Synopsis:          Important: java-1.8.0-openjdk security and bug fix update
Advisory ID:       SLSA-2021:3889-1
Issue Date:        2021-10-20
CVE Numbers:       CVE-2021-35565
                   CVE-2021-35556
                   CVE-2021-35559
                   CVE-2021-35561
                   CVE-2021-35564
                   CVE-2021-35586
                   CVE-2021-35603
                   CVE-2021-35550
                   CVE-2021-35578
                   CVE-2021-35567
                   CVE-2021-35588
--

Security Fix(es):

* OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE,
8254967) (CVE-2021-35565)

* OpenJDK: Incorrect principal selection when using Kerberos Constrained
Delegation (Libraries, 8266689) (CVE-2021-35567)

* OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE,
8264210) (CVE-2021-35550)

* OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
(CVE-2021-35556)

* OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
(CVE-2021-35559)

* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility,
8266097) (CVE-2021-35561)

* OpenJDK: Certificates with end dates too far in the future can corrupt
keystore (Keytool, 8266137) (CVE-2021-35564)

* OpenJDK: Unexpected exception raised during TLS handshake (JSSE,
8267729)  (CVE-2021-35578)

* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO,
8267735)  (CVE-2021-35586)

* OpenJDK: Incomplete validation of inner class references in
ClassFileParser (Hotspot, 8268071) (CVE-2021-35588)

* OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
(CVE-2021-35603)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE

Bug Fix(es):

* A defensive security change in an earlier OpenJDK update led to a
performance degradation when using the Scanner class. This was due to the
change being applied to many common cases that did not need this
protection. With this update, we provide the original behaviour for these
cases. (RHBZ#1862929)


---
SL7

x86_64
java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.i686.rpm
java-1.8.0-openjdk-1.8.0.312.b07-1.el7_9.x86_64.rpm
java-1.8.0-openjdk-accessibility-1.8.0.312.b07-1.el7_9.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.312.b07-1.el7_9.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.312.b07-1.el7_9.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.312.b07-1.el7_9.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.312.b07-1.el7_9.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.312.b07-1.el7_9.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.312.b07-1.el7_9.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.312.b07-1.el7_9.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.312.b07-1.el7_9.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.312.b07-1.el7_9.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.312.b07-1.el7_9.i686.rpm
java-1.8.0-openjdk-src-1.8.0.312.b07-1.el7_9.x86_64.rpm

noarch
java-1.8.0-openjdk-javadoc-1.8.0.312.b07-1.el7_9.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.312.b07-1.el7_9.noarch.rpm
--

- Scientific Linux Development Team

Scientific Linux: Important Security Advisory for java-1.8.0-openjdk

OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565) * OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation...

Summary

Important: java-1.8.0-openjdk security and bug fix update



Security Fixes

* OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967) (CVE-2021-35565)
* OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689) (CVE-2021-35567)
* OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210) (CVE-2021-35550)
* OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167) (CVE-2021-35556)
* OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580) (CVE-2021-35559)
* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097) (CVE-2021-35561)
* OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137) (CVE-2021-35564)
* OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729) (CVE-2021-35578)
* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735) (CVE-2021-35586)
* OpenJDK: Incomplete validation of inner class references in ClassFileParser (Hotspot, 8268071) (CVE-2021-35588)
* OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618) (CVE-2021-35603)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE

Severity
Advisory ID: SLSA-2021:3889-1
Issued Date: : 2021-10-20
CVE Numbers: CVE-2021-35565
CVE-2021-35556
CVE-2021-35559

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved