Lucene search

GoogleOSV:SUSE-SU-2024:1499-2

HistoryJun 18, 2024 - 11:05 a.m.

Security update for java-17-openjdk

2024-06-1811:05:03

Google

osv.dev

java

security fixes

http/2 client

integer overflow

c2 compilation

rsa key

denial of service

httpurlconnection

sigsegv

improper reverse dns lookup

upstream tag

chinese characters

jcombobox popup

macos

timeout

inetaddress

network interface

nullpointerexception

asynchronoussocketchannel

remove unused code

screen magnifier

aarch64

datatypeexception

signed and unsigned types

CVSS3

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

7.7

Confidence

High

JSON

This update for java-17-openjdk fixes the following issues:

CVE-2024-21011: Fixed denial of service due to long Exception message logging (JDK-8319851,bsc#1222979)
CVE-2024-21012: Fixed unauthorized data modification due HTTP/2 client improper reverse DNS lookup (JDK-8315708,bsc#1222987)
CVE-2024-21068: Fixed integer overflow in C1 compiler address generation (JDK-8322122,bsc#1222983)
CVE-2024-21094: Fixed unauthorized data modification due to C2 compilation failure with ‘Exceeded _node_regs array’ (JDK-8317507,JDK-8325348,bsc#1222986)

Other fixes:

