Opened 10 months ago
Closed 8 months ago
#19508 closed enhancement (fixed)
jdk-22.0.1
| Reported by: | Xi Ruoyao | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
New major version.
Just seen the release note at https://mail.openjdk.org/pipermail/jdk-dev/2024-March/008827.html. I've not found a download link yet.
Change History (11)
comment:1 by , 10 months ago
comment:2 by , 10 months ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
follow-up: 4 comment:3 by , 9 months ago
| Priority: | normal → high |
|---|---|
| Summary: | jdk-22 → jdk-22.0.1 (wait for Tuesday) |
Oracle Java SE Executive Summary

This Critical Patch Update contains 13 new security patches for Oracle Java SE. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.5.

The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
- Oracle GraalVM Enterprise Edition, versions 20.3.13, 21.3.9
- Oracle GraalVM for JDK, versions 17.0.10, 21.0.2, 22
- Oracle Java SE, versions 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22
comment:4 by , 9 months ago
Replying to Douglas R. Reno:
> Oracle Java SE Executive Summary
>
> This Critical Patch Update contains 13 new security patches for Oracle Java SE. 10 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The highest CVSS v3.1 Base Score of vulnerabilities affecting Oracle Java SE is 7.5.
>
> The Oracle Java SE products and versions affected by vulnerabilities that are addressed in this Critical Patch Update are:
> - Oracle GraalVM Enterprise Edition, versions 20.3.13, 21.3.9
> - Oracle GraalVM for JDK, versions 17.0.10, 21.0.2, 22
> - Oracle Java SE, versions 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22
Is that also true for OpenJDKs?
comment:6 by , 9 months ago
| Priority: | high → elevated |
|---|---|
The source is now available, though we're going to go with jdk-22.0.1+0 for a regression fix
The highest severity issues only impact Oracle GraalVM, so we're only affected by...
CVE-2024-21011 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be a denial of service vulnerability
CVE-2024-21068 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability
CVE-2024-21094 (Hotspot), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability
CVE-2024-21012 (Networking), Network exploitable with no user interaction or privileges required, looks to be an unauthorized information reading/modification vulnerability
comment:7 by , 9 months ago
Note though that these are all remotely exploitable with no authentication or user interaction required
comment:8 by , 9 months ago
| Summary: | jdk-22.0.1 (wait for Tuesday) → jdk-22.0.1 |
|---|---|
comment:9 by , 8 months ago
The jtreg and x86_64 binaries have been uploaded to anduin. Now finishing up i686.
comment:11 by , 8 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at a60e359f88ea891544f097d00915eee51c94fc72
SA-12.1-049 issued
The tag for the source has been published