Opened 11 months ago

Closed 11 months ago

Last modified 10 months ago

#18192 closed enhancement (fixed)

jdk-20.0.1

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 12.0
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New major version

This seems to be a rather significant security update that'll probably go pretty high on my priority list for this week since Pierre is out of town:

"This Critical Patch Update contains 8 new security patches, plus additional third party patches noted below, for Oracle Java SE. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials."

(In our case, all of these require no authentication)

The table shows that we are vulnerable to:

CVE-2023-21930 - High severity in the TLS component. Attack complexity is high, but it does allow for unauthorized creation, modification, or deletion of data.

CVE-2023-21967 - Medium severity in the HTTPS component. Denial of service with high attack complexity.

CVE-2023-21939 - Medium severity in the Swing component. Attack complexity is trivial and allows for unauthorized creation, modification, or deletion of data.

CVE-2023-21938 - Low severity in multiple libraries. High attack complexity, but allows for unauthorized creation, modification, or deletion of data.

CVE-2023-21968 - Low severity in multiple libraries. High attack complexity, but allows for unauthorized creation, modification, or deletion of data.

CVE-2023-21937 - Low severity in the networking component. High attack complexity, but allows for unauthorized creation, modification, or deletion of data.

Change History (7)

comment:1 by Douglas R. Reno, 11 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 11 months ago

Similar to jdk17, we need a new jtreg! To create a new tarball with the latest version, prepare it as follows:

  • Untar it to a directory and run the following commands:

        sh make/build.sh --jdk /opt/jdk
        cd build/images
        tar -cJvf jtreg-7.2+1.tar.xz jtreg/

If you don't have apache-ant installed, it will download a copy for you.

The build number for jdk20 will be '9'.

comment:3 by Douglas R. Reno, 11 months ago

jtreg and the i686 version of the binary have been uploaded to anduin. I'll get x86_64 done and the book page updates in the morning.

comment:4 by Douglas R. Reno, 11 months ago

The x86_64 binary is now uploaded to anduin. I'll commit the changes to the book once I've wrapped up some testing.

comment:5 by Douglas R. Reno, 11 months ago

Resolution: fixed
Status: assigned → closed

comment:6 by Douglas R. Reno, 11 months ago

SA-11.3-053 issued

comment:7 by Bruce Dubbs, 10 months ago

Milestone: 11.4 → 12.0

Milestone renamed
