Bug 54444 - openjdk-8: Multiple issues (4.4)
openjdk-8: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-8-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-02-11 12:00 CET by Quality Assurance
Modified: 2022-02-16 12:23 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2022-02-11 12:00:52 CET
New Debian openjdk-8 8u322-b06-1~deb9u1 fixes:
This update addresses the following issues:
* Incomplete deserialization class filtering in ObjectInputStream  (Serialization, 8264934) (CVE-2022-21248)
* Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492)  (CVE-2022-21282)
* Unexpected exception thrown in regex Pattern (Libraries, 8268813)  (CVE-2022-21283)
* Incomplete checks of StringBuffer and StringBuilder during deserialization  (Libraries, 8270392) (CVE-2022-21293)
* Incorrect IdentityHashMap size checks during deserialization (Libraries,  8270416) (CVE-2022-21294)
* Incorrect access checks in XMLEntityManager (JAXP, 8270498)  (CVE-2022-21296)
* Infinite loop related to incorrect handling of newlines in XMLEntityScanner  (JAXP, 8270646) (CVE-2022-21299)
* Array indexing issues in LIRGenerator (Hotspot, 8272014) (CVE-2022-21305)
* Excessive resource use when reading JAR manifest attributes (Libraries,  8272026) (CVE-2022-21340)
* Insufficient checks when deserializing exceptions in ObjectInputStream  (Serialization, 8272236) (CVE-2022-21341)
* Unaligned memory access in ContextualGlyphSubstProc2 (2D, 8273748)  (CVE-2022-21349)
* Excessive memory allocation in BMPImageReader (ImageIO, 8273756)  (CVE-2022-21360)
* Integer overflow in BMPImageReader (ImageIO, 8273838) (CVE-2022-21365)
Comment 1 Quality Assurance univentionstaff 2022-02-11 13:04:21 CET
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/openjdk-8_8u312-b07-1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-8/source/openjdk-8_8u322-b06-1~deb9u1.dsc
@@ -1,3 +1,38 @@
+8u322-b06-1~deb9u1 [Wed, 09 Feb 2022 11:40:17 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  [ Emilio Pozuelo Monfort ]
+  * New upstream release.
+  * Adapt rules for the move to git and for the new merged repo layout.
+  * Security fixes:
+    - JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
+    - JDK-8268488: More valuable DerValues
+    - JDK-8268494: Better inlining of inlined interfaces
+    - JDK-8268512: More content for ContentInfo
+    - JDK-8268795: Enhance digests of Jar files
+    - JDK-8268801: Improve PKCS attribute handling
+    - JDK-8268813, CVE-2022-21283: Better String matching
+    - JDK-8269151: Better construction of EncryptedPrivateKeyInfo
+    - JDK-8269944: Better HTTP transport redux
+    - JDK-8270392, CVE-2022-21293: Improve String constructions
+    - JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
+    - JDK-8270492, CVE-2022-21282: Better resolution of URIs
+    - JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
+    - JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
+    - JDK-8271962: Better TrueType font loading
+    - JDK-8271968: Better canonical naming
+    - JDK-8271987: Manifest improved manifest entries
+    - JDK-8272014, CVE-2022-21305: Better array indexing
+    - JDK-8272026, CVE-2022-21340: Verify Jar Verification
+    - JDK-8272236, CVE-2022-21341: Improve serial forms for transport
+    - JDK-8272272: Enhance jcmd communication
+    - JDK-8272462: Enhance image handling
+    - JDK-8273290: Enhance sound handling
+    - JDK-8273748, CVE-2022-21349: Improve Solaris font rendering
+    - JDK-8273756, CVE-2022-21360: Enhance BMP image support
+    - JDK-8273838, CVE-2022-21365: Enhanced BMP processing
+  * Other changes, see
+    https://mail.openjdk.java.net/pipermail/jdk8u-dev/2022-January/014522.html
+
 8u312-b07-1~deb9u1 [Sat, 06 Nov 2021 18:41:21 +0100] Thorsten Glaser <tg@mirbsd.de>:
 
   * Disable tests (debian/README.source documents why they fail)

<http://piuparts.knut.univention.de/4.4-8/#5375059639555803433>
Comment 2 Philipp Hahn univentionstaff 2022-02-15 14:43:29 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] 3d55e534d8 Bug #54444: openjdk-8 8u322-b06-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 47 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)