java security update

CentOS Errata and Security Advisory CESA-2023:5761

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

• OpenJDK: IOR deserialization issue in CORBA (8303384) (CVE-2023-22067)

• OpenJDK: certificate path validation issue during client authentication (8309966) (CVE-2023-22081)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• A maximum signature file size property, jdk.jar.maxSignatureFileSize, was introduced in the 11.0.20 release of OpenJDK by JDK-8300596, with a default of 8 MB. This default proved to be too small for some JAR files. This release, 11.0.20.1, increases it to 16 MB. (RHEL-13576)

• The /usr/bin/jfr alternative is now owned by the java-1.8.0-openjdk package (RHEL-11319)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2024-January/099188.html

Affected packages:
java-1.8.0-openjdk
java-1.8.0-openjdk-accessibility
java-1.8.0-openjdk-demo
java-1.8.0-openjdk-devel
java-1.8.0-openjdk-headless
java-1.8.0-openjdk-javadoc
java-1.8.0-openjdk-javadoc-zip
java-1.8.0-openjdk-src

Upstream details at:
https://access.redhat.com/errata/RHSA-2023:5761