Ubuntu Security Notice 5388-2 - It was discovered that OpenJDK incorrectly verified ECDSA signatures. An attacker could use this issue to bypass the signature verification process. It was discovered that OpenJDK incorrectly limited memory when compiling a specially crafted XPath expression. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK incorrectly handled converting certain object arguments into their textual representations. An attacker could possibly use this issue to cause a denial of service.

`==========================================================================   Ubuntu Security Notice USN-5388-2   April 26, 2022  openjdk-17 vulnerabilities   ==========================================================================  A security issue affects these releases of Ubuntu and its derivatives:  - Ubuntu 22.04 LTS   - Ubuntu 21.10   - Ubuntu 20.04 LTS   - Ubuntu 18.04 LTS  Summary:  Several security issues were fixed in OpenJDK.  Software Description:   - openjdk-17: Open Source Java implementation  Details:  It was discovered that OpenJDK incorrectly verified ECDSA signatures. An   attacker could use this issue to bypass the signature verification process.   (CVE-2022-21449)  It was discovered that OpenJDK incorrectly limited memory when compiling a   specially crafted XPath expression. An attacker could possibly use this   issue to cause a denial of service. (CVE-2022-21426)  It was discovered that OpenJDK incorrectly handled converting certain   object arguments into their textual representations. An attacker could   possibly use this issue to cause a denial of service. (CVE-2022-21434)  It was discovered that OpenJDK incorrectly validated the encoded length of   certain object identifiers. An attacker could possibly use this issue to   cause a denial of service. (CVE-2022-21443)  It was discovered that OpenJDK incorrectly validated certain paths. An   attacker could possibly use this issue to bypass the secure validation   feature and expose sensitive information in XML files. (CVE-2022-21476)  It was discovered that OpenJDK incorrectly parsed certain URI strings. An   attacker could possibly use this issue to make applications accept   invalid of malformed URI strings. (CVE-2022-21496)  Update instructions:  The problem can be corrected by updating your system to the following   package versions:  Ubuntu 22.04 LTS:   openjdk-17-jdk 17.0.3+7-0ubuntu0.22.04.1   openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.22.04.1   openjdk-17-jre 17.0.3+7-0ubuntu0.22.04.1   openjdk-17-jre-headless 17.0.3+7-0ubuntu0.22.04.1   openjdk-17-jre-zero 17.0.3+7-0ubuntu0.22.04.1  Ubuntu 21.10:   openjdk-17-jdk 17.0.3+7-0ubuntu0.21.10.1   openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.21.10.1   openjdk-17-jre 17.0.3+7-0ubuntu0.21.10.1   openjdk-17-jre-headless 17.0.3+7-0ubuntu0.21.10.1   openjdk-17-jre-zero 17.0.3+7-0ubuntu0.21.10.1  Ubuntu 20.04 LTS:   openjdk-17-jdk 17.0.3+7-0ubuntu0.20.04.1   openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.20.04.1   openjdk-17-jre 17.0.3+7-0ubuntu0.20.04.1   openjdk-17-jre-headless 17.0.3+7-0ubuntu0.20.04.1   openjdk-17-jre-zero 17.0.3+7-0ubuntu0.20.04.1  Ubuntu 18.04 LTS:   openjdk-17-jdk 17.0.3+7-0ubuntu0.18.04.1   openjdk-17-jdk-headless 17.0.3+7-0ubuntu0.18.04.1   openjdk-17-jre 17.0.3+7-0ubuntu0.18.04.1   openjdk-17-jre-headless 17.0.3+7-0ubuntu0.18.04.1   openjdk-17-jre-zero 17.0.3+7-0ubuntu0.18.04.1  This update uses a new upstream release, which includes additional bug   fixes. After a standard system update you need to restart any Java   applications or applets to make all the necessary changes.  References:   https://ubuntu.com/security/notices/USN-5388-2   https://ubuntu.com/security/notices/USN-5388-1   CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21449,   CVE-2022-21476, CVE-2022-21496  Package Information:   https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.22.04.1   https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.21.10.1   https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.20.04.1   https://launchpad.net/ubuntu/+source/openjdk-17/17.0.3+7-0ubuntu0.18.04.1  `

Ubuntu Security Notice USN-5388-2

Ubuntu Security Notice 5388-1 - It was discovered that OpenJDK incorrectly limited memory when compiling a specially crafted XPath expression. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK incorrectly handled converting certain object arguments into their textual representations. An attacker could possibly use this issue to cause a denial of service. It was discovered that OpenJDK incorrectly validated the encoded length of certain object identifiers. An attacker could possibly use this issue to cause a denial of service.

