Mehrere Probleme in OpenJDK
ID: | USN-4607-1 |
Distribution: | Ubuntu |
Plattformen: | Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 20.10 |
Datum: | Mi, 28. Oktober 2020, 06:55 |
Referenzen: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14797 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14792 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14781 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14782 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14798 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14803 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14796 |
Applikationen: | OpenJDK |
Originalnachricht |
|
--===============5552126092957856184== Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="tdwbjtubh5klg2cc" Content-Disposition: inline --tdwbjtubh5klg2cc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline ========================================================================== Ubuntu Security Notice USN-4607-1 October 27, 2020 openjdk-8, openjdk-lts vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in OpenJDK. Software Description: - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Details: It was discovered that OpenJDK incorrectly handled deserializing Proxy class objects with many interfaces. A remote attacker could possibly use this issue to cause a denial of service (memory consumption) via a specially crafted input. (CVE-2020-14779) Sergey Ostanin discovered that OpenJDK incorrectly restricted authentication mechanisms. A remote attacker could possibly use this issue to obtain sensitive information over an unencrypted connection. (CVE-2020-14781) It was discovered that OpenJDK incorrectly handled untrusted certificates. An attacker could possibly use this issue to read or write sensitive information. (CVE-2020-14782) Zhiqiang Zang discovered that OpenJDK incorrectly checked for integer overflows. An attacker could possibly use this issue to bypass certain Java sandbox restrictions. (CVE-2020-14792) Markus Loewe discovered that OpenJDK incorrectly checked permissions when converting a file system path to an URI. An attacker could possibly use this issue to bypass certain Java sandbox restrictions. (CVE-2020-14796) Markus Loewe discovered that OpenJDK incorrectly checked for invalid characters when converting an URI to a path. An attacker could possibly use this issue to read or write sensitive information. (CVE-2020-14797) Markus Loewe discovered that OpenJDK incorrectly checked the length of input strings. An attacker could possibly use this issue to bypass certain Java sandbox restrictions. (CVE-2020-14798) It was discovered that OpenJDK incorrectly handled boundary checks. An attacker could possibly use this issue to bypass certain Java sandbox restrictions. (CVE-2020-14803) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: openjdk-11-jdk 11.0.9+11-0ubuntu1 openjdk-11-jre 11.0.9+11-0ubuntu1 openjdk-11-jre-headless 11.0.9+11-0ubuntu1 openjdk-11-jre-zero 11.0.9+11-0ubuntu1 openjdk-8-jdk 8u272-b10-0ubuntu1~20.10 openjdk-8-jre 8u272-b10-0ubuntu1~20.10 openjdk-8-jre-headless 8u272-b10-0ubuntu1~20.10 openjdk-8-jre-zero 8u272-b10-0ubuntu1~20.10 Ubuntu 20.04 LTS: openjdk-11-jdk 11.0.9+11-0ubuntu1~20.04 openjdk-11-jre 11.0.9+11-0ubuntu1~20.04 openjdk-11-jre-headless 11.0.9+11-0ubuntu1~20.04 openjdk-11-jre-zero 11.0.9+11-0ubuntu1~20.04 openjdk-8-jdk 8u272-b10-0ubuntu1~20.04 openjdk-8-jre 8u272-b10-0ubuntu1~20.04 openjdk-8-jre-headless 8u272-b10-0ubuntu1~20.04 openjdk-8-jre-zero 8u272-b10-0ubuntu1~20.04 Ubuntu 18.04 LTS: openjdk-11-jdk 11.0.9+11-0ubuntu1~18.04.1 openjdk-11-jre 11.0.9+11-0ubuntu1~18.04.1 openjdk-11-jre-headless 11.0.9+11-0ubuntu1~18.04.1 openjdk-11-jre-zero 11.0.9+11-0ubuntu1~18.04.1 openjdk-8-jdk 8u272-b10-0ubuntu1~18.04 openjdk-8-jre 8u272-b10-0ubuntu1~18.04 openjdk-8-jre-headless 8u272-b10-0ubuntu1~18.04 openjdk-8-jre-zero 8u272-b10-0ubuntu1~18.04 Ubuntu 16.04 LTS: openjdk-8-jdk 8u272-b10-0ubuntu1~16.04 openjdk-8-jre 8u272-b10-0ubuntu1~16.04 openjdk-8-jre-headless 8u272-b10-0ubuntu1~16.04 openjdk-8-jre-zero 8u272-b10-0ubuntu1~16.04 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. References: https://usn.ubuntu.com/4607-1 CVE-2020-14779, CVE-2020-14781, CVE-2020-14782, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798, CVE-2020-14803 Package Information: https://launchpad.net/ubuntu/+source/openjdk-8/8u272-b10-0ubuntu1~20.10 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.9+11-0ubuntu1 https://launchpad.net/ubuntu/+source/openjdk-8/8u272-b10-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.9+11-0ubuntu1~20.04 https://launchpad.net/ubuntu/+source/openjdk-8/8u272-b10-0ubuntu1~18.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.9+11-0ubuntu1~18.04.1 https://launchpad.net/ubuntu/+source/openjdk-8/8u272-b10-0ubuntu1~16.04 --tdwbjtubh5klg2cc Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEECtyyz6azUy6AZBzSkGeI6zGnN/8FAl+Yy1UACgkQkGeI6zGn N/9AXQ//cHX9sh+KeeCsKaP80LjYVciBMZFH0KE6v69Qcsy72B9Fay3/oNohfY6m MSnzUt8V7Tc+PrIjBGk2gpYbMnMOkjwLQi7BiMMAGWRgSCcU+hhXwECKodJk7sS4 JMrnYcO3DWfbq6ruSwbITLVlcJ+vi7EAIq6suuTMLRZ+B5mZxYRKAnLbHu7sDpvk +/G+swjjg3xw+1A5hbRjzOV4k065DJV5t1Z0p2V58cwSjGQ7zpS2SUKZJNyyFj3E R8ZrU1PqRMWXnAVkZjFDHre6C2+c3/Ls3luWcJCV++7NSC1xHBlc4HgxgaSt4/66 Yh6TIetTcNa80lIEk5c9Hp3yA+90lz16Wr3anv2CW6a2jV685AE/EGSzRwW38B8h z4yQ+BFe1eygCymbQnnJ23ytY4zMxfodaqqnGl0s5HCNLl/yZlKoD8uq+pzua9y4 7QYoo8HUIWqP6NoSz3sjsVpdFOuQe3TIV2eSO3zsQCY0ma2L0cnJXbVLlbfWR1WK +xUd9gWyrDpZPpq5k8LUSlGMPyM+9UKXIsXPnEEgMkshGzaVebWF+Ofgm75lU4To G2amumrcFvcXxBKNH3nj00Eho+gmPRt6O+6B80gJ4e1+TZTbnY23pfZc0uxVKCS8 wwmf6Oq5gxixPaBsO1e1L0bQZw8gbmW8OdRCdEYnbCSsWk8T/+k= =Gci4 -----END PGP SIGNATURE----- --tdwbjtubh5klg2cc-- --===============5552126092957856184== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce |