• [gentoo-announce] [ GLSA 202401-25 ] OpenJDK: Multiple Vulnerabilities

    From glsamaker@gentoo.org@21:1/5 to All on Wed Jan 17 14:50:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202401-25
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: OpenJDK: Multiple Vulnerabilities
    Date: January 17, 2024
    Bugs: #859376, #859400, #877597, #891323, #908243
    ID: 202401-25

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Multiple vulnerabilities have been discovered in OpenJDK, the worst of
    which can lead to remote code execution.

    Background
    ==========

    OpenJDK is an open source implementation of the Java programming
    language.

    Affected packages
    =================

    Package                    Vulnerable         Unaffected
    -------------------------  -----------------  -----------------
    dev-java/openjdk           < 11.0.19_p7:11    >= 11.0.19_p7:11
                               < 17.0.7_p7:17     >= 17.0.7_p7:17
                               < 8.372_p07:8      >= 8.372_p07:8
    dev-java/openjdk-bin       < 11.0.19_p7:11    >= 11.0.19_p7:11
                               < 17.0.7_p7:17     >= 17.0.7_p7:17
                               < 8.372_p07:8      >= 8.372_p07:8
    dev-java/openjdk-jre-bin   < 11.0.19_p7:11    >= 11.0.19_p7:11
                               < 17.0.7_p7:17     >= 17.0.7_p7:17
                               < 8.372_p07:8      >= 8.372_p07:8

    Description
    ===========

    Multiple vulnerabilities have been discovered in OpenJDK. Please review
    the CVE identifiers referenced below for details.

    Impact
    ======

    Please review the referenced CVE identifiers for details.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All OpenJDK users should upgrade to the latest versions:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-8.372_p07"
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-11.0.19_p7"
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-17.0.7_p7"

    All OpenJDK JRE binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-8.372_p07"
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-11.0.19_p7"
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-jre-bin-17.0.7_p7"

    All OpenJDK binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-8.372_p07"
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-11.0.19_p7"
    # emerge --ask --oneshot --verbose ">=dev-java/openjdk-bin-17.0.7_p7"
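
    An added example, not part of the advisory or of Gentoo's tooling: a
    Python check that compares installed OpenJDK atoms against the per-slot
    fixed versions from the Affected packages table and returns the upgrade
    atom to pass to emerge. The input format (category/name-version:slot),
    the sample lines, and the simplified version ordering (dotted integers
    plus _pN and -rN only) are assumptions of this example.

```python
import re

# Fixed version per slot, copied from the advisory's "Affected packages" table.
FIXED = {"8": "8.372_p07", "11": "11.0.19_p7", "17": "17.0.7_p7"}
PACKAGES = {"dev-java/openjdk", "dev-java/openjdk-bin", "dev-java/openjdk-jre-bin"}

# Assumed input line: category/name-version:slot (the slot is optional).
ATOM = re.compile(r"^(?P<cp>[\w+-]+/[\w+-]+?)-(?P<ver>\d[\w.]*(?:-r\d+)?)(?::(?P<slot>\d+))?$")
VERSION = re.compile(r"(\d+(?:\.\d+)*)(?:_p(\d+))?(?:-r(\d+))?")


def version_key(ver):
    """Sort key for the subset of Gentoo versions used here: dotted integers,
    optional _pN patch level (an integer, so _p07 == _p7), optional -rN."""
    m = VERSION.fullmatch(ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver}")
    dotted = tuple(int(part) for part in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) is not None else -1  # no suffix sorts below _p0
    return dotted, patch, int(m.group(3) or 0)


def affected(installed):
    """Return (installed atom, upgrade atom) for every entry below its slot's fix."""
    hits = []
    for line in installed:
        m = ATOM.match(line.strip())
        if not m or m["cp"] not in PACKAGES:
            continue
        # Assumption: when no slot is given, it equals the major version.
        slot = m["slot"] or m["ver"].split(".")[0]
        fixed = FIXED.get(slot)  # slots the advisory does not list are skipped
        if fixed and version_key(m["ver"]) < version_key(fixed):
            hits.append((line.strip(), f">={m['cp']}-{fixed}"))
    return hits


# Constructed sample input, not output captured from a real system.
SAMPLE = [
    "dev-java/openjdk-bin-11.0.18_p10:11",
    "dev-java/openjdk-17.0.7_p7:17",
    "dev-java/openjdk-jre-bin-8.362_p09:8",
    "dev-java/openjdk-bin-8.372_p07:8",
    "dev-java/openjdk-bin-21.0.1_p12:21",
]

if __name__ == "__main__":
    for atom, upgrade in affected(SAMPLE):
        print(f'{atom} is affected; upgrade with: emerge --ask --oneshot --verbose "{upgrade}"')
```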

    References
    ==========

    [ 1 ] CVE-2022-21540
    https://nvd.nist.gov/vuln/detail/CVE-2022-21540
    [ 2 ] CVE-2022-21541
    https://nvd.nist.gov/vuln/detail/CVE-2022-21541
    [ 3 ] CVE-2022-21549
    https://nvd.nist.gov/vuln/detail/CVE-2022-21549
    [ 4 ] CVE-2022-21618
    https://nvd.nist.gov/vuln/detail/CVE-2022-21618
    [ 5 ] CVE-2022-21619
    https://nvd.nist.gov/vuln/detail/CVE-2022-21619
    [ 6 ] CVE-2022-21624
    https://nvd.nist.gov/vuln/detail/CVE-2022-21624
    [ 7 ] CVE-2022-21626
    https://nvd.nist.gov/vuln/detail/CVE-2022-21626
    [ 8 ] CVE-2022-21628
    https://nvd.nist.gov/vuln/detail/CVE-2022-21628
    [ 9 ] CVE-2022-34169
    https://nvd.nist.gov/vuln/detail/CVE-2022-34169
    [ 10 ] CVE-2022-39399
    https://nvd.nist.gov/vuln/detail/CVE-2022-39399
    [ 11 ] CVE-2022-42920
    https://nvd.nist.gov/vuln/detail/CVE-2022-42920
    [ 12 ] CVE-2023-21830
    https://nvd.nist.gov/vuln/detail/CVE-2023-21830
    [ 13 ] CVE-2023-21835
    https://nvd.nist.gov/vuln/detail/CVE-2023-21835
    [ 14 ] CVE-2023-21843
    https://nvd.nist.gov/vuln/detail/CVE-2023-21843

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202401-25

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5