-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3775
                         openjdk-8 security update
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk-8
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Modify Arbitrary Files    -- Remote with User Interaction
                   Overwrite Arbitrary Files -- Remote with User Interaction
                   Denial of Service         -- Remote with User Interaction
                   Access Confidential Data  -- Remote with User Interaction
                   Unauthorised Access       -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-35603 CVE-2021-35588 CVE-2021-35586
                   CVE-2021-35567 CVE-2021-35565 CVE-2021-35564
                   CVE-2021-35559 CVE-2021-35556 CVE-2021-35550
                   CVE-2021-3557 CVE-2021-3556 

Reference:         ESB-2021.3636
                   ESB-2021.3587
                   ESB-2021.3543
                   ESB-2021.3542

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/11/msg00008.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2814-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Roberto C. Sánchez
November 09, 2021                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : openjdk-8
Version        : 8u312-b07-1~deb9u1
CVE ID         : CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 
                 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 
                 CVE-2021-35586 CVE-2021-35588 CVE-2021-35603

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
including issues with cryptographic hashing, TLS client handshaking, and
various other issues.

Thanks to Thorsten Glaser and tarent for contributing the updated
packages to address these vulnerabilities.

For Debian 9 stretch, these problems have been fixed in version
8u312-b07-1~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----