Update to upstream tag jdk-17.0.11+9 (April 2024 CPU)
- Security fixes
  - JDK-8318340: Improve RSA key implementations
- Other changes
  - JDK-6928542: Chinese characters in RTF are not decoded
  - JDK-7132796: [macosx] closed/javax/swing/JComboBox/4517214/
    /bug4517214.java fails on MacOS
  - JDK-7148092: [macosx] When Alt+down arrow key is pressed, the
    combobox popup does not appear.
  - JDK-7167356: (javac) investigate failing tests in
    JavacParserTest
  - JDK-8054022: HttpURLConnection timeouts with Expect:
    100-Continue and no chunking
  - JDK-8054572: [macosx] JComboBox paints the border incorrectly
  - JDK-8169475: WheelModifier.java fails by timeout
  - JDK-8205076: [17u] Inet6AddressImpl.c: lookupIfLocalHost
    accesses int InetAddress.preferIPv6Address as a boolean
  - JDK-8209595: MonitorVmStartTerminate.java timed out
  - JDK-8210410: Refactor java.util.Currency:i18n shell tests to
    plain java tests
  - JDK-8261404: Class.getReflectionFactory() is not thread-safe
  - JDK-8261837: SIGSEGV in ciVirtualCallTypeData::translate_from
  - JDK-8263256: Test java/net/Inet6Address/serialize/
    /Inet6AddressSerializationTest.java fails due to dynamic
    reconfigurations of network interface during test
  - JDK-8269258: java/net/httpclient/ManyRequestsLegacy.java
    failed with connection timeout
  - JDK-8271118: C2: StressGCM should have higher priority than
    frequency-based policy
  - JDK-8271616: oddPart in MutableBigInteger::mutableModInverse
    contains info on final result
  - JDK-8272811: Document the effects of building with
    _GNU_SOURCE in os_posix.hpp
  - JDK-8272853: improve JavadocTester.runTests
  - JDK-8273454: C2: Transform (-a)(-b) into ab
  - JDK-8274060: C2: Incorrect computation after JDK-8273454
  - JDK-8274122: java/io/File/createTempFile/SpecialTempFile.java
    fails in Windows 11
  - JDK-8274621: NullPointerException because listenAddress[0] is
    null
  - JDK-8274632: Possible pointer overflow in PretouchTask chunk
    claiming
  - JDK-8274634: Use String.equals instead of String.compareTo in
    java.desktop
  - JDK-8276125: RunThese24H.java SIGSEGV in
    JfrThreadGroup::thread_group_id
  - JDK-8278028: [test-library] Warnings cleanup of the test
    library
  - JDK-8278312: Update SimpleSSLContext keystore to use SANs for
    localhost IP addresses
  - JDK-8278363: Create extented container test groups
  - JDK-8280241: (aio) AsynchronousSocketChannel init fails in
    IPv6 only Windows env
  - JDK-8281377: Remove vmTestbase/nsk/monitoring/ThreadMXBean/
    /ThreadInfo/Deadlock/JavaDeadlock001/TestDescription.java from
    problemlist.
  - JDK-8281543: Remove unused code/headerfile dtraceAttacher.hpp
  - JDK-8281585: Remove unused imports under test/lib and jtreg/gc
  - JDK-8283400: [macos] a11y : Screen magnifier does not reflect
    JRadioButton value change
  - JDK-8283626: AArch64: Set relocInfo::offset_unit to 4
  - JDK-8283994: Make Xerces DatatypeException stackless
  - JDK-8286312: Stop mixing signed and unsigned types in bit
    operations
  - JDK-8286846: test/jdk/javax/swing/plaf/aqua/
    /CustomComboBoxFocusTest.java fails on mac aarch64
  - JDK-8287832: jdk/jfr/event/runtime/TestActiveSettingEvent.java
    failed with ‘Expected two batches of Active Setting events’
  - JDK-8288663: JFR: Disabling the JfrThreadSampler commits only
    a partially disabled state
  - JDK-8288846: misc tests fail ‘assert(ms < 1000) failed:
    Un-interruptable sleep, short time use only’
  - JDK-8289764: gc/lock tests failed with ‘OutOfMemoryError:
    Java heap space: failed reallocation of scalar replaced
    objects’
  - JDK-8290041: ModuleDescriptor.hashCode is inconsistent
  - JDK-8290203: ProblemList vmTestbase/nsk/jvmti/scenarios/
    /capability/CM03/cm03t001/TestDescription.java on linux-all
  - JDK-8290399: [macos] Aqua LAF does not fire an action event
    if combo box menu is displayed
  - JDK-8292458: Atomic operations on scoped enums don’t build
    with clang
  - JDK-8292946: GC lock/jni/jnilock001 test failed
    ‘assert(gch->gc_cause() == GCCause::_scavenge_alot ||
    !gch->incremental_collection_failed()) failed: Twice in a row’
  - JDK-8293117: Add atomic bitset functions
  - JDK-8293547: Add relaxed add_and_fetch for macos aarch64
    atomics
  - JDK-8294158: HTML formatting for PassFailJFrame instructions
  - JDK-8294254: [macOS] javax/swing/plaf/aqua/
    /CustomComboBoxFocusTest.java failure
  - JDK-8294535: Add screen capture functionality to
    PassFailJFrame
  - JDK-8295068: SSLEngine throws NPE parsing CertificateRequests
  - JDK-8295124: Atomic::add to pointer type may return wrong
