Bug 52268 - openjdk-8: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-6-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks: 52533
Reported: 2020-10-27 12:19 CET by Quality Assurance
Modified: 2020-12-22 12:16 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Description Quality Assurance univentionstaff 2020-10-27 12:19:30 CET
New Debian openjdk-8 8u272-b10-0+deb9u1 fixes:
This update addresses the following issues:
* High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862) (CVE-2020-14779)
* Credentials sent over unencrypted LDAP connection (JNDI, 8237990) (CVE-2020-14781)
* Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995) (CVE-2020-14782)
* Integer overflow leading to out-of-bounds access (Hotspot, 8241114) (CVE-2020-14792)
* Missing permission check in path to URI conversion (Libraries, 8242680) (CVE-2020-14796)
* Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685) (CVE-2020-14797)
* Missing maximum length check in WindowsNativeDispatcher.asNativeBuffer() (Libraries, 8242695) (CVE-2020-14798)
* Race condition in NIO Buffer boundary checks (Libraries, 8244136) (CVE-2020-14803)
Comment 1 Quality Assurance univentionstaff 2020-10-27 13:00:52 CET
--- mirror/ftp/4.4/unmaintained/4.4-6/source/openjdk-8_8u265-b01-0+deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-6/source/openjdk-8_8u272-b10-0+deb9u1.dsc
@@ -1,3 +1,28 @@
+8u272-b10-0+deb9u1 [Wed, 21 Oct 2020 23:52:22 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  * Update to 8u272-b10 (GA).
+  * Security fixes:
+    - JDK-8233624: Enhance JNI linkage
+    - JDK-8236196: Improve string pooling
+    - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+    - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+    - JDK-8237995, CVE-2020-14782: Enhance certificate processing
+    - JDK-8240124: Better VM Interning
+    - JDK-8241114, CVE-2020-14792: Better range handling
+    - JDK-8242680, CVE-2020-14796: Improved URI Support
+    - JDK-8242685, CVE-2020-14797: Better Path Validation
+    - JDK-8242695, CVE-2020-14798: Enhanced buffer support
+    - JDK-8243302: Advanced class supports
+    - JDK-8244136, CVE-2020-14803: Improved Buffer supports
+    - JDK-8244479: Further constrain certificates
+    - JDK-8244955: Additional Fix for JDK-8240124
+    - JDK-8245407: Enhance zoning of times
+    - JDK-8245412: Better class definitions
+    - JDK-8245417: Improve certificate chain handling
+    - JDK-8248574: Improve jpeg processing
+    - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+    - JDK-8253019: Enhanced JPEG decoding
+
 8u265-b01-0+deb9u1 [Wed, 12 Aug 2020 10:17:29 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
 
   * Non-maintainer upload by the LTS Team.
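Review bot: the eight CVE ids in this changelog hunk (CVE-2020-14779, -14781, -14782, -14792, -14796, -14797, -14798, -14803) match the eight listed in the bug description one to one, but the hunk also records "JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit", which belongs to the CVE-2020-14779 Proxy deserialization fix (JDK-8236862); consider naming that property in the errata text so administrators running applications that deserialize Proxy instances with many interfaces know a tunable limit now applies. The remaining non-CVE entries (JDK-8233624, JDK-8236196, JDK-8240124, JDK-8243302, JDK-8244479, JDK-8244955, JDK-8245407, JDK-8245412, JDK-8245417, JDK-8248574, JDK-8253019) are hardening fixes without a CVE in this hunk, so the errata should not claim a CVE for them.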

<http://10.200.17.11/4.4-6/#4858172219651191012>
Comment 2 Philipp Hahn univentionstaff 2020-10-27 18:00:41 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-6] d58a5f8ce2 Bug #52268: openjdk-8 8u272-b10-0+deb9u1
 doc/errata/staging/openjdk-8.yaml | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

[4.4-6] bdc1b45140 Bug #52268: openjdk-8 8u272-b10-0+deb9u1
 doc/errata/staging/openjdk-8.yaml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)