Bug 732624

Summary: <dev-java/openjdk{,-bin}-{8.262_p01, 11.0.8_p10}: Multiple vulnerabilities (2020-07-14 advisory)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: gyakovlev, java
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://openjdk.java.net/groups/vulnerability/advisories/2020-07-14
Whiteboard: A2 [glsa+ cve]
Package list:
dev-java/openjdk-8.265_p01 amd64 ppc64 x86
dev-java/openjdk-bin-8.265_p01 amd64 arm64 ppc64
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 732622    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 20:45:21 UTC
From https://mail.openjdk.java.net/pipermail/vuln-announce/2020-July/000007.html:
"OpenJDK Vulnerability Advisory: 2020/7/14
vuln-report@openjdk.java.net
https://openjdk.java.net/groups/vulnerability/advisories

Releases affected: 7, 8, 11, 13, and 14

OpenJDK CVEs:
    CVE-2020-14583 CVE-2020-14593 CVE-2020-14562 CVE-2020-14621
    CVE-2020-14556 CVE-2020-14573 CVE-2020-14578 CVE-2020-14579
    CVE-2020-14581 CVE-2020-14577

OpenJFX CVEs:
    CVE-2020-14664


These issues have been addressed, as applicable, in the following releases:
  7u271, 8u262, 11.0.8, 13.0.4, and 14.0.2

We recommend that you upgrade to these new releases as soon as possible.

For more detail about this advisory, please see:
  https://openjdk.java.net/groups/vulnerability/advisories/2020-07-14"
Comment 1 Larry the Git Cow gentoo-dev 2020-07-14 22:00:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6244e4be97f2e7ce3ab0cc3348c0e8410e75a0eb

commit 6244e4be97f2e7ce3ab0cc3348c0e8410e75a0eb
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-14 21:44:51 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-14 21:58:45 +0000

    dev-java/openjdk: bump to 8.262_p10
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                 |   8 ++
 dev-java/openjdk/openjdk-8.262_p10.ebuild | 226 ++++++++++++++++++++++++++++++
 2 files changed, 234 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2020-07-14 22:02:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50e3d8b2b8e866a63bfccedb321c52cda469d1af

commit 50e3d8b2b8e866a63bfccedb321c52cda469d1af
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-14 22:02:23 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-14 22:02:23 +0000

    dev-java/openjdk: bump to 11.0.8_p10
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 +
 dev-java/openjdk/openjdk-11.0.8_p10.ebuild | 276 +++++++++++++++++++++++++++++
 2 files changed, 277 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-07-14 22:13:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65246fa0096d75694e23f00f584b1f116c9fcf1e

commit 65246fa0096d75694e23f00f584b1f116c9fcf1e
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-14 22:12:15 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-14 22:12:31 +0000

    dev-java/openjfx: bump to 11.0.8_p2
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjfx/Manifest                 |   1 +
 dev-java/openjfx/openjfx-11.0.8_p2.ebuild | 222 ++++++++++++++++++++++++++++++
 2 files changed, 223 insertions(+)
Comment 4 Georgy Yakovlev archtester gentoo-dev 2020-07-15 17:40:03 UTC
openjdk-jre-bin:11 and openjdk-bin:11 bumped as well. since :11 slot does not have stable keywords, I'll do cleanup just in a bit.

still waiting for adoptopenjdk to provide openjdk-bin:8 tarballs.
Comment 5 Larry the Git Cow gentoo-dev 2020-07-16 18:38:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ec8929d96d22493420580adf66d5cbde2d409c2

commit 7ec8929d96d22493420580adf66d5cbde2d409c2
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-16 18:36:12 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-16 18:37:08 +0000

    dev-java/openjdk-jre-bin: bump to 8.262_p10
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-8.262_p10.ebuild               | 84 ++++++++++++++++++++++
 2 files changed, 85 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b705fd7294d75585554cd8104606337b0407d838

commit b705fd7294d75585554cd8104606337b0407d838
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-16 18:33:51 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-16 18:36:59 +0000

