Opened 22 months ago

Closed 21 months ago

Last modified 20 months ago

#18192 closed enhancement (fixed)

jdk-20.0.1

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 12.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New major version

This seems to be a rather significant security update that'll probably go pretty high on my priority list for this week since Pierre is out of town:

"This Critical Patch Update contains 8 new security patches, plus additional third party patches noted below, for Oracle Java SE. 7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials."

(In our case, all of these require no authentication)

The table shows that we are vulnerable to:

CVE-2023-21930 - High severity in the TLS component. Attack complexity is high, but it does allow for unauthorized creation, modification, or deletion of data.

CVE-2023-21967 - Medium severity in the HTTPS component. Denial of service with high attack complexity.

CVE-2023-21939 - Medium severity in the Swing component. Attack Complexity is trivial and allows for unauthorized creation, modification, or deletion of data.

CVE-2023-21938 - Low severity in multiple libraries. High attack complexity, but allows for unauthorized creation, modification, or deletion of data.

CVE-2023-21968 - Low severity in multiple libraries. High attack complexity, but allows for unauthorized creation, modification, or deletion of data.

CVE-2023-21937 - Low severity in the networking component. High attack complexity, but allows for unauthorized creation, modification, or deletion of data.

Change History (7)

comment:1 by Douglas R. Reno, 22 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 21 months ago

Similar to jdk17, we need a new jtreg! To create a new tarball with the latest version, prepare it as follows:

  • Untar it to a directory and run the following commands: 
sh make/build.sh --jdk /opt/jdk
cd build/images
tar -cJvf jtreg-7.2+1.tar.xz jtreg/

If you don't have apache-ant installed, it will download a copy for you.

The build number for jdk20 will be '9'.

comment:3 by Douglas R. Reno, 21 months ago

jtreg and the i686 version of the binary have been uploaded to anduin. I'll get x86_64 done and the book page updates in the morning

comment:4 by Douglas R. Reno, 21 months ago

The x86_64 binary is now uploaded to anduin. I'll commit the changes to the book once I've wrapped up some testing

comment:5 by Douglas R. Reno, 21 months ago

Resolution: fixed
Status: assignedclosed

Fixed at dde26e3f605a8f9b64eabe966e792aa5f8c404a1

comment:6 by Douglas R. Reno, 21 months ago

SA-11.3-053 issued

comment:7 by Bruce Dubbs, 20 months ago

Milestone: 11.412.0

Milestone renamed

Note: See TracTickets for help on using tickets.