Bug 54044 - openjdk-8: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-8-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Depends on:
Blocks:
Reported: 2021-11-10 08:59 CET by Quality Assurance
Modified: 2021-11-10 17:52 CET

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N)
Description Quality Assurance univentionstaff 2021-11-10 08:59:50 CET
New Debian openjdk-8 8u312-b07-1~deb9u1 fixes:
This update addresses the following issues:
* Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550)
* Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556)
* Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559)
* Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561)
* Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564)
* Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565)
* Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567)
* Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578)
* Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586)
* Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071) (CVE-2021-35588)
* Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603)
Comment 1 Quality Assurance univentionstaff 2021-11-10 10:00:19 CET
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/openjdk-8_8u302-b08-1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-8/source/openjdk-8_8u312-b07-1~deb9u1.dsc
@@ -1,9 +1,49 @@
-8u302-b08-1~deb9u1 [Fri, 30 Jul 2021 03:00:20 +0200] Thorsten Glaser <tg@mirbsd.de>:
-
-  * Non-maintainer upload by the LTS Team.
-  * Provide builds for wheezy, jessie, stretch, buster, bullseye
+8u312-b07-1~deb9u1 [Sat, 06 Nov 2021 18:41:21 +0100] Thorsten Glaser <tg@mirbsd.de>:
+
   * Disable tests (debian/README.source documents why they fail)
+  * Build for stretch LTS, jessie ELTS
   * Effort sponsored by ⮡ tarent
+
+8u312-b07-1 [Fri, 05 Nov 2021 23:57:58 +0000] Thorsten Glaser <tg@mirbsd.de>:
+
+  * New upstream release (GA)
+  * Security fixes:
+    - JDK-8130183, CVE-2021-35588: InnerClasses: VM permits wrong
+      Throw ClassFormatError if InnerClasses attribute's
+      inner_class_info_index is 0
+    - JDK-8161016: Strange behavior of URLConnection with proxy
+    - JDK-8163326, CVE-2021-35550: Update the default enabled cipher
+      suites preference
+    - JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on
+      TLS session close
+    - JDK-8263314: Enhance XML Dsig modes
+    - JDK-8265167, CVE-2021-35556: Richer Text Editors
+    - JDK-8265574: Improve handling of sheets
+    - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
+    - JDK-8265776: Improve Stream handling for SSL
+    - JDK-8266097, CVE-2021-35561: Better hashing support
+    - JDK-8266103: Better specified spec values
+    - JDK-8266109: More Resilient Classloading
+    - JDK-8266115: More Manifest Jar Loading
+    - JDK-8266137, CVE-2021-35564: Improve Keystore integrity
+    - JDK-8266689, CVE-2021-35567: More Constrained Delegation
+    - JDK-8267086: ArrayIndexOutOfBoundsException in
+      java.security.KeyFactory.generatePublic
+    - JDK-8267712: Better LDAP reference processing
+    - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
+    - JDK-8267735, CVE-2021-35586: Better BMP support
+    - JDK-8268193: Improve requests of certificates
+    - JDK-8268199: Correct certificate requests
+    - JDK-8268506: More Manifest Digests
+    - JDK-8269618, CVE-2021-35603: Better session identification
+    - JDK-8269624: Enhance method selection support
+    - JDK-8270398: Enhance canonicalization
+    - JDK-8270404: Better canonicalization
+  * Other changes: see
+    https://mail.openjdk.java.net/pipermail/jdk8u-dev/2021-October/014373.html
+  * Policy 4.6.1, no relevant changes
+  * d/copyright: Apply changes since 8u302
+  * Upload sponsored by ⮡ tarent
 
 8u302-b08-1 [Thu, 29 Jul 2021 20:45:23 +0200] Thorsten Glaser <tg@mirbsd.de>:
 
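Review bot: the JDK bug ids paired with two of the CVEs in this changelog differ from the ids given in the bug description: CVE-2021-35550 is listed against JDK-8163326 here but 8264210 in the description, and CVE-2021-35588 against JDK-8130183 here but 8268071 in the description; confirm which ids doc/errata/staging/openjdk-8.yaml should cite before the announcement goes out. The JDK-8130183 entry also reads as two fragments run together ("InnerClasses: VM permits wrong" / "Throw ClassFormatError if InnerClasses attribute's inner_class_info_index is 0") and would be clearer as a single sentence. All eleven CVEs from the description do appear under "Security fixes", so coverage of the advisory is complete.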

<http://piuparts.knut.univention.de/4.4-8/#3318167015083678665>
Comment 2 Philipp Hahn univentionstaff 2021-11-10 10:21:59 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] 03f2eb45b6 Bug #54044: openjdk-8 8u312-b07-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

[4.4-8] d5a78ef7f0 Bug #54044: openjdk-8 8u312-b07-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 41 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)