Oracle Linux ELSA-2022-5736
Jul 28, 2022 - 12:00 a.m.

java-17-openjdk security, bug fix, and enhancement update

2022-07-28 00:00:00
linux.oracle.com

CVSS3: 7.5 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

[1:17.0.4.0.8-0.2.ea]

  • Revert the following changes until copy-java-configs has adapted to relative symlinks:
    • Move cacerts replacement to install section and retain original of this and tzdb.dat
    • Run tests on the installed image, rather than the build image
    • Introduce variables to refer to the static library installation directories
    • Use relative symlinks so they work within the image
    • Run debug symbols check during build stage, before the install strips them
  • The move of turning on system security properties is retained so we don’t ship with them off
  • Related: rhbz#2084779

[1:17.0.4.0.8-1]

  • Update to jdk-17.0.4.0+8
  • Update release notes to 17.0.4.0+8
  • Need to include the ‘.S’ suffix in debuginfo checks after JDK-8284661
  • Print release file during build, which should now include a correct SOURCE value from .src-rev
  • Update tarball script with IcedTea GitHub URL and .src-rev generation
  • Include script to generate bug list for release notes
  • Update tzdata requirement to 2022a to match JDK-8283350
  • Move EA designator check to prep so failures can be caught earlier
  • Make EA designator check non-fatal while upstream is not maintaining it
  • Explicitly require crypto-policies during build and runtime for system security properties
  • Make use of the vendor version string to store our version & release rather than an upstream release date
  • Include a test in the RPM to check the build has the correct vendor information.
  • Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
    • RH2094027: SunEC runtime permission for FIPS
    • RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
    • RH2090378: Revert to disabling system security properties and FIPS mode support together
  • Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
  • Enable system security properties in the RPM (now disabled by default in the FIPS repo)
  • Improve security properties test to check both enabled and disabled behaviour
  • Run security properties test with property debugging on
  • Turn on system security properties as part of the build’s install section
  • Move cacerts replacement to install section and retain original of this and tzdb.dat
  • Run tests on the installed image, rather than the build image
  • Introduce variables to refer to the static library installation directories
  • Use relative symlinks so they work within the image
  • Run debug symbols check during build stage, before the install strips them
  • Resolves: rhbz#2084779
  • Resolves: rhbz#2099919
  • Resolves: rhbz#2107943
  • Resolves: rhbz#2107941
  • Resolves: rhbz#2106523

[1:17.0.4.0.1-0.2.ea]

  • Fix issue where CheckVendor.java test erroneously passes when it should fail.
  • Add proper quoting so ‘&’ is not treated as a special character by the shell.
  • Related: rhbz#2084779

[1:17.0.3.0.7-2]

  • RH2007331: SecretKey generate/import operations don’t add the CKA_SIGN attribute in FIPS mode
  • Resolves: rhbz#2105395