Bug 33648 - java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk new security issues
Summary: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and jav...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-10-17 10:53 CEST by Nicolas Salguero
Modified: 2024-11-13 19:48 CET

See Also:
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
CVE: CVE-2023-48161, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235
Status comment:


Attachments

Description Nicolas Salguero 2024-10-17 10:53:59 CEST
RedHat has issued advisories on October 16:
https://access.redhat.com/errata/RHSA-2024:8117 (java-1.8.0-openjdk)
https://access.redhat.com/errata/RHSA-2024:8121 (java-11-openjdk)
https://access.redhat.com/errata/RHSA-2024:8124 (java-17-openjdk)
https://access.redhat.com/errata/RHSA-2024:8127 (java-21-openjdk)

Corresponding Oracle CPU:
https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixJAVA
Nicolas Salguero 2024-10-17 10:56:02 CEST

Source RPM: (none) => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk
CVE: (none) => CVE-2023-48161, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235
Whiteboard: (none) => MGA9TOO

Comment 1 Marja Van Waes 2024-10-17 15:38:25 CEST
Assigning to you, Nicolas (Salguero), I hope you don't mind. You are only the registered maintainer of java-21-openjdk.
The registered maintainer of the rest of all these packages is Nicolas Lécureuil, but he isn't really available at the moment. CC'ing him.

CC: (none) => mageia, marja11
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-11-openjdk, java-latest-openjdk
Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2024-10-23 15:22:50 CEST
New versions of java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk and java-latest-openjdk (for Cauldron) and java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk and java-latest-openjdk (for Mageia 9) are committed into SVN.
Comment 3 Nicolas Salguero 2024-11-05 09:40:55 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function. (CVE-2023-48161)

Array indexing integer overflow. (CVE-2024-21210)

HTTP client improper handling of maxHeaderSize. (CVE-2024-21208)

Unbounded allocation leads to out-of-memory error. (CVE-2024-21217)

Integer conversion error leads to incorrect range check. (CVE-2024-21235)

References:
https://access.redhat.com/errata/RHSA-2024:8117
https://access.redhat.com/errata/RHSA-2024:8121
https://access.redhat.com/errata/RHSA-2024:8124
https://www.oracle.com/security-alerts/cpuoct2024.html#AppendixJAVA
========================

Updated packages in core/updates_testing:
========================
java-17-openjdk-17.0.13.0.11-1.mga9
java-17-openjdk-demo-17.0.13.0.11-1.mga9
java-17-openjdk-demo-fastdebug-17.0.13.0.11-1.mga9
java-17-openjdk-demo-slowdebug-17.0.13.0.11-1.mga9
java-17-openjdk-devel-17.0.13.0.11-1.mga9
java-17-openjdk-devel-fastdebug-17.0.13.0.11-1.mga9
java-17-openjdk-devel-slowdebug-17.0.13.0.11-1.mga9
java-17-openjdk-fastdebug-17.0.13.0.11-1.mga9
java-17-openjdk-headless-17.0.13.0.11-1.mga9
java-17-openjdk-headless-fastdebug-17.0.13.0.11-1.mga9
java-17-openjdk-headless-slowdebug-17.0.13.0.11-1.mga9
java-17-openjdk-javadoc-17.0.13.0.11-1.mga9
java-17-openjdk-javadoc-zip-17.0.13.0.11-1.mga9
java-17-openjdk-jmods-17.0.13.0.11-1.mga9
java-17-openjdk-jmods-fastdebug-17.0.13.0.11-1.mga9
java-17-openjdk-jmods-slowdebug-17.0.13.0.11-1.mga9
java-17-openjdk-slowdebug-17.0.13.0.11-1.mga9
java-17-openjdk-src-17.0.13.0.11-1.mga9
java-17-openjdk-src-fastdebug-17.0.13.0.11-1.mga9
java-17-openjdk-src-slowdebug-17.0.13.0.11-1.mga9
java-17-openjdk-static-libs-17.0.13.0.11-1.mga9
java-17-openjdk-static-libs-fastdebug-17.0.13.0.11-1.mga9
java-17-openjdk-static-libs-slowdebug-17.0.13.0.11-1.mga9

java-11-openjdk-11.0.25.0.9-1.mga9
java-11-openjdk-demo-11.0.25.0.9-1.mga9
java-11-openjdk-demo-fastdebug-11.0.25.0.9-1.mga9
java-11-openjdk-demo-slowdebug-11.0.25.0.9-1.mga9
java-11-openjdk-devel-11.0.25.0.9-1.mga9
java-11-openjdk-devel-fastdebug-11.0.25.0.9-1.mga9
java-11-openjdk-devel-slowdebug-11.0.25.0.9-1.mga9
java-11-openjdk-fastdebug-11.0.25.0.9-1.mga9
java-11-openjdk-headless-11.0.25.0.9-1.mga9
java-11-openjdk-headless-fastdebug-11.0.25.0.9-1.mga9
java-11-openjdk-headless-slowdebug-11.0.25.0.9-1.mga9
java-11-openjdk-javadoc-11.0.25.0.9-1.mga9
java-11-openjdk-javadoc-zip-11.0.25.0.9-1.mga9
java-11-openjdk-jmods-11.0.25.0.9-1.mga9
java-11-openjdk-jmods-fastdebug-11.0.25.0.9-1.mga9
java-11-openjdk-jmods-slowdebug-11.0.25.0.9-1.mga9
java-11-openjdk-slowdebug-11.0.25.0.9-1.mga9
java-11-openjdk-src-11.0.25.0.9-1.mga9
java-11-openjdk-src-fastdebug-11.0.25.0.9-1.mga9
java-11-openjdk-src-slowdebug-11.0.25.0.9-1.mga9
java-11-openjdk-static-libs-11.0.25.0.9-1.mga9
java-11-openjdk-static-libs-fastdebug-11.0.25.0.9-1.mga9
java-11-openjdk-static-libs-slowdebug-11.0.25.0.9-1.mga9

java-1.8.0-openjdk-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-demo-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-demo-fastdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-demo-slowdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-devel-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-devel-fastdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-devel-slowdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-fastdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-headless-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-headless-fastdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-headless-slowdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-javadoc-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-javadoc-zip-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-openjfx-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-fastdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-openjfx-devel-slowdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-openjfx-fastdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-openjfx-slowdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-slowdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-src-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-src-fastdebug-1.8.0.432.b06-1.mga9
java-1.8.0-openjdk-src-slowdebug-1.8.0.432.b06-1.mga9

java-latest-openjdk-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-demo-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-demo-fastdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-demo-slowdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-devel-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-devel-fastdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-devel-slowdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-fastdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-headless-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-headless-fastdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-headless-slowdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-javadoc-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-javadoc-zip-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-jmods-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-jmods-fastdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-jmods-slowdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-slowdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-src-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-src-fastdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-src-slowdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-static-libs-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-static-libs-fastdebug-23.0.1.0.11-2.rolling.1.mga9
java-latest-openjdk-static-libs-slowdebug-23.0.1.0.11-2.rolling.1.mga9

from SRPMS:
java-17-openjdk-17.0.13.0.11-1.mga9.src.rpm
java-11-openjdk-11.0.25.0.9-1.mga9.src.rpm
java-1.8.0-openjdk-1.8.0.432.b06-1.mga9.src.rpm
java-latest-openjdk-23.0.1.0.11-2.rolling.1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9
Source RPM: java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-11-openjdk, java-latest-openjdk => java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk
Status: NEW => ASSIGNED

Comment 4 Morgan Leijström 2024-11-05 10:25:17 CET
mga9 -64 OK partial test

My java based invoice program FriBok still works, incl printing.

Been using for a while:
$ rpm -qa --last|grep java-1 | sort
java-11-openjdk-11.0.25.0.9-1.mga9.x86_64     lör 26 okt 2024 22:55:36
java-11-openjdk-headless-11.0.25.0.9-1.mga9.x86_64 lör 26 okt 2024 22:55:31
java-17-openjdk-17.0.13.0.11-1.mga9.x86_64    tor 24 okt 2024 21:40:49
java-17-openjdk-headless-17.0.13.0.11-1.mga9.x86_64 tor 24 okt 2024 21:39:30
java-1.8.0-openjdk-1.8.0.432.b06-1.mga9.x86_64 tor 24 okt 2024 21:40:49
java-1.8.0-openjdk-headless-1.8.0.432.b06-1.mga9.x86_64 tor 24 okt 2024 21:39:24

CC: (none) => fri
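An added check (not part of this bug or of the Mageia packaging) that takes `rpm -qa --last` output like the tester's above and compares each java-*-openjdk package against the fixed Mageia 9 versions listed in the suggested advisory. It assumes the arch suffix is one of x86_64/i586/noarch and implements a simplified rpm version comparison (no '~' or '^' handling), which is enough for these version strings.

```python
import re

# Fixed Mageia 9 versions from the suggested advisory in this bug.
FIXED = {
    "java-1.8.0-openjdk": "1.8.0.432.b06-1.mga9",
    "java-11-openjdk": "11.0.25.0.9-1.mga9",
    "java-17-openjdk": "17.0.13.0.11-1.mga9",
    "java-latest-openjdk": "23.0.1.0.11-2.rolling.1.mga9",
}
# Constructed sample in `rpm -qa --last` form: two lines from the tester's
# output in this bug plus one package still at the pre-update java-17 build.
SAMPLE = """\
java-11-openjdk-11.0.25.0.9-1.mga9.x86_64     lör 26 okt 2024 22:55:36
java-17-openjdk-headless-17.0.12.0.7-1.mga9.x86_64 tor 24 okt 2024 21:39:30
java-1.8.0-openjdk-1.8.0.432.b06-1.mga9.x86_64 tor 24 okt 2024 21:40:49
"""

def rpmvercmp(a, b):
    # Simplified rpmvercmp: digit runs compare as ints, a digit run beats an alpha run, more segments is newer ('~'/'^' unhandled).
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(a, b):
    # 'version-release' strings: the version decides first, then the release.
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def split_nvra(nvra):
    # NVRA -> (name, 'version-release'); the arch suffix (assumed x86_64/i586/noarch) is stripped if present.
    name, ver, rel = nvra.rsplit("-", 2)
    return name, ver + "-" + re.sub(r"\.(x86_64|i586|noarch)$", "", rel)

def check_installed(rpm_qa_output):
    # Map each installed java-*-openjdk (sub)package to (installed, fixed, ok).
    report = {}
    for line in rpm_qa_output.strip().splitlines():
        name, evr = split_nvra(line.split()[0])  # drop the --last timestamp
        src = next((k for k in FIXED if name == k or name.startswith(k + "-")), None)
        if src:
            report[name] = (evr, FIXED[src], evrcmp(evr, FIXED[src]) >= 0)
    return report
```

Subpackages such as java-17-openjdk-headless are matched to their source package by name prefix, so a machine that only installed the headless build is still checked.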

katnatek 2024-11-05 18:18:31 CET

Keywords: (none) => advisory

Comment 5 katnatek 2024-11-05 23:37:21 CET
RH x86_64

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing java-17-openjdk-17.0.13.0.11-1.mga9.x86_64.rpm java-17-openjdk-headless-17.0.13.0.11-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/2: java-17-openjdk-headless
                                 #################################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/net.properties created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/net.properties.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.security created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/conf/security/java.security.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/default.policy created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/default.policy.rpmnew
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/public_suffix_list.dat created as /etc/java/java-17-openjdk/java-17-openjdk-17.0.13.0.11-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmnew
#
      2/2: java-17-openjdk       ##################################################################################################
      1/2: removing java-17-openjdk-1:17.0.12.0.7-1.mga9.x86_64
                                 ##################################################################################################
      2/2: removing java-17-openjdk-headless-1:17.0.12.0.7-1.mga9.x86_64
                                 ########################################################################################warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/public_suffix_list.dat saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/public_suffix_list.dat.rpmsave
warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/default.policy saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/lib/security/default.policy.rpmsave
#####warning: /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/conf/security/java.security saved as /etc/java/java-17-openjdk/java-17-openjdk-17.0.12.0.7-1.mga9.x86_64/conf/security/java.security.rpmsave
#####

jdownloader start, update plugins, update application OK
PC LX 2024-11-07 00:04:26 CET

CC: (none) => mageia

Comment 6 katnatek 2024-11-07 01:54:25 CET
RH i586

rpm -qa|grep java-17
java-17-openjdk-headless-17.0.13.0.11-1.mga9
java-17-openjdk-17.0.13.0.11-1.mga9


jdownloader start, update plugins, update application OK
Comment 7 Herman Viaene 2024-11-09 17:53:13 CET
MGA9-64 MATE on HP-Pavilion
No installation issues.
Ref bug 33413 for my testing with my own odb application.
Same results as then: versions java-1.8.0 and java-provoke crashes, java17 and latest work OK except for the issue with LO Base reports. Thus no regression.

CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2024-11-13 14:13:21 CET
Tests on both arches, no new regressions, sending this on.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK MGA9-32-OK

Comment 9 Mageia Robot 2024-11-13 19:48:53 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0364.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

