Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in OpenJDK
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in OpenJDK
ID: USN-6929-1
Distribution: Ubuntu
Plattformen: Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
Datum: Mi, 31. Juli 2024, 23:18
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21147
Applikationen: OpenJDK

Originalnachricht

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3942641580041153370==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="------------AAfmOIwiW6OFbCHPbRGQH3zb"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------AAfmOIwiW6OFbCHPbRGQH3zb
Content-Type: multipart/mixed;
boundary="------------03S7LD3g5dAnOuAsC4UsJcMU";
protected-headers="v1"
From: Evan Caville <evan.caville@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <25fa40b5-80ea-4065-902f-f420e3541d5b@canonical.com>
Subject: [USN-6929-1] OpenJDK 8 vulnerabilities

--------------03S7LD3g5dAnOuAsC4UsJcMU
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-6929-1
July 31, 2024

openjdk-8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:
- openjdk-8: Open Source Java implementation

Details:

It was discovered that the Hotspot component of OpenJDK 8 was not properly
performing bounds when handling certain UTF-8 strings, which could lead to
a buffer overflow. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2024-21131)

It was discovered that the Hotspot component of OpenJDK 8 could be made to
run into an infinite loop. If an automated system were tricked into
processing excessively large symbols, an attacker could possibly use this
issue to cause a denial of service. (CVE-2024-21138)

It was discovered that the Hotspot component of OpenJDK 8 did not properly
perform range check elimination. An attacker could possibly use this issue
to cause a denial of service, execute arbitrary code or bypass Java
sandbox restrictions. (CVE-2024-21140)

Yakov Shafranovich discovered that the Concurrency component of OpenJDK 8
incorrectly performed header validation in the Pack200 archive format. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21144)

Sergey Bylokhov discovered that OpenJDK 8 did not properly manage memory
when handling 2D images. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2024-21145)

It was discovered that the Hotspot component of OpenJDK 8 incorrectly
handled memory when performing range check elimination under certain
circumstances. An attacker could possibly use this issue to cause a
denial of service, execute arbitrary code or bypass Java sandbox
restrictions. (CVE-2024-21147)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
openjdk-8-jdk 8u422-b05-1~24.04
openjdk-8-jdk-headless 8u422-b05-1~24.04
openjdk-8-jre 8u422-b05-1~24.04
openjdk-8-jre-headless 8u422-b05-1~24.04
openjdk-8-jre-zero 8u422-b05-1~24.04

Ubuntu 22.04 LTS
openjdk-8-jdk 8u422-b05-1~22.04
openjdk-8-jdk-headless 8u422-b05-1~22.04
openjdk-8-jre 8u422-b05-1~22.04
openjdk-8-jre-headless 8u422-b05-1~22.04
openjdk-8-jre-zero 8u422-b05-1~22.04

Ubuntu 20.04 LTS
openjdk-8-jdk 8u422-b05-1~20.04
openjdk-8-jdk-headless 8u422-b05-1~20.04
openjdk-8-jre 8u422-b05-1~20.04
openjdk-8-jre-headless 8u422-b05-1~20.04
openjdk-8-jre-zero 8u422-b05-1~20.04

Ubuntu 18.04 LTS
openjdk-8-jdk 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jdk-headless 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jre 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jre-headless 8u422-b05-1~18.04
Available with Ubuntu Pro
openjdk-8-jre-zero 8u422-b05-1~18.04
Available with Ubuntu Pro

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6929-1
CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144,
CVE-2024-21145, CVE-2024-21147

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u422-b05-1~24.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u422-b05-1~22.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u422-b05-1~20.04

--------------03S7LD3g5dAnOuAsC4UsJcMU--

--------------AAfmOIwiW6OFbCHPbRGQH3zb
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature.asc"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEEAPYWTpwtIbr7xH4OWNrRIKaTkWcFAmapygUFAwAAAAAACgkQWNrRIKaTkWd5
LQ//eVd3abLi3XG6L7dHu6f5Zodq7h+z+cPdlEm7223/4yGkEokBvUiX5tOTX5JVSAYOk0hg36Zk
CZQN16jxkgUrKtMdKYPL3MS8nTSENgdhrFO/mCnoIblSGh5B+t8vdJ+8waADvJ4pfwGLTyXW6Wzr
0vlVgSYpvmkhXhcyFZ6zC2vbfGiraRmA5hgV7pm7LRTrSP7pwEHN/f0Stqk+M8p9QrQre5FPG1da
LuoQ+MmmLViPlrnyhB2WcFbgYWuygwdlZ58oUwyhkc4Jmp2HEdTD77KnaRWGaDoSBs86nasWmnHy
skvdMV490N1lhQwaTzU9aVlhjraGacChHKfRgBWV+D/vKAxBon4+P2vyB0BkflNVv4kvJuQPnZhA
oFEnBgvwUEMrWOsqOCWCQBxzRxAcfHVR0zUXuNtPh+hbzjnU8GJUh1EFDSnP/A8ONUhG2zSGHgOV
r4QrINdKjqpqpTSwCpZFk+WuYDXLfSXId43KP2IXjllwN+wQtanra2Dz0cExMSx7WBOrOaT96SHl
BEb2SP5BPfB0OUbW/wfsJrXjowXOkpoUFieR3qU6Wkfqx8wqE75NYNw+MrwKyH3cuLioqBAu6SIF
0zUtFnjC/iarv2o0ouddPUuk/2kv1LLgjGLUXlSPbGtJkAKHG0vmOIY0uokXBFk4+HKFaSaBKSwC
hhU=
=eRxp
-----END PGP SIGNATURE-----

--------------AAfmOIwiW6OFbCHPbRGQH3zb--


--===============3942641580041153370==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============3942641580041153370==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung