Sicherheit: Mehrere Probleme in OpenJDK (Aktualisierung)

Lesezeichen hinzufügen

--===============1905215917317727096==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="a+b56+3nqLzpiR9O"
Content-Disposition: inline

--a+b56+3nqLzpiR9O
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-3747-2
September 12, 2018

openjdk-lts regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

USN-3747-1 introduced a regression in OpenJDK 10.

Software Description:
- openjdk-lts: Open Source Java implementation

Details:

USN-3747-1 fixed vulnerabilities in OpenJDK 10 for Ubuntu 18.04 LTS.
Unfortunately, that update introduced a regression around accessability
support that prevented some Java applications from starting.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that OpenJDK did not properly validate types in some
situations. An attacker could use this to construct a Java class that could
possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826)

It was discovered that the PatternSyntaxException class in OpenJDK did not
properly validate arguments passed to it. An attacker could use this to
potentially construct a class that caused a denial of service (excessive
memory consumption). (CVE-2018-2952)

Daniel Bleichenbacher discovered a vulnerability in the Galois/Counter Mode
(GCM) mode of operation for symmetric block ciphers in OpenJDK. An attacker
could use this to expose sensitive information. (CVE-2018-2972)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
openjdk-11-jdk 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jdk-headless 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jre 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jre-headless 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jre-zero 10.0.2+13-1ubuntu0.18.04.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3747-2
https://usn.ubuntu.com/usn/usn-3747-1
https://launchpad.net/bugs/1788250

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/10.0.2+13-1ubuntu0.18.04.2

--a+b56+3nqLzpiR9O
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAluZlskACgkQLwmejQBe
gfRt1xAAnCtl51726vQyMg0c2Nrflq2eC/8S3aN+BvG+7vNvJQg3w/+Rn1kygJGS
eYtYCWTD0Sxx8GYkVFtPMZSFCVe6JPX+rHOe0CBV0OXzMMP4cnb8egiEJKoaupHP
yiDDX99XzJ+Sweqlimp4ni5WZ2crpUk1yYq8oLs2aitYSU0BjfqtBiZdl/vUH7Tw
EP4rjgS8/jroM7aChi5ojYpG+sxmAtlDs3ivfv8BAj4xSl2E4TO0SGexfGXS0/3r
e2XbEwV9eT5JGy0wTcZI283e3buHBWjhkwB/ozL4FLBI3geyTu8JS7q+nJK4koMu
VtChzODt53YQLOwjnTPoWmCcPyfVcoV/rZ3oT+AONzUMQrtwBD6y9Z5y8i/tbwoS
hWNWiRk34Sttrv3BZv0hU0WwKIZAh4qOmojxYs1VBrVO4Ac8Oo+IIFFpocQIB+G5
sxAyoMtnKNO+Db511X4xr2ehnfToN9CItrd22cFQjZWNL6mDukkvQ9NGABvHfc/l
/zcozSmqXjUqnkF3v48SpJdUeVYlYOzTRnZozla3N6blUydeDj9BdbdvrOE1Hd/a
h/nnhxgDfRk3fPhAnaG+Bh27dv061mLLVHDLNPIXjHwAN/Pp+1nxEvN9j3Pm1DHR
z2KxtWV0GJUibSAZKz8ymM8EF7rCkXYSCBc3GGs3KqkJnIFfa0o=
=YusV
-----END PGP SIGNATURE-----

--a+b56+3nqLzpiR9O--

--===============1905215917317727096==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce