Bug 33413 - java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issues
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: Java Stack Maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-18 11:09 CEST by Nicolas Salguero
Modified: 2024-07-25 10:45 CEST

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk
CVE: CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147
Status comment:


Description Nicolas Salguero 2024-07-18 11:09:21 CEST
For the moment, Red Hat has issued only one advisory:
https://access.redhat.com/errata/RHSA-2024:4573 (java-21-openjdk)

I think the other ones will follow in the next days or weeks.

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpujul2024.html#AppendixJAVA
Nicolas Salguero 2024-07-18 11:10:24 CEST

Severity: normal => major
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk
CVE: (none) => CVE-2024-21131, CVE-2024-2113, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147

Comment 1 Lewis Smith 2024-07-18 21:57:32 CEST
The RH link above does show all these CVEs:
    CVE-2024-21131
    CVE-2024-21138
    CVE-2024-21140
    CVE-2024-21145
    CVE-2024-21147
I wonder whether the list in the 'CVE' field is right: that has CVE-2024-2113 rather than 38.

I could find no sign of corrections.

Assignee: bugsquad => java

Comment 2 Nicolas Salguero 2024-07-25 10:45:12 CEST
https://access.redhat.com/errata/RHSA-2024:4560 (java-1.8.0-openjdk)
Nicolas Salguero 2024-07-25 10:45:59 CEST

CVE: CVE-2024-21131, CVE-2024-2113, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147 => CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21145, CVE-2024-21147

