Bug 916211 (CVE-2023-22025, CVE-2023-22067, CVE-2023-22081) - <dev-java/openjdk{,-jre-bin,-bin}-{8.382_p05,11.0.23_p9,17.0.8.11_p1,21.0.3_p9}: multiple vulnerabilities (Oracle CPU Oct 2023)
Status: CONFIRMED
Alias: CVE-2023-22025, CVE-2023-22067, CVE-2023-22081
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://openjdk.org/groups/vulnerabil...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 918647 931783
Blocks:
Reported: 2023-10-24 08:40 UTC by Mike Limansky
Modified: 2024-06-10 06:28 UTC

See Also:
Package list:
Runtime testing required: ---
Description Mike Limansky 2023-10-24 08:40:52 UTC
There are several security issues in current Java versions. Please bump to the new ones. This also affects Java 21, which is currently not in portage yet.

Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-28 21:46:33 UTC
Moving the CVEs to the alias field and dropping the versioning from the summary as we don't version the summary until we have a fixed version in tree.

Thank you for reporting!
Comment 2 Mike Limansky 2024-01-03 15:08:34 UTC
Hi, any news on this one? I used a simple bump on my box and have been using Java 17.0.9 for 2 months.
Comment 3 Volkmar W. Pogatzki 2024-04-12 09:44:28 UTC
What are the affected versions? Presently in the tree are:
8.402_p06-r1
11.0.22_p7
17.0.10_p7
21.0.2_p13
Comment 4 Hans de Graaff gentoo-dev Security 2024-05-12 05:44:13 UTC
The upstream report is not clear about the versions. I've used the current stable versions similar to bug 925020. Older versions are probably also fixed, but let's go with this and publish both GLSAs together.
Comment 5 Larry the Git Cow gentoo-dev 2024-05-17 09:28:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d57754cd3fe53161d876a8043ec720ed7f0f1d3d

commit d57754cd3fe53161d876a8043ec720ed7f0f1d3d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-05-15 21:13:52 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-05-17 09:28:04 +0000

    dev-java/openjdk: drop 11.0.22_p7
    
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/916211
    Bug: https://bugs.gentoo.org/898978
    Bug: https://bugs.gentoo.org/833096
    Bug: https://bugs.gentoo.org/907680
    Bug: https://bugs.gentoo.org/677876
    Bug: https://bugs.gentoo.org/927028
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/36690
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 -
 dev-java/openjdk/openjdk-11.0.22_p7.ebuild | 312 -----------------------------
 2 files changed, 313 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91131f43943639479e42e0fd5a1ea4fbbaf4f708

commit 91131f43943639479e42e0fd5a1ea4fbbaf4f708
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-05-15 21:07:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-05-17 09:28:04 +0000

    dev-java/openjdk-bin: drop 11.0.22_p7
    
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/916211
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |   6 -
 dev-java/openjdk-bin/openjdk-bin-11.0.22_p7.ebuild | 135 ---------------------
 2 files changed, 141 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83181db3d06bdb420ca8cc4bcc7135dbd6286866

commit 83181db3d06bdb420ca8cc4bcc7135dbd6286866
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-05-15 21:04:35 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-05-17 09:28:04 +0000

    dev-java/openjdk-jre-bin: drop 11.0.20.1_p1, 17.0.8.1_p1
    
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/916211
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest                  |  2 -
 .../openjdk-jre-bin-11.0.20.1_p1.ebuild            | 83 ----------------------
 .../openjdk-jre-bin-17.0.8.1_p1.ebuild             | 83 ----------------------
 3 files changed, 168 deletions(-)