Your message dated Fri, 1 Nov 2024 23:20:34 +0100 (CET) with message-id <2e260697-545b-e82d-cb47-f507ba127...@debian.org> and subject line Bug#1085696: fixed in openjdk-8 8u432-b06-1 has caused the Debian Bug report #1085696, regarding openjdk-8: CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1085696: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085696 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: openjdk-8 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for openjdk-8. CVE-2024-21208[0]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | Networking). Supported versions that are affected are Oracle Java | SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM | for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: | 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows | unauthenticated attacker with network access via multiple protocols | to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition. Successful attacks of this vulnerability can | result in unauthorized ability to cause a partial denial of service | (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition. Note: This vulnerability applies to Java | deployments, typically in clients running sandboxed Java Web Start | applications or sandboxed Java applets, that load and run untrusted | code (e.g., code that comes from the internet) and rely on the Java | sandbox for security. This vulnerability does not apply to Java | deployments, typically in servers, that load and run only trusted | code (e.g., code installed by an administrator). CVSS 3.1 Base Score | 3.7 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2024-21210[1]: | Vulnerability in Oracle Java SE (component: Hotspot). Supported | versions that are affected are Oracle Java SE: 8u421, 8u421-perf, | 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability | allows unauthenticated attacker with network access via multiple | protocols to compromise Oracle Java SE. Successful attacks of this | vulnerability can result in unauthorized update, insert or delete | access to some of Oracle Java SE accessible data. Note: This | vulnerability can be exploited by using APIs in the specified | Component, e.g., through a web service which supplies data to the | APIs. This vulnerability also applies to Java deployments, typically | in clients running sandboxed Java Web Start applications or | sandboxed Java applets, that load and run untrusted code (e.g., code | that comes from the internet) and rely on the Java sandbox for | security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). CVE-2024-21217[2]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | Serialization). Supported versions that are affected are Oracle | Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle | GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise | Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability | allows unauthenticated attacker with network access via multiple | protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, | Oracle GraalVM Enterprise Edition. Successful attacks of this | vulnerability can result in unauthorized ability to cause a partial | denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM | for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability | can be exploited by using APIs in the specified Component, e.g., | through a web service which supplies data to the APIs. This | vulnerability also applies to Java deployments, typically in clients | running sandboxed Java Web Start applications or sandboxed Java | applets, that load and run untrusted code (e.g., code that comes | from the internet) and rely on the Java sandbox for security. CVSS | 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). CVE-2024-21235[3]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE (component: | Hotspot). Supported versions that are affected are Oracle Java SE: | 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM | for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: | 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows | unauthenticated