
Bug 784611 (CVE-2021-2161, CVE-2021-2163)

Summary: <dev-java/openjdk{,-bin,-jre-bin}-{8.292_p10,11.0.11_p9}: multiple vulnerabilities (CVE-2021-{2161,2163})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gentoo, gyakovlev, java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://openjdk.java.net/groups/vulnerability/advisories/2021-04-20
Whiteboard: B3 [glsa+]
Package list:
dev-java/openjdk-8.292_p10
dev-java/openjdk-bin-8.292_p10 amd64 arm64 ppc64
dev-java/openjdk-jre-bin-8.292_p10 amd64
Runtime testing required: ---
Bug Depends on: 776676
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-21 00:33:35 UTC
Seems like no details yet, but fixes are out according to the ML advisory (https://mail.openjdk.java.net/pipermail/vuln-announce/2021-April/000011.html):

These issues have been addressed, as applicable, in the following releases:
  7u301, 8u292, 11.0.11, 13.0.7, 15.0.3, and 16.0.1

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-04-25 15:13:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f9137bf0ae7602c806a754cc55063c7363f7bd9

commit 5f9137bf0ae7602c806a754cc55063c7363f7bd9
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-25 14:51:01 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-25 15:06:52 +0000

    dev-java/openjdk-jre-bin: bump to 11.0.11_p9
    
    Bug: https://bugs.gentoo.org/784611
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-11.0.11_p9.ebuild              | 97 ++++++++++++++++++++++
 2 files changed, 98 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1dea32724ea7fe8e78877a1e480c4903c600070

commit e1dea32724ea7fe8e78877a1e480c4903c600070
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-25 14:50:17 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-25 15:06:47 +0000

    dev-java/openjdk-jre-bin: bump to 8.292_p10
    
    Bug: https://bugs.gentoo.org/784611
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-8.292_p10.ebuild               | 80 ++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=823327a6fb666c00777d57cd7e2d69ced9e5fd46

commit 823327a6fb666c00777d57cd7e2d69ced9e5fd46
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-25 14:49:24 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-25 15:06:41 +0000

    dev-java/openjdk: bump to 11.0.11_p9
    
    Bug: https://bugs.gentoo.org/784611
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 +
 dev-java/openjdk/openjdk-11.0.11_p9.ebuild | 272 +++++++++++++++++++++++++++++
 2 files changed, 273 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2aebb6c522a07a3df9e985ae45d165fa2cc2f777

commit 2aebb6c522a07a3df9e985ae45d165fa2cc2f777
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-25 14:45:28 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-25 15:06:36 +0000

    dev-java/openjdk: bump to 8.292_p10
    
    Bug: https://bugs.gentoo.org/784611
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                 |  16 ++
 dev-java/openjdk/openjdk-8.292_p10.ebuild | 253 ++++++++++++++++++++++++++++++
 2 files changed, 269 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=55468f86b0a3a28746723d73229acd18b0a8dcd2

commit 55468f86b0a3a28746723d73229acd18b0a8dcd2
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-25 14:30:39 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-25 15:06:29 +0000

    dev-java/openjdk-bin: bump to 11.0.11_p9
    
    Bug: https://bugs.gentoo.org/784611
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |   5 +
 dev-java/openjdk-bin/openjdk-bin-11.0.11_p9.ebuild | 132 +++++++++++++++++++++
 2 files changed, 137 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a094b1462b32192cbdbe8e3c1a5d5c440898cc7c

commit a094b1462b32192cbdbe8e3c1a5d5c440898cc7c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-04-25 14:29:04 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-25 15:06:13 +0000

    dev-java/openjdk-bin: bump to 8.292_p10
    
    arm32 will be added later
    
    Bug: https://bugs.gentoo.org/784611
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                     |   4 +
 dev-java/openjdk-bin/openjdk-bin-8.292_p10.ebuild | 119 ++++++++++++++++++++++
 2 files changed, 123 insertions(+)
Comment 2 Georgy Yakovlev archtester gentoo-dev 2021-04-25 15:16:46 UTC
let's give it couple days to settle and I'll add arches to CC for stabilization.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-25 23:41:39 UTC
(In reply to Georgy Yakovlev from comment #2)
> let's give it couple days to settle and I'll add arches to CC for
> stabilization.

Thanks!
Comment 4 Georgy Yakovlev archtester gentoo-dev 2021-04-27 18:30:05 UTC
cleanup of :11 done
Comment 5 Georgy Yakovlev archtester gentoo-dev 2021-04-27 18:32:27 UTC
ppc64 done
Comment 6 Georgy Yakovlev archtester gentoo-dev 2021-04-27 20:14:38 UTC
had to revert cleanup of :11 because of https://bugs.gentoo.org/776676
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-27 20:44:44 UTC Comment hidden (obsolete)
Comment 8 Georgy Yakovlev archtester gentoo-dev 2021-04-27 21:56:37 UTC
moar spam: cleanup of :11 done again =)
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-09 09:17:44 UTC
x86 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-15 18:00:10 UTC
arm64 done

all arches done
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-16 02:50:14 UTC
Please cleanup, thanks!
Comment 12 Georgy Yakovlev archtester gentoo-dev 2021-05-25 18:56:17 UTC
cleanup done
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-25 20:10:59 UTC
Thanks!
Comment 14 NATTkA bot gentoo-dev 2021-11-09 12:37:28 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-11-18 04:44:54 UTC
Unable to check for sanity:

> no match for package: dev-java/openjdk-8.292_p10
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-06 22:31:57 UTC
GLSA request filed
Comment 17 Larry the Git Cow gentoo-dev 2022-09-07 03:01:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e1a6765fc7cb3c5afe0b95463f49a9924ef37cab

commit e1a6765fc7cb3c5afe0b95463f49a9924ef37cab
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-07 02:52:52 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-07 02:58:08 +0000

    [ GLSA 202209-05 ] OpenJDK: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/784611
    Bug: https://bugs.gentoo.org/803605
    Bug: https://bugs.gentoo.org/831446
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-05.xml | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 153 insertions(+)
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-07 03:19:10 UTC
GLSA released, all done!