Bug 33413 - java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk new security issues
Summary: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33449
Reported: 2024-07-18 11:09 CEST by Nicolas Salguero
Modified: 2024-09-27 19:22 CEST (History)
CC: 7 users

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
CVE: CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147
Status comment:


Description Nicolas Salguero 2024-07-18 11:09:21 CEST
For the moment, RedHat has issued only one advisory:
https://access.redhat.com/errata/RHSA-2024:4573 (java-21-openjdk)

I think the other ones will follow in the next days or weeks.

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpujul2024.html#AppendixJAVA
Nicolas Salguero 2024-07-18 11:10:24 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-21131, CVE-2024-2113, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk
Severity: normal => major

Comment 1 Lewis Smith 2024-07-18 21:57:32 CEST
The RH link above does show all these CVEs:
    CVE-2024-21131
    CVE-2024-21138
    CVE-2024-21140
    CVE-2024-21145
    CVE-2024-21147
I wonder whether the list in the 'CVE' field is right: that has CVE-2024-2113 rather than 38.

I could find no sign of corrections.

Assignee: bugsquad => java

Comment 2 Nicolas Salguero 2024-07-25 10:45:12 CEST
https://access.redhat.com/errata/RHSA-2024:4560 (java-1.8.0-openjdk)
Nicolas Salguero 2024-07-25 10:45:59 CEST

CVE: CVE-2024-21131, CVE-2024-2113, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147 => CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147

Comment 3 Nicolas Salguero 2024-09-16 12:02:01 CEST
https://access.redhat.com/errata/RHSA-2024:4567 (java-11-openjdk)
https://access.redhat.com/errata/RHSA-2024:4568 (java-17-openjdk)
Nicolas Salguero 2024-09-16 12:02:40 CEST

CVE: CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147 => CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147

Comment 4 Nicolas Salguero 2024-09-18 09:41:47 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Potential UTF8 size overflow. (CVE-2024-21131)

Excessive symbol length can lead to infinite loop. (CVE-2024-21138)

Range Check Elimination (RCE) pre-loop limit overflow. (CVE-2024-21140)

Pack200 increase loading time due to improper header validation. (CVE-2024-21144)

Out-of-bounds access in 2D image handling. (CVE-2024-21145)

RangeCheckElimination array index overflow. (CVE-2024-21147)

References:
https://www.oracle.com/security-alerts/cpujul2024.html#AppendixJAVA
https://access.redhat.com/errata/RHSA-2024:4560
https://access.redhat.com/errata/RHSA-2024:4567
https://access.redhat.com/errata/RHSA-2024:4568
========================

Updated packages in core/updates_testing:
========================
java-1.8.0-openjdk-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-demo-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-devel-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-headless-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-javadoc-zip-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-src-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.422.b05-1.mga9

java-11-openjdk-11.0.24.0.8-1.mga9
java-11-openjdk-demo-11.0.24.0.8-1.mga9
java-11-openjdk-demo-fastdebug-11.0.24.0.8-1.mga9
java-11-openjdk-demo-slowdebug-11.0.24.0.8-1.mga9
java-11-openjdk-devel-11.0.24.0.8-1.mga9
java-11-openjdk-devel-fastdebug-11.0.24.0.8-1.mga9
java-11-openjdk-devel-slowdebug-11.0.24.0.8-1.mga9
java-11-openjdk-fastdebug-11.0.24.0.8-1.mga9
java-11-openjdk-headless-11.0.24.0.8-1.mga9
java-11-openjdk-headless-fastdebug-11.0.24.0.8-1.mga9
java-11-openjdk-headless-slowdebug-11.0.24.0.8-1.mga9
java-11-openjdk-javadoc-11.0.24.0.8-1.mga9
java-11-openjdk-javadoc-zip-11.0.24.0.8-1.mga9
java-11-openjdk-jmods-11.0.24.0.8-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.24.0.8-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.24.0.8-1.mga9
java-11-openjdk-slowdebug-11.0.24.0.8-1.mga9
java-11-openjdk-src-11.0.24.0.8-1.mga9
java-11-openjdk-src-fastdebug-11.0.24.0.8-1.mga9
java-11-openjdk-src-slowdebug-11.0.24.0.8-1.mga9
java-11-openjdk-static-libs-11.0.24.0.8-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.24.0.8-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.24.0.8-1.mga9

