CVE-2024-21235 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVE-2024-21208 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21210 Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2024-21217 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=573c108dad7eb226081ff19241c89a77db909ced

commit 573c108dad7eb226081ff19241c89a77db909ced
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:03:56 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 16:40:28 +0000

    dev-java/openjdk: drop 17.0.12_p7

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 -
 dev-java/openjdk/openjdk-17.0.12_p7.ebuild | 325 -----------------------------
 2 files changed, 326 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c56cbd0d9ce6e2071bf3f8bab9eb5112128ff1c7

commit c56cbd0d9ce6e2071bf3f8bab9eb5112128ff1c7
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:03:22 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 16:40:28 +0000

    dev-java/openjdk: drop 11.0.24_p8

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                  |   1 -
 dev-java/openjdk/openjdk-11.0.24_p8.ebuild | 316 -----------------------------
 2 files changed, 317 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff0144c66454460d46fccee79dd793fea46b8304

commit ff0144c66454460d46fccee79dd793fea46b8304
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:02:34 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 16:40:28 +0000

    dev-java/openjdk: drop 8.422_p05

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk/Manifest                 |   1 -
 dev-java/openjdk/openjdk-8.422_p05.ebuild | 283 ------------------------------
 2 files changed, 284 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b571b1450a9febe6b01213bcd876d16cf5f15a0

commit 6b571b1450a9febe6b01213bcd876d16cf5f15a0
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:40:34 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:35 +0000

    dev-java/openjdk-jre-bin: drop 21.0.3_p9

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/39033
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest      |  1 -
 .../openjdk-jre-bin-21.0.3_p9.ebuild   | 83 ----------------------
 2 files changed, 84 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d453380f7223f10b6c837340acd0c986faa84b53

commit d453380f7223f10b6c837340acd0c986faa84b53
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 16:36:15 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:34 +0000

    dev-java/openjdk-jre-bin: add 8.432_p06

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest      |  1 +
 .../openjdk-jre-bin-8.432_p06.ebuild   | 82 ++++++++++++++++++++++
 2 files changed, 83 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c7b37368c34af991209ccb3ea798166bca80539

commit 7c7b37368c34af991209ccb3ea798166bca80539
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 06:37:42 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:33 +0000

    dev-java/openjdk-jre-bin: add 11.0.25_p9

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest      |  1 +
 .../openjdk-jre-bin-11.0.25_p9.ebuild  | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d483dea35c0e332809895f7d1779028974fdcc67

commit d483dea35c0e332809895f7d1779028974fdcc67
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 06:36:54 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:31 +0000

    dev-java/openjdk-jre-bin: add 17.0.13_p11

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest      |  1 +
 .../openjdk-jre-bin-17.0.13_p11.ebuild | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef4debed06dc72c50b83809cc9f0fc87015a1713

commit ef4debed06dc72c50b83809cc9f0fc87015a1713
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-18 06:35:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-18 17:09:31 +0000

    dev-java/openjdk-jre-bin: add 21.0.5_p11

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest      |  1 +
 .../openjdk-jre-bin-21.0.5_p11.ebuild  | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f483b3873006b508843dba69ac5985069fc6f9f

commit 2f483b3873006b508843dba69ac5985069fc6f9f
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-19 07:20:32 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-19 10:00:58 +0000

    dev-java/openjdk-jre-bin: drop 8.412_p08, 11.0.23_p9, 17.0.11_p9

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest      |  3 -
 .../openjdk-jre-bin-11.0.23_p9.ebuild  | 83 ----------------------
 .../openjdk-jre-bin-17.0.11_p9.ebuild  | 83 ----------------------
 .../openjdk-jre-bin-8.412_p08.ebuild   | 82 ---------------------
 4 files changed, 251 deletions(-)
The summary does not include a version number for slot 8. Was the fixed version left out there or are there no fixes for slot 8?
Version number 8.422_p05 added.
Several download files for all slots of openjdk-bin are presently still missing.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2aea50a04248fc664e76f12df1ef202bbb7a09a5

commit 2aea50a04248fc664e76f12df1ef202bbb7a09a5
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-23 17:02:44 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2024-10-23 20:54:13 +0000

    dev-java/openjdk-bin: drop 21.0.4_p7

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/openjdk-bin/Manifest                     |   6 -
 dev-java/openjdk-bin/openjdk-bin-21.0.4_p7.ebuild | 135 ----------------------
 2 files changed, 141 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2d72ea291b144bb88c208d1097377fba9866688c

commit 2d72ea291b144bb88c208d1097377fba9866688c
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2024-10-25 08:54:48 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2024-10-25 10:14:41 +0000

    dev-java/openjdk-bin: drop 8.422_p05, 11.0.24_p8, 17.0.12_p7

    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/38836/commits/2fd20da546c5dc586f33459bde855033b5405414
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/openjdk-bin/Manifest                      |  19 ---
 dev-java/openjdk-bin/openjdk-bin-11.0.24_p8.ebuild | 134 --------------------
 dev-java/openjdk-bin/openjdk-bin-17.0.12_p7.ebuild | 135 ---------------------
 dev-java/openjdk-bin/openjdk-bin-8.422_p05.ebuild  | 130 --------------------
 4 files changed, 418 deletions(-)
The tree is now clean. You can proceed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=80e23d86e15243a81505dad719472035de9e59ff

commit 80e23d86e15243a81505dad719472035de9e59ff
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-12-07 10:36:00 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-12-07 10:36:10 +0000

    [ GLSA 202412-07 ] OpenJDK: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/912719
    Bug: https://bugs.gentoo.org/916211
    Bug: https://bugs.gentoo.org/925020
    Bug: https://bugs.gentoo.org/941689
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202412-07.xml | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)