What Are You Looking For?

Sign Up
MGASA-2023-0272 - Updated java packages fix security vulnerabilities

Publication date: 30 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0272.html
Type: security
Affected Mageia releases: 8, 9
CVE: CVE-2023-21930,
     CVE-2023-21954,
     CVE-2023-21967,
     CVE-2023-21939,
     CVE-2023-21938,
     CVE-2023-21937,
     CVE-2023-21968,
     CVE-2023-22045,
     CVE-2023-22049,
     CVE-2023-25193,
     CVE-2023-22006,
     CVE-2023-22036,
     CVE-2023-22044,
     CVE-2023-22041

The updated packages fix security vulnerabilities and a file conflict :

Improper connection handling during TLS handshake. (CVE-2023-21930)

Incorrect enqueue of references in garbage collector. (CVE-2023-21954)

Certificate validation issue in TLS session negotiation.
(CVE-2023-21967)

Swing HTML parsing issue. (CVE-2023-21939)

Incorrect handling of NULL characters in ProcessBuilder.
(CVE-2023-21938)

Missing string checks for NULL characters. (CVE-2023-21937)

Missing check for slash characters in URI-to-path conversion.
(CVE-2023-21968)

Array indexing integer overflow issue. (CVE-2023-22045)

Improper handling of slash characters in URI-to-path conversion.
(CVE-2023-22049)

O(n^2) growth via consecutive marks. (CVE-2023-25193)

HTTP client insufficient file name validation. (CVE-2023-22006)

ZIP file parsing infinite loop. (CVE-2023-22036)

Modulo operator array indexing issue. (CVE-2023-22044)

Weakness in AES implementation. (CVE-2023-22041)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32203
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22006
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22036
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22044
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22041
- https://access.redhat.com/errata/RHSA-2023:1904
- https://access.redhat.com/errata/RHSA-2023:1880
- https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2023:4178
- https://access.redhat.com/errata/RHBA-2023:4374
- https://access.redhat.com/errata/RHSA-2023:4169
- https://www.oracle.com/security-alerts/cpujul2023.html#AppendixJAVA
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22006
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22036
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22044
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22041

SRPMS:
- 9/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga9
- 9/core/java-11-openjdk-11.0.20.0.8-1.mga9
- 9/core/java-17-openjdk-17.0.8.0.7-1.mga9
- 9/core/java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9
- 8/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga8
- 8/core/java-11-openjdk-11.0.20.0.8-1.mga8
- 8/core/openjfx-11.0.9.2-4.mga8

Mageia 2023-0272: java security update

The updated packages fix security vulnerabilities and a file conflict : Improper connection handling during TLS handshake

Summary

The updated packages fix security vulnerabilities and a file conflict :
Improper connection handling during TLS handshake. (CVE-2023-21930)
Incorrect enqueue of references in garbage collector. (CVE-2023-21954)
Certificate validation issue in TLS session negotiation. (CVE-2023-21967)
Swing HTML parsing issue. (CVE-2023-21939)
Incorrect handling of NULL characters in ProcessBuilder. (CVE-2023-21938)
Missing string checks for NULL characters. (CVE-2023-21937)
Missing check for slash characters in URI-to-path conversion. (CVE-2023-21968)
Array indexing integer overflow issue. (CVE-2023-22045)
Improper handling of slash characters in URI-to-path conversion. (CVE-2023-22049)
O(n^2) growth via consecutive marks. (CVE-2023-25193)
HTTP client insufficient file name validation. (CVE-2023-22006)
ZIP file parsing infinite loop. (CVE-2023-22036)
Modulo operator array indexing issue. (CVE-2023-22044)
Weakness in AES implementation. (CVE-2023-22041)

References

- https://bugs.mageia.org/show_bug.cgi?id=32203

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22006

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22036

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22044

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22041

- https://access.redhat.com/errata/RHSA-2023:1904

- https://access.redhat.com/errata/RHSA-2023:1880

- https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixJAVA

- https://access.redhat.com/errata/RHSA-2023:4178

- https://access.redhat.com/errata/RHBA-2023:4374

- https://access.redhat.com/errata/RHSA-2023:4169

- https://www.oracle.com/security-alerts/cpujul2023.html#AppendixJAVA

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25193

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22006

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22036

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22044

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22041

Resolution

MGASA-2023-0272 - Updated java packages fix security vulnerabilities

SRPMS

- 9/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga9

- 9/core/java-11-openjdk-11.0.20.0.8-1.mga9

- 9/core/java-17-openjdk-17.0.8.0.7-1.mga9

- 9/core/java-latest-openjdk-20.0.2.0.9-1.rolling.2.mga9

- 8/core/java-1.8.0-openjdk-1.8.0.382.b05-1.mga8

- 8/core/java-11-openjdk-11.0.20.0.8-1.mga8

- 8/core/openjfx-11.0.9.2-4.mga8

Severity
Publication date: 30 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0272.html
Type: security
CVE: CVE-2023-21930, CVE-2023-21954, CVE-2023-21967, CVE-2023-21939, CVE-2023-21938, CVE-2023-21937, CVE-2023-21968, CVE-2023-22045, CVE-2023-22049, CVE-2023-25193, CVE-2023-22006, CVE-2023-22036, CVE-2023-22044, CVE-2023-22041

Related News

Kubernetes Security on AWS: A Practical Guide

Nov 18, 2023

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 25, 2023

Security Highlights from KubeCon + CloudNativeCon 2023

Nov 18, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024

About Us

Powered By

Footer Logo