drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in OpenJDK
Name: |
Mehrere Probleme in OpenJDK |
|
ID: |
USN-4257-1 |
|
Distribution: |
Ubuntu |
|
Plattformen: |
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 19.10 |
|
Datum: |
Di, 28. Januar 2020, 22:41 |
|
Referenzen: |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2655
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654 |
|
Applikationen: |
OpenJDK |
|
Originalnachricht |
--===============2253532991795596127== Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-k+c9oMOGfiH7KictuvfQ"
--=-k+c9oMOGfiH7KictuvfQ Content-Type: text/plain; charset="UTF-8 Content-Transfer-Encoding: quoted-printable
========================================================================== Ubuntu Security Notice USN-4257-1 January 28, 2020
openjdk-8, openjdk-lts vulnerabilities ==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description: - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation
Details:
It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583)
It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An unauthenticated remote attacker with network access via Kerberos could possibly use this issue to insert, modify or obtain sensitive information. (CVE-2020-2590)
It was discovered that OpenJDK incorrectly validated URLs. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2593)
It was discovered that OpenJDK Security component still used MD5 algorithm. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2020-2601)
It was discovered that OpenJDK incorrectly handled the application of serialization filters. An attacker could possibly use this issue to bypass the intended filter during serialization. (CVE-2020-2604)
Bo Zhang and Long Kuan discovered that OpenJDK incorrectly handled X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2654)
Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled CertificateVerify TLS handshake messages. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2655)
It was discovered that OpenJDK incorrectly enforced the limit of datagram sockets that can be created by a code running within a Java sandbox. An attacker could possibly use this issue to bypass the sandbox restrictions causing a denial of service. This issue only affected OpenJDK 8. (CVE-2020-2659)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 19.10: openjdk-11-jdk 11.0.6+10-1ubuntu1~19.10.1 openjdk-11-jre 11.0.6+10-1ubuntu1~19.10.1 openjdk-11-jre-headless 11.0.6+10-1ubuntu1~19.10.1 openjdk-11-jre-zero 11.0.6+10-1ubuntu1~19.10.1 openjdk-8-jdk 8u242-b08-0ubuntu3~19.10 openjdk-8-jre 8u242-b08-0ubuntu3~19.10 openjdk-8-jre-headless 8u242-b08-0ubuntu3~19.10 openjdk-8-jre-zero 8u242-b08-0ubuntu3~19.10
Ubuntu 18.04 LTS: openjdk-11-jdk 11.0.6+10-1ubuntu1~18.04.1 openjdk-11-jre 11.0.6+10-1ubuntu1~18.04.1 openjdk-11-jre-headless 11.0.6+10-1ubuntu1~18.04.1 openjdk-11-jre-zero 11.0.6+10-1ubuntu1~18.04.1 openjdk-8-jdk 8u242-b08-0ubuntu3~18.04 openjdk-8-jre 8u242-b08-0ubuntu3~18.04 openjdk-8-jre-headless 8u242-b08-0ubuntu3~18.04 openjdk-8-jre-zero 8u242-b08-0ubuntu3~18.04
Ubuntu 16.04 LTS: openjdk-8-jdk 8u242-b08-0ubuntu3~16.04 openjdk-8-jre 8u242-b08-0ubuntu3~16.04 openjdk-8-jre-headless 8u242-b08-0ubuntu3~16.04 openjdk-8-jre-jamvm 8u242-b08-0ubuntu3~16.04 openjdk-8-jre-zero 8u242-b08-0ubuntu3~16.04
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes.
References: https://usn.ubuntu.com/4257-1 CVE-2020-2583, CVE-2020-2590, CVE-2020-2593, CVE-2020-2601, CVE-2020-2604, CVE-2020-2654, CVE-2020-2655, CVE-2020-2659
Package Information: https://launchpad.net/ubuntu/+source/openjdk-8/8u242-b08-0ubuntu3~19.10 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.6+10-1ubuntu1~19.10.1 https://launchpad.net/ubuntu/+source/openjdk-8/8u242-b08-0ubuntu3~18.04 https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.6+10-1ubuntu1~18.04.1 https://launchpad.net/ubuntu/+source/openjdk-8/8u242-b08-0ubuntu3~16.04
--=-k+c9oMOGfiH7KictuvfQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEECtyyz6azUy6AZBzSkGeI6zGnN/8FAl4wouIACgkQkGeI6zGn N//Y7RAAmDjpAZX8VuzS8dAVLdW/r4gbNPTiQTvv88ROj9OYyXNMEXmp/yb+gKRU Z4GCAMPBDgx0xMA4lUGOUkslKiU4yN0il6VhWCfqqfj7aTBawINpw7BfYfHQIp8l SjLUe1zCoVUZeGHZwXVoHk+WNIZEeghXG7FckuQzCKBA4fFSK3RWPbqzqZBjvIUv ovzwxtsnM4SrjXV/7Q13/024AW81v4EMIfUQKSfaa3SOEPDbf5i77lt68wF6Qnvr vOW1q5VmUhr9ynaVkia8lKFpWXyvyeZ+2D57Z0UsHJ/CVS4ASuYbjcevYdWGeutM BhcSaJOJkHAUmO4d6kG1rVro8ko/z9X2v6IDS+Mh0C4zYiRmayjXIusiv7FUDEFO 4viQF/Z8QDn7hWbqEQ90wO2GMTKEg7P4Gbs9JgcS5HWHUJZ+ncmAa0dbBk+e4FEi Ehlt4eGibZHL1KgQZ4m5Rq2k+eiQN7mC8QAKNwsS6qZYG/6CMnPYnWoJCowqFkaz hSYD6yK7gCpPO4G9khAYY0aPEi4Z5PACEQqHZDNY8toyBzHZRyzwhTIoBDoCf3Y6 ONFNB4MDjkbgIy6aHLaX6vo5qdrUI6SpU+TeOz2R5p/cltvnOUvHiHSQxzA8J4Ou S0gHOYJJjfbQwcKp/gdsQg7Nh41l7O0lZxnK0m0XEVHrvwQt7eA= =OOmA -----END PGP SIGNATURE-----
--=-k+c9oMOGfiH7KictuvfQ--
--===============2253532991795596127== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline
LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5 LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj dXJpdHktYW5ub3VuY2UK
--===============2253532991795596127==--
|
|
|
|