Opened 10 months ago

Closed 8 months ago

#19508 closed enhancement (fixed)

jdk-22.0.1

Reported by: Xi Ruoyao
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.2
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New major version.

Just seen the release note at https://mail.openjdk.org/pipermail/jdk-dev/2024-March/008827.html. I've not found a download link yet.

Change History (11)

comment:1 by Douglas R. Reno, 10 months ago

The tag for the source has been published

comment:2 by Douglas R. Reno, 10 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 9 months ago

Priority: normal → high
Summary: jdk-22 → jdk-22.0.1 (wait for Tuesday)
Oracle Java SE Executive Summary

This Critical Patch Update contains 13 new security patches for Oracle Java SE. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.5.

The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

    Oracle GraalVM Enterprise Edition, versions 20.3.13, 21.3.9
    Oracle GraalVM for JDK, versions 17.0.10, 21.0.2, 22
    Oracle Java SE, versions 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22

comment:4 by thomas, 9 months ago (in reply to: comment:3)

Replying to Douglas R. Reno:

Oracle Java SE Executive Summary

This Critical Patch Update contains 13 new security patches for Oracle Java SE. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.5.

The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:

    Oracle GraalVM Enterprise Edition, versions 20.3.13, 21.3.9
    Oracle GraalVM for JDK, versions 17.0.10, 21.0.2, 22
    Oracle Java SE, versions 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22

Is that also true for OpenJDKs?

comment:5 by Douglas R. Reno, 9 months ago

Yes it is; OpenJDK tracks these and is also maintained by Oracle :)

comment:6 by Douglas R. Reno, 9 months ago

Priority: high → elevated

The source is now available, though we're going to go with jdk-22.0.1+0 for a regression fix

The highest severity issues only impact Oracle GraalVM, so we're only affected by...

CVE-2024-21011 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be a denial of service vulnerability

CVE-2024-21068 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability

CVE-2024-21094 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability

CVE-2024-21012 (Networking), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability

comment:7 by Douglas R. Reno, 9 months ago

Note though that these are all remotely exploitable with no authentication or user interaction required

comment:8 by Douglas R. Reno, 9 months ago

Summary: jdk-22.0.1 (wait for Tuesday) → jdk-22.0.1

comment:9 by Douglas R. Reno, 8 months ago

The jtreg and x86_64 binaries have been uploaded to anduin. Now finishing up i686.

comment:10 by Douglas R. Reno, 8 months ago

The i686 binary is now uploaded to anduin.

comment:11 by Douglas R. Reno, 8 months ago

Resolution: fixed
Status: assigned → closed

Fixed at a60e359f88ea891544f097d00915eee51c94fc72

SA-12.1-049 issued