attacker with network access via multiple protocols | to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition. Successful attacks of this vulnerability can | result in unauthorized update, insert or delete access to some of | Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise | Edition accessible data as well as unauthorized read access to a | subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM | Enterprise Edition accessible data. Note: This vulnerability can be | exploited by using APIs in the specified Component, e.g., through a | web service which supplies data to the APIs. This vulnerability also | applies to Java deployments, typically in clients running sandboxed | Java Web Start applications or sandboxed Java applets, that load and | run untrusted code (e.g., code that comes from the internet) and | rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 | (Confidentiality and Integrity impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-21208 https://www.cve.org/CVERecord?id=CVE-2024-21208 [1] https://security-tracker.debian.org/tracker/CVE-2024-21210 https://www.cve.org/CVERecord?id=CVE-2024-21210 [2] https://security-tracker.debian.org/tracker/CVE-2024-21217 https://www.cve.org/CVERecord?id=CVE-2024-21217 [3] https://security-tracker.debian.org/tracker/CVE-2024-21235 https://www.cve.org/CVERecord?id=CVE-2024-21235 Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---Version: 8u432-b06-1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 01 Nov 2024 22:24:27 +0100 Source: openjdk-8 Architecture: source Version: 8u432-b06-1 Distribution: unstable Urgency: medium Maintainer: Java Maintenance <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Emilio Pozuelo Monfort <po...@debian.org> Closes: 1076752 Changes: openjdk-8 (8u432-b06-1) unstable; urgency=medium . [ Vladimir Petko ] * Include /usr/share/dpkg/buildflags.mk to work around *buntu breaking package builds without it (Closes: #1076752) . [ Thorsten Glaser ] * Include /usr/share/dpkg/buildflags.mk only if it exists * Set JT_JAVA if needed to not need default-jre-headless . [ Emilio Pozuelo Monfort ] * New upstream release. Checksums-Sha1: 402890bc35cc55ca510884b56d50cef13a4e8943 4662 openjdk-8_8u432-b06-1.dsc 7e9c0cdd5ba2258aeafeb10200fd95189075a13e 66675402 openjdk-8_8u432-b06.orig.tar.gz 2ecd93f8ada2a416af9b8faeecbb44acdfc1afff 178636 openjdk-8_8u432-b06-1.debian.tar.xz d265e4120869770a9bac580a6644fcfda0132744 12122 openjdk-8_8u432-b06-1_source.buildinfo Checksums-Sha256: ea574a9a0dd46ea48119de8e7ebfa4af8aa7d4aed85e040c83d69ff168ffefa6 4662 openjdk-8_8u432-b06-1.dsc ce53158096490c75d68fc44ca7978717b20ada27167217c62d46dc9d8bd19c86 66675402 openjdk-8_8u432-b06.orig.tar.gz b28341a47fd266300547c024c740da300ec1b8c433e308db317d5443d40becfb 178636 openjdk-8_8u432-b06-1.debian.tar.xz d0a0a9ff43cff90210eb0dc79910942cf98e3bc1b4b50d275d02793eab084e23 12122 openjdk-8_8u432-b06-1_source.buildinfo Files: 4282f92264dee9e0ddb82e0d5375adb3 4662 java optional openjdk-8_8u432-b06-1.dsc 07ed6c82d13ea837840c0db315799cd4 66675402 java optional openjdk-8_8u432-b06.orig.tar.gz 4598ca6cfb038e4a7b4b1e1818bb372e 178636 java optional openjdk-8_8u432-b06-1.debian.tar.xz 580c633de99c851e8c50017e9f12d2e9 12122 java optional openjdk-8_8u432-b06-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmclR0UACgkQnUbEiOQ2 gwKnag//dl4YjY2/LM6Wz4Ri8RzFEz92UniLoG0c0WhUtRGT7N2oD+pGROs7brKF vUYqn3Vc+xWh7rVAQkPkRMVFpwGREhqZDzL8lhu4JRPV/7WWEKuEMQPTCdUnPXbu HM3D9IJAoelLoD4+qI5WklBD5IWPx45yeeJkoFkJr03n8cEys19EazZq7vJe5eCf Ux7ssb/TJYvCuHSNTx6jRJLyIbJghUWbXZXt+Oj2NTlZALulpHWoTyTR9ik7aKvr tnkRe4iiLTBTpcrtSs7C72XATezkeSYEEWUVKcpcZTfubyK4w8Jx09xADsfJysdh 6uZnxGxI2ZeDN3yFKgxiDQQn06qFpwnrvqaT80xlzi0jdTmvsXOT0zkzL4UWR+Gf uV6NXyFqUxeKTLtj5WKMZHnfal1GCRCXYH7IUuHqL3B4Wzr3/ErXCfZhCzvqQh1f 3DDyjRY9CnhbzdknPJJEgm/KybWCC8QmzPT9FoqvJ8HYi4lt5LRfyW8wOixS3n34 EPVupo7NJKhIMXgMfDpdCFM9FCLKkvarHZeUJo10/G5j+Z5IItQXPAYHLjDwcXFY R9meBwbyPAr/j6zKtrkrMNDaOam+c0pGCOL4T7uoYIZAcErFdtg3H4xAo9o4NKFA 8cWXJZmREf0wja8chcRN/Y0ZxeoTUK+xUWuc1YWF6Rl+zwiWEyA= =ZFMb -----END PGP SIGNATURE-----
--- End Message ---
