
Bug 750833

Summary: <dev-java/openjdk{,-jre-bin,-bin}-8.272_p10: Multiple vulnerabilities (CVE-2020-{14779,14781,14782,14792,14796,14797,14798,14803})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gyakovlev, java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://openjdk.java.net/groups/vulnerability/advisories/2020-10-20
Whiteboard: A4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 750830    

Description John Helmert III gentoo-dev Security 2020-10-23 14:16:21 UTC
OpenJDK is announced to be affected by multiple vulnerabilities, the worst of which could allow an attacker with network access to read a subset of Java SE-accessible data. The advisory lists <=15, <=13.0.4, <=11.0.8, <=8u262, <=7u271 as affected, so it appears we need a bump for -bin and -jre-bin's 8.x branch.
Comment 1 Larry the Git Cow gentoo-dev 2020-10-23 22:25:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8207cdab845fb91d12e7a8c1f95b6d7a087029c

commit d8207cdab845fb91d12e7a8c1f95b6d7a087029c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-23 22:23:18 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-23 22:24:53 +0000

    dev-java/openjdk-jre-bin: bump to 8.272_p10
    
    Bug: https://bugs.gentoo.org/750833
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-8.272_p10.ebuild               | 80 ++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d6575b3d08ddc912897372d3511ea2abaf998c9

commit 5d6575b3d08ddc912897372d3511ea2abaf998c9
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-23 22:19:02 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-23 22:19:39 +0000

    dev-java/openjdk-bin: bump to 8.272_p10
    
    arm not available yet, will re-add later.
    
    Bug: https://bugs.gentoo.org/750833
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                     |  3 +
 dev-java/openjdk-bin/openjdk-bin-8.272_p10.ebuild | 91 +++++++++++++++++++++++
 2 files changed, 94 insertions(+)
Comment 2 Georgy Yakovlev gentoo-dev 2020-10-23 22:28:59 UTC
I already bumped source versions of openjdk:8 and openjdk:11 yesterday.

so what's left is openjdk-bin:11 and openjdk-bin:8 on arm, but all of that is unstable ~ anyway.

we can proceed with stabilization of 8.272 bin except x86, and source on amd64 arm64 ppc64 x86
Comment 3 Georgy Yakovlev gentoo-dev 2020-10-25 00:26:03 UTC
openjdk-bin:11 and openjdk-jre-bin:11 bumped, but should remain unstable ofc.
old versions will be cleaned up by the end of next week.

only 1 left is openjdk-bin:8 arm, no tarball yet, it's normal for it to arrive later.
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-10-25 23:09:19 UTC
x86 stable
Comment 5 Sam James archtester gentoo-dev Security 2020-10-26 12:09:12 UTC
arm64 done
Comment 6 Georgy Yakovlev gentoo-dev 2020-10-28 18:52:57 UTC
ppc64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-10-29 01:21:23 UTC
amd64 done

all arches done
Comment 8 Georgy Yakovlev gentoo-dev 2020-10-29 02:08:28 UTC
cleanup done, vulnerable versions gone.
Comment 9 NATTkA bot gentoo-dev 2020-10-29 15:08:53 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:03:26 UTC
This issue was resolved and addressed in
 GLSA 202101-19 at https://security.gentoo.org/glsa/202101-19
by GLSA coordinator Aaron Bauman (b-man).