ELSA-2023-4177 Moderate: Oracle Linux 9 java-17-openjdk security and bug fix update
Oracle Linux Security Advisory ELSA-2023-4177
http://linux.oracle.com/errata/ELSA-2023-4177.html
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:
x86_64:
java-17-openjdk-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-demo-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-devel-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-headless-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-javadoc-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-javadoc-zip-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-jmods-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-src-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-static-libs-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-demo-fastdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-demo-slowdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-devel-fastdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-devel-slowdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-fastdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-headless-fastdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-headless-slowdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-jmods-fastdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-jmods-slowdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-slowdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-src-fastdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-src-slowdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-static-libs-fastdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
java-17-openjdk-static-libs-slowdebug-17.0.8.0.7-2.0.1.el9.x86_64.rpm
aarch64:
java-17-openjdk-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-demo-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-devel-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-headless-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-javadoc-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-javadoc-zip-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-jmods-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-src-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-static-libs-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-demo-fastdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-demo-slowdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-devel-fastdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-devel-slowdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-fastdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-headless-fastdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-headless-slowdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-jmods-fastdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-jmods-slowdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-slowdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-src-fastdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-src-slowdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-static-libs-fastdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
java-17-openjdk-static-libs-slowdebug-17.0.8.0.7-2.0.1.el9.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//java-17-openjdk-17.0.8.0.7-2.0.1.el9.src.rpm
Related CVEs:
CVE-2023-22006
CVE-2023-22036
CVE-2023-22041
CVE-2023-22044
CVE-2023-22045
CVE-2023-22049
CVE-2023-25193
Description of changes:
[1:17.0.8.0.7-2.0.1]
- OpenJDK: ZIP file parsing infinite loop (8302483) (CVE-2023-22036)
- OpenJDK: weakness in AES implementation (8308682) (CVE-2023-22041)
- OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312) (CVE-2023-22049)
- harfbuzz: OpenJDK: O(n^2) growth via consecutive marks (CVE-2023-25193)
- OpenJDK: HTTP client insufficient file name validation (8302475) (CVE-2023-22006)
- OpenJDK: modulo operator array indexing issue (8304460) (CVE-2023-22044)
- OpenJDK: array indexing integer overflow issue (8304468) (CVE-2023-22045)
- Add Oracle vendor bug URL [Orabug: 34340155]
[1:17.0.8.0.6-0.1.ea]
- Update to jdk-17.0.8+6 (EA)
- Sync the copy of the portable specfile with the latest update
- Resolves: rhbz#2217716
[1:17.0.8.0.1-0.1.ea]
- Update to jdk-17.0.8+1 (EA)
- Update release notes to 17.0.8+1
- Switch to EA mode
- Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 17.0.8+1
- Bump bundled LCMS version to 2.15 as in jdk-17.0.8+1.
- Bump bundled HarfBuzz version to 7.0.1 as in jdk-17.0.8+1
- Use tapsets from the misc tarball
- Introduce 'prelease' for the portable release versioning, to handle EA builds
- Make sure root installation directory is created first
- Use in-place substitution for all but the first of the tapset changes
- Related: rhbz#2217716
[1:17.0.7.0.7-4]
- Introduce vm_variant global for consistency with future JDK builds
- Related: rhbz#2203412
[1:17.0.7.0.7-4]
- Exclude classes_nocoops.jsa on i686 and arm32
- Related: rhbz#2203412
[1:17.0.7.0.7-4]
- Following JDK-8005165, class data sharing can be enabled on all JIT architectures
- Related: rhbz#2203412
[1:17.0.7.0.7-4]
- Fix packaging of CDS archives
- Resolves: rhbz#2203412
A java-17-openjdk security and bug fix update has been released for Oracle Linux 9.