Your message dated Fri, 9 Jun 2023 21:07:12 +0200
with message-id <zin4ycdgmzlkt...@eldamar.lan>
and subject line Accepted openjdk-17 17.0.7+7-1 (source) into unstable
has caused the Debian Bug report #1035957,
regarding openjdk-17: CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 
CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1035957: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035957
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-17
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-17.

CVE-2023-21930[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via TLS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized creation, deletion or modification access
| to critical data or all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized access to critical
| data or complete access to all Oracle Java SE, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability can also be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).


CVE-2023-21937[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Networking). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2023-21938[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and
| 22.3.0. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted code
| (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2023-21939[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Swing). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Easily exploitable vulnerability allows unauthenticated attacker with
| network access via HTTP to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability can also be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2023-21954[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Hotspot). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized access to critical data or
| complete access to all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).


CVE-2023-21967[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via HTTPS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21968[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-21930
    https://www.cve.org/CVERecord?id=CVE-2023-21930
[1] https://security-tracker.debian.org/tracker/CVE-2023-21937
    https://www.cve.org/CVERecord?id=CVE-2023-21937
[2] https://security-tracker.debian.org/tracker/CVE-2023-21938
    https://www.cve.org/CVERecord?id=CVE-2023-21938
[3] https://security-tracker.debian.org/tracker/CVE-2023-21939
    https://www.cve.org/CVERecord?id=CVE-2023-21939
[4] https://security-tracker.debian.org/tracker/CVE-2023-21954
    https://www.cve.org/CVERecord?id=CVE-2023-21954
[5] https://security-tracker.debian.org/tracker/CVE-2023-21967
    https://www.cve.org/CVERecord?id=CVE-2023-21967
[6] https://security-tracker.debian.org/tracker/CVE-2023-21968
    https://www.cve.org/CVERecord?id=CVE-2023-21968

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: openjdk-17
Source-Version: 17.0.7+7-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Jun 2023 13:36:52 +0200
Source: openjdk-17
Architecture: source
Version: 17.0.7+7-1
Distribution: unstable
Urgency: high
Maintainer: OpenJDK Team <openjdk...@packages.debian.org>
Changed-By: Matthias Klose <d...@debian.org>
Changes:
 openjdk-17 (17.0.7+7-1) unstable; urgency=high
 .
   * OpenJDK 17.0.7 release, build 7.
     - CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939,
       CVE-2023-21954, CVE-2023-21967, CVE-2023-21968.
     - Release notes:
       https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-April/021899.html
 .
   [ Vladimir Petko ]
   * Refresh patches.
   * debian/copyright: Convert to machine readable format.
   * Update watch file.
   * Update tag and version handling in the rules file.
   * debian/JB-jre-headless.postinst.in: trigger ca-certificates-java after
     the JRE is set up.
   * d/control: add jtreg6 dependencies, regenerate control.
   * d/rules: only compile google tests when with_check is enabled, disable them
     for bullseye and jammy.
   * d/rules: always use jtreg6.
   * d/p/exclude-broken-tests.patch: add OpenJDK 17 failures.
   * d/p/*: add patches for jtreg tests:
     - disable-thumb-assertion.patch: fix JDK-8305481.
     - update-assertion-for-armhf.patch: fix JDK-8305480.
     - misalign-pointer-for-armhf.patch: packaging-specific patch to fix test
       failure introduced by d/p/m68k-support.diff.
     - log-generated-classes-test.patch: workaround JDK-8166162.
     - update-permission-test.patch: add security permissions for testng 7.
     - ldap-timeout-test-use-ip.patch, test-use-ip-address.patch: Ubuntu-specific
       patches to work around missing DNS resolver on the build machines.
     - exclude_broken_tests.patch: quarantine failing tests.
   * d/t/{jdk,hotspot,jaxp,lantools}: run tier1 and tier2 jtreg tests only,
     add test options from OpenJDK Makefile, patch problem list to exclude
     architecture-specific failing tests.
   * d/t/*: fix test environment: add missing -nativepath (LP: #2001563).
   * d/t/jdk: provide dbus session for the window manager (LP: #2001576).
   * d/t/jtreg-autopkgtest.in: pass JTREG home to locate junit.jar, regenerate
     d/t/jtreg-autopkgtest.sh (LP: #2016206).
   * d/rules: pack external debug symbols with build-id, do not strip JVM shared
     libraries (LP: #2012326, LP: #2016739).
   * drop d/p/{jaw-classpath.diff, jaw-optional.diff}: the atk wrapper is
     disabled and these patches cause class data sharing tests to fail.
     LP: #2016194.



----- End forwarded message -----

--- End Message ---
