openjdk-11-jdk: CVE-2022-21476 unfixed for weeks

Related Vulnerabilities: CVE-2022-21476  

Debian Bug report logs - #1010597
openjdk-11-jdk: CVE-2022-21476 unfixed for weeks

Reported by: Michael Kesper <mkesper@web.de>

Date: Thu, 5 May 2022 08:48:01 UTC

Severity: critical

Tags: security

Found in version openjdk-11/11.0.14+9-1~deb11u1

Fixed in versions 11.0.15+10-1~deb10u1, 11.0.15+10-1~deb11u1, openjdk-11/11.0.15+10-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, mkesper@web.de, team@security.debian.org, team@security.debian.org, OpenJDK Team <openjdk-11@packages.debian.org>:
Bug#1010597; Package openjdk-11-jdk. (Thu, 05 May 2022 08:48:03 GMT)


Acknowledgement sent to Michael Kesper <mkesper@web.de>:
New Bug report received and forwarded. Copy sent to mkesper@web.de, team@security.debian.org, team@security.debian.org, OpenJDK Team <openjdk-11@packages.debian.org>. (Thu, 05 May 2022 08:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Kesper <mkesper@web.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openjdk-11-jdk: CVE-2022-21476 unfixed for weeks
Date: Thu, 05 May 2022 10:45:26 +0200
Package: openjdk-11-jdk
Version: 11.0.14+9-1~deb11u1
Severity: critical
Tags: security
Justification: causes serious data loss
X-Debbugs-Cc: mkesper@web.de, team@security.debian.org, Debian Security Team <team@security.debian.org>

Dear Maintainer,

for weeks there has been a known, undisputed CVE for all openjdk versions in Debian,
https://security-tracker.debian.org/tracker/CVE-2022-21476
described as easily exploitable by unauthenticated attackers, resulting in access to data.

However, there seems to be no security-issue handling of this CVE; instead, a fix
has only been made available in unstable.

Please include a fix for Debian stable at least.

Best regards
Michael

-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-14-amd64 (SMP w/6 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openjdk-11-jdk depends on:
ii  libc6                    2.31-13+deb11u3
ii  openjdk-11-jdk-headless  11.0.14+9-1~deb11u1
ii  openjdk-11-jre           11.0.14+9-1~deb11u1

Versions of packages openjdk-11-jdk recommends:
ii  libxt-dev  1:1.2.0-1

Versions of packages openjdk-11-jdk suggests:
pn  openjdk-11-demo    <none>
pn  openjdk-11-source  <none>
pn  visualvm           <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, OpenJDK Team <openjdk-11@packages.debian.org>:
Bug#1010597; Package openjdk-11-jdk. (Thu, 05 May 2022 10:06:04 GMT)


Acknowledgement sent to Sascha Girrulat <s.girrulat@conventic.com>:
Extra info received and forwarded to list. Copy sent to OpenJDK Team <openjdk-11@packages.debian.org>. (Thu, 05 May 2022 10:06:04 GMT)


Message #10 received at 1010597@bugs.debian.org:

From: Sascha Girrulat <s.girrulat@conventic.com>
To: 1010597@bugs.debian.org
Subject: Re: openjdk-11-jdk: CVE-2022-21476 unfixed for weeks
Date: Thu, 5 May 2022 12:04:07 +0200
Dear Maintainer,

I saw that the CVE is already fixed for sid. I'm unsure if we have to
try to create a bullseye backport of the 11.0.15+10-1 for ourselves or if
we have to wait a bit longer until it's fixed for bullseye too. We are
using the container images of Debian with this openjdk-jre for our
services and we are looking forward to an update.

Cheers
Sascha

On Thu, 05 May 2022 10:45:26 +0200 Michael Kesper <mkesper@web.de> wrote:
> Package: openjdk-11-jdk
> Version: 11.0.14+9-1~deb11u1
> Severity: critical
> Tags: security
> Justification: causes serious data loss
> X-Debbugs-Cc: mkesper@web.de, team@security.debian.org, Debian Security Team <team@security.debian.org>
> 
> Dear Maintainer,
> 
> for weeks there has been a known, undisputed CVE for all openjdk versions in Debian,
> https://security-tracker.debian.org/tracker/CVE-2022-21476
> described as easily exploitable by unauthenticated attackers, resulting in access to data.
> 
> However, there seems to be no security-issue handling of this CVE; instead, a fix
> has only been made available in unstable.
> 
> Please include a fix for Debian stable at least.
> 
> Best regards
> Michael
> 
> -- System Information:
> Debian Release: 11.3
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable'), (100, 'bullseye-fasttrack'), (100, 'bullseye-backports-staging')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.10.0-14-amd64 (SMP w/6 CPU threads)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de:en_US
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages openjdk-11-jdk depends on:
> ii  libc6                    2.31-13+deb11u3
> ii  openjdk-11-jdk-headless  11.0.14+9-1~deb11u1
> ii  openjdk-11-jre           11.0.14+9-1~deb11u1
> 
> Versions of packages openjdk-11-jdk recommends:
> ii  libxt-dev  1:1.2.0-1
> 
> Versions of packages openjdk-11-jdk suggests:
> pn  openjdk-11-demo    <none>
> pn  openjdk-11-source  <none>
> pn  visualvm           <none>
> 
> -- no debconf information
> 
> 



Marked as fixed in versions openjdk-11/11.0.15+10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 05 May 2022 14:51:05 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 05 May 2022 14:51:05 GMT)


Notification sent to Michael Kesper <mkesper@web.de>:
Bug acknowledged by developer. (Thu, 05 May 2022 14:51:06 GMT)


Marked as fixed in versions 11.0.15+10-1~deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 05 May 2022 14:51:06 GMT)


Marked as fixed in versions 11.0.15+10-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 05 May 2022 14:51:06 GMT)


Message sent on to Michael Kesper <mkesper@web.de>:
Bug#1010597. (Thu, 05 May 2022 14:51:08 GMT)


Message #23 received at 1010597-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 1010597-submitter@bugs.debian.org
Subject: closing 1010597, closing 1010597, closing 1010597
Date: Thu, 05 May 2022 16:49:45 +0200
close 1010597 11.0.15+10-1
# pending in upcoming DSA
close 1010597 11.0.15+10-1~deb11u1
close 1010597 11.0.15+10-1~deb10u1
thanks





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri May 6 13:11:34 2022; Machine Name: bembo
