Your message dated Sun, 11 Jun 2023 21:11:04 +0200
with message-id <ziycsnfnil03b...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted openjdk-11 11.0.19+7-1 (source) into unstable]
has caused the Debian Bug report #1036280,
regarding openjdk-11: CVE-2023-21930 CVE-2023-21937 CVE-2023-21938
CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1036280: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036280
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openjdk-11
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-11.
CVE-2023-21930[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via TLS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized creation, deletion or modification access
| to critical data or all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized access to critical
| data or complete access to all Oracle Java SE, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability can also be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
CVE-2023-21937[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Networking). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21938[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and
| 22.3.0. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted code
| (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21939[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Swing). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Easily exploitable vulnerability allows unauthenticated attacker with
| network access via HTTP to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability can also be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21954[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Hotspot). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized access to critical data or
| complete access to all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-21967[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via HTTPS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21968[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-21930
https://www.cve.org/CVERecord?id=CVE-2023-21930
[1] https://security-tracker.debian.org/tracker/CVE-2023-21937
https://www.cve.org/CVERecord?id=CVE-2023-21937
[2] https://security-tracker.debian.org/tracker/CVE-2023-21938
https://www.cve.org/CVERecord?id=CVE-2023-21938
[3] https://security-tracker.debian.org/tracker/CVE-2023-21939
https://www.cve.org/CVERecord?id=CVE-2023-21939
[4] https://security-tracker.debian.org/tracker/CVE-2023-21954
https://www.cve.org/CVERecord?id=CVE-2023-21954
[5] https://security-tracker.debian.org/tracker/CVE-2023-21967
https://www.cve.org/CVERecord?id=CVE-2023-21967
[6] https://security-tracker.debian.org/tracker/CVE-2023-21968
https://www.cve.org/CVERecord?id=CVE-2023-21968
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: openjdk-11
Source-Version: 11.0.19+7-1
Fixes #1036280 as well, so closing manually:
----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----
Format: 1.8
Date: Sun, 11 Jun 2023 12:55:28 +0200
Source: openjdk-11
Architecture: source
Version: 11.0.19+7-1
Distribution: unstable
Urgency: high
Maintainer: OpenJDK Team <openjdk...@packages.debian.org>
Changed-By: Matthias Klose <d...@ubuntu.com>
Changes:
openjdk-11 (11.0.19+7-1) unstable; urgency=high
.
* OpenJDK 11.0.19 release, build 7.
- CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939,
CVE-2023-21954, CVE-2023-21967, CVE-2023-21968.
- Release notes:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-April/021900.html
- d/p/*: refresh patches.
.
[ Vladimir Petko ]
* debian/JB-jre-headless.postinst.in: trigger ca-certificates-java after jre
is set up.
* d/p: drop obsolete patches (LP: #2011653).
- workaround_expand_exec_shield_cs_limit.diff: obsoleted by
hotspot-disable-exec-shield-workaround.diff.
- generated-headers.patch: include is already added by openjdk makefile.
- parallel-build-fix.diff: include is not necessary.
* d/copyright, d/watch: implement uscan repackaging (LP: #2011749).
* d/rules: use --with-debug-symbols=none (LP: #2003820).
* d/control: add jtreg6 dependencies, regenerate control.
* d/t/{jdk,hotspot,jaxp,langtools}: run tier1 and tier2 jtreg tests only,
add test options from OpenJDK makefile.
* d/t/*: fix test environment: add missing -nativepath (LP: #2001563).
* d/t/jdk: provide dbus session for the window manager (LP: #2001576).
* d/p/*: add patches for jtreg tests:
- disable-thumb-assertion.patch: fix JDK-8305481.
- update-assertion-for-armhf.patch: fix JDK-8305480.
- log-generated-classes-test.patch: workaround JDK-8166162.
- update-permission-test.patch: add security permissions for testng 7.
- ldap-timeout-test-use-ip.patch, test-use-ip-address.patch: Ubuntu-specific
patches to workaround missing DNS resolver on the build machines.
- exclude_broken_tests.patch: quarantine failing tests.
* d/rules: package external debug symbols (LP: #2015835).
* drop d/p/{jaw-classpath.diff, jaw-optional.diff}: the atk wrapper is disabled
and these patches cause class data sharing tests to fail (LP: #2016194).
* d/p/exclude-broken-tests.patch: add OpenJDK 11 failures.
* d/t/jtreg-autopkgtest.in: pass JTREG home to locate junit.jar, regenerate
d/t/jtreg-autopkgtest.sh (LP: #2016206).
* d/t/control.in: disable jtreg autopkgtests in line with openjdk 17,
regenerate control (LP: #2016438).
* d/rules: pack external debug symbols with build-id, do not pack duplicate
symbols, do not strip JVM shared libraries (LP: #2012326, LP: #2016739).
* d/rules: always use jtreg6.
.
[ Matthias Klose ]
* d/rules: Fix using CC/CXX for recent releases.
----- End forwarded message -----
--- End Message ---