Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 40: FEDORA-2024-129d8ca6fc High: Type Confusion in Java Packages

fedora
Calendar Grey March 7, 2024
Dist Fedora Esm H88
Fedora 40 upgrade shifts default JDK to Java 21, tackling various critical security vulnerabilities.
Change for system JDK from 17 to 21

Summary

In a nutshell, Java Packages Bootstrap (JPB) is a standalone build of all Java

software packages that are required for Java Packages Tools (JPT) to work.

In order to achieve reliable and reproducible builds of Java packages while

meeting Fedora policy that requires everything to be built from source, without

using prebuilt binary artifacts, it is necessary to build the packages in a

well-defined, acyclic order. Dependency cycles between packages are the biggest

obstacle to achieving this goal and JPT is the biggest offender -- it requires

more than a hundred of Java packages, all of which in turn build-require JPT.

JPB comes with a solution to this problem -- it builds everything that JPT needs

to work, without reliance on any Java software other than OpenJDK. JPT can

depend on JPB for everything, without depending on any other Java packages. For

example, JPB contains embedded version of XMvn, removing dependency of JPT on

XMvn, allowing JPT to be used before one builds XMvn package.

Update Information:

Change for system JDK from 17 to 21. upstream security release 122.0.6261.94 High CVE-2024-1938: Type Confusion in V8 High CVE-2024-1939: Type Confusion in V8 fixed bug with requires Automatic update for lucene-9.9.2-1.fc40. bump java source/target to 1.8, fixes 2266639

Topics%20covered

Topics Covered

security advisory high severity Fedora system update type confusion Java Packages

Change Log

* Sat Mar 2 2024 Jiri Vanek - 1.16.0-3 - Rebuilt for java-21-openjdk as system jdk * Tue Feb 27 2024 Jiri Vanek - 1.16.0-2 - Rebuilt for java-21-openjdk as system jdk * Mon Feb 19 2024 Mikolaj Izdebski - 1.16.0-1 - Update to upstream version 1.16.0 - Switch from Java 17 to Java 21

References


[ 1 ] Bug #2123726 - consoleImageViewer crashes at start https://bugzilla.redhat.com/show_bug.cgi?id=2123726 [ 2 ] Bug #2261062 - directory-maven-plugin: FTBFS in Fedora rawhide/f40 https://bugzilla.redhat.com/show_bug.cgi?id=2261062 [ 3 ] Bug #2266639 - directory-maven-plugin fails to build with java-21-openjdk https://bugzilla.redhat.com/show_bug.cgi?id=2266639 [ 4 ] Bug #2266934 - CVE-2024-1938 chromium: type confusion [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2266934 [ 5 ] Bug #2266937 - CVE-2024-1939 chromium: type confusion [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2266937 [ 6 ] Bug #2267486 - Include Java 21 as system Java Change in Fedora 40 Beta https://bugzilla.redhat.com/show_bug.cgi?id=2267486

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2024-129d8ca6fc' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

Name: javapackages-bootstrap
Product: Fedora 40
Version: 1.16.0
Release: 3.fc40
URL: https://github.com/fedora-java/javapackages-bootstrap
Summary: A means of bootstrapping Java Packages Tools

Topics%20covered

Topics Covered

security advisory high severity Fedora system update type confusion Java Packages

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here