    value
  - JDK-8295274: HelidonAppTest.java fails
    ‘assert(event->should_commit()) failed: invariant’ from
    compiled frame’
  - JDK-8296631: NSS tests failing on OL9 linux-aarch64 hosts
  - JDK-8297968: Crash in PrintOptoAssembly
  - JDK-8298087: XML Schema Validation reports an required
    attribute twice via ErrorHandler
  - JDK-8299494: Test vmTestbase/nsk/stress/except/except011.java
    failed: ExceptionInInitializerError: target class not found
  - JDK-8300269: The selected item in an editable JComboBox with
    titled border is not visible in Aqua LAF
  - JDK-8301306: java/net/httpclient/* fail with -Xcomp
  - JDK-8301310: The SendRawSysexMessage test may cause a JVM
    crash
  - JDK-8301787: java/net/httpclient/SpecialHeadersTest failing
    after JDK-8301306
  - JDK-8301846: Invalid TargetDataLine after screen lock when
    using JFileChooser or COM library
  - JDK-8302017: Allocate BadPaddingException only if it will be
    thrown
  - JDK-8302149: Speed up compiler/jsr292/methodHandleExceptions/
    /TestAMEnotNPE.java
  - JDK-8303605: Memory leaks in Metaspace gtests
  - JDK-8304074: [JMX] Add an approximation of total bytes
    allocated on the Java heap by the JVM
  - JDK-8304696: Duplicate class names in dynamicArchive tests
    can lead to test failure
  - JDK-8305356: Fix ignored bad CompileCommands in tests
  - JDK-8305900: Use loopback IP addresses in security policy
    files of httpclient tests
  - JDK-8305906: HttpClient may use incorrect key when finding
    pooled HTTP/2 connection for IPv6 address
  - JDK-8305962: update jcstress to 0.16
  - JDK-8305972: Update XML Security for Java to 3.0.2
  - JDK-8306014: Update javax.net.ssl TLS tests to use
    SSLContextTemplate or SSLEngineTemplate
  - JDK-8306408: Fix the format of several tables in building.md
  - JDK-8307185: pkcs11 native libraries make JNI calls into java
    code while holding GC lock
  - JDK-8307926: Support byte-sized atomic bitset operations
  - JDK-8307955: Prefer to PTRACE_GETREGSET instead of
    PTRACE_GETREGS in method ‘ps_proc.c::process_get_lwp_regs’
  - JDK-8307990: jspawnhelper must close its writing side of a
    pipe before reading from it
  - JDK-8308043: Deadlock in TestCSLocker.java due to blocking GC
    while allocating
  - JDK-8308245: Add -proc:full to describe current default
    annotation processing policy
  - JDK-8308336: Test java/net/HttpURLConnection/
    /HttpURLConnectionExpectContinueTest.java failed:
    java.net.BindException: Address already in use
  - JDK-8309302: java/net/Socket/Timeouts.java fails with
    AssertionError on test temporal post condition
  - JDK-8309305: sun/security/ssl/SSLSocketImpl/
    /BlockedAsyncClose.java fails with jtreg test timeout
  - JDK-8309462: [AIX] vmTestbase/nsk/jvmti/RunAgentThread/
    /agentthr001/TestDescription.java crashing due to empty while
    loop
  - JDK-8309733: [macOS, Accessibility] VoiceOver: Incorrect
    announcements of JRadioButton
  - JDK-8309870: Using -proc:full should be considered requesting
    explicit annotation processing
  - JDK-8310106: sun.security.ssl.SSLHandshake
    .getHandshakeProducer() incorrectly checks handshakeConsumers
  - JDK-8310238: [test bug] javax/swing/JTableHeader/6889007/
    /bug6889007.java fails
  - JDK-8310380: Handle problems in core-related tests on macOS
    when codesign tool does not work
  - JDK-8310631: test/jdk/sun/nio/cs/TestCharsetMapping.java is
    spuriously passing
  - JDK-8310807: java/nio/channels/DatagramChannel/Connect.java
    timed out
  - JDK-8310838: Correct range notations in MethodTypeDesc
    specification
  - JDK-8310844: [AArch64] C1 compilation fails because monitor
    offset in OSR buffer is too large for immediate
  - JDK-8310923: Refactor Currency tests to use JUnit
  - JDK-8311081: KeytoolReaderP12Test.java fail on localized
    Windows platform
  - JDK-8311160: [macOS, Accessibility] VoiceOver: No
    announcements on JRadioButtonMenuItem and JCheckBoxMenuItem
  - JDK-8311581: Remove obsolete code and comments in TestLVT.java
  - JDK-8311645: Memory leak in jspawnhelper spawnChild after
    JDK-8307990
  - JDK-8311986: Disable runtime/os/TestTracePageSizes.java for
    ShenandoahGC
  - JDK-8312428: PKCS11 tests fail with NSS 3.91
  - JDK-8312434: SPECjvm2008/xml.transform with CDS fails with
    ‘can’t seal package nu.xom’
  - JDK-8313081: MonitoringSupport_lock should be unconditionally
    initialized after 8304074
  - JDK-8313082: Enable CreateCoredumpOnCrash for testing in
    makefiles
  - JDK-8313206: PKCS11 tests silently skip execution
  - JDK-8313575: Refactor PKCS11Test tests
