Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 732624 - <dev-java/openjdk{,-bin}-{8.262_p01, 11.0.8_p10}: Multiple vulnerabilities (2020-07-14 advisory)
Summary: <dev-java/openjdk{,-bin}-{8.262_p01, 11.0.8_p10}: Multiple vulnerabilities (2...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://openjdk.java.net/groups/vulne...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2020-14556, CVE-2020-14562, CVE-2020-14573, CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14581, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621, CVE-2020-14664
  Show dependency tree
 
Reported: 2020-07-14 20:45 UTC by Sam James
Modified: 2020-08-30 21:14 UTC (History)
2 users (show)

See Also:
Package list:
dev-java/openjdk-8.265_p01 amd64 ppc64 x86 dev-java/openjdk-bin-8.265_p01 amd64 arm64 ppc64
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 20:45:21 UTC 
From https://mail.openjdk.java.net/pipermail/vuln-announce/2020-July/000007.html:
"OpenJDK Vulnerability Advisory: 2020/7/14
vuln-report@openjdk.java.net
https://openjdk.java.net/groups/vulnerability/advisories

Releases affected: 7, 8, 11, 13, and 14

OpenJDK CVEs:
    CVE-2020-14583 CVE-2020-14593 CVE-2020-14562 CVE-2020-14621
    CVE-2020-14556 CVE-2020-14573 CVE-2020-14578 CVE-2020-14579
    CVE-2020-14581 CVE-2020-14577

OpenJFX CVEs:
    CVE-2020-14664


These issues have been addressed, as applicable, in the following releases:
  7u271, 8u262, 11.0.8, 13.0.4, and 14.0.2

We recommend that you upgrade to these new releases as soon as possible.

For more detail about this advisory, please see:
  https://openjdk.java.net/groups/vulnerability/advisories/2020-07-14"
Comment 1 Larry the Git Cow gentoo-dev 2020-07-14 22:00:27 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6244e4be97f2e7ce3ab0cc3348c0e8410e75a0eb

commit 6244e4be97f2e7ce3ab0cc3348c0e8410e75a0eb
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-14 21:44:51 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-14 21:58:45 +0000

    dev-java/openjdk: bump to 8.262_p10
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                 |   8 ++
 dev-java/openjdk/openjdk-8.262_p10.ebuild | 226 ++++++++++++++++++++++++++++++
 2 files changed, 234 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2020-07-14 22:02:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50e3d8b2b8e866a63bfccedb321c52cda469d1af

commit 50e3d8b2b8e866a63bfccedb321c52cda469d1af
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-14 22:02:23 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-14 22:02:23 +0000

    dev-java/openjdk: bump to 11.0.8_p10
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 +
 dev-java/openjdk/openjdk-11.0.8_p10.ebuild | 276 +++++++++++++++++++++++++++++
 2 files changed, 277 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2020-07-14 22:13:12 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=65246fa0096d75694e23f00f584b1f116c9fcf1e

commit 65246fa0096d75694e23f00f584b1f116c9fcf1e
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-14 22:12:15 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-14 22:12:31 +0000

    dev-java/openjfx: bump to 11.0.8_p2
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjfx/Manifest                 |   1 +
 dev-java/openjfx/openjfx-11.0.8_p2.ebuild | 222 ++++++++++++++++++++++++++++++
 2 files changed, 223 insertions(+)
Comment 4 Georgy Yakovlev archtester gentoo-dev 2020-07-15 17:40:03 UTC 
openjdk-jre-bin:11 and openjdk-bin:11 bumped as well. since :11 slot does not have stable keywords, I'll do cleanup just in a bit.

still waiting for adoptopenjdk to provide openjdk-bin:8 tarballs.
Comment 5 Larry the Git Cow gentoo-dev 2020-07-16 18:38:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ec8929d96d22493420580adf66d5cbde2d409c2

commit 7ec8929d96d22493420580adf66d5cbde2d409c2
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-16 18:36:12 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-16 18:37:08 +0000

    dev-java/openjdk-jre-bin: bump to 8.262_p10
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  1 +
 .../openjdk-jre-bin-8.262_p10.ebuild               | 84 ++++++++++++++++++++++
 2 files changed, 85 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b705fd7294d75585554cd8104606337b0407d838