`==========================================================================   Ubuntu Security Notice USN-5388-1   April 26, 2022  openjdk-lts vulnerabilities   ==========================================================================  A security issue affects these releases of Ubuntu and its derivatives:  - Ubuntu 22.04 LTS   - Ubuntu 21.10   - Ubuntu 20.04 LTS   - Ubuntu 18.04 LTS  Summary:  Several security issues were fixed in OpenJDK.  Software Description:   - openjdk-lts: Open Source Java implementation  Details:  It was discovered that OpenJDK incorrectly limited memory when compiling a   specially crafted XPath expression. An attacker could possibly use this   issue to cause a denial of service. (CVE-2022-21426)  It was discovered that OpenJDK incorrectly handled converting certain   object arguments into their textual representations. An attacker could   possibly use this issue to cause a denial of service. (CVE-2022-21434)  It was discovered that OpenJDK incorrectly validated the encoded length of   certain object identifiers. An attacker could possibly use this issue to   cause a denial of service. (CVE-2022-21443)  It was discovered that OpenJDK incorrectly validated certain paths. An   attacker could possibly use this issue to bypass the secure validation   feature and expose sensitive information in XML files. (CVE-2022-21476)  It was discovered that OpenJDK incorrectly parsed certain URI strings. An   attacker could possibly use this issue to make applications accept   invalid of malformed URI strings. (CVE-2022-21496)  Update instructions:  The problem can be corrected by updating your system to the following   package versions:  Ubuntu 22.04 LTS:   openjdk-11-jdk 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jre 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.22.04.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.22.04.1  Ubuntu 21.10:   openjdk-11-jdk 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jre 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.21.10.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.21.10.1  Ubuntu 20.04 LTS:   openjdk-11-jdk 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jre 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.20.04.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.20.04.1  Ubuntu 18.04 LTS:   openjdk-11-jdk 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jdk-headless 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jre 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jre-headless 11.0.15+10-0ubuntu0.18.04.1   openjdk-11-jre-zero 11.0.15+10-0ubuntu0.18.04.1  This update uses a new upstream release, which includes additional bug   fixes. After a standard system update you need to restart any Java   applications or applets to make all the necessary changes.  References:   https://ubuntu.com/security/notices/USN-5388-1   CVE-2022-21426, CVE-2022-21434, CVE-2022-21443, CVE-2022-21476,   CVE-2022-21496  Package Information:   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.22.04.1   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.21.10.1   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.20.04.1   https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.15+10-0ubuntu0.18.04.1  `

Ubuntu Security Notice USN-5388-1

Red Hat Security Advisory 2022-1490-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  ====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1490-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1490   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   ====================================================================   1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.4 Extended Update Support.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, x86_64   Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream EUS (v.8.4):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_4.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_4.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.x86_64.rpm  Red Hat CodeReady Linux Builder EUS (v. 8.4):  aarch64:   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm  x86_64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJltzjgjWX9erEAQixhg/9FlN+3plAc+A56+yeOsQFp10F8gb8c3Du   rKpHuht4ZZtfSXf9RjW/DigMdpo9+2d2LAQc3rVEZydM7CwP2v051CUxU6Okukz2   MDYLcT4xV9SVl0XJxw3YMbOuH1HgSL3qkypnOOL7G5WeQHV5iU3khQ07IlousGQu   jKYzdOLwzm/LqAWgKhj+hRCruS+ZlVjsX+FuU09wpwI1BjtW7e7Kcl6lzO/9QoBa   29h+bmEYBR6cZWdqfxtvIwtOOqbx7csnl3oOOxhOiDHbgn6aq/7kyfeexvk0uiSw   IeSijMTcxeE0/HbI+QXkI3iws2yetf8mZSrXZYCzhDulwRyKNY8x04FpkDq1YUrT   xZTGzlw7iiZaeMqVRfHQCBBnQy1di4hQiGdafeIvWZBT730BpVkrjLGcvzG5v1Ul   PGyjq4LoCPUJUGUITi/1O3GDiizXH/qSeYxjxcD5K4KjoMuCxIbqoBoB21nQVxcN   NIG+iiuwaojdK1UWGGJ2wAwui4PLh+wCujXYGXuSgeK3GVtaWPAwAJU7kPO3F2y7   n00IB9CmxIDXLLHwuxRCpWoVxcK/lXRyH28iNvyys7+b9ZUvpEeFthrM/BcZi0UL   kldsaQETrT6TLIaBu00+ImXzLOsc8QnqJGpcXZ80tj7YURXVloin57kHQtf5OiJd   nznTOjxJ3RE=U1D6   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1490-01

Red Hat Security Advisory 2022-1491-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1491-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1491   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64   Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream (v. 8):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_5.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_5.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.x86_64.rpm  Red Hat CodeReady Linux Builder (v. 8):  aarch64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm  x86_64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJi9zjgjWX9erEAQiJFw//aHWpEtdVlArGK/D4EUJG8P7QKzMgLGYh   y6WHYvXmMjiwhl/1o7PXUzUXjmGkAQQ4bOOkyWndbc4DsBMwuz7/otmF64h0Ol5K   LMEiW1EZPkn8zaVzRJegL9y8GbP0jEg0MNFJ6SUtYS1fkYIxXc22LfFskzeNKxFy   vNfWIPx7lN1+jQgubTi0WKVcBnXjBwQ/ZloPQzzRanrW6QfM3K8a0C7X+DeJO5wR   lWGMYCkRZCKXxSCEWDv81pNwXy2S9SuV6Mo9VgW3TG+UfLkhIePA4yebDhnFQi/p   BizL9/b8UIb6CEgdNIj4csK49b7Ae8ABArhWSi1aAscQZNO9gAwgWGTKZAh7ZhQt   jEnaZpf9U/V+imLXyiqsknUQHH/vqIVYWTSnAwgYwNDDrPWtnHwBuRUh2MzE3cUY   CCHTneQ3GRYSm3hVlixf8L27uLh7ofad9vVHo/Jo33XM+o7dbC3/HGQasxWljNgY   j6aEKnNgtFTrLc4fARgKwC2j0qbZm9Nb5KXTmzdbtwgzFOGBlMnEmFWuDWncZ/Y/   el7MVYb/BiEGFhUH520mOPE+heeJYdRladjbgaq9+wu5zDyZ3K4CFIND81JPY1OT   X6QTIP8K0NGoAxOrhOOKQYDWi07I1AjCy86QPGIoMBaOW+RezxKjp3PDQovaNAAl   HNuIUczreHE=   =Kska   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1491-01

Red Hat Security Advisory 2022-1487-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security, bug fix, and enhancement update   Advisory ID: RHSA-2022:1487-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1487   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 7.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux Client (v. 7) - x86_64   Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64   Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Workstation (v. 7) - x86_64   Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2047529 - Prepare for the next quarterly OpenJDK upstream release (2022-04, 8u332) [rhel-7]   2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux Client (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Client Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  ppc64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  ppc64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJhNzjgjWX9erEAQhPuw//Zb0N99JyndrQMfmjrUw7kGh4hagh5/6v   EmZbNfmYZ3WtF7kOdNWzJ1bVnND5FsUZD1gHKz12ico5O+L+3yfkvqbPZe6F8DtE   XM391+BBLRe5A27rArHPpx1gM76N01BO7SBdawDXR7ZOHw0qF8nWa7AGzmzbNAYx   mn6RXFVvmlCLGDI83/aRY5wi7WPssQ0FAj4HB5ngeYLMEzzlQ63bQM6zoysW5aD9   K/Y0b1b/zpdawLaHJSCMLGPjNd5rRgBmQtNK94OVITMcgbYBEvQU9buDq9NoGrbK   Qp+MXaweMYtFJoDVP3PqiiZdu20nagfH8sfnBpw6LXqh2yWjvrSPJpniNm0jRPLk   YBReD1bLSk8JpQkTKjdSq8S6hQlNqzTHukNFTi4O7wkI031h2G/EV9kGf3nF7/uX   hGiwl2WAgwfM1CnFm9keiVZYj5aGHsLaxHqe0At8SU0c60UqAqJ4Ms924XKAkxrK   5+qAErYzOENysGss43zcwW2ru585gJzQmXUwLZmQ4AKeNp19xSwBro4RFJfKtZgv   N6rukoMIr3X9AE++k7iNTYh3c5wWoExU3yri8TYaap8sCk+Uys0kLHhMTW7eXH9X   U81tTAy5JVvLLmlijIe4/exnpdBXcJTeruKpNX7NT6BR/kQtApDORJcLoOK5Eowg   kmZ0zK+vqwM=   =TsnX   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1487-01