java-17-openjdk-17.0.12.0.7-1.mga9
java-17-openjdk-demo-17.0.12.0.7-1.mga9
java-17-openjdk-demo-fastdebug-17.0.12.0.7-1.mga9
java-17-openjdk-demo-slowdebug-17.0.12.0.7-1.mga9
java-17-openjdk-devel-17.0.12.0.7-1.mga9
java-17-openjdk-devel-fastdebug-17.0.12.0.7-1.mga9
java-17-openjdk-devel-slowdebug-17.0.12.0.7-1.mga9
java-17-openjdk-fastdebug-17.0.12.0.7-1.mga9
java-17-openjdk-headless-17.0.12.0.7-1.mga9
java-17-openjdk-headless-fastdebug-17.0.12.0.7-1.mga9
java-17-openjdk-headless-slowdebug-17.0.12.0.7-1.mga9
java-17-openjdk-javadoc-17.0.12.0.7-1.mga9
java-17-openjdk-javadoc-zip-17.0.12.0.7-1.mga9
java-17-openjdk-jmods-17.0.12.0.7-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.12.0.7-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.12.0.7-1.mga9
java-17-openjdk-slowdebug-17.0.12.0.7-1.mga9
java-17-openjdk-src-17.0.12.0.7-1.mga9
java-17-openjdk-src-fastdebug-17.0.12.0.7-1.mga9
java-17-openjdk-src-slowdebug-17.0.12.0.7-1.mga9
java-17-openjdk-static-libs-17.0.12.0.7-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.12.0.7-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.12.0.7-1.mga9

java-latest-openjdk-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-demo-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-demo-fastdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-devel-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-devel-fastdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-fastdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-headless-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-headless-fastdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-javadoc-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-javadoc-zip-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-jmods-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-jmods-fastdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-slowdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-src-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-src-fastdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-src-slowdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-static-libs-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-static-libs-fastdebug-22.0.2.0.9-1.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-22.0.2.0.9-1.rolling.1.mga9

from SRPMS:
java-1.8.0-openjdk-1.8.0.422.b05-1.mga9.src.rpm
java-11-openjdk-11.0.24.0.8-1.mga9.src.rpm
java-17-openjdk-17.0.12.0.7-1.mga9.src.rpm
java-latest-openjdk-22.0.2.0.9-1.rolling.1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Assignee: java => qa-bugs
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
Status: NEW => ASSIGNED

Comment 5 PC LX 2024-09-18 14:53:35 CEST
Installed and tested without issues.

Installed packages:
  java-1.8.0-openjdk             1.8.0.422.b> 1.mga9        x86_64  
  java-1.8.0-openjdk-headless    1.8.0.422.b> 1.mga9        x86_64  
  java-1.8.0-openjdk-openjfx     1.8.0.422.b> 1.mga9        x86_64  
  java-11-openjdk                11.0.24.0.8  1.mga9        x86_64  
  java-11-openjdk-headless       11.0.24.0.8  1.mga9        x86_64  
  java-17-openjdk                17.0.12.0.7  1.mga9        x86_64  
  java-17-openjdk-headless       17.0.12.0.7  1.mga9        x86_64  

Tested with libreoffice, rachota, ganttproject, netbeans (upstream), edugraphe, yuicompressor, and freecol.
No issues noticed.



System: Mageia 9, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.50-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sun Sep  8 12:38:27 UTC 2024 x86_64 GNU/Linux
$ rpm -qa | grep -P '^java-' | sort
java-11-openjdk-11.0.24.0.8-1.mga9
java-11-openjdk-headless-11.0.24.0.8-1.mga9
java-17-openjdk-17.0.12.0.7-1.mga9
java-17-openjdk-headless-17.0.12.0.7-1.mga9
java-1.8.0-openjdk-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-headless-1.8.0.422.b05-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.422.b05-1.mga9

CC: (none) => mageia

Comment 6 Herman Viaene 2024-09-18 15:20:20 CEST
java-1.8.0-openjdk-openjfx-devel-1.8.0.422.b05-1.mga9.x86_64 requires java-17-openjdk-devel-17.0.11.0.9-1.mga9.x86_64.
Is that correct?

CC: (none) => herman.viaene

Comment 7 Nicolas Salguero 2024-09-18 15:34:50 CEST
I cannot reproduce such a requirement: java-1.8.0-openjdk-openjfx-devel requires itself and openjfx8-devel, which requires java-1.8.0-openjdk-devel and openjfx8.
Comment 8 Herman Viaene 2024-09-18 15:54:01 CEST
Removed all java and installed again. This is what MCC reports:
- java-1.8.0-openjdk-1.8.0.422.b05-1.mga9.x86_64
- java-1.8.0-openjdk-demo-1.8.0.422.b05-1.mga9.x86_64
- java-1.8.0-openjdk-devel-1.8.0.422.b05-1.mga9.x86_64
- java-1.8.0-openjdk-headless-1.8.0.422.b05-1.mga9.x86_64
- java-1.8.0-openjdk-javadoc-1.8.0.422.b05-1.mga9.noarch
- java-1.8.0-openjdk-javadoc-zip-1.8.0.422.b05-1.mga9.noarch
- java-1.8.0-openjdk-openjfx-1.8.0.422.b05-1.mga9.x86_64
- java-1.8.0-openjdk-openjfx-devel-1.8.0.422.b05-1.mga9.x86_64
- java-17-openjdk-devel-17.0.11.0.9-1.mga9.x86_64
- openjfx8-8.0.202-35.b07.3.mga9.x86_64
- openjfx8-devel-8.0.202-35.b07.3.mga9.x86_64

