Bug 50875 - openjdk-8: Multiple issues (4.4)
openjdk-8: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-3-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-27 15:35 CET by Quality Assurance
Modified: 2020-03-11 14:42 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2020-02-27 15:35:16 CET
New Debian openjdk-8 8u242-b08-1~deb9u1 fixes:
This update addresses the following issues:
* Incorrect exception processing during deserialization in BeanContextSupport  (Serialization, 8224909) (CVE-2020-2583)
* Improper checks of SASL message properties in GssKrb5Base (Security,  8226352) (CVE-2020-2590)
* Incorrect isBuiltinStreamHandler check causing URL normalization issues  (Networking, 8228548) (CVE-2020-2593)
* Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951)  (CVE-2020-2601)
* Serialization filter changes via jdk.serialFilter property modification  (Serialization, 8231422) (CVE-2020-2604)
* Excessive memory usage in OID processing in X.509 certificate parsing  (Libraries, 8234037) (CVE-2020-2654)
* Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl  (Networking, 8231795) (CVE-2020-2659)
Comment 1 Quality Assurance univentionstaff 2020-02-27 16:01:33 CET
--- mirror/ftp/4.4/unmaintained/4.4-3/source/openjdk-8_8u232-b09-1~deb9u1.dsc
+++ apt/ucs_4.4-0-errata4.4-3/source/openjdk-8_8u242-b08-1~deb9u1.dsc
@@ -1,10 +1,83 @@
-8u232-b09-1~deb9u1 [Sat, 19 Oct 2019 17:00:54 +0200] Moritz Muehlenhoff <jmm@debian.org>:
+8u242-b08-1~deb9u1 [Mon, 10 Feb 2020 12:38:09 +0000] Moritz Muehlenhoff <jmm@debian.org>:
 
   * Rebuild for stretch-security
 
+8u242-b08-1 [Thu, 06 Feb 2020 19:12:24 +0100] Thorsten Glaser <tg@mirbsd.de>:
+
+  * Team upload.
+  * Merge changes from 8u242-b08-0ubuntu3 back into Debian
+  * Fix nocheck profile (no profile support) for wheezy
+  * Version !nocheck default-jre-headless build dependency
+    to ensure at least Java 8 there as well; avoids needing to
+    install two JREs when building in pre-{stretch,xenial}
+  * Update aarch64 to GA jdk8u242-b08, aarch32 to jdk8u242-ga
+  * Bump Policy
+
+8u242-b08-0ubuntu3 [Fri, 17 Jan 2020 17:37:33 +0000] Tiago Stürmer Daitx <tiago.daitx@ubuntu.com>:
+
+  * Sync packages with 8u242-b08:
+  * OpenJDK 8u242-b08 build (release).
+    - S8226352, CVE-2020-2590: Improve Kerberos interop capabilities
+    - S8228548, CVE-2020-2593: Normalize normalization for all
+    - S8224909, CVE-2020-2583: Unlink Set of LinkedHashSets
+    - S8229951, CVE-2020-2601: Better Ticket Granting Services
+    - S8231422, CVE-2020-2604: Better serial filter handling
+    - S8231795, CVE-2020-2659: Enhance datagram socket support
+    - S8234037, CVE-2020-2654: Improve Object Identifier Processing
+    - S8037550: Update RFC references in javadoc to RFC 5280
+    - S8039438: Some tests depend on internal API sun.misc.IOUtils
+    - S8044500: Add kinit options and krb5.conf flags that allow users
+      to obtain renewable tickets and specify ticket lifetimes
+    - S8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic,
+      relies on clockskew grace
+    - S8080835: Add blocking bulk read to sun.misc.IOUtils
+    - S8138978: Examine usages of sun.misc.IOUtils
+    - S8139206: Add InputStream readNBytes(int len)
+    - S8183591: Incorrect behavior when reading DER value with
+      Integer.MAX_VALUE length
+    - S8186576: KerberosTicket does not properly handle renewable
+      tickets at the end of their lifetime
+    - S8186831: Kerberos ignores PA-DATA with a non-null s2kparams
+    - S8186884: Test native KDC, Java krb5 lib, and native krb5 lib in
+      one test
+    - S8193832: Performance of InputStream.readAllBytes() could be improved
+    - S8196956: (ch) More channels cleanup
+    - S8201627: Kerberos sequence number issues
+    - S8215032: Support Kerberos cross-realm referrals (RFC 6806)
+    - S8225261: Better method resolutions
+    - S8225279: Better XRender interpolation
+    - S8226719: Kerberos login to Windows 2000 failed with "Inappropriate
+      type of checksum in message"
+    - S8227061: KDC.java test behaves incorrectly when AS-REQ contains a
+      PAData not PA-ENC-TS-ENC
+    - S8227381: GSS login fails with PREAUTH_FAILED
+    - S8227437: S4U2proxy cannot continue because server's TGT cannot be found
+    - S8227758: More valid PKIX processing
+    - S8227816: More Colorful ICC profiles
+    - S8230279: Improve Pack200 file reading
+    - S8230318: Better trust store usage
+    - S8230967: Improve Registry support of clients
+    - S8231129: More glyph images
+    - S8231139: Improved keystore support
+    - S8232381: add result NULL-checking to freetypeScaler.c
+    - S8232419: Improve Registry registration
+    - S8233944: Make KerberosPrincipal.KRB_NT_ENTERPRISE field package private
+    - S8235909: File.exists throws AccessControlException for invalid
+      paths when a SecurityManager is installed
+    - S8236983: [TESTBUG] Remove pointless catch block in
+      test/jdk/sun/security/util/DerValue/BadValue.java
+    - S8236984: Add compatibility wrapper for IOUtils.readFully
+  * Use the hotspot arch list to select between hotspot and zero as
+    the default VM for autopkgtests. This fixes s390x (zero based)
+    autopkgtest support.
+
+8u242-b04-1 [Mon, 06 Jan 2020 20:59:40 +0100] Matthias Klose <doko@ubuntu.com>:
+
+  * Update to 8u242-b04 (early access build).
+
 8u232-b09-1 [Thu, 17 Oct 2019 22:41:19 +0200] Matthias Klose <doko@ubuntu.com>:
 
