There are several security issues in current Java versions. Please bump to the new ones.
Reproducible: Always
I've created PR https://github.com/gentoo/gentoo/pull/32945 , could anybody please take a look.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090204bd40f26ebc4b724dd40d12fd7b489968ab

commit 090204bd40f26ebc4b724dd40d12fd7b489968ab
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:18:52 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:32:19 +0000

    profiles/arch/powerpc: mask USE=systemtap for openjdk:17

    Not sure why it was not failing for me before. It does now.
    Let's disable it.

    JVM_FEATURES_CHECK_AVAILABILITY(dtrace, [
      AC_MSG_CHECKING([for dtrace tool and platform support])
      if test "x$OPENJDK_TARGET_CPU_ARCH" = "xppc"; then
        AC_MSG_RESULT([no, $OPENJDK_TARGET_CPU_ARCH])
        AVAILABLE=false

    Commit: https://github.com/openjdk/jdk17u-dev/commit/5b29c6ec93372b20016565b84d449860b7233d6c
    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 profiles/arch/powerpc/package.use.mask | 6 ++++++
 1 file changed, 6 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7013cd2abf9c91082b7c8262a012dde5c4e8e5b7

commit 7013cd2abf9c91082b7c8262a012dde5c4e8e5b7
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:21:16 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:32:18 +0000

    dev-java/openjdk: use modern dtrace configure knob

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/openjdk-17.0.8.1_p1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b7f91541f3ab5b74c2b945f28952fbc980d0e11

commit 6b7f91541f3ab5b74c2b945f28952fbc980d0e11
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:07:23 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:33 +0000

    dev-java/openjdk: add 17.0.8.1_p1

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                   |   1 +
 dev-java/openjdk/openjdk-17.0.8.1_p1.ebuild | 327 ++++++++++++++++++++++++++++
 2 files changed, 328 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c261c863ad97a86511b89b63da2667a1e10e6e6

commit 3c261c863ad97a86511b89b63da2667a1e10e6e6
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:06:11 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:32 +0000

    dev-java/openjdk: add 11.0.20.1_p1

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                    |   1 +
 dev-java/openjdk/openjdk-11.0.20.1_p1.ebuild | 312 +++++++++++++++++++++++++++
 2 files changed, 313 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc9e5fa5bc007ede0b8382fe0aa7579c1a2a4d85

commit cc9e5fa5bc007ede0b8382fe0aa7579c1a2a4d85
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:05:06 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:32 +0000

    dev-java/openjdk: add 8.382_p05

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk/Manifest                 |   1 +
 dev-java/openjdk/openjdk-8.382_p05.ebuild | 239 ++++++++++++++++++++++++++++++
 2 files changed, 240 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdc248c0a6d18530fc541992b77bea793b931ce6

commit bdc248c0a6d18530fc541992b77bea793b931ce6
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:03:53 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:31 +0000

    dev-java/openjdk-jre-bin: add 17.0.8.1_p1

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest      |  1 +
 .../openjdk-jre-bin-17.0.8.1_p1.ebuild | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=324056d13fde78b8c06bb4fe529005a0fd29df63

commit 324056d13fde78b8c06bb4fe529005a0fd29df63
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:03:01 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:31 +0000

    dev-java/openjdk-jre-bin: add 11.0.20.1_p1

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest       |  1 +
 .../openjdk-jre-bin-11.0.20.1_p1.ebuild | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ac870c2e1a5a34e4db370b901218bd682bf2ad6

commit 0ac870c2e1a5a34e4db370b901218bd682bf2ad6
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 23:02:17 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:30 +0000

    dev-java/openjdk-jre-bin: add 8.382_p05

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest    |  1 +
 .../openjdk-jre-bin-8.382_p05.ebuild | 82 ++++++++++++++++++++++
 2 files changed, 83 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71a39a65c823338178e02f6be72232441addf5f5

commit 71a39a65c823338178e02f6be72232441addf5f5
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 22:59:46 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:30 +0000

    dev-java/openjdk-bin: add 17.0.8.1_p1

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                  |   7 ++
 .../openjdk-bin/openjdk-bin-17.0.8.1_p1.ebuild | 136 +++++++++++++++++++++
 2 files changed, 143 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87b35fbb3a38e2f1213896d43a906a7042fae693

commit 87b35fbb3a38e2f1213896d43a906a7042fae693
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 22:56:22 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:29 +0000

    dev-java/openjdk-bin: add 11.0.20.1_p1

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                   |   6 +
 .../openjdk-bin/openjdk-bin-11.0.20.1_p1.ebuild | 135 +++++++++++++++++++++
 2 files changed, 141 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57ebd1e5c999424a7c6a4f46a38240ccab6df55f

commit 57ebd1e5c999424a7c6a4f46a38240ccab6df55f
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-21 22:53:04 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-21 23:30:29 +0000

    dev-java/openjdk-bin: add 8.382_p05

    Bug: https://bugs.gentoo.org/912719
    Closes: https://github.com/gentoo/gentoo/pull/32945
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest                     |   6 +
 dev-java/openjdk-bin/openjdk-bin-8.382_p05.ebuild | 131 ++++++++++++++++++++++
 2 files changed, 137 insertions(+)
The list of CVEs includes one for harfbuzz. Does openjdk or openjdk-bin vendor a copy or link it statically?
Ping. Can a stable bug be filed for the fixed versions?
Upstream includes a copy of HarfBuzz in-tree, and so we will include CVEs for HarfBuzz in upstream release notes. Whether this is actually used or not in the build depends on this line:

    --with-harfbuzz="${XPAK_BOOTSTRAP:-system}"

I can't see how XPAK_BOOTSTRAP is defined, but if the value is not set to 'system', it will default to the bundled copy in-tree.
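Added example, not part of the comment above and not code from the Gentoo ebuild: a small audit helper that resolves `--with-<lib>="${VAR:-default}"` configure arguments the way the shell does, so you can see which libraries a given build environment would take from the bundled in-tree copy. The `${VAR:-default}` form yields the default when the variable is unset or empty and the variable's value otherwise. The function names and the ebuild fragment are assumptions made for illustration; only the harfbuzz line is quoted from this bug.

```shell
#!/bin/sh
# Constructed ebuild fragment. Only the harfbuzz line comes from the bug;
# the other two lines are made-up siblings for illustration.
sample_ebuild() {
cat <<'EOF'
    local myconf=(
        --with-harfbuzz="${XPAK_BOOTSTRAP:-system}"
        --with-libpng="${XPAK_BOOTSTRAP:-system}"
        --with-vendor-name="Gentoo"
    )
EOF
}

# Reads ebuild text on stdin and prints "<lib> <resolved value>" for every
# --with-<lib>="${VAR:-default}" argument, using the current environment.
resolve_with_flags() {
    sed -n 's/^[[:space:]]*--with-\([a-z0-9-]*\)="\${\([A-Za-z_][A-Za-z0-9_]*\):-\([a-z]*\)}".*$/\1 \2 \3/p' |
    while read -r lib var default; do
        # $var matched [A-Za-z_][A-Za-z0-9_]* above, so this eval only
        # ever expands a plain variable name.
        eval "value=\${$var:-\$default}"
        printf '%s %s\n' "$lib" "$value"
    done
}

# Prints only the libraries that would NOT be taken from the system,
# i.e. the ones whose upstream CVEs apply to the resulting JDK itself.
bundled_libs() {
    resolve_with_flags | awk '$2 != "system" { print $1 }'
}

# Stand-alone run: show the resolution for the current environment.
sample_ebuild | resolve_with_flags
```

To audit a real ebuild, pipe its contents into `bundled_libs` with the same environment the build would use.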
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=80e23d86e15243a81505dad719472035de9e59ff

commit 80e23d86e15243a81505dad719472035de9e59ff
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-07 10:36:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-07 10:36:10 +0000

    [ GLSA 202412-07 ] OpenJDK: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/912719
    Bug: https://bugs.gentoo.org/916211
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-07.xml | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)