  - JDK-8313621: test/jdk/jdk/internal/math/FloatingDecimal/
    /TestFloatingDecimal should use RandomFactory
  - JDK-8313643: Update HarfBuzz to 8.2.2
  - JDK-8313816: Accessing jmethodID might lead to spurious
    crashes
  - JDK-8314164: java/net/HttpURLConnection/
    /HttpURLConnectionExpectContinueTest.java fails intermittently
    in timeout
  - JDK-8314220: Configurable InlineCacheBuffer size
  - JDK-8314830: runtime/ErrorHandling/ tests ignore external VM
    flags
  - JDK-8315034: File.mkdirs() occasionally fails to create
    folders on Windows shared folder
  - JDK-8315042: NPE in PKCS7.parseOldSignedData
  - JDK-8315594: Open source few headless Swing misc tests
  - JDK-8315600: Open source few more headless Swing misc tests
  - JDK-8315602: Open source swing security manager test
  - JDK-8315611: Open source swing text/html and tree test
  - JDK-8315680: java/lang/ref/ReachabilityFenceTest.java should
    run with -Xbatch
  - JDK-8315731: Open source several Swing Text related tests
  - JDK-8315761: Open source few swing JList and JMenuBar tests
  - JDK-8315920: C2: ‘control input must dominate current
    control’ assert failure
  - JDK-8315986: [macos14] javax/swing/JMenuItem/4654927/
    /bug4654927.java: component must be showing on the screen to
    determine its location
  - JDK-8316001: GC: Make TestArrayAllocatorMallocLimit use
    createTestJvm
  - JDK-8316028: Update FreeType to 2.13.2
  - JDK-8316030: Update Libpng to 1.6.40
  - JDK-8316106: Open source few swing JInternalFrame and
    JMenuBar tests
  - JDK-8316304: (fs) Add support for BasicFileAttributes
    .creationTime() for Linux
  - JDK-8316392: compiler/interpreter/
    /TestVerifyStackAfterDeopt.java failed with SIGBUS in
    PcDescContainer::find_pc_desc_internal
  - JDK-8316414: C2: large byte array clone triggers ‘failed:
    malformed control flow’ assertion failure on linux-x86
  - JDK-8316415: Parallelize
    sun/security/rsa/SignedObjectChain.java subtests
  - JDK-8316418: containers/docker/TestMemoryWithCgroupV1.java
    get OOM killed with Parallel GC
  - JDK-8316445: Mark com/sun/management/HotSpotDiagnosticMXBean/
    /CheckOrigin.java as vm.flagless
  - JDK-8316679: C2 SuperWord: wrong result, load should not be
    moved before store if not comparable
  - JDK-8316693: Simplify at-requires checkDockerSupport()
  - JDK-8316929: Shenandoah: Shenandoah degenerated GC and full
    GC need to cleanup old OopMapCache entries
  - JDK-8316947: Write a test to check textArea triggers
    MouseEntered/MouseExited events properly
  - JDK-8317039: Enable specifying the JDK used to run jtreg
  - JDK-8317144: Exclude sun/security/pkcs11/sslecc/
    /ClientJSSEServerJSSE.java on Linux ppc64le
  - JDK-8317307: test/jdk/com/sun/jndi/ldap/
    /LdapPoolTimeoutTest.java fails with ConnectException:
    Connection timed out: no further information
  - JDK-8317603: Improve exception messages thrown by
    sun.nio.ch.Net native methods (win)
  - JDK-8317771: [macos14] Expand/collapse a JTree using keyboard
    freezes the application in macOS 14 Sonoma
  - JDK-8317807: JAVA_FLAGS removed from jtreg running in
    JDK-8317039
  - JDK-8317960: [17u] Excessive CPU usage on
    AbstractQueuedSynchronized.isEnqueued
  - JDK-8318154: Improve stability of WheelModifier.java test
  - JDK-8318183: C2: VM may crash after hitting node limit
  - JDK-8318410: jdk/java/lang/instrument/BootClassPath/
    /BootClassPathTest.sh fails on Japanese Windows
  - JDK-8318468: compiler/tiered/LevelTransitionTest.java fails
    with -XX:CompileThreshold=100 -XX:TieredStopAtLevel=1
  - JDK-8318490: Increase timeout for JDK tests that are close to
    the limit when run with libgraal
  - JDK-8318603: Parallelize sun/java2d/marlin/ClipShapeTest.java
  - JDK-8318607: Enable parallelism in vmTestbase/nsk/stress/jni
    tests
  - JDK-8318608: Enable parallelism in
    vmTestbase/nsk/stress/threads tests
  - JDK-8318689: jtreg is confused when folder name is the same
    as the test name
  - JDK-8318736: com/sun/jdi/JdwpOnThrowTest.java failed with
    ‘transport error 202: bind failed: Address already in use’
  - JDK-8318951: Additional negative value check in JPEG decoding
  - JDK-8318955: Add ReleaseIntArrayElements in
    Java_sun_awt_X11_XlibWrapper_SetBitmapShape XlbWrapper.c to
    early return
  - JDK-8318957: Enhance agentlib:jdwp help output by info about
    allow option
  - JDK-8318961: increase javacserver connection timeout values
    and max retry attempts
  - JDK-8318971: Better Error Handling for Jar Tool When
    Processing Non-existent Files
  - JDK-8318983: Fix comment typo in PKCS12Passwd.java
