Your message dated Mon, 22 Apr 2024 23:34:17 +0000
with message-id <e1rz3av-006soj...@fasolo.debian.org>
and subject line Bug#1069678: fixed in openjdk-8 8u412-ga-1
has caused the Debian Bug report #1069678,
regarding openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1069678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069678
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-8
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2024-21011[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition:
| 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21068[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK:
| 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
| Successful attacks of this vulnerability can result in unauthorized
| update, insert or delete access to some of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2024-21085[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Concurrency).
| Supported versions that are affected are Oracle Java SE: 8u401,
| 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and
| 21.3.9. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of Oracle Java SE,
| Oracle GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21094[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13
| and 21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21011
    https://www.cve.org/CVERecord?id=CVE-2024-21011
[1] https://security-tracker.debian.org/tracker/CVE-2024-21068
    https://www.cve.org/CVERecord?id=CVE-2024-21068
[2] https://security-tracker.debian.org/tracker/CVE-2024-21085
    https://www.cve.org/CVERecord?id=CVE-2024-21085
[3] https://security-tracker.debian.org/tracker/CVE-2024-21094
    https://www.cve.org/CVERecord?id=CVE-2024-21094

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: openjdk-8
Source-Version: 8u412-ga-1
Done: Thorsten Glaser <t...@mirbsd.de>

We believe that the bug you reported is fixed in the latest version of
openjdk-8, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1069...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <t...@mirbsd.de> (supplier of updated openjdk-8 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Tue, 23 Apr 2024 01:10:58 +0200
Source: openjdk-8
Architecture: source
Version: 8u412-ga-1
Distribution: unstable
Urgency: medium
Maintainer: Java Maintenance <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Thorsten Glaser <t...@mirbsd.de>
Closes: 1069678
Changes:
 openjdk-8 (8u412-ga-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #1069678)
   * CVEs
     - CVE-2024-21011
     - CVE-2024-21085
     - CVE-2024-21068
     - CVE-2024-21094
   * Security fixes
     - JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"
     - JDK-8318340: Improve RSA key implementations
     - JDK-8319851: Improve exception logging
     - JDK-8322114: Improve Pack 200 handling
     - JDK-8322122: Enhance generation of addresses
   * Other changes see
     https://mail.openjdk.org/pipermail/jdk8u-dev/2024-April/018329.html
   * Upload sponsored by QVEST ⮡ dıgıtal
   * Re-enable running tests by default except on noble/i386 (lacks prereqs)
   * Switch from pkg-config to pkgconf for bookworm/mantic+ (lintian)
Checksums-Sha1:
 5c5ed2623241e7d5f4eeb94cfb91cd8bb31e633a 4654 openjdk-8_8u412-ga-1.dsc
 9dc20878f0c0472682f19f502b565e551906cfb8 66876897 openjdk-8_8u412-ga.orig.tar.gz
 1f2715683cdf7cc7030fe105dfb2d8dde641bb73 168464 openjdk-8_8u412-ga-1.debian.tar.xz
Checksums-Sha256:
 bac6e428ffe74857a49275e859aaa29a0893238b569706b223565e5c6fbe37c2 4654 openjdk-8_8u412-ga-1.dsc
 9a78d2af269acc8ed70ecbdbae8cee608470882aa01ef00a49d399e9e539bb72 66876897 openjdk-8_8u412-ga.orig.tar.gz
 6038dfec34fc7cdbe1a9f17d24dcaa18385fdddc2898b0c6f69d2cbba995c95e 168464 openjdk-8_8u412-ga-1.debian.tar.xz
Files:
 5fa3f28a6b159dd9d641359cb47dc6d3 4654 java optional openjdk-8_8u412-ga-1.dsc
 c43b4e22ae57477cd6a436bbb083c772 66876897 java optional openjdk-8_8u412-ga.orig.tar.gz
 5e80728ccee8cb57305d0eb7c4ff45eb 168464 java optional openjdk-8_8u412-ga-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)

iQIcBAEBCQAGBQJmJu+bAAoJEHa1NLLpkAfgzIkQAM6nUJm+2l2bGlZnBMYJp2BI
aSxfiWziGP4kyqbXdyFl39jI+zZLptNyRaXAi/CpFMY/TRu7AIYr3c5u3ESKvIna
cF3qdjYLDeoI+jI1wtDi/05P5x4D1nCG291aZyPM3JvdyW8ioc7tWbmyY+TolMD0
+h85CGugzQFef8hYL0pSVVRDgPklPK/D+nSPGNbZIbHU0b7kkouZ2i71WZjhdwi6
nEgDOT/bdt8noTcJpSEsxl34stL9RnQGMQJ9Cz7aEdL9moAcn69Nc6hH7DBvkCJU
l0cz2hApUpR9z77alSQ6nqiq4pHAiHiNwKWxE8p8v9IsffJbdUUV67VqdDSV4Fpy
LoFvepOzZGGFKOi1IEysP0oFW77u8tmcFIJOV4/SBEvoYLfDY9BhqEbcEmTKfRRP
nnCyfjtEzPaqaL+8INhg5TApbRH48sBiwK2hvnpn+dDINqugz6M294cMTvKYHIQg
VC8gcyZD5dJhmp8Y3G5oTv4jTWYwCl7932CiNGEayUblhw/9saRKyE/b4ahpC19J
Xj44NKAp87i3X4EfH8d554J5k2QiqFCJjt4rKDPuZQhfa6C1dAigo3icV1RRR1Vh
IGZFfEkG44PUJMVOC2lkIncnl3tIjxb1ighELnLYDazhpi2wxT4yoTjsSM+9pNVn
sGwJ3nFWO2DHO3O+c2AT
=Szl1
-----END PGP SIGNATURE-----

pgpFoM18ktSl4.pgp
Description: PGP signature
--- End Message ---
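The close message names 8u412-ga-1 as the fixed version, so the operational question is whether a given host's installed openjdk-8 sorts at or above that string under Debian version ordering. On the host itself that is `dpkg --compare-versions "$installed" ge 8u412-ga-1`; the example below, added for this page and not part of the bug report or of the openjdk-8 packaging, re-implements dpkg's verrevcmp() comparison in Python so the same check can be run off-host over an inventory export. The sample dpkg-query output and the backport-style version 8u412-ga-1~deb12u1 it exercises are constructed for illustration.

```python
"""Compare Debian package versions the way dpkg does and check whether an
installed openjdk-8 is at or past the fixed version.

Added example for this page, not code from the bug report or from the
openjdk-8 packaging. Re-implements dpkg's verrevcmp() so the check runs
without dpkg; on a Debian host `dpkg --compare-versions A ge B` is equivalent.
"""
import re

FIXED_VERSION = "8u412-ga-1"  # Source-Version from the close message above
_VERSION_RE = re.compile(r"(?:(\d+):)?([A-Za-z0-9.+~:-]+)")


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight of a character in a non-digit run, as in dpkg: '~' sorts before
    anything, even end of string (weight 0); letters before other punctuation."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's component comparison: alternate non-digit runs (lexical via
    _order) and digit runs (numeric, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) and not _isdigit(a[i]) else 0
            bc = _order(b[j]) if j < len(b) and not _isdigit(b[j]) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1      # a has more digits: larger number
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> tuple:
    """Split [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"malformed Debian version: {v!r}")
    epoch = int(m.group(1) or 0)
    upstream, sep, revision = m.group(2).rpartition("-")
    if not sep:
        upstream, revision = m.group(2), ""
    return epoch, upstream, revision


def _sign(n: int) -> int:
    return (n > 0) - (n < 0)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 like dpkg --compare-versions: epoch, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return _sign(ea - eb)
    return _sign(_verrevcmp(ua, ub)) or _sign(_verrevcmp(ra, rb))


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' 'openjdk-8-*'`
# from a host that has not yet taken the update (illustrative, not real data).
SAMPLE_DPKG_QUERY = """\
openjdk-8-jdk 8u402-ga-1
openjdk-8-jre 8u402-ga-1
openjdk-8-jre-headless 8u402-ga-1
"""


def check_installed(dpkg_query_output: str, fixed: str = FIXED_VERSION) -> dict:
    """Map package -> (installed version, fixed?) from dpkg-query output."""
    result = {}
    for line in dpkg_query_output.splitlines():
        if line.strip():
            pkg, ver = line.split()
            result[pkg] = (ver, is_fixed(ver, fixed))
    return result


if __name__ == "__main__":
    for pkg, (ver, ok) in check_installed(SAMPLE_DPKG_QUERY).items():
        print(f"{pkg} {ver}: {'fixed' if ok else 'older than ' + FIXED_VERSION}")
```

Two properties of the ordering are the ones that bite in practice. A tilde sorts before everything, so a stable or backports build such as the constructed 8u412-ga-1~deb12u1 compares as older than the unstable fix even though it would carry the same upstream code; compare each suite against the fixed version the security tracker lists for that suite, not against the unstable version from this message. An epoch, on the other hand, beats any upstream string, so a locally pinned 1:8u401-ga-1 would compare as newer than the fix while still being vulnerable.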
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.