-11.0.18.0.10-1.mga8
java-11-openjdk-jmods-11.0.18.0.10-1.mga8
java-11-openjdk-javadoc-11.0.18.0.10-1.mga8
java-11-openjdk-headless-slowdebug-11.0.18.0.10-1.mga8

timezone-2022g-1.mga8
timezone-java-2022g-1.mga8

from SRPMS:
java-1.8.0-openjdk-1.8.0.362.b09-1.mga8.src.rpm
java-11-openjdk-11.0.18.0.10-1.mga8.src.rpm
timezone-2022g-1.mga8.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Source RPM: java-1.8.0-openjdk, java-11-openjdk => java-1.8.0-openjdk, java-11-openjdk, timezone
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs

Comment 2 Morgan Leijström 2023-01-27 13:03:15 CET
mga8-64 mini test

Updated what is installed:
- java-1.8.0-openjdk-1.8.0.362.b09-1.mga8.x86_64
- java-1.8.0-openjdk-headless-1.8.0.362.b09-1.mga8.x86_64
- java-11-openjdk-11.0.18.0.10-1.mga8.x86_64
- java-11-openjdk-headless-11.0.18.0.10-1.mga8.x86_64
- timezone-2022g-1.mga8.x86_64
- timezone-java-2022g-1.mga8.noarch

Tested java-1.8 OK using the java program FriBok (Swedish invoice and accounting), incl. printing.

CC: (none) => fri

Comment 3 Morgan Leijström 2023-01-27 21:16:08 CET
mga8-64 mini test, java-11 OK.

Using the java-based mind map program freeplane:
the start script selects "java_version = 11.0.18"
and the program works OK.
Comment 4 PC LX 2023-01-28 13:54:30 CET
Installed and tested without issues.

Tested using netbeans (upstream), edugraphe, ganttproject, libreoffice, yuicompressor, and freecol. Those are all the programs I have installed that depend on java. No regressions noticed.

System: Mageia 8, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.

$ uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep java-11
java-11-openjdk-headless-11.0.18.0.10-1.mga8
java-11-openjdk-11.0.18.0.10-1.mga8
$ rpm -qa | grep timezone
timezone-2022e-1.mga8
timezone-java-2022g-1.mga8

CC: (none) => mageia
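A quick way to confirm that a system actually received this update is to compare `rpm -qa` output against the fixed versions listed in the suggested advisory (comment 1); the `rpm -qa | grep timezone` output in comment 4 still shows timezone-2022e-1.mga8 next to timezone-java-2022g-1.mga8, which is exactly the kind of partial update such a check catches. The script below is an added example for this page, not Mageia QA tooling. It reimplements rpm's segment-wise version comparison (digits beat letters, a tilde sorts before anything), assumes the packages carry no epoch (true for the packages listed here), only knows the subset of fixed packages in the FIXED table, and runs on a constructed sample built from the comment 4 output plus one made-up older java-1.8.0 build carrying the .x86_64 suffix seen in comment 2.

```python
"""Check `rpm -qa` lines against the fixed package versions of this update.

Added example; not part of Mageia's tooling. FIXED is taken from the suggested
advisory in comment 1 (installed binary packages only). rpmvercmp() follows
rpm's segment rules; it assumes no epoch is in play (assumption).
"""
import re
from typing import Dict, List, Tuple

# name -> (version, release) of the packages that fix this bug (comment 1)
FIXED: Dict[str, Tuple[str, str]] = {
    "java-1.8.0-openjdk": ("1.8.0.362.b09", "1.mga8"),
    "java-1.8.0-openjdk-headless": ("1.8.0.362.b09", "1.mga8"),
    "java-1.8.0-openjdk-devel": ("1.8.0.362.b09", "1.mga8"),
    "java-11-openjdk": ("11.0.18.0.10", "1.mga8"),
    "java-11-openjdk-headless": ("11.0.18.0.10", "1.mga8"),
    "java-11-openjdk-devel": ("11.0.18.0.10", "1.mga8"),
    "timezone": ("2022g", "1.mga8"),
    "timezone-java": ("2022g", "1.mga8"),
}

# Arch suffixes stripped from `rpm -qa` lines (assumption: Mageia's usual set)
ARCHES = (".x86_64", ".i586", ".aarch64", ".armv7hl", ".noarch")
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does: -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        ta = sa[0] if sa else None
        tb = sb[0] if sb else None
        # '~' sorts before anything, including the end of the string
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            sa.pop(0)
            sb.pop(0)
            continue
        if ta is None:
            return -1  # a ran out of segments first, so a is older
        if tb is None:
            return 1
        sa.pop(0)
        sb.pop(0)
        if ta.isdigit() != tb.isdigit():
            return 1 if ta.isdigit() else -1  # numeric segment beats alpha
        if ta.isdigit():
            ia, ib = int(ta), int(tb)
            if ia != ib:
                return 1 if ia > ib else -1
        elif ta != tb:
            return 1 if ta > tb else -1
    return 0


def parse_nevr(line: str) -> Tuple[str, str, str]:
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    line = line.strip()
    for arch in ARCHES:
        if line.endswith(arch):
            line = line[: -len(arch)]
            break
    name, version, release = line.rsplit("-", 2)
    return name, version, release


def outdated(rpm_qa_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed_vr, fixed_vr) for known packages below the fix."""
    result = []
    for line in rpm_qa_lines:
        if not line.strip():
            continue
        name, ver, rel = parse_nevr(line)
        if name not in FIXED:
            continue
        fver, frel = FIXED[name]
        order = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
        if order < 0:
            result.append((name, f"{ver}-{rel}", f"{fver}-{frel}"))
    return result


# Constructed sample: the `rpm -qa` lines from comment 4, plus one made-up
# older java-1.8.0 build with the .x86_64 suffix shown in comment 2.
SAMPLE = """\
java-11-openjdk-headless-11.0.18.0.10-1.mga8
java-11-openjdk-11.0.18.0.10-1.mga8
timezone-2022e-1.mga8
timezone-java-2022g-1.mga8
java-1.8.0-openjdk-headless-1.8.0.345.b01-1.mga8.x86_64
""".splitlines()

if __name__ == "__main__":
    for name, have, want in outdated(SAMPLE):
        print(f"{name}: installed {have}, fixed in {want}")
```

On a real system feed it `rpm -qa` output instead of SAMPLE (for example `rpm -qa | python3 check.py` with `sys.stdin` in place of the sample list). Packages not in FIXED are ignored rather than reported, so extend the table with the debug, src or javadoc subpackages if those are installed.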

Comment 5 Thomas Andrews 2023-01-29 20:06:30 CET
Tested on a Probook 6550b mga8-64 Plasma system.

Qarepo couldn't find the two "debugsource" rpms or the "debuginfo" one, but I don't believe they belonged on the list, anyway. It did find the rest, and I updated the packages already installed:

The following 4 packages are going to be installed:

- java-11-openjdk-11.0.18.0.10-1.mga8.x86_64
- java-11-openjdk-headless-11.0.18.0.10-1.mga8.x86_64
- timezone-2022g-1.mga8.x86_64
- timezone-java-2022g-1.mga8.noarch

No installation issues. When asked about using rpmnew config files or doing nothing, I chose the new files.

Tested with Libreoffice, which I believe is the only application I have installed that uses them. I loaded and manipulated some old spreadsheets with Calc, then loaded an old odt document with Writer. Because the old Windows 98SE font used with the odt document had not been installed, Writer substituted a plain sans serif font, as it is supposed to do. After installing the Windows fonts, I again loaded the odt document, which displayed correctly in the original font.

Because of this and the other successful tests, I'm giving this an OK, and validating. Advisory in comment 1.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-06 22:41:58 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2023-02-07 01:08:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0037.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
