#18317 closed enhancement (fixed)
jdk-20.0.2
Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | high | Milestone: | 12.0 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
New point version, contains several security fixes
Change History (8)
comment:1 by , 21 months ago
Owner: | changed from | to |
---|---|---|
Status: | new → assigned | |
comment:2 by , 21 months ago
comment:3 by , 21 months ago
I'm going to add `--with-harfbuzz=system` to the configure line and add a dependency on Harfbuzz to the Recommended dependencies section.
comment:4 by , 21 months ago
The x86_64 binary is uploaded to anduin, and jtreg is copied over! Currently building the i686 binary. This should be good to go in tonight or early tomorrow.
comment:6 by , 21 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at aa1bc104f3ef472fe4ed558a908ac89b811df1fe
I need to stop for today, so I'll get the SA tomorrow or on Monday.
The vulnerabilities fixed are:

- CVE-2023-22041 - in the Hotspot component, unauthorized access to data. Rated as Medium
- CVE-2023-25193 - in its internal fork of Harfbuzz, denial of service. Rated as High
- CVE-2023-22044 - in the Hotspot component, unauthorized read access. Rated as Low
- CVE-2023-22045 - in the Hotspot component, unauthorized read access. Rated as Low
- CVE-2023-22049 - in the Libraries component, allows remote modification or deletion of data. Rated as Low though
- CVE-2023-22036 - in the Utility component, allows remote attackers to cause a denial of service. Rated as Low
- CVE-2023-22006 - in the Networking component, allows remote modification or deletion of data (but requires user interaction). Rated as Low

All but CVE-2023-22006 can be exploited without user interaction and without authentication, though.