  - JDK-8319124: Update XML Security for Java to 3.0.3
  - JDK-8319213: Compatibility.java reads both stdout and stderr
    of JdkUtils
  - JDK-8319436: Proxy.newProxyInstance throws NPE if loader is
    null and interface not visible from class loader
  - JDK-8319456: jdk/jfr/event/gc/collection/
    /TestGCCauseWith[Serial|Parallel].java : GC cause ‘GCLocker
    Initiated GC’ not in the valid causes
  - JDK-8319668: Fixup of jar filename typo in BadFactoryTest.sh
  - JDK-8319922: libCreationTimeHelper.so fails to link in JDK 21
  - JDK-8319961: JvmtiEnvBase doesn’t zero _ext_event_callbacks
  - JDK-8320001: javac crashes while adding type annotations to
    the return type of a constructor
  - JDK-8320168: handle setsocktopt return values
  - JDK-8320208: Update Public Suffix List to b5bf572
  - JDK-8320300: Adjust hs_err output in malloc/mmap error cases
  - JDK-8320363: ppc64 TypeEntries::type_unknown logic looks
    wrong, missed optimization opportunity
  - JDK-8320597: RSA signature verification fails on signed data
    that does not encode params correctly
  - JDK-8320798: Console read line with zero out should zero out
    underlying buffer
  - JDK-8320885: Bump update version for OpenJDK: jdk-17.0.11
  - JDK-8320921: GHA: Parallelize hotspot_compiler test jobs
  - JDK-8320937: support latest VS2022 MSC_VER in
    abstract_vm_version.cpp
  - JDK-8321151: JDK-8294427 breaks Windows L&F on all older
    Windows versions
  - JDK-8321215: Incorrect x86 instruction encoding for VSIB
    addressing mode
  - JDK-8321408: Add Certainly roots R1 and E1
  - JDK-8321480: ISO 4217 Amendment 176 Update
  - JDK-8321599: Data loss in AVX3 Base64 decoding
  - JDK-8321815: Shenandoah: gc state should be synchronized to
    java threads only once per safepoint
  - JDK-8321972: test runtime/Unsafe/InternalErrorTest.java
    timeout on linux-riscv64 platform
  - JDK-8322098: os::Linux::print_system_memory_info enhance the
    THP output with
    /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
  - JDK-8322321: Add man page doc for -XX:+VerifySharedSpaces
  - JDK-8322417: Console read line with zero out should zero out
    when throwing exception
  - JDK-8322583: RISC-V: Enable fast class initialization checks
  - JDK-8322725: (tz) Update Timezone Data to 2023d
  - JDK-8322750: Test ‘api/java_awt/interactive/
    /SystemTrayTests.html’ failed because A blue ball icon is
    added outside of the system tray
  - JDK-8322772: Clean up code after JDK-8322417
  - JDK-8322783: prioritize /etc/os-release over
    /etc/SuSE-release in hs_err/info output
  - JDK-8322968: [17u] Amend Atomics gtest with 1-byte tests
  - JDK-8323008: filter out harmful -std* flags added by autoconf
    from CXX
  - JDK-8323021: Shenandoah: Encountered reference count always
    attributed to first worker thread
  - JDK-8323086: Shenandoah: Heap could be corrupted by oom
    during evacuation
  - JDK-8323243: JNI invocation of an abstract instance method
    corrupts the stack
  - JDK-8323331: fix typo hpage_pdm_size
  - JDK-8323428: Shenandoah: Unused memory in regions compacted
    during a full GC should be mangled
  - JDK-8323515: Create test alias ‘all’ for all test roots
  - JDK-8323637: Capture hotspot replay files in GHA
  - JDK-8323640: [TESTBUG]testMemoryFailCount in
    jdk/internal/platform/docker/TestDockerMemoryMetrics.java
    always fail because OOM killed
  - JDK-8323806: [17u] VS2017 build fails with warning after
    8293117.
  - JDK-8324184: Windows VS2010 build failed with ‘error C2275:
    ‘int64_t’’
  - JDK-8324280: RISC-V: Incorrect implementation in
    VM_Version::parse_satp_mode
  - JDK-8324347: Enable ‘maybe-uninitialized’ warning for
    FreeType 2.13.1
  - JDK-8324514: ClassLoaderData::print_on should print address
    of class loader
  - JDK-8324647: Invalid test group of lib-test after JDK-8323515
  - JDK-8324659: GHA: Generic jtreg errors are not reported
  - JDK-8324937: GHA: Avoid multiple test suites per job
  - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/
    /AKISerialNumber.java is failing
  - JDK-8325150: (tz) Update Timezone Data to 2024a
  - JDK-8325585: Remove no longer necessary calls to
    set/unset-in-asgct flag in JDK 17
  - JDK-8326000: Remove obsolete comments for class
    sun.security.ssl.SunJSSE
  - JDK-8327036: [macosx-aarch64] SIGBUS in
    MarkActivationClosure::do_code_blob reached from
    Unsafe_CopySwapMemory0
  - JDK-8327391: Add SipHash attribution file
  - JDK-8329836: [17u] Remove designator
    DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.11
Removed the possibility to use the system timezone-java (bsc#1213470).