MGASA-2019-0302 - Updated java-1.8.0-openjdk packages fix security vulnerabilities

Publication date: 23 Oct 2019
URL: https://advisories.mageia.org/MGASA-2019-0302.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-2945,
     CVE-2019-2949,
     CVE-2019-2962,
     CVE-2019-2964,
     CVE-2019-2973,
     CVE-2019-2975,
     CVE-2019-2978,
     CVE-2019-2981,
     CVE-2019-2983,
     CVE-2019-2987,
     CVE-2019-2988,
     CVE-2019-2989,
     CVE-2019-2992,
     CVE-2019-2999

The updated packages fix several bugs and some security issues:

Missing restrictions on use of custom SocketImpl (Networking, 8218573).
(CVE-2019-2945)

Improper handling of Kerberos proxy credentials (Kerberos, 8220302).
(CVE-2019-2949)

NULL pointer dereference in DrawGlyphList (2D, 8222690). (CVE-2019-2962)

Unexpected exception thrown by Pattern processing crafted regular
expression (Concurrency, 8222684). (CVE-2019-2964)

Unexpected exception thrown by XPathParser processing crafted XPath
expression (JAXP, 8223505). (CVE-2019-2973)

Unexpected exception thrown during regular expression processing in
Nashorn (Scripting, 8223518). (CVE-2019-2975)

Incorrect handling of nested jar: URLs in Jar URL handler
(Networking, 8223892). (CVE-2019-2978)

Unexpected exception thrown by XPath processing crafted XPath expression
(JAXP, 8224532). (CVE-2019-2981)

Unexpected exception thrown during Font object deserialization
(Serialization, 8224915). (CVE-2019-2983)

Missing glyph bitmap image dimension check in FreetypeFontScaler
(2D, 8225286). (CVE-2019-2987)

Integer overflow in bounds check in SunGraphics2D (2D, 8225292).
(CVE-2019-2988)

Incorrect handling of HTTP proxy responses in HttpURLConnection
(Networking, 8225298). (CVE-2019-2989)

Excessive memory allocation in CMap when reading TrueType font
(2D, 8225597). (CVE-2019-2992)

Insufficient filtering of HTML event attributes in Javadoc
(Javadoc, 8226765). (CVE-2019-2999)

References:
- https://bugs.mageia.org/show_bug.cgi?id=25576
- https://access.redhat.com/errata/RHSA-2019:3128
- https://www.oracle.com/security-alerts/cpuoct2019.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999

SRPMS:
- 7/core/java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7
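
As an added check (not part of the Mageia advisory), a way to tell whether an installed java-1.8.0-openjdk build predates the fixed SRPM above: it re-implements RPM's segment-wise version ordering in plain Python (tilde/caret ordering omitted, epoch ignored) and compares an installed name-version-release string, as printed by rpm -q, against the advisory's fixed one; the installed sample value is constructed.

```python
import re
import sys

# Fixed package from the advisory's SRPMS line (name-version-release, no epoch).
FIXED_NEVR = "java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings like RPM's rpmvercmp.
    Returns -1, 0 or 1. Non-alphanumerics are separators only; tilde and
    caret ordering is not implemented (a simplification of RPM's rule)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1       # a numeric segment outranks a letter one
        if xd:
            x, y = int(x), int(y)        # leading zeros are ignored: "09" == "9"
        if x != y:
            return 1 if x > y else -1
    # Common segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nevr(nevr):
    """Split 'name-version-release' (as printed by rpm -q) into its parts."""
    name, version, release = nevr.rsplit("-", 2)
    return name, version, release


def compare_nevr(installed, fixed):
    """-1 if installed is older than fixed, 0 if equal, 1 if newer."""
    n1, v1, r1 = split_nevr(installed)
    n2, v2, r2 = split_nevr(fixed)
    if n1 != n2:
        raise ValueError("package names differ: %s vs %s" % (n1, n2))
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_affected(installed, fixed=FIXED_NEVR):
    """True when the installed build predates the one carrying the fixes."""
    return compare_nevr(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample; pass the real output of
    #   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' java-1.8.0-openjdk
    pkg = sys.argv[1] if len(sys.argv) > 1 else "java-1.8.0-openjdk-1.8.0.222-1.b10.1.mga7"
    print(pkg, "affected by MGASA-2019-0302:", is_affected(pkg))
```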