Bug 32724 - java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk new security issues
Summary: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All; OS: Linux
Priority: Normal; Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on: 32545
Blocks:
Reported: 2024-01-17 10:12 CET by Nicolas Salguero
Modified: 2024-05-16 23:47 CEST

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk
CVE: CVE-2024-20918, CVE-2024-20952, CVE-2024-20926, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945
Status comment:


Attachments
Log of install & uninstall packages java-1.8.0-openjdk (21.43 KB, text/plain)
2024-03-14 18:50 CET, katnatek
Log of install & uninstall packages java-11-openjdk (10.96 KB, text/plain)
2024-03-14 19:17 CET, katnatek
Log of install & uninstall packages java-latest-openjdk (16.09 KB, text/plain)
2024-03-14 19:32 CET, katnatek

Description Nicolas Salguero 2024-01-17 10:12:35 CET
RedHat has issued several advisories:
https://access.redhat.com/errata/RHSA-2024:0225 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2024:0234 (java-11-openjdk)
https://access.redhat.com/errata/RHSA-2024:0241 (java-17-openjdk)
https://access.redhat.com/errata/RHSA-2024:0249 (java-21-openjdk)

Corresponding Oracle CPUs:
https://www.oracle.com/security-alerts/cpujan2024.html#AppendixJAVA
Nicolas Salguero 2024-01-17 10:12:43 CET

Whiteboard: (none) => MGA9TOO
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk

Nicolas Salguero 2024-01-17 10:26:16 CET

Blocks: (none) => 32545

Comment 1 Lewis Smith 2024-01-17 19:45:50 CET
java-1.8.0-openjdk ns80
java-17-openjdk ns80
java-latest-openjdk ns80
It looks as if you are the current maintainer for all this, Nicolas, so assigning it to you.

Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2024-01-18 08:53:49 CET

Assignee: nicolas.salguero => java

Nicolas Salguero 2024-03-06 10:40:03 CET

Depends on: (none) => 32545
Blocks: 32545 => (none)

Comment 2 Nicolas Salguero 2024-03-06 10:47:14 CET
java-17-openjdk is handled in bug 32545.

For java-11-openjdk, here is the list of packages:
java-11-openjdk-11.0.22.0.7-1.mga9
java-11-openjdk-demo-11.0.22.0.7-1.mga9
java-11-openjdk-demo-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-demo-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-devel-11.0.22.0.7-1.mga9
java-11-openjdk-devel-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-devel-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-headless-11.0.22.0.7-1.mga9
java-11-openjdk-headless-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-headless-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-javadoc-11.0.22.0.7-1.mga9
java-11-openjdk-javadoc-zip-11.0.22.0.7-1.mga9
java-11-openjdk-jmods-11.0.22.0.7-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-src-11.0.22.0.7-1.mga9
java-11-openjdk-src-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-src-slowdebug-11.0.22.0.7-1.mga9
java-11-openjdk-static-libs-11.0.22.0.7-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.22.0.7-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.22.0.7-1.mga9

from SRPM:
java-11-openjdk-11.0.22.0.7-1.mga9.src.rpm
Comment 3 Nicolas Salguero 2024-03-06 12:54:05 CET
For java-1.8.0-openjdk, here is the list of packages:
java-1.8.0-openjdk-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-demo-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-devel-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-headless-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.402.b06-1.mga9.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.402.b06-1.mga9.noarch.rpm
java-1.8.0-openjdk-openjfx-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-src-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.402.b06-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.402.b06-1.mga9

from SRPM:
java-1.8.0-openjdk-1.8.0.402.b06-1.mga9.src.rpm
Comment 4 katnatek 2024-03-07 03:09:35 CET
Nicolas, is it normal that i586 has fewer packages than x86_64?
Comment 5 Nicolas Salguero 2024-03-07 09:16:06 CET
(In reply to katnatek from comment #4)
> Nicolas, is it normal that i586 has fewer packages than x86_64?

Yes, it is. i586 does not have fastdebug, and openjfx is limited to 64-bit arches.
Comment 6 Nicolas Salguero 2024-03-07 09:18:26 CET
For java-latest-openjdk, here is the list of packages:
java-latest-openjdk-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-demo-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-demo-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-devel-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-devel-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-headless-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-headless-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-javadoc-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-javadoc-zip-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-jmods-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-jmods-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-src-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-src-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-src-slowdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-static-libs-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-static-libs-fastdebug-21.0.2.0.13-1.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-21.0.2.0.13-1.rolling.1.mga9

from SRPM:
java-latest-openjdk-21.0.2.0.13-1.rolling.1.mga9.src.rpm
Comment 7 Nicolas Salguero 2024-03-07 09:24:16 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Array out-of-bounds access due to missing range check in C1 compiler. (CVE-2024-20918)

RSA padding issue and timing side-channel attack against TLS. (CVE-2024-20952)

Arbitrary Java code execution in Nashorn. (CVE-2024-20926)

JVM class file verifier flaw allows unverified bytecode execution. (CVE-2024-20919)

Range check loop optimization issue. (CVE-2024-20921)

Logging of digital signature private keys. (CVE-2024-20945)

References:
https://access.redhat.com/errata/RHSA-2024:0225
https://access.redhat.com/errata/RHSA-2024:0234
https://access.redhat.com/errata/RHSA-2024:0249
https://www.oracle.com/security-alerts/cpujan2024.html#AppendixJAVA

Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk
Assignee: java => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2024-20918, CVE-2024-20952, CVE-2024-20926, CVE-2024-20919, CVE-2024-20921, CVE-2024-20945

PC LX 2024-03-07 11:50:06 CET

CC: (none) => mageia

Comment 8 Morgan Leijström 2024-03-07 17:22:03 CET
mga9-64 mini test OK:

Updated java-1.8.0-openjdk and -headless

My old Java-based invoicing & book-keeping application FriBOK, which uses it, still works, incl. printing.

CC: (none) => fri

katnatek 2024-03-07 19:38:12 CET

Keywords: (none) => advisory

Comment 9 Herman Viaene 2024-03-12 11:35:41 CET
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues.
Configured LO to run java11, and ran my LO Base application: forms run OK, but on a report I get an error:
An exception occurred
Type: com.sun.star.uno.RuntimeException
Message: [jni_uno bridge error] UNO calling Java method execute: non-UNO exception occurred: java.lang.UnsupportedClassVersionError: org/jfree/layouting/LibLayoutInfo has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0

CC: (none) => herman.viaene

Comment 10 Herman Viaene 2024-03-12 12:00:52 CET
Same tests with 1.8.0 and a similar error:
BASIC runtime error.
An exception occurred
Type: com.sun.star.uno.RuntimeException
Message: [jni_uno bridge error] UNO calling Java method execute: non-UNO exception occurred: java.lang.UnsupportedClassVersionError: org/jfree/report/JFreeReportBoot has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
Comment 11 Herman Viaene 2024-03-12 12:03:40 CET
Confirm that switching LO back to latest 17 version gets rid of the reported error above.
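The two errors above are decided by one field in the class file header: major version 61 is Java 17, 55 is Java 11, 52 is Java 8, and a JVM loads nothing newer than its own version. As an added example (not code from this bug, Mageia or LibreOffice), a small Python checker that reads that field from every .class entry in a jar, so the runtime a jar needs is known before LO is pointed at an older JDK; the jar from sample_jar() is constructed inline with bare headers only.

```python
import io
import struct
import zipfile

# Class-file major version -> Java release that introduced it (JVM spec).
# The numbers in the errors above: 52 = Java 8, 55 = Java 11, 61 = Java 17.
MAJOR_TO_RELEASE = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5",
                    50: "6", 51: "7", 52: "8", 53: "9", 54: "10", 55: "11",
                    56: "12", 57: "13", 58: "14", 59: "15", 60: "16",
                    61: "17", 62: "18", 63: "19", 64: "20", 65: "21"}
RELEASE_TO_MAJOR = {v: k for k, v in MAJOR_TO_RELEASE.items()}
CLASS_MAGIC = 0xCAFEBABE


def class_file_version(data: bytes) -> tuple:
    """Return (major, minor) from the first 8 bytes of a .class file:
    u4 magic, u2 minor_version, u2 major_version, all big-endian."""
    if len(data) < 8:
        raise ValueError("truncated class file header")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a class file (magic 0x%08x)" % magic)
    return major, minor


def jar_required_major(jar) -> int:
    """Highest class-file major version among the .class entries of a jar
    (path or file-like object). A runtime older than that release throws
    UnsupportedClassVersionError on the newest class."""
    highest = 0
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                with zf.open(name) as fh:
                    major, _ = class_file_version(fh.read(8))
                highest = max(highest, major)
    return highest


def loads_on(major: int, runtime_release: str) -> bool:
    """A JVM only recognizes class files up to its own major version."""
    return major <= RELEASE_TO_MAJOR[runtime_release]


def sample_jar() -> io.BytesIO:
    """Constructed jar holding only class-file headers (no real bytecode):
    one Java 11 class and one Java 17 class, like a mixed LO extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a/Old.class", bytes.fromhex("cafebabe00000037"))  # 55
        zf.writestr("a/New.class", bytes.fromhex("cafebabe0000003d"))  # 61
    buf.seek(0)
    return buf
```

For the jar above, jar_required_major() reports 61, so it loads on java-17 but not on java-11 or 1.8.0, which is the behaviour seen in comments 9 to 11.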
Comment 12 katnatek 2024-03-14 18:50:56 CET
Created attachment 14457
Log of install & uninstall packages java-1.8.0-openjdk

RH mageia 9 x86_64

No issues detected on install or uninstall of java-1.8.0-openjdk packages
Comment 13 katnatek 2024-03-14 19:10:23 CET
(In reply to katnatek from comment #12)
> Created attachment 14457
> Log of install & uninstall packages java-1.8.0-openjdk
> 
> RH mageia 9 x86_64
Sorry, it is a VM
> 
> No issues detected on install or uninstall of java-1.8.0-openjdk packages
BTW, I did not include the src packages
Comment 14 katnatek 2024-03-14 19:17:45 CET
Created attachment 14458
Log of install & uninstall packages java-11-openjdk

VM mageia 9 x86_64

Installed/uninstalled java-11-openjdk packages except src packages

No issues detected
Comment 15 katnatek 2024-03-14 19:32:37 CET
Created attachment 14459
Log of install & uninstall packages java-latest-openjdk

VM mageia 9 x86_64

Excluding src packages
No issues detected
katnatek 2024-03-14 19:38:51 CET

CC: (none) => andrewsfarm

katnatek 2024-03-14 19:39:03 CET

Whiteboard: (none) => MGA9-64-OK

Comment 16 Thomas Andrews 2024-03-14 22:14:00 CET
Validating.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 17 Mageia Robot 2024-03-15 03:50:06 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0061.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 18 Morgan Leijström 2024-05-16 23:47:03 CEST
mga9-64 mini test OK:

Updated java-1.8.0-openjdk and -headless

My old Java-based invoicing & book-keeping application FriBOK, which uses it, still works, incl. printing.