    dev-java/openjdk-bin: bump to 8.262_p10
    
    no arm64 build available yet.
    will add keyword later.
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                     |  3 +
 dev-java/openjdk-bin/openjdk-bin-8.262_p10.ebuild | 92 +++++++++++++++++++++++
 2 files changed, 95 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:43:03 UTC
Ready to stable?
Comment 7 Georgy Yakovlev archtester gentoo-dev 2020-07-26 20:12:28 UTC
yep. no new bugs.
re-added arm64 tarball to -bin.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 02:39:28 UTC
(In reply to Georgy Yakovlev from comment #7)
> yep. no new bugs.
> re-added arm64 tarball to -bin.

Cool, thanks!
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 03:16:15 UTC
arm64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 13:56:02 UTC
amd64 stable
Comment 11 Georgy Yakovlev archtester gentoo-dev 2020-08-03 20:40:07 UTC
8.265_p01 is out, and needs to get stable asap.
Comment 12 NATTkA bot gentoo-dev 2020-08-03 20:40:41 UTC
Sanity check failed:

> dev-java/openjdk-bin-8.262_p10
>   depend arm stable profile default/linux/arm/17.0 (1 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>   depend arm dev profile default/linux/arm/17.0/armv4 (31 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>   rdepend arm stable profile default/linux/arm/17.0 (1 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>     >=sys-apps/baselayout-java-0.1.0-r1
>   rdepend arm dev profile default/linux/arm/17.0/armv4 (31 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>     >=sys-apps/baselayout-java-0.1.0-r1
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 00:32:19 UTC
arm64 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 00:35:33 UTC
amd64 stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 02:44:36 UTC
x86 stable
Comment 16 Larry the Git Cow gentoo-dev 2020-08-04 21:58:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f77738cc9c9f2c68d76eb9235ee4dd777adccd4

commit 3f77738cc9c9f2c68d76eb9235ee4dd777adccd4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-08-04 21:56:07 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-08-04 21:58:24 +0000

    dev-java/openjdk-bin: drop old
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |  12 ---
 .../openjdk-bin/openjdk-bin-11.0.7_p10-r1.ebuild   | 115 ---------------------
 dev-java/openjdk-bin/openjdk-bin-8.252_p09.ebuild  |  93 -----------------
 dev-java/openjdk-bin/openjdk-bin-8.262_p10.ebuild  |  93 -----------------
 4 files changed, 313 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2e262024d4c564b29a7da88732e2c422234549e

commit b2e262024d4c564b29a7da88732e2c422234549e
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-08-04 21:44:55 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-08-04 21:58:23 +0000

    dev-java/openjdk: drop old
    
    Bug: https://bugs.gentoo.org/732624
    Closes: https://bugs.gentoo.org/734320
    Closes: https://bugs.gentoo.org/706012
    Closes: https://bugs.gentoo.org/713180
    Closes: https://bugs.gentoo.org/706638
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                          |  17 --
 .../openjdk/files/openjdk-11.0.7_p10-sigsegv.patch |  55 ----
 .../openjdk/files/openjdk-8-detect-gcc10.patch     |  49 ----
 dev-java/openjdk/openjdk-11.0.7_p10.ebuild         | 280 ---------------------
 dev-java/openjdk/openjdk-8.252_p09.ebuild          | 231 -----------------
 dev-java/openjdk/openjdk-8.262_p10.ebuild          | 226 -----------------
 6 files changed, 858 deletions(-)
Comment 17 Georgy Yakovlev archtester gentoo-dev 2020-08-04 21:59:30 UTC
ppc64 stable. last arch.

also cleanup done.
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 17:41:43 UTC
(In reply to Georgy Yakovlev from comment #17)
> ppc64 stable. last arch.
> 
> also cleanup done.

Thank you!
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2020-08-30 21:14:52 UTC
This issue was resolved and addressed in
 GLSA 202008-24 at https://security.gentoo.org/glsa/202008-24
by GLSA coordinator Sam James (sam_c).