-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3494
                      java-11-openjdk security update
                              21 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           java-11-openjdk
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Overwrite Arbitrary Files       -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-35603 CVE-2021-35586 CVE-2021-35578
                   CVE-2021-35567 CVE-2021-35565 CVE-2021-35564
                   CVE-2021-35561 CVE-2021-35559 CVE-2021-35556
                   CVE-2021-35550  

Reference:         ASB-2021.0207
                   ESB-2021.3493

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:3886
   https://access.redhat.com/errata/RHSA-2021:3892
   https://access.redhat.com/errata/RHSA-2021:3887
   https://access.redhat.com/errata/RHSA-2021:3891

Comment: This bulletin contains four (4) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update
Advisory ID:       RHSA-2021:3886-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3886
Issue date:        2021-10-20
CVE Names:         CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 
                   CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 
                   CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 
                   CVE-2021-35603 
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux
8.1 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE,
8254967) (CVE-2021-35565)

* OpenJDK: Incorrect principal selection when using Kerberos Constrained
Delegation (Libraries, 8266689) (CVE-2021-35567)

* OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE,
8264210) (CVE-2021-35550)

* OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
(CVE-2021-35556)

* OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
(CVE-2021-35559)

* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility,
8266097) (CVE-2021-35561)

* OpenJDK: Certificates with end dates too far in the future can corrupt
keystore (Keytool, 8266137) (CVE-2021-35564)

* OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
(CVE-2021-35578)

* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
(CVE-2021-35586)

* OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
(CVE-2021-35603)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2014508 - CVE-2021-35565 OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967)
2014515 - CVE-2021-35556 OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
2014518 - CVE-2021-35559 OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)
2015061 - CVE-2021-35564 OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137)
2015308 - CVE-2021-35586 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
2015311 - CVE-2021-35603 OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
2015648 - CVE-2021-35550 OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
2015653 - CVE-2021-35578 OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
2015658 - CVE-2021-35567 OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689)

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.1):

Source:
java-11-openjdk-11.0.13.0.8-1.el8_1.src.rpm

aarch64:
java-11-openjdk-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.aarch64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_1.aarch64.rpm

ppc64le:
java-11-openjdk-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.ppc64le.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_1.ppc64le.rpm

s390x:
java-11-openjdk-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.s390x.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_1.s390x.rpm

x86_64:
java-11-openjdk-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_1.x86_64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-35550
https://access.redhat.com/security/cve/CVE-2021-35556
https://access.redhat.com/security/cve/CVE-2021-35559
https://access.redhat.com/security/cve/CVE-2021-35561
https://access.redhat.com/security/cve/CVE-2021-35564
https://access.redhat.com/security/cve/CVE-2021-35565
https://access.redhat.com/security/cve/CVE-2021-35567
https://access.redhat.com/security/cve/CVE-2021-35578
https://access.redhat.com/security/cve/CVE-2021-35586
https://access.redhat.com/security/cve/CVE-2021-35603
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update
Advisory ID:       RHSA-2021:3887-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3887
Issue date:        2021-10-20
CVE Names:         CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 
                   CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 
                   CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 
                   CVE-2021-35603 
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux
8.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE,
8254967) (CVE-2021-35565)

* OpenJDK: Incorrect principal selection when using Kerberos Constrained
Delegation (Libraries, 8266689) (CVE-2021-35567)

* OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE,
8264210) (CVE-2021-35550)

* OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
(CVE-2021-35556)

* OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
(CVE-2021-35559)

* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility,
8266097) (CVE-2021-35561)

* OpenJDK: Certificates with end dates too far in the future can corrupt
keystore (Keytool, 8266137) (CVE-2021-35564)

* OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
(CVE-2021-35578)

* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
(CVE-2021-35586)

* OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
(CVE-2021-35603)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2014508 - CVE-2021-35565 OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967)
2014515 - CVE-2021-35556 OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
2014518 - CVE-2021-35559 OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)
2015061 - CVE-2021-35564 OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137)
2015308 - CVE-2021-35586 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
2015311 - CVE-2021-35603 OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
2015648 - CVE-2021-35550 OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
2015653 - CVE-2021-35578 OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
2015658 - CVE-2021-35567 OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689)

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v. 8.2):

Source:
java-11-openjdk-11.0.13.0.8-1.el8_2.src.rpm

aarch64:
java-11-openjdk-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_2.aarch64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_2.aarch64.rpm

ppc64le:
java-11-openjdk-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_2.ppc64le.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_2.ppc64le.rpm

s390x:
java-11-openjdk-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_2.s390x.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_2.s390x.rpm

x86_64:
java-11-openjdk-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_2.x86_64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-35550
https://access.redhat.com/security/cve/CVE-2021-35556
https://access.redhat.com/security/cve/CVE-2021-35559
https://access.redhat.com/security/cve/CVE-2021-35561
https://access.redhat.com/security/cve/CVE-2021-35564
https://access.redhat.com/security/cve/CVE-2021-35565
https://access.redhat.com/security/cve/CVE-2021-35567
https://access.redhat.com/security/cve/CVE-2021-35578
https://access.redhat.com/security/cve/CVE-2021-35586
https://access.redhat.com/security/cve/CVE-2021-35603
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update
Advisory ID:       RHSA-2021:3891-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3891
Issue date:        2021-10-20
CVE Names:         CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 
                   CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 
                   CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 
                   CVE-2021-35603 
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux
8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE,
8254967) (CVE-2021-35565)

* OpenJDK: Incorrect principal selection when using Kerberos Constrained
Delegation (Libraries, 8266689) (CVE-2021-35567)

* OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE,
8264210) (CVE-2021-35550)

* OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
(CVE-2021-35556)

* OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
(CVE-2021-35559)

* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility,
8266097) (CVE-2021-35561)

* OpenJDK: Certificates with end dates too far in the future can corrupt
keystore (Keytool, 8266137) (CVE-2021-35564)

* OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
(CVE-2021-35578)

* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
(CVE-2021-35586)

* OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
(CVE-2021-35603)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2014508 - CVE-2021-35565 OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967)
2014515 - CVE-2021-35556 OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
2014518 - CVE-2021-35559 OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)
2015061 - CVE-2021-35564 OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137)
2015308 - CVE-2021-35586 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
2015311 - CVE-2021-35603 OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
2015648 - CVE-2021-35550 OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
2015653 - CVE-2021-35578 OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
2015658 - CVE-2021-35567 OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
java-11-openjdk-11.0.13.0.8-1.el8_4.src.rpm

aarch64:
java-11-openjdk-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_4.aarch64.rpm

ppc64le:
java-11-openjdk-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_4.ppc64le.rpm

s390x:
java-11-openjdk-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_4.s390x.rpm

x86_64:
java-11-openjdk-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-fastdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-fastdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-fastdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el8_4.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-demo-slowdebug-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-devel-slowdebug-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-headless-slowdebug-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-jmods-slowdebug-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-slowdebug-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-src-slowdebug-11.0.13.0.8-1.el8_4.aarch64.rpm
java-11-openjdk-static-libs-slowdebug-11.0.13.0.8-1.el8_4.aarch64.rpm

ppc64le:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-demo-slowdebug-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-devel-slowdebug-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-headless-slowdebug-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-jmods-slowdebug-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-slowdebug-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-src-slowdebug-11.0.13.0.8-1.el8_4.ppc64le.rpm
java-11-openjdk-static-libs-slowdebug-11.0.13.0.8-1.el8_4.ppc64le.rpm

s390x:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-demo-slowdebug-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-devel-slowdebug-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-headless-slowdebug-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-jmods-slowdebug-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-slowdebug-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-src-slowdebug-11.0.13.0.8-1.el8_4.s390x.rpm
java-11-openjdk-static-libs-slowdebug-11.0.13.0.8-1.el8_4.s390x.rpm

x86_64:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-debugsource-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-demo-fastdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-demo-slowdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-fastdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-fastdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-slowdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-devel-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-fastdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-fastdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-fastdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-fastdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-slowdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-headless-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-jmods-fastdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-jmods-slowdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-slowdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-slowdebug-debuginfo-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-src-fastdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-src-slowdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-static-libs-fastdebug-11.0.13.0.8-1.el8_4.x86_64.rpm
java-11-openjdk-static-libs-slowdebug-11.0.13.0.8-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-35550
https://access.redhat.com/security/cve/CVE-2021-35556
https://access.redhat.com/security/cve/CVE-2021-35559
https://access.redhat.com/security/cve/CVE-2021-35561
https://access.redhat.com/security/cve/CVE-2021-35564
https://access.redhat.com/security/cve/CVE-2021-35565
https://access.redhat.com/security/cve/CVE-2021-35567
https://access.redhat.com/security/cve/CVE-2021-35578
https://access.redhat.com/security/cve/CVE-2021-35586
https://access.redhat.com/security/cve/CVE-2021-35603
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- ------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security and bug fix update
Advisory ID:       RHSA-2021:3892-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3892
Issue date:        2021-10-20
CVE Names:         CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 
                   CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 
                   CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 
                   CVE-2021-35603 
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux
7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE,
8254967) (CVE-2021-35565)

* OpenJDK: Incorrect principal selection when using Kerberos Constrained
Delegation (Libraries, 8266689) (CVE-2021-35567)

* OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE,
8264210) (CVE-2021-35550)

* OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
(CVE-2021-35556)

* OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
(CVE-2021-35559)

* OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility,
8266097) (CVE-2021-35561)

* OpenJDK: Certificates with end dates too far in the future can corrupt
keystore (Keytool, 8266137) (CVE-2021-35564)

* OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
(CVE-2021-35578)

* OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
(CVE-2021-35586)

* OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
(CVE-2021-35603)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Previously, uninstalling the OpenJDK RPMs attempted to remove a client
directory that did not exist. This directory is no longer used in
java-11-openjdk and all references to it have now been removed.
(RHBZ#1698873)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to
take effect.
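The two checks a practitioner wants after reading this section are whether the host already carries the fixed build from the package list below and whether any JVM started before that build was installed is still running. The following script is an added example, not part of the Red Hat advisory: it takes the fixed version from the RHEL 7 package list, and the process-age heuristic (process start time versus the RPM install time) and the use of GNU `sort -V` for version ordering are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: checks whether the fixed
# java-11-openjdk build listed in RHSA-2021:3892 is installed on a RHEL 7
# host and whether any running JVM predates that install (and so still needs
# the restart the Solution section requires). The fixed version comes from
# the package list; the process-age heuristic is this example's assumption.
FIXED_EVR="11.0.13.0.8-1.el7_9"
PKG="java-11-openjdk-headless"

# evr_at_least INSTALLED FIXED: 0 when INSTALLED sorts at or above FIXED.
# Uses GNU 'sort -V'; adequate for this dotted scheme, not a full rpmvercmp.
evr_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# needs_restart PROC_START_EPOCH RPM_INSTALL_EPOCH: 0 when the process
# started before the package was installed, i.e. it still maps the old JDK.
needs_restart() {
    [ "$1" -lt "$2" ]
}

# Live check; runs only where rpm exists, so sourcing the file elsewhere is
# harmless.
check_host() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping"; return 0; }
    if ! rpm -q "$PKG" >/dev/null 2>&1; then
        echo "$PKG is not installed"; return 0
    fi
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" | head -n 1)
    if evr_at_least "$installed" "$FIXED_EVR"; then
        echo "$PKG $installed: at or above fixed build $FIXED_EVR"
    else
        echo "$PKG $installed: below fixed build $FIXED_EVR, update needed"
        return 0
    fi
    install_time=$(rpm -q --qf '%{INSTALLTIME}\n' "$PKG" | head -n 1)
    now=$(date +%s)
    for pid in $(pgrep -x java 2>/dev/null); do
        # etimes = seconds since the process started
        elapsed=$(ps -o etimes= -p "$pid" | tr -d ' ')
        [ -n "$elapsed" ] || continue
        if needs_restart $((now - elapsed)) "$install_time"; then
            echo "PID $pid started before the update: restart required"
        fi
    done
}

check_host
```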

5. Bugs fixed (https://bugzilla.redhat.com/):

1698873 - warning: file /usr/lib/jvm/java-11-openjdk-11.0.ea.28-7.el7.x86_64/lib/client: remove failed: No such file or directory
1999936 - Prepare for the next quarterly OpenJDK upstream release (2021-10, 11.0.13) [rhel-7]
2014508 - CVE-2021-35565 OpenJDK: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967)
2014515 - CVE-2021-35556 OpenJDK: Excessive memory allocation in RTFParser (Swing, 8265167)
2014518 - CVE-2021-35559 OpenJDK: Excessive memory allocation in RTFReader (Swing, 8265580)
2014524 - CVE-2021-35561 OpenJDK: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)
2015061 - CVE-2021-35564 OpenJDK: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137)
2015308 - CVE-2021-35586 OpenJDK: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)
2015311 - CVE-2021-35603 OpenJDK: Non-constant comparison during TLS handshakes (JSSE, 8269618)
2015648 - CVE-2021-35550 OpenJDK: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)
2015653 - CVE-2021-35578 OpenJDK: Unexpected exception raised during TLS handshake (JSSE, 8267729)
2015658 - CVE-2021-35567 OpenJDK: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
java-11-openjdk-11.0.13.0.8-1.el7_9.src.rpm

x86_64:
java-11-openjdk-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
java-11-openjdk-11.0.13.0.8-1.el7_9.src.rpm

x86_64:
java-11-openjdk-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
java-11-openjdk-11.0.13.0.8-1.el7_9.src.rpm

ppc64:
java-11-openjdk-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.ppc64.rpm

ppc64le:
java-11-openjdk-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.ppc64le.rpm

s390x:
java-11-openjdk-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.s390x.rpm

x86_64:
java-11-openjdk-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.ppc64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.ppc64.rpm

ppc64le:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.ppc64le.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.ppc64le.rpm

s390x:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.s390x.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.s390x.rpm

x86_64:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
java-11-openjdk-11.0.13.0.8-1.el7_9.src.rpm

x86_64:
java-11-openjdk-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-devel-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-headless-11.0.13.0.8-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-debuginfo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-demo-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-javadoc-zip-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-jmods-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-src-11.0.13.0.8-1.el7_9.x86_64.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.i686.rpm
java-11-openjdk-static-libs-11.0.13.0.8-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-35550
https://access.redhat.com/security/cve/CVE-2021-35556
https://access.redhat.com/security/cve/CVE-2021-35559
https://access.redhat.com/security/cve/CVE-2021-35561
https://access.redhat.com/security/cve/CVE-2021-35564
https://access.redhat.com/security/cve/CVE-2021-35565
https://access.redhat.com/security/cve/CVE-2021-35567
https://access.redhat.com/security/cve/CVE-2021-35578
https://access.redhat.com/security/cve/CVE-2021-35586
https://access.redhat.com/security/cve/CVE-2021-35603
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----