Bug 50398 - openjdk-8: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-2-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Depends on:
Blocks:

Reported: 2019-10-22 08:14 CEST by Quality Assurance
Modified: 2019-10-23 14:59 CEST

What kind of report is it?: Security Issue
Max CVSS v3 score: 6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) NVD RedHat


Description Quality Assurance univentionstaff 2019-10-22 08:14:45 CEST
New Debian openjdk-8 8u232-b09-1~deb9u1 fixes:
This update addresses the following issues:
* Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). (CVE-2019-2894)
* Missing restrictions on use of custom SocketImpl (Networking, 8218573) (CVE-2019-2945)
* Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)
* NULL pointer dereference in DrawGlyphList (2D, 8222690) (CVE-2019-2962)
* Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684) (CVE-2019-2964)
* Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505) (CVE-2019-2973)
* Unexpected exception thrown during regular expression processing in Nashorn (Scripting, 8223518) (CVE-2019-2975)
* Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892) (CVE-2019-2978)
* Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532) (CVE-2019-2981)
* Unexpected exception thrown during Font object deserialization (Serialization, 8224915) (CVE-2019-2983)
* Missing glyph bitmap image dimension check in FreetypeFontScaler (2D, 8225286) (CVE-2019-2987)
* Integer overflow in bounds check in SunGraphics2D (2D, 8225292) (CVE-2019-2988)
* Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298) (CVE-2019-2989)
* Excessive memory allocation in CMap when reading TrueType font (2D, 8225597) (CVE-2019-2992)
* Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765) (CVE-2019-2999)
Comment 1 Quality Assurance univentionstaff 2019-10-22 09:00:17 CEST
--- mirror/ftp/4.4/unmaintained/4.4-2/source/openjdk-8_8u222-b10-1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-2/source/openjdk-8_8u232-b09-1~deb9u1.dsc
@@ -1,6 +1,98 @@
-8u222-b10-1~deb9u1 [Fri, 19 Jul 2019 16:57:48 +0000] Moritz Muehlenhoff <jmm@debian.org>:
-
-  * Rebuild for stretch
+8u232-b09-1~deb9u1 [Sat, 19 Oct 2019 17:00:54 +0200] Moritz Muehlenhoff <jmm@debian.org>:
+
+  * Rebuild for stretch-security
+
+8u232-b09-1 [Thu, 17 Oct 2019 22:41:19 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  * Update to 8u222-b09 (release build).
+  * Security fixes:
+    - S8167646: Better invalid FilePermission.
+    - S8213429, CVE-2019-2933: Windows file handling redux.
+    - S8218573, CVE-2019-2945: Better socket support.
+    - S8218877: Help transform transformers.
+    - S8220186: Improve use of font temporary files.
+    - S8220302, CVE-2019-2949: Better Kerberos ccache handling.
+    - S8221497: Optional Panes in Swing.
+    - S8221858, CVE-2019-2958: Build Better Processes.
+    - S8222684, CVE-2019-2964: Better support for patterns.
+    - S8222690, CVE-2019-2962: Better Glyph Images.
+    - S8223163: Better pattern recognition.
+    - S8223505, CVE-2019-2973: Better pattern compilation.
+    - S8223518, CVE-2019-2975: Unexpected exception in jjs.
+    - S8223892, CVE-2019-2978: Improved handling of jar files.
+    - S8224025: Fix for JDK-8220302 is not complete.
+    - S8224532, CVE-2019-2981: Better Path supports.
+    - S8224915, CVE-2019-2983: Better serial attributes.
+    - S8225286, CVE-2019-2987: Better rendering of native glyphs.
+    - S8225292, CVE-2019-2988: Better Graphics2D drawing.
+    - S8225298, CVE-2019-2989: Improve TLS connection support.
+    - S8225597, CVE-2019-2992: Enhance font glyph mapping.
+    - S8226765, CVE-2019-2999: Commentary on Javadoc comments.
+    - S8227129: Better ligature for subtables.
+    - S8227601: Better collection of references.
+    - S8228825, CVE-2019-2894: Enhance ECDSA operations.
+
+8u232-b07-2 [Tue, 01 Oct 2019 13:49:35 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  * Update to 8u232-b07 (early access build).
+
+  [ Matthias Klose ]
+  * Refresh patches.
+  * openjdk-8-jdk-headless: Add Breaks/Replaces for moved clhsdb binary.
+    LP: #1845873.
+  * debian/tests/control: Depend on g++ instead of build-essential or libc6-dev.
+  * Bump standards vesion.
+
+  [ Tiago Stürmer Daitx ]
+  * Improve and fix build tests and autopkgtests:
+    - Update debian/tests/hotspot,jdk,langtools to ignore
+      jtreg-autopkgtest.sh return code.
+    - Create debian/tests/jtdiff-autopkgtest.in as it depends
+      on debian/rules variables.
+    - debian/control.in, debian/control: add default-jre-headless
+      to Build-Depends with a nocheck clause as jtreg requires
+      a JRE in /usr/lib/jvm/default-java.
+    - debian/tests/control:
+      + Add zip and unzip test dependencies required by jdk's
+        test/sun/security/tools/jarsigner/diffend.sh and
+        test/sun/security/tools/jarsigner/emptymanifest.sh.
+      + Depend on default-jre-headless so jtreg will use the
+        JRE from /usr/lib/jvm/default-java.
+    - debian/tests/jtdiff-autopkgtest.sh:
+      + Fail only if an actual regression is detected.
+      + Add the super-diff comparison from jtdiff.
+      + Save failed jtr files for all runs.
+    - debian/tests/jtreg-autopkgtest.sh:
+      + Enable retry of failed tests to trim out flaky tests.
+      + Fix unbound variable.
+      + Keep .jtr files from failed tests only.
+    - debian/patches/jdk-problem-list.diff: ignore failing tests
+      that require more investigation.
+    - debian/rules:
+      + Preserve all JTreport directories in the test output
+        directory.
+      + Use JDK_DIR instead of JDK_TO_TEST for autopkgtest
+        generation.
+      + Package all .jtr files from JTwork as jtreg-autopkgtest.sh
+        makes sure it contains only failed tests.
+  * debian/tests/jdk: add our custom debian/tests/jdk-problem-list.txt to the
+    exclusion list.
+  * debian/tests/jdk-problem-list.txt: custom exclusion rules for jdk tests
+    that fail to run during a build or autopkgtest run.
+  * debian/rules: remove debian/patches/jdk-problem-list.diff.
+  * debian/patches/jdk-problem-list.diff: jtreg allows for extra exclusion
+    files thus there's no need to patch upstream's exclusion list.
+  * debian/tests/control: mark all autopkgtests as flaky.
+  * debian/tests/hotspot-archs: generated by debian/rules, contains a list of
+    archs that supports a hotspot vm.
+  * debian/tests/jdk: run only when the host arch is a hotspot vm - allow
+    override through an environment variable.
+  * debian/rules: update gen-autopkgtests to echo supported hotspot archs.
+
+8u232-b04-1 [Fri, 06 Sep 2019 18:03:11 +0200] Matthias Klose <doko@ubuntu.com>:
+
+  * Update to 8u232-b04 (early access build).
+  * Refresh patches.
 
 8u222-b10-1 [Thu, 18 Jul 2019 18:57:23 +0200] Matthias Klose <doko@ubuntu.com>:
 
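Review bot: the first bullet of the 8u232-b09-1 entry reads "* Update to 8u222-b09 (release build)." while the entry header and the package version are 8u232-b09; this looks like a typo for "8u232-b09" and should not be carried over into the errata text. Two CVEs listed under "Security fixes" in that entry, CVE-2019-2933 (S8213429, "Windows file handling redux") and CVE-2019-2958 (S8221858, "Build Better Processes"), do not appear in the issue list of the description; confirm that their omission from doc/errata/staging/openjdk-8.yaml is intentional (the S8213429 title suggests a Windows-only issue) rather than overlooked. Minor: "Bump standards vesion." in the 8u232-b07-2 entry should read "version".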

<http://10.200.17.11/4.4-2/#6521605547572003112>
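The errata YAML built in this bug is derived from the description's issue list, while the authoritative record of what the upload fixes is the Debian changelog quoted above. The following is an added example, not part of this bug report and not Univention's errata tooling: it cross-checks the CVE identifiers in the two texts and verifies that the JDK bug id attached to each CVE agrees between them. Both inputs are constructed samples copied from this page (the CVE-2019-2894 advisory entry is abridged to its identifier; the changelog sample is the "Security fixes" block of the 8u232-b09-1 entry).

```python
import re

# Constructed sample: the issue list from the bug description, copied from
# this page (the CVE-2019-2894 entry is abridged to its identifier).
ADVISORY_TEXT = """\
* Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). [...] (CVE-2019-2894)
* Missing restrictions on use of custom SocketImpl (Networking, 8218573) (CVE-2019-2945)
* Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)
* NULL pointer dereference in DrawGlyphList (2D, 8222690) (CVE-2019-2962)
* Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684) (CVE-2019-2964)
* Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505) (CVE-2019-2973)
* Unexpected exception thrown during regular expression processing in Nashorn (Scripting, 8223518) (CVE-2019-2975)
* Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892) (CVE-2019-2978)
* Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532) (CVE-2019-2981)
* Unexpected exception thrown during Font object deserialization (Serialization, 8224915) (CVE-2019-2983)
* Missing glyph bitmap image dimension check in FreetypeFontScaler (2D, 8225286) (CVE-2019-2987)
* Integer overflow in bounds check in SunGraphics2D (2D, 8225292) (CVE-2019-2988)
* Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298) (CVE-2019-2989)
* Excessive memory allocation in CMap when reading TrueType font (2D, 8225597) (CVE-2019-2992)
* Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765) (CVE-2019-2999)
"""

# Constructed sample: the "Security fixes" lines of the 8u232-b09-1 changelog entry.
CHANGELOG_TEXT = """\
    - S8167646: Better invalid FilePermission.
    - S8213429, CVE-2019-2933: Windows file handling redux.
    - S8218573, CVE-2019-2945: Better socket support.
    - S8220302, CVE-2019-2949: Better Kerberos ccache handling.
    - S8221858, CVE-2019-2958: Build Better Processes.
    - S8222684, CVE-2019-2964: Better support for patterns.
    - S8222690, CVE-2019-2962: Better Glyph Images.
    - S8223505, CVE-2019-2973: Better pattern compilation.
    - S8223518, CVE-2019-2975: Unexpected exception in jjs.
    - S8223892, CVE-2019-2978: Improved handling of jar files.
    - S8224532, CVE-2019-2981: Better Path supports.
    - S8224915, CVE-2019-2983: Better serial attributes.
    - S8225286, CVE-2019-2987: Better rendering of native glyphs.
    - S8225292, CVE-2019-2988: Better Graphics2D drawing.
    - S8225298, CVE-2019-2989: Improve TLS connection support.
    - S8225597, CVE-2019-2992: Enhance font glyph mapping.
    - S8226765, CVE-2019-2999: Commentary on Javadoc comments.
    - S8228825, CVE-2019-2894: Enhance ECDSA operations.
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "(Networking, 8218573) (CVE-2019-2945)" -> component, JDK bug id, CVE
ADVISORY_PAIR_RE = re.compile(r"\(([A-Za-z0-9 ]+), (\d+)\)\s*\((CVE-\d{4}-\d{4,})\)")
# "S8218573, CVE-2019-2945:" -> JDK bug id, CVE
CHANGELOG_PAIR_RE = re.compile(r"S(\d+), (CVE-\d{4}-\d{4,})")


def extract_cves(text):
    """All CVE identifiers mentioned in a text, as a set."""
    return set(CVE_RE.findall(text))


def cross_check(advisory, changelog):
    """CVEs present in only one of the two texts, plus the intersection."""
    adv, chg = extract_cves(advisory), extract_cves(changelog)
    return {
        "only_in_changelog": sorted(chg - adv),
        "only_in_advisory": sorted(adv - chg),
        "common": sorted(adv & chg),
    }


def bug_id_mismatches(advisory, changelog):
    """(cve, advisory_bug_id, changelog_bug_id) for CVEs whose JDK bug id
    differs between the two texts; CVEs without an id in one text are skipped."""
    adv = {cve: bug for _comp, bug, cve in ADVISORY_PAIR_RE.findall(advisory)}
    chg = {cve: bug for bug, cve in CHANGELOG_PAIR_RE.findall(changelog)}
    return sorted((cve, adv[cve], chg[cve])
                  for cve in adv.keys() & chg.keys() if adv[cve] != chg[cve])


if __name__ == "__main__":
    result = cross_check(ADVISORY_TEXT, CHANGELOG_TEXT)
    for key, cves in result.items():
        print(f"{key}: {', '.join(cves) or '-'}")
    print("bug id mismatches:", bug_id_mismatches(ADVISORY_TEXT, CHANGELOG_TEXT) or "none")
```

On this page's data the check reports CVE-2019-2933 and CVE-2019-2958 as present in the changelog but absent from the description, nothing in the other direction, and no bug id disagreements; that is the kind of discrepancy worth resolving before the errata YAML is published.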
Comment 2 Philipp Hahn univentionstaff 2019-10-22 13:30:52 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-2] 90860f8541 Bug #50398: openjdk-8 8u232-b09-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 55 ++++++++++++++++-----------------------
 1 file changed, 22 insertions(+), 33 deletions(-)

[4.4-2] e6f440c19d Bug #50398: openjdk-8 8u232-b09-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 67 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
Comment 3 Erik Damrose univentionstaff 2019-10-23 14:59:04 CEST
<http://errata.software-univention.de/ucs/4.4/321.html>