Red Hat Security Advisory 2022-1488-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1488-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1488   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.1 Update Services for SAP Solutions.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream E4S (v. 8.1):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_1.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_1.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJfNzjgjWX9erEAQgiKxAAoi0SREMKqTnKqWglR369v/Ni6B3d7xxj   glSaMGBkgf+2xZkI4eXqAr1EjpzNtTxWAvP6ORU+G03K38lhjKW77cJVCWntN83m   QpQ2pE936Lgcq03dJYX8KcVWutFS3WKeLXFdwlVGFxTvMMa+3BTYDMMrQWgahjet   jZAb1xqEYFJJ/MQ8hAIaZeHR5aM+G+BMhGFbNsHD+HVeLFl8vfgzJGNPQ2C9HJS8   9iZiaKRKEF4otzu+qYG7FPuZYqjE41xEzlQvmDcADBuD+CJUq9s1uf4dBKwhoAdc   E3GYmziH/WIMOKs1q/vyT8otnGZLd8V2PJTJYgMl33y/GWbMycFP5+VUaN5ag+je   36iBwmWsoVtDUz2UYrZJn28mUPGBEeaaFJ7+YFYpoo1hS3xwoNm6l8qB+LYJT8sk   v2Wh0IZolzQHEYhFYSapbpFciVOUaZZ7xfZ9k7MUJilT6oLj25kgrE/YLBF1xG12   KqQxiFDJ/r1Lh0P1ZaBc30gdsGMmQZ6sxJD0AJsLTq+zd6WJA9/bna4d/e5nsNPw   kGmazfEukC3vOUVV2wQ1QqihHUhx6ZJNyZb/KdO6oj5RWSu1t/wVuovqDZyeMNMs   /w7rQiTGU9q2HgggRq0EpuoN344t/dP94IJKESffvZDdSYLmaeVsIXHJ8RzYHS9M   tpSd0s3muU8=   =bWrm   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1488-01

Red Hat Security Advisory 2022-1489-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1489-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1489   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.2 Extended Update Support.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream EUS (v. 8.2):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_2.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_2.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJcdzjgjWX9erEAQiaBBAAhsv+re6Xov/rKez1Zu38eQ3HX4oeHWVc   W/em2WfOnx52qXAoSOVSXOil7+b36Og8y+q/aTbfVqVYJgdvuXysGpbr5ny2M9Yo   JKvCMtvY01nQ7A1yZqejxBVmVTRpcb0uOJWnV1c2Ma9dozTNw++7bMybCeTVuU9H   A8R9l2gOnf82rQ0cLyktwBSicoPAC7B3HmMmE3K+D04bgzlBwQUJniLA7oE+Z5HC   yA0nZiH629g0DBVpEEhEfsVjNbc+qAHrXk0r0FV6BaNCvZqqsk48+ma+jcMDgfJe   Uos/y3VRf31+msru1a2bhHRVUcMVvLjqD+hAHZV/WIf++YqkkojG5sSfdTL/jxrR   RTTB0vvfaPZJH2a7STkGqfAeKTWjWXBjVf9UeectEKPwW00PTgTTBEQ3I/22qADB   x+/MF382C4WhAVmviKke1tXfn0cJIuIJdPfnGuoSeNPxnIzw4hb385OeAInQdTkK   HgdVtJXmHSqG8DU5gaP9r5LCeU3GtogBwj9ARTZ2z5b2dbOOZSslzH80PUkjdi4w   /BTlG0LTgGj06lgfX64GOhTadEsVTHuNaKFfk2a2781ETLF3Cv67fMrLl2jfM70r   +Npu8oJ/sBX5TK4Whv+hEDZBQcBUDge5xEDJ2J/m4MxI3XyAVkl88CT1tuGjYbS7   nGyAfWdwLoY=   =0y1v   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1489-01