commit b705fd7294d75585554cd8104606337b0407d838
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-07-16 18:33:51 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-07-16 18:36:59 +0000

    dev-java/openjdk-bin: bump to 8.262_p10
    
    no arm64 build available yet.
    will add keyword later.
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                     |  3 +
 dev-java/openjdk-bin/openjdk-bin-8.262_p10.ebuild | 92 +++++++++++++++++++++++
 2 files changed, 95 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:43:03 UTC 
Ready to stable?
Comment 7 Georgy Yakovlev archtester gentoo-dev 2020-07-26 20:12:28 UTC 
yep. no new bugs.
re-added arm64 tarball to -bin.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 02:39:28 UTC 
(In reply to Georgy Yakovlev from comment #7)
> yep. no new bugs.
> re-added arm64 tarball to -bin.

Cool, thanks!
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 03:16:15 UTC 
arm64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 13:56:02 UTC 
amd64 stable
Comment 11 Georgy Yakovlev archtester gentoo-dev 2020-08-03 20:40:07 UTC 
8.265_p01 is out, and needs to get stable asap.
Comment 12 NATTkA bot gentoo-dev 2020-08-03 20:40:41 UTC 
Sanity check failed:

> dev-java/openjdk-bin-8.262_p10
>   depend arm stable profile default/linux/arm/17.0 (1 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>   depend arm dev profile default/linux/arm/17.0/armv4 (31 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>   rdepend arm stable profile default/linux/arm/17.0 (1 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>     >=sys-apps/baselayout-java-0.1.0-r1
>   rdepend arm dev profile default/linux/arm/17.0/armv4 (31 total)
>     >=app-eselect/eselect-java-0.4.0
>     >=dev-java/java-config-2.2.0-r3
>     >=sys-apps/baselayout-java-0.1.0-r1
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 00:32:19 UTC 
arm64 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 00:35:33 UTC 
amd64 stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-04 02:44:36 UTC 
x86 stable
Comment 16 Larry the Git Cow gentoo-dev 2020-08-04 21:58:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f77738cc9c9f2c68d76eb9235ee4dd777adccd4

commit 3f77738cc9c9f2c68d76eb9235ee4dd777adccd4
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-08-04 21:56:07 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-08-04 21:58:24 +0000

    dev-java/openjdk-bin: drop old
    
    Bug: https://bugs.gentoo.org/732624
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |  12 ---
 .../openjdk-bin/openjdk-bin-11.0.7_p10-r1.ebuild   | 115 ---------------------
 dev-java/openjdk-bin/openjdk-bin-8.252_p09.ebuild  |  93 -----------------
 dev-java/openjdk-bin/openjdk-bin-8.262_p10.ebuild  |  93 -----------------
 4 files changed, 313 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2e262024d4c564b29a7da88732e2c422234549e

commit b2e262024d4c564b29a7da88732e2c422234549e
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-08-04 21:44:55 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-08-04 21:58:23 +0000

    dev-java/openjdk: drop old
    
    Bug: https://bugs.gentoo.org/732624
    Closes: https://bugs.gentoo.org/734320
    Closes: https://bugs.gentoo.org/706012
    Closes: https://bugs.gentoo.org/713180
    Closes: https://bugs.gentoo.org/706638
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                          |  17 --
 .../openjdk/files/openjdk-11.0.7_p10-sigsegv.patch |  55 ----
 .../openjdk/files/openjdk-8-detect-gcc10.patch     |  49 ----
 dev-java/openjdk/openjdk-11.0.7_p10.ebuild         | 280 ---------------------
 dev-java/openjdk/openjdk-8.252_p09.ebuild          | 231 -----------------
 dev-java/openjdk/openjdk-8.262_p10.ebuild          | 226 -----------------
 6 files changed, 858 deletions(-)
Comment 17 Georgy Yakovlev archtester gentoo-dev 2020-08-04 21:59:30 UTC 
ppc64 stable. last arch.

also cleanup done.
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-07 17:41:43 UTC 
(In reply to Georgy Yakovlev from comment #17)
> ppc64 stable. last arch.
> 
> also cleanup done.

Thank yoU!
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2020-08-30 21:14:52 UTC 
This issue was resolved and addressed in
 GLSA 202008-24 at https://security.gentoo.org/glsa/202008-24
by GLSA coordinator Sam James (sam_c).