Mageia 2023-0272: java security update
Summary
The updated packages fix security vulnerabilities and a file conflict:
Improper connection handling during TLS handshake. (CVE-2023-21930)
Incorrect enqueue of references in garbage collector. (CVE-2023-21954)
Certificate validation issue in TLS session negotiation. (CVE-2023-21967)
Swing HTML parsing issue. (CVE-2023-21939)
Incorrect handling of NULL characters in ProcessBuilder. (CVE-2023-21938)
Missing string checks for NULL characters. (CVE-2023-21937)
Missing check for slash characters in URI-to-path conversion. (CVE-2023-21968)
Array indexing integer overflow issue. (CVE-2023-22045)
Improper handling of slash characters in URI-to-path conversion. (CVE-2023-22049)
O(n^2) growth via consecutive marks. (CVE-2023-25193)
HTTP client insufficient file name validation. (CVE-2023-22006)
ZIP file parsing infinite loop. (CVE-2023-22036)
Modulo operator array indexing issue. (CVE-2023-22044)
Weakness in AES implementation. (CVE-2023-22041)
References
- https://bugs.mageia.org/show_bug.cgi?id=32203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22006
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22036
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22044
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22041
- https://access.redhat.com/errata/RHSA-2023:1904
- https://access.redhat.com/errata/RHSA-2023:1880
- https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2023:4178
- https://access.redhat.com/errata/RHBA-2023:4374
- https://access.redhat.com/errata/RHSA-2023:4169
- https://www.oracle.com/security-alerts/cpujul2023.html#AppendixJAVA
Resolution
MGASA-2023-0272 - Updated java packages fix security vulnerabilities
SRPMS
- 9/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga9
- 9/core/java-11-openjdk-11.0.20.0.8-1.mga9
- 9/core/java-17-openjdk-17.0.8.0.7-1.mga9
- 9/core/java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9
- 8/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga8
- 8/core/java-11-openjdk-11.0.20.0.8-1.mga8
- 8/core/openjfx-11.0.9.2-4.mga8