-  * Update to 8u222-b09 (release build).
+  * Update to OpenJDK 8u232-b09 (GA). Updated aarch32 to 8u232-b09.
   * Security fixes:
     - S8167646: Better invalid FilePermission.
     - S8213429, CVE-2019-2933: Windows file handling redux.
@@ -156,7 +229,7 @@
 
   * Update to 8u222-b04.
   * Update ARM32 to jdk8u212-b04-aarch32-190430.
-  * Fix 32bit zero builds. 
+  * Fix 32bit zero builds.
 
 8u212-b03-3 [Tue, 28 May 2019 14:10:32 +0200] Matthias Klose <doko@ubuntu.com>:
 
@@ -301,7 +374,7 @@
     - S8201756: Improve cipher inputs.
     - S8203654: Improve cypher state updates.
     - S8204497: Better formatting of decimals.
-  * debian/patches/jdk-freetypeScaler-crash.diff: removed as this patch causes 
+  * debian/patches/jdk-freetypeScaler-crash.diff: removed as this patch causes
     a memory leak; upstream fixed it in openjdk-7, albeit in a different way.
     Closes: #910672.
 
@@ -1015,7 +1088,7 @@
     LP: #1448548.
   * Define _alpha_ / _sh_ preprocessor macros instead of alpha / sh.
   * Fix jdk gensrc build on x32.
-  * Re-enable the atk bridge for releases with a fixed atk bridge. 
+  * Re-enable the atk bridge for releases with a fixed atk bridge.
   * Really apply the 32bit detection patch. Closes: #787072.
   * Make derivatives builds the same as the parent distro. Closes: #797665.
   * Add m68k support for Zero (Andreas Schwab).
@@ -2015,7 +2088,7 @@
     - debian/patches/gcc-4.7.diff
 
   [ James Page ]
-  * Cherry picked patch from openjdk-6 to fix handling of 
+  * Cherry picked patch from openjdk-6 to fix handling of
     ICC profiles (LP: #888123, #888129) (Closes: #676351).
 
   [ Damien Raude-Morvan ]
@@ -2084,7 +2157,7 @@
 
   [ Matthias Klose ]
   * Use NanumMyeongjo as the preferred korean font. LP: #792471.
-  * Fix crash in java.net.NetworkInterface.getNetworkInterfaces() when 
+  * Fix crash in java.net.NetworkInterface.getNetworkInterfaces() when
     ifr_ifindex exceeds 255. LP: #925218. S7078386.
   * Use IPAfont as the preferred japanesse font. Closes: #646054.
   * Build using gcj on alpha and armel. Closes: #655750.

<http://10.200.17.11/4.4-3/#3039974318415585952>
Comment 2 Philipp Hahn univentionstaff 2020-03-09 13:21:38 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-3] 2ecfd7f77c Bug #50875: openjdk-8 8u242-b08-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

[4.4-3] 33ddef5cf3 Bug #50875: openjdk-8 8u242-b08-1~deb9u1
 doc/errata/staging/openjdk-8.yaml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
Comment 3 Erik Damrose univentionstaff 2020-03-11 14:42:04 CET
<http://errata.software-univention.de/ucs/4.4/464.html>