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.

At Line 470 in the code below, we call yang_data_new, which will further call strdup(raw_pdu). However, raw_pdu is not guaranteed to be a zero-terminated string and, thus, will lead to a stack overflow in strdup. When I set raw_pdu[raw_pdu_len - 1] to \0, then the bug disappears. Note that strdup should be used with a C-string.

In the same file, isis_nb_notifications.c, there are **8 places** where yang_data_new are used with raw_pdu and, thus, may have the overflow bug. Please check and suggest a fix. I can give a pull request then.

void isis\_notif\_id\_len\_mismatch(const struct isis\_circuit \*circuit,

uint8\_t rcv\_id\_len, const char \*raw\_pdu,

size\_t raw\_pdu\_len)

{

const char \*xpath = "/frr-isisd:id-len-mismatch";

struct list \*arguments = yang\_data\_list\_new();

char xpath\_arg\[XPATH\_MAXLEN\];

struct yang\_data \*data;

struct isis\_area \*area = circuit->area;

notif\_prep\_instance\_hdr(xpath, area, "default", arguments);

notif\_prepr\_iface\_hdr(xpath, circuit, arguments);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/pdu-field-len", xpath);

data = yang\_data\_new\_uint8(xpath\_arg, rcv\_id\_len);

listnode\_add(arguments, data);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/raw-pdu", xpath);

data = yang\_data\_new(xpath\_arg, raw\_pdu);

listnode\_add(arguments, data);

What follows is the output of the address sanitizer:

    ==48351==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe596a3a76 at pc 0x000000543e97 bp 0x7ffe596a3020 sp 0x7ffe596a27e0
    READ of size 23 at 0x7ffe596a3a76 thread T0
        #0 0x543e96 in strdup (/home/parallels/myfrr/isisd/isisd+0x543e96)
        #1 0x84f73d in yang_data_new /home/parallels/myfrr/lib/yang.c:608:17
        #2 0x6716eb in isis_notif_id_len_mismatch /home/parallels/myfrr/isisd/isis_nb_notifications.c:470:9
        #3 0x5cedcf in isis_handle_pdu /home/parallels/myfrr/isisd/isis_pdu.c:1706:3

CVE-2022-26126: isisd: misusing strdup leads to stack overflow · Issue #10505 · FRRouting/frr

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.

CVE-2021-42117: Release Notes - TopEase Documentation

vim is vulnerable to Heap-based Buffer Overflow

@@ -464,13 +464,13 @@ win\_redr\_status(win\_T \*wp, int ignore\_pum UNUSED)

\*(p + len++) = ' ';

if (bt\_help(wp->w\_buffer))

{

STRCPY(p + len, \_("\[Help\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[Help\]"));

len += (int)STRLEN(p + len);

}

#ifdef FEAT\_QUICKFIX

if (wp->w\_p\_pvw)

{

STRCPY(p + len, \_("\[Preview\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[Preview\]"));

len += (int)STRLEN(p + len);

}

#endif

@@ -480,12 +480,12 @@ win\_redr\_status(win\_T \*wp, int ignore\_pum UNUSED)

#endif

)

{

STRCPY(p + len, "\[+\]");

len += 3;

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", "\[+\]");

len += (int)STRLEN(p + len);

}

if (wp->w\_buffer\->b\_p\_ro)

{

STRCPY(p + len, \_("\[RO\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[RO\]"));

len += (int)STRLEN(p + len);

}

Tag

#xpath