But the issue may be provoked by the fact that installing LO 7.6.xxx drew in java-17-openjdk??
Anyway continuing the test with my odb application. As in previous tests, running a report throws the same error. I checked previous updates and the last that worked OK on this 1.8.0 was in bug 32203.
Continuing with other versions ....
Comment 9 Herman Viaene 2024-09-18 16:07:44 CEST
No installation issues with updates for java-11.
Same issue as before with running reports in a LO odb application.
Comment 10 Herman Viaene 2024-09-18 16:29:21 CEST
Java-17 installs OK and all items in the odb application run OK, apart from the longstanding issue with missing page breaks in a report in the Mageia-versions of LO.
So none of the issues above present a regression viz. previous updates.
Comment 11 Herman Viaene 2024-09-18 16:49:03 CEST
Java latest 22 gives the same result as Java 17, so OK.
Although my bad temper would rather reject the 1.8.0 and 11. Leaving for others to do their own tests.
katnatek 2024-09-18 18:53:47 CEST

Keywords: (none) => advisory
Summary: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issues => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk new security issues

Comment 12 Morgan Leijström 2024-09-19 10:57:51 CEST
mga9-64 mini test OK:

My old java based invoicing & book-keeping application FriBOK that use it still works, incl printing.

CC: (none) => fri

Comment 13 Brian Rockwell 2024-09-19 14:52:37 CEST
MGA9-64, Plasma

The following 2 packages are going to be installed:

- java-17-openjdk-17.0.12.0.7-1.mga9.x86_64
- java-17-openjdk-headless-17.0.12.0.7-1.mga9.x86_64

102KB of additional disk space will be used.


$ java -version
openjdk version "17.0.12" 2024-07-16 LTS
OpenJDK Runtime Environment 21.9 (build 17.0.12+7-LTS)
OpenJDK 64-Bit Server VM 21.9 (build 17.0.12+7-LTS, mixed mode, sharing)

I was able to run my very old bookreader application and to my surprise it worked.

CC: (none) => brtians1

katnatek 2024-09-23 19:42:04 CEST

Blocks: (none) => 33449

Comment 14 katnatek 2024-09-24 19:41:37 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update 
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing java-17-openjdk-headless-17.0.12.0.7-1.mga9.x86_64.rpm java-17-openjdk-17.0.12.0.7-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: java-17-openjdk-headless
                                 #################################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/conf/security/java.security created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/conf/security/java.security.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/default.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/default.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/public_suffix_list.dat created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmnew
#
      2/2: java-17-openjdk       ##################################################################################################
      1/2: removing java-17-openjdk-1:17.0.11.0.9-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing java-17-openjdk-headless-1:17.0.11.0.9-1.mga9.x86_64
                                 ########################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.11.0.9-1.mga9.x86_64/lib/security/public_suffix_list.dat saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.11.0.9-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.11.0.9-1.mga9.x86_64/lib/security/default.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.11.0.9-1.mga9.x86_64/lib/security/default.policy.rpmsave
####warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.11.0.9-1.mga9.x86_64/conf/security/java.security saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.11.0.9-1.mga9.x86_64/conf/security/java.security.rpmsave
######

jdownloader starts, downloads plugin updates; restart to apply updates. OK for me.
Comment 15 katnatek 2024-09-26 23:52:04 CEST
RH i586

rpm -qa|grep java-17
java-17-openjdk-headless-17.0.12.0.7-1.mga9
java-17-openjdk-17.0.12.0.7-1.mga9

tested with jdownloader without issues
Comment 16 Thomas Andrews 2024-09-27 14:13:47 CEST
Lots of tests, no issues. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK MGA9-32-OK

Comment 17 Dan Fandrich 2024-09-27 18:08:24 CEST
FWIW, the advisory does NOT list java-latest-openjdk so that's not being pushed. It's not clear if that's desired or not, but comment #11 says it works.

CC: (none) => dan

Comment 18 katnatek 2024-09-27 18:39:39 CEST
(In reply to Dan Fandrich from comment #17)
> FWIW, the advisory does NOT list java-latest-openjdk so that's not being
> pushed. It's not clear if that's desired or not, but comment #11 says it
> works.

Obviously it was a mistake. Fixed.
Comment 19 Dan Fandrich 2024-09-27 18:46:25 CEST
Caught it in time—I'm pushing it with the others now.
Comment 20 Mageia Robot 2024-09-27 19:22:36 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0319.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
