MGASA-2020-0418 - Updated timezone and java-1.8.0-openjdk packages fix security vulnerabilities

Publication date: 13 Nov 2020
URL: https://advisories.mageia.org/MGASA-2020-0418.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-14779,
     CVE-2020-14781,
     CVE-2020-14782,
     CVE-2020-14792,
     CVE-2020-14796,
     CVE-2020-14797,
     CVE-2020-14803

High memory usage during deserialization of Proxy class with many interfaces.
(CVE-2020-14779)

Credentials sent over unencrypted LDAP connection. (CVE-2020-14781)

Certificate blacklist bypass via alternate certificate encodings.
(CVE-2020-14782)

Integer overflow leading to out-of-bounds access. (CVE-2020-14792)

Missing permission check in path to URI conversion. (CVE-2020-14796)

Incomplete check for invalid characters in URI to path conversion.
(CVE-2020-14797)

Race condition in NIO Buffer boundary checks. (CVE-2020-14803)

Also, the timezone package has been updated to version 2020d.

References:
- https://bugs.mageia.org/show_bug.cgi?id=27478
- https://access.redhat.com/errata/RHSA-2020:4347
- https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixJAVA
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/OMJMTXFJRONFT72YAEQNRFKYZZU4W3HD/
- https://mm.icann.org/pipermail/tz-announce/2020-April/000058.html
- https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
- https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html
- https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14779
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14781
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14782
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14792
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14796
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14797
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14803

SRPMS:
- 7/core/timezone-2020d-1.mga7
- 7/core/java-1.8.0-openjdk-1.8.0.272-1.b10.1.mga7
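
An added verification script, not part of the Mageia advisory, that checks whether the installed builds of the two packages are at or above the fixed VERSION-RELEASE taken from the SRPMS list above. It assumes a Mageia 7 host with rpm and compares versions with GNU `sort -V`, which approximates rpm's EVR ordering for these strings (rpmdev-vercmp is the authoritative tool). The older version strings in the comments are constructed for illustration, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of the Mageia advisory: check whether the installed
# Mageia 7 packages are at or above the fixed builds listed in MGASA-2020-0418.
# Run on the host as: sh check-mgasa-2020-0418.sh

# Fixed VERSION-RELEASE from the SRPMS list of the advisory. The epoch is left
# out on purpose (java-1.8.0-openjdk carries one in Mageia), so only
# VERSION-RELEASE is compared.
FIXED_TIMEZONE="2020d-1.mga7"
FIXED_OPENJDK="1.8.0.272-1.b10.1.mga7"

# is_fixed HAVE WANT: succeed (0) when HAVE sorts at or above WANT.
# sort -V (version sort) approximates rpm's EVR ordering well enough here,
# e.g. a constructed 1.8.0.265-1.b01.1.mga7 sorts below the fixed build;
# for the authoritative comparison use rpmdev-vercmp from rpmdevtools.
is_fixed() {
    cand=$1
    req=$2
    lowest=$(printf '%s\n%s\n' "$cand" "$req" | sort -V | head -n 1)
    [ "$lowest" = "$req" ]
}

# installed_vr NAME: print VERSION-RELEASE of the installed package, or nothing
# when it is not installed. Fails (non-zero) when rpm itself is unavailable.
installed_vr() {
    command -v rpm >/dev/null 2>&1 || return 1
    out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null) || return 0
    printf '%s\n' "$out" | head -n 1
}

# check_pkg NAME FIXED: print a verdict; return 0 when patched or absent,
# 1 when an older build is installed.
check_pkg() {
    name=$1
    fixed=$2
    if ! have=$(installed_vr "$name"); then
        echo "$name: rpm not available, cannot query"
        return 0
    fi
    if [ -z "$have" ]; then
        echo "$name: not installed"
        return 0
    fi
    if is_fixed "$have" "$fixed"; then
        echo "$name: $have is patched (fixed in $fixed)"
        return 0
    fi
    echo "$name: $have is VULNERABLE, update to $fixed"
    return 1
}

main() {
    status=0
    check_pkg timezone "$FIXED_TIMEZONE" || status=1
    check_pkg java-1.8.0-openjdk "$FIXED_OPENJDK" || status=1
    return $status
}

main
```

The script exits non-zero only when an installed build is older than the fixed one, so it can be dropped into a fleet-wide compliance run; hosts without rpm or without the packages are reported but not flagged.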