Overview
Moderate: java-11-openjdk security and bug fix update
Type/Severity
Security Advisory: Moderate
Topic
An update for java-11-openjdk is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.
Security Fix(es):
- OpenJDK: ZIP file parsing infinite loop (8302483) (CVE-2023-22036)
- OpenJDK: weakness in AES implementation (8308682) (CVE-2023-22041)
- OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312) (CVE-2023-22049)
- harfbuzz: OpenJDK: O(n^2) growth via consecutive marks (CVE-2023-25193)
- OpenJDK: HTTP client insufficient file name validation (8302475) (CVE-2023-22006)
- OpenJDK: array indexing integer overflow issue (8304468) (CVE-2023-22045)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Prepare for the next quarterly OpenJDK upstream release (2023-07, 11.0.20) [rhel-9] (BZ#2223100)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of OpenJDK Java must be restarted for this update to take effect.
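A post-update check for the two things this advisory asks for (the updated package is installed, and every running JVM has been restarted), as an added shell example that is not part of Red Hat's advisory. It assumes the fixed package's version string is at least the 11.0.20 release named above, and that a JVM started before the update can be recognised by a deleted libjvm.so mapping in /proc/<pid>/maps:

```shell
#!/bin/sh
# Added example, not from the advisory itself. Checks that java-11-openjdk is
# at least the 11.0.20 release the advisory prepares for (assumption: the fixed
# package version string is >= 11.0.20) and lists JVM processes still mapping
# the old, now-deleted libjvm.so, which must be restarted for the fix to apply.

# True when dotted numeric version $1 is >= $2, compared component-wise.
version_at_least() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# True when the given /proc/<pid>/maps text shows a deleted libjvm.so mapping,
# i.e. the process was started before the package files were replaced.
maps_has_stale_jvm() {
    printf '%s\n' "$1" | grep -q 'libjvm\.so.*(deleted)$'
}

# Print the PIDs of processes still mapping a deleted libjvm.so.
find_stale_jvms() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        content=$(cat "$maps" 2>/dev/null) || continue   # skip unreadable
        maps_has_stale_jvm "$content" && echo "$pid"
    done
}

# Report on the local host (run as root to see every user's processes).
check_host() {
    installed=$(rpm -q --qf '%{VERSION}\n' java-11-openjdk 2>/dev/null) || {
        echo "java-11-openjdk is not installed"; return 0; }
    if version_at_least "$installed" 11.0.20; then
        echo "java-11-openjdk $installed: update applied"
    else
        echo "java-11-openjdk $installed: still vulnerable, apply the update"
    fi
    stale=$(find_stale_jvms)
    if [ -n "$stale" ]; then echo "restart these JVMs:" $stale; fi
    return 0
}

check_host
```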
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
- Red Hat Enterprise Linux Server - AUS 9.2 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
- Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.2 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.2 ppc64le
- Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.2 s390x
- Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.2 aarch64
- Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64
- Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x
Fixes
- BZ - 2167254 - CVE-2023-25193 harfbuzz: OpenJDK: O(n^2) growth via consecutive marks
- BZ - 2221619 - OpenJDK: font processing denial of service vulnerability (8301998)
- BZ - 2221626 - CVE-2023-22006 OpenJDK: HTTP client insufficient file name validation (8302475)
- BZ - 2221634 - CVE-2023-22036 OpenJDK: ZIP file parsing infinite loop (8302483)
- BZ - 2221645 - CVE-2023-22045 OpenJDK: array indexing integer overflow issue (8304468)
- BZ - 2221647 - CVE-2023-22049 OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312)
- BZ - 2223100 - Prepare for the next quarterly OpenJDK upstream release (2023-07, 11.0.20) [rhel-9] [rhel-9.2.0.z]
- BZ - 2223207 - CVE-2023-22041 OpenJDK: weakness in AES implementation (8308682)