Opened 2 years ago

Closed 2 years ago

#15845 closed enhancement (fixed)


Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 11.1
Component: BOOK
Version: git
Severity: critical
Keywords:


New major version.

Note that this is a supported LTS release until at least April 2022, with a major distribution like RedHat taking support after that.

We should update this to assist with preventing attacks with Log4j, like ones that have been described using Minecraft. I have personally confirmed this update to prevent remote code execution using the Minecraft 1.18 server and a client running 1.18.1.

Some news articles:

U.S. Government Advisory:

Since 16.0.2 is unsupported anyway, and we'd have to create new binaries, I don't really feel like it's worth the trouble to patch it at this time. Updating to 17.0.2 is the best way.

Quote from Cloudflare: "When I look back over the last 10 years, there are only two other exploits I can think of with a similar severity: Heartbleed, which allowed you to get information from servers that should have been secure, and Shellshock, which allowed you to run code on a remote machine."
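Added example, not from the ticket or the BLFS book: a POSIX shell check that parses `java -version` output and reports whether the installed JDK is at or above a minimum release, defaulting to the 17.0.2 this ticket updates the book to. The script name jdk_check.sh and the three sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the BLFS ticket or book): decide whether a JDK is
# at or above a minimum release by parsing the output of `java -version`.
#
# Exit status of jdk_at_least: 0 = at/above minimum, 1 = older, 2 = unparseable.

# Pull the quoted version string out of `java -version` output and normalise it:
#   openjdk version "17.0.2" 2022-01-18  -> 17.0.2
#   openjdk version "1.8.0_312"          -> 8.0.312   (legacy 1.x scheme)
#   openjdk version "17-ea"              -> 17        (build/EA suffix dropped)
jdk_version_of() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    case "$v" in
        1.*) v=${v#1.}
             v=$(printf '%s' "$v" | tr '_' '.') ;;
    esac
    printf '%s\n' "${v%%[-+]*}"
}

# version_ge A B: succeed when dotted version A is >= B, comparing component
# by component as integers; missing components count as 0 (17.0 < 17.0.2).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        a=${a#*.};  b=${b#*.}
        x=${x:-0};  y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# jdk_at_least "<java -version output>" "<minimum version>"
jdk_at_least() {
    have=$(jdk_version_of "$1") || return 2
    version_ge "$have" "$2"
}

# Constructed sample outputs (not captured from any real system)
SAMPLE_OLD='openjdk version "16.0.2" 2021-07-20
OpenJDK Runtime Environment (build 16.0.2+7)'
SAMPLE_NEW='openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8)'
SAMPLE_LEGACY='openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-b07)'

# Live check of the JDK on PATH:  sh jdk_check.sh --live [minimum]
if [ "${1:-}" = "--live" ]; then
    min=${2:-17.0.2}
    out=$(java -version 2>&1)
    jdk_at_least "$out" "$min"; rc=$?
    case $rc in
        0) echo "JDK $(jdk_version_of "$out") is at or above $min" ;;
        1) echo "JDK $(jdk_version_of "$out") is older than $min: update" ;;
        *) echo "could not parse java -version output" ;;
    esac
    exit $rc
fi
```

Run `sh jdk_check.sh --live` on a machine to check the JDK on PATH; the functions can also be sourced and called with captured output, which is how the constructed samples are meant to be used. Legacy `1.8.0_312`-style strings are normalised so a Java 8 install compares as 8.0.312 rather than as a 1.x release, and a missing trailing component counts as 0, so 17.0 is correctly reported as older than 17.0.2.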

Change History (7)

comment:1 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 2 years ago

This also contains fixes for:

CVE-2021-35567 - Medium, remote code execution, may allow for access to "privileged and critical system data"

CVE-2021-35586 - Medium, application crash

CVE-2021-35564 - Medium, unauthorized creation, modification, or deletion of data

CVE-2021-35556 - Medium, application crash

CVE-2021-35559 - Medium, application crash

CVE-2021-35561 - Medium, application crash

CVE-2021-35578 - Medium, application crash

CVE-2021-35603 - Low, unauthorized access of data via TLS bypass

comment:3 by Douglas R. Reno, 2 years ago

We need a new jtreg. Just grabbed the sources from GitHub and built it (sh make/ --jdk /opt/jdk). Waiting to see now if jdk-17 accepts it.

comment:4 by Douglas R. Reno, 2 years ago

Test results: passed: 6,231; failed: 49; error: 8

JDK-17 accepts it with my new jtreg tarball.

comment:5 by Douglas R. Reno, 2 years ago

The 64-bit binary is done, just testing it with fop, libreoffice, graphviz, subversion, ant, and opencv. I found a bunch of dependencies that are no longer valid, so I'm going to commit those shortly.

Progress on i686 is going very smoothly.

comment:6 by Douglas R. Reno, 2 years ago

64-bit binary confirmed good with all packages in the book. Shifting focus to other packages once the i686 system is at a point where it can run on its own for a bit.

comment:7 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed at 172f41cfa0ffefbe4331a4ba66a1121d26e623cf and a security advisory has been issued.
