MGASA-2023-0272 - Updated java packages fix security vulnerabilities

Publication date: 30 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0272.html
Type: security
Affected Mageia releases: 8, 9
CVE: CVE-2023-21930,
     CVE-2023-21954,
     CVE-2023-21967,
     CVE-2023-21939,
     CVE-2023-21938,
     CVE-2023-21937,
     CVE-2023-21968,
     CVE-2023-22045,
     CVE-2023-22049,
     CVE-2023-25193,
     CVE-2023-22006,
     CVE-2023-22036,
     CVE-2023-22044,
     CVE-2023-22041

The updated packages fix security vulnerabilities and a file conflict:

Improper connection handling during TLS handshake. (CVE-2023-21930)

Incorrect enqueue of references in garbage collector. (CVE-2023-21954)

Certificate validation issue in TLS session negotiation.
(CVE-2023-21967)

Swing HTML parsing issue. (CVE-2023-21939)

Incorrect handling of NULL characters in ProcessBuilder.
(CVE-2023-21938)

Missing string checks for NULL characters. (CVE-2023-21937)

Missing check for slash characters in URI-to-path conversion.
(CVE-2023-21968)

Array indexing integer overflow issue. (CVE-2023-22045)

Improper handling of slash characters in URI-to-path conversion.
(CVE-2023-22049)

O(n^2) growth via consecutive marks. (CVE-2023-25193)

HTTP client insufficient file name validation. (CVE-2023-22006)

ZIP file parsing infinite loop. (CVE-2023-22036)

Modulo operator array indexing issue. (CVE-2023-22044)

Weakness in AES implementation. (CVE-2023-22041)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22006
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22036
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22044
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22041
- https://access.redhat.com/errata/RHSA-2023:1904
- https://access.redhat.com/errata/RHSA-2023:1880
- https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2023:4178
- https://access.redhat.com/errata/RHBA-2023:4374
- https://access.redhat.com/errata/RHSA-2023:4169
- https://www.oracle.com/security-alerts/cpujul2023.html#AppendixJAVA

SRPMS:
- 9/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga9
- 9/core/java-11-openjdk-11.0.20.0.8-1.mga9
- 9/core/java-17-openjdk-17.0.8.0.7-1.mga9
- 9/core/java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9
- 8/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga8
- 8/core/java-11-openjdk-11.0.20.0.8-1.mga8
- 8/core/openjfx-11.0.9.2-4.mga8
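Checking a host against the SRPMS list above, as an added example that is not part of the advisory or of Mageia's tooling: it ports rpm's version ordering (rpmvercmp) to Python, reads `rpm -qa --qf '%{NAME} %{SOURCERPM}\n'` output, and reports which installed binary packages were built from a source package older than the fixed NVRs. The sample query output is constructed (the pre-update version numbers are invented), epochs are assumed equal because the advisory's NVRs carry none, and the rarely used `^` separator is left out of the comparison.

```python
"""Check installed packages against the fixed SRPM versions in MGASA-2023-0272.
Added example, not Mageia's tooling.  Run with --live to query the rpm database."""
import re
import subprocess
import sys
# Fixed source package NVRs, copied from the advisory's SRPMS list.
FIXED_SRPMS = [
    "java-1.8.0-openjdk-1.8.0.382.b05-1.mga9",
    "java-11-openjdk-11.0.20.0.8-1.mga9",
    "java-17-openjdk-17.0.8.0.7-1.mga9",
    "java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9",
    "java-1.8.0-openjdk-1.8.0.382.b05-1.mga8",
    "java-11-openjdk-11.0.20.0.8-1.mga8",
    "openjfx-11.0.9.2-4.mga8",
]
# Constructed sample of `rpm -qa --qf '%{NAME} %{SOURCERPM}\n'` output on a
# Mageia 9 host; the pre-update version numbers are invented for illustration.
SAMPLE_RPM_QA = """\
java-11-openjdk-headless java-11-openjdk-11.0.19.0.7-1.mga9.src.rpm
java-17-openjdk-headless java-17-openjdk-17.0.8.0.7-1.mga9.src.rpm
java-1.8.0-openjdk-devel java-1.8.0-openjdk-1.8.0.382.b05-1.mga9.src.rpm
java-latest-openjdk java-latest-openjdk-20.0.1.0.9-1.rolling.1.mga9.src.rpm
gpg-pubkey (none)
"""
def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp() (minus the rarely used '^' separator): -1 if
    a < b, 0 if equal, 1 if a > b.  Numeric and alphabetic segments compare in
    turn, and '~' sorts before everything so that 1.0~rc1 < 1.0."""
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb):
            if ca != cb:  # the side without the tilde is the newer one
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        seg = str.isdigit if (isnum := ca.isdigit()) else str.isalpha
        ia, jb = i, j
        while ia < la and seg(a[ia]):
            ia += 1
        while jb < lb and seg(b[jb]):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:  # a numeric segment outranks an alphabetic one
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side has characters left wins

def split_nvr(nvr):  # 'java-11-openjdk-11.0.20.0.8-1.mga9' -> (name, version, release)
    return tuple(nvr.rsplit("-", 2))

def compare_vr(a, b):
    """Order (version, release) pairs as rpm does; epochs assumed equal."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])

def mga_release(release):
    """'1.rolling.2.mga9' -> '9'; '' when the release tag has no Mageia disttag."""
    m = re.search(r"\.mga(\d+)$", release)
    return m.group(1) if m else ""

# (source package name, Mageia release) -> fixed (version, release)
FIXED = {(n, mga_release(r)): (v, r) for n, v, r in map(split_nvr, FIXED_SRPMS)}

def audit(rpm_lines):
    """Package name -> (verdict, installed V-R, fixed V-R) per affected source package."""
    results = {}
    for line in rpm_lines:
        fields = line.split()
        if len(fields) != 2 or not fields[1].endswith(".src.rpm"):
            continue  # blank line, or no source rpm (e.g. imported gpg-pubkey)
        pkg, srpm = fields
        name, ver, rel = split_nvr(srpm[:-len(".src.rpm")])
        fixed = FIXED.get((name, mga_release(rel)))
        if fixed is None:
            continue  # built from a source package this advisory does not touch
        verdict = "fixed" if compare_vr((ver, rel), fixed) >= 0 else "vulnerable"
        results[pkg] = (verdict, f"{ver}-{rel}", "-".join(fixed))
    return results

if __name__ == "__main__":
    lines = (subprocess.check_output(["rpm", "-qa", "--qf", "%{NAME} %{SOURCERPM}\n"],
                                     text=True).splitlines()
             if "--live" in sys.argv else SAMPLE_RPM_QA.splitlines())
    for pkg, (verdict, have, want) in sorted(audit(lines).items()):
        print(f"{verdict:10} {pkg}: installed {have}, fixed in {want}")
```

The check keys on SOURCERPM rather than on package names because the advisory lists source packages, while a host installs binary subpackages (java-11-openjdk-headless, -devel, and so on) that carry the source package's version-release. A package reporting the fixed version only means the files on disk are patched: JVMs that were already running keep the old code loaded until they are restarted.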
