-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1797
                      java-1.8.0-ibm security update
                                 21 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           java-1.8.0-ibm
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2830 CVE-2020-2805 CVE-2020-2803 CVE-2020-2800
                   CVE-2020-2781 CVE-2020-2757 CVE-2020-2756 CVE-2020-2755
                   CVE-2020-2754 CVE-2020-2654 CVE-2019-2949
Reference:         ASB-2020.0076
                   ASB-2019.0294
                   ESB-2020.1460
                   ESB-2020.1413

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:2237
   https://access.redhat.com/errata/RHSA-2020:2239
   https://access.redhat.com/errata/RHSA-2020:2241

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-ibm security update
Advisory ID:       RHSA-2020:2237-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2237
Issue date:        2020-05-20
CVE Names:         CVE-2019-2949 CVE-2020-2654 CVE-2020-2754 CVE-2020-2755
                   CVE-2020-2756 CVE-2020-2757 CVE-2020-2781 CVE-2020-2800
                   CVE-2020-2803 CVE-2020-2805 CVE-2020-2830
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7
Supplementary.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR6-FP10.

Security Fix(es):

* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)

* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)

* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)

* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)

* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)

* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)

* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)

* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)

* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)

* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)

* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1761594 - CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)

6. Package List:

Red Hat Enterprise Linux Client Supplementary (v. 7):

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 7):

ppc64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.ppc64.rpm

ppc64le:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm

s390x:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.s390x.rpm

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 7):

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-2949
https://access.redhat.com/security/cve/CVE-2020-2654
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXsU9w9zjgjWX9erEAQh39A/+O1RaRaPwJWFhMyhrVfyW/795PmJUmH4Z
WEVgoCZEsKX13BcRB81w8m2uv1O8NZj2hu+I0PvzqqOu62evgIZY8i7K/oqntxgJ
6tQte4yTXcYZj8aLrvG2qbBEAMH6Xey6T6iv/7y2coY73gBTCw0O2zY41DP6Yi4r
SdGObur1bg88pMsQqdZ3HqQCVy4hnvEweLrGLtOO21QII4qSkTeRZW0+JQMc0TP8
eV5Q2xHZtwYCMnP67kO4NP8m1EkCCQ1dLowTtzci52hXsOJebA9FsOad8tqYT+Wp
AcUAssNcrMrP6SO7sdlB1MrA0sGNBNzMxv6jewwjnfr2DVZfjDIEbf2ExHF7q/JO
cMLvloRjQ0rIYHf6Kf+JCMftqK61C0KVMlrJidrJ4FZ9AtT2IvBAJW5MCHdER/Yw
M/vqBSzcQ4GxDHxKZ7EviRwEJs93fv6678fAvmyAD3gVvDkdO27gLFBmmh4+3Jwf
qIWLYqOxxHol4iSq9cenJqeCJK5giRr2p9w+IpWLWm/BlGiVBbQ0HEh1WzlMs9Rd
G3md61azTC5vs8nW3+Bo1Eb5hRtnEe2/fYY+frpPBF/0NYACMQH6/blOXt+OgCw0
2xKGTrqOfbs3F+o2cFzGppoivutRbpGRm6Ydo7/mqQ18MYoIIaS5lKU2h/50KocB
oEhIU28Yv+I=
=vNoR
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-ibm security update
Advisory ID:       RHSA-2020:2239-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2239
Issue date:        2020-05-20
CVE Names:         CVE-2019-2949 CVE-2020-2654 CVE-2020-2754 CVE-2020-2755
                   CVE-2020-2756 CVE-2020-2757 CVE-2020-2781 CVE-2020-2800
                   CVE-2020-2803 CVE-2020-2805 CVE-2020-2830
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6
Supplementary.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR6-FP10.

Security Fix(es):

* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)

* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)

* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)

* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)

* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)

* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)

* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)

* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)

* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)

* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)

* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1761594 - CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.i686.rpm

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.i686.rpm

ppc64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm

s390x:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.i686.rpm

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-2949
https://access.redhat.com/security/cve/CVE-2020-2654
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXsU+ANzjgjWX9erEAQgWDQ//fWaz+bAUBVUThfzlQgjXH0EFgEhIWpSQ
HER3J++aJOSlD1WnpiaAw9qdzJWcSuuj0MxBqpXklhyr+yNnTxsvw+iT8AssqWHP
ffCD5K2dRVeCkKXiplMpuZQxxYr3ZdrTDCCAbd7oTKFLsGwjwqcw96YIT+dt5+GP
6rpTFzpy6XdWt+wWvHhf9DsOdItHnTg9e3QM5LI/jNPU8P2kQLR0yIsH9pSMpKgr
rTcE4tCaSEy7HpOglzzVNXYUcyIdPbHK3RIQTNjk5A52HNs/SYMUi2uOadefUPoY
LnVQod7SYeq57uw/NwoHKuxwz7BPJesVTOVs3MASYAD5EVC6ukhEPrfXaKnlWrzG
ruEfQLVAdFPXyo77JvdgSQIdeN5sSxCHnODdyoXgSGra9SPnBR8+oA0bZ9WEpuBy
P5Tsyr5WjuXERG1tjdssirC1aJo4CleuPejmQ3TmWnZXkKYJvJbc9lFZAZUptS1M
27lF8EuC38Bf5n6NV7uH3l3m8q5OEXKccbYe97kmlBp5K/jpyLAGJygb5g2lTSf4
VYrUZPx1k/rNsZ7kcfAHuKxKnZvPQawGezVPP1GT9qnQgewzI8TwG+Rm/oahNeVG
KklYUCqDF/CL6SO4eL++ffTBYgjU4/Tj9iCuKlVR/LRu8PgUuHnAsFMxn7c28VYe
BTCkYDhQvoU=
=8njU
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-ibm security update
Advisory ID:       RHSA-2020:2241-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2241
Issue date:        2020-05-20
CVE Names:         CVE-2019-2949 CVE-2020-2654 CVE-2020-2754 CVE-2020-2755
                   CVE-2020-2756 CVE-2020-2757 CVE-2020-2781 CVE-2020-2800
                   CVE-2020-2803 CVE-2020-2805 CVE-2020-2830
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 8 Supplementary - ppc64le, s390x, x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR6-FP10.

Security Fix(es):

* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)

* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)

* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)

* OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)

* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)

* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)

* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)

* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)

* OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)

* OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)

* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1761594 - CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)

6. Package List:

Red Hat Enterprise Linux 8 Supplementary:

ppc64le:
java-1.8.0-ibm-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-webstart-1.8.0.6.10-1.el8_2.ppc64le.rpm

s390x:
java-1.8.0-ibm-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2.s390x.rpm

x86_64:
java-1.8.0-ibm-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-webstart-1.8.0.6.10-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-2949
https://access.redhat.com/security/cve/CVE-2020-2654
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXsVU8tzjgjWX9erEAQgQYg/8DsN99sE3VjueIWpVuE+53Vdmzyk4qF8Z
x4BxMLBYvwvSyKa4R3g7HNlBo1KZRoFOYbnii6PBVl6ldokTkovVU2gKtYIUDr1g
6fFktbaL+oTRfdT7XOg/KF9VtbmL/UdXvMHPGXUDkC5MB55UIMhocoHNP3zqjG92
lBviTQIIh0aRZdhUuqjI/uiBnuO+wkIvMzX2XxdtSCXR3pOUdzWJ4L9mo2qrR+Iz
MTJ3H0A/ArtwTy49tB7gLR99mlxaONgP+gi1vlKmfepwTw0I64hQQ3Xt95Jjdjw8
uNCcKnzjkyNtngZy9fKe5EJtn1zKxY7/yjWqmXAiYUU/HHF/L907iUC1dD9ja3QW
YO7sib/L5v5Wko6AZj2oQnxBmqGljOobtmYKnedHakYGF9WFP0Xlj/xqaHauAEEc
Fk9Ffrdv0o+O+X+Y5Z5BTwP56dZ7/gj4Jo1L70Gd53B6qFM58VD8qq8/UrwLNBC9
JUO+nZBK0K5A6yR6beGwCT0DPpx/Elg/NO0yXNsyMefnGuV3jyTlx9jhPEmyiufe
nYgoWMeO1E6TO/5vagycGjgP+bmcl8UPqk5WV7PaJ8kUSiyBOl3T0ZGKTGyxg3w5
QBCqbQSxge1UJ2b59bgD4Tcr0KT3nsR4xq+NkRdpkINGc1QCVX24roqdMJp3OPvg
qX5hayTiKkY=
=r5zd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXsXKCeNLKJtyKPYoAQj7RA//YqfcH/FzjteKP2GBvtlr+bq6caKO9CBX
SzzYk1YE7DjulVpJ/p24xTPqnGpmLwODwg8sy20HMvhHHVmq9ZOKlw/GJc9fXgFp
iN3s8V7ipMSs4GdwtMZNOusUQmmcyvoXo8HNqdjXqweoUQAHbYnmveitj+fr2J/b
FbtUJ4hJ938zpWEARM6cWNlrs7yy8sN1DkHUgS6Mgs1vmD6PExrzWbtYPiE17djJ
VxiwqI99xlsQhNthf88O7SQzrGRHiEgeer4Sw/ValUdXOtxG+gqO0AWuacbxOafR
5ogc4vx7bk2hcNL9c+FPbZzzhBrbmvFiKYA5Jy3sw5fr2ivP5T7FRL9AFwaGMhIk
HGX8SIQmHeY10yOQMNSvZikufzkSah35jgbGO2xCpa2w5i6iet0e5LG6ukws1f8y
PvALghaxEV04/F3oBTCY/fQbwn5kllQONCXEVYMzDKGJRtBPfEzjIVpUg+XlLOc0
7hRShLkMz68OjRDMlW+nJT6Oixpr4za4K3pMTcRmvBhEI4FWjUfrLSgyzbnMGCJh
jRFw76FCtmgSq35tzwbEW7pCoBCNe7kx+LQ7JIQJRjwkL+11+owuwkYYGwBB2pAh
Wkg83Wfswc6v8PZJXr75kIZL5nc7e/7rt7YmSiTBF6YGHQZTsZqDOsLBMp7SVHpj
wCpuAqF8fsI=
=x5RI
-----END PGP SIGNATURE-----
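Checking whether a fleet has actually picked up the fixed builds from section 6 of the three advisories, as an added example that is not part of the AusCERT bulletin or of Red Hat's advisories. On the host itself `yum updateinfo info RHSA-2020:2237` (or the equivalent advisory ID for RHEL 6/8) is the authoritative check; this script is for the offline case where you only have collected `rpm -qa` output. The package file names are taken from the advisories; the `rpm -qa` sample is constructed for a hypothetical RHEL 7 host, and the version comparison is my own re-implementation of librpm's `rpmvercmp` (the epoch is ignored because none of these packages carry one). The point it demonstrates is that a naive string comparison gets this update wrong: "1.8.0.6.5" sorts after "1.8.0.6.10" lexically, yet SR6-FP5 is the vulnerable build.

```python
"""Offline check of `rpm -qa` output against the fixed java-1.8.0-ibm builds
listed in section 6 of RHSA-2020:2237, RHSA-2020:2239 and RHSA-2020:2241."""
import re
import sys

# File names copied from the advisories' package lists. One entry per dist tag
# is enough: every subpackage of a build shares the same version-release.
ADVISORY_PACKAGES = [
    "java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm",
    "java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm",
    "java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm",
    "java-1.8.0-ibm-1.8.0.6.10-1.el8_2.x86_64.rpm",
]

# Constructed sample of `rpm -qa` output from a hypothetical RHEL 7 host: the
# base package is still at SR6-FP5 while -devel has already been updated.
SAMPLE_RPM_QA = """\
java-1.8.0-ibm-1.8.0.6.5-1jpp.1.el7.x86_64
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64
java-11-openjdk-11.0.7.10-4.el7_8.x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation of librpm's rpmvercmp. Split both strings into numeric
    and alphabetic segments; numeric segments compare as integers (so 6.5 < 6.10),
    alphabetic ones as strings, a numeric segment beats an alphabetic one, and
    '~' sorts before anything else (pre-releases). Returns -1, 0 or 1."""
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(ta, tb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        xk, yk = (int(x), int(y)) if x_num else (x, y)
        if xk != yk:
            return -1 if xk < yk else 1
    if len(ta) == len(tb):
        return 0
    a_longer = len(ta) > len(tb)
    rest = ta[len(tb)] if a_longer else tb[len(ta)]
    if rest == "~":  # e.g. 1.0~rc1 is older than 1.0
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_nevra(pkg: str):
    """Split 'name-version-release.arch[.rpm]' as printed by `rpm -qa` or used
    as an RPM file name. Returns (name, version, release, arch)."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    nvr, _, arch = pkg.rpartition(".")
    nv, _, release = nvr.rpartition("-")
    name, _, version = nv.rpartition("-")
    return name, version, release, arch


def fixed_from_advisory(filenames):
    """Map dist tag (el7, el6_10, el8_2) -> (version, release) of the fixed build."""
    fixed = {}
    for f in filenames:
        _, version, release, _ = parse_nevra(f)
        fixed[release.rsplit(".", 1)[-1]] = (version, release)
    return fixed


def check_installed(rpm_qa_lines, fixed):
    """Return {installed NVRA: verdict} for every java-1.8.0-ibm* package."""
    report = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, version, release, _ = parse_nevra(line)
        if not name.startswith("java-1.8.0-ibm"):
            continue
        dist = release.rsplit(".", 1)[-1]
        if dist not in fixed:
            report[line] = "unknown dist tag, compare by hand"
            continue
        fv, fr = fixed[dist]
        # Version decides first; the release only matters when versions tie.
        cmp = rpmvercmp(version, fv) or rpmvercmp(release, fr)
        report[line] = "fixed" if cmp >= 0 else f"VULNERABLE: need {name}-{fv}-{fr}"
    return report


if __name__ == "__main__":
    # On a host:  rpm -qa 'java-1.8.0-ibm*' | python3 check_ibm_java.py
    # Without piped input the constructed sample above is checked instead.
    lines = (sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA).splitlines()
    for pkg, verdict in check_installed(lines, fixed_from_advisory(ADVISORY_PACKAGES)).items():
        print(f"{pkg}: {verdict}")
```

A "fixed" verdict only means the files on disk are the patched ones. The advisories require every running IBM Java instance to be restarted, so pair this with `needs-restarting` from yum-utils (or a check of `/proc/<pid>/maps` for `(deleted)` library mappings) to find JVMs still executing the old code.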