

Ubuntu
July 31, 2017
A security update for OpenJDK 8 in Ubuntu fixes a regression that caused some valid JAR files to fail validation.

Summary

USN 3366-1 introduced a regression in OpenJDK 8.

Software Description:

- openjdk-8: Open Source Java implementation

Details:

USN-3366-1 fixed vulnerabilities in OpenJDK 8. Unfortunately, that update introduced a regression that caused some valid JAR files to fail validation. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that the JPEGImageReader class in OpenJDK would incorrectly read unused image data. An attacker could use this to specially construct a jpeg image file that when opened by a Java application would cause a denial of service. (CVE-2017-10053)

It was discovered that the JAR verifier in OpenJDK did not properly handle archives containing files missing digests. An attacker could use this to modify the signed contents of a JAR file. (CVE-2017-10067)

It was discovered that integer overflows existed in the Hotspot component of OpenJDK when generating range check loop predicates. An attacker ...
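Both the JAR-verifier issue above (CVE-2017-10067, archives with members that carry no digest) and the regression that USN-3366-1 introduced come down to how a verifier reconciles an archive's members with its manifest. As an added example, not code from Ubuntu or OpenJDK, the Python audit below reports members that have no SHA-256-Digest entry in META-INF/MANIFEST.MF and members whose content no longer matches the recorded digest, running against a constructed sample JAR. It assumes a simplified rule that skips the whole META-INF/ tree and it does not check the .SF or signature-block files, which a real verifier also must.

```python
import base64
import hashlib
import io
import zipfile

def manifest_entries(text):
    """Map each per-entry section (Name: ...) of MANIFEST.MF to its attributes."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # join continuation lines
    entries = {}
    for block in text.split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
        attrs = {k.strip(): v.strip() for k, _, v in pairs}
        if "Name" in attrs:
            entries[attrs["Name"]] = attrs
    return entries

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def audit_jar(jar_bytes):
    """Return (undigested, mismatched): members without a SHA-256-Digest in the
    manifest, and members whose content no longer matches the recorded digest."""
    undigested, mismatched = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = manifest_entries(zf.read("META-INF/MANIFEST.MF").decode())
        for name in zf.namelist():
            # Simplification: skip directories and the whole META-INF/ tree
            # (the manifest and signature files are never digested themselves).
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            attrs = entries.get(name, {})
            if "SHA-256-Digest" not in attrs:
                undigested.append(name)
            elif b64_sha256(zf.read(name)) != attrs["SHA-256-Digest"]:
                mismatched.append(name)
    return undigested, mismatched

def build_sample_jar(tamper=False):
    """Constructed sample JAR: the manifest digests Hello.class only; extra.txt has
    no digest; tamper=True alters Hello.class after its digest was recorded."""
    signed = b"class Hello {}"
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: Hello.class\r\n"
                f"SHA-256-Digest: {b64_sha256(signed)}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("Hello.class", b"class Hello { patched }" if tamper else signed)
        zf.writestr("extra.txt", b"not covered by any digest")
    return buf.getvalue()
```

Running audit_jar over a real signed JAR lists anything the manifest leaves uncovered, which is exactly the condition a verifier must refuse rather than silently accept.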


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  openjdk-8-jre                   8u131-b11-2ubuntu1.17.04.3
  openjdk-8-jre-headless          8u131-b11-2ubuntu1.17.04.3
  openjdk-8-jre-zero              8u131-b11-2ubuntu1.17.04.3

Ubuntu 16.04 LTS:
  openjdk-8-jre                   8u131-b11-2ubuntu1.16.04.3
  openjdk-8-jre-headless          8u131-b11-2ubuntu1.16.04.3
  openjdk-8-jre-jamvm             8u131-b11-2ubuntu1.16.04.3
  openjdk-8-jre-zero              8u131-b11-2ubuntu1.16.04.3

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3366-2

https://ubuntu.com/security/notices/USN-3366-1

https://bugs.launchpad.net/ubuntu/+source/openjdk-8/+bug/1707082

Severity

critical

