openSUSE Build Service

Security update for java-17-openj9

This update for java-17-openj9 fixes the following issues:

- Update to OpenJDK 17.0.14 with OpenJ9 0.49.0 virtual machine
- Including Oracle October 2024 and January 2025 CPU changes
* CVE-2024-21208 (boo#1231702), CVE-2024-21210 (boo#1231711),
CVE-2024-21217 (boo#1231716), CVE-2024-21235 (boo#1231719),
CVE-2025-21502 (boo#1236278)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.49/

- Update to OpenJDK 17.0.12 with OpenJ9 0.46.0 virtual machine
- Including Oracle July 2024 CPU changes
* CVE-2024-21131 (boo#1228046), CVE-2024-21138 (boo#1228047),
CVE-2024-21140 (boo#1228048), CVE-2024-21147 (boo#1228052),
CVE-2024-21145 (boo#1228051)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.46/

- Update to OpenJDK 17.0.11 with OpenJ9 0.44.0 virtual machine
- Including Oracle April 2024 CPU changes
* CVE-2024-21012 (boo#1222987), CVE-2024-21094 (boo#1222986),
CVE-2024-21011 (boo#1222979), CVE-2024-21068 (boo#1222983)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.44/

- Update to OpenJDK 17.0.10 with OpenJ9 0.43.0 virtual machine
- Including Oracle January 2024 CPU changes
* CVE-2024-20918 (boo#1218907), CVE-2024-20919 (boo#1218903),
CVE-2024-20921 (boo#1218905), CVE-2024-20932 (boo#1218908),
CVE-2024-20945 (boo#1218909), CVE-2024-20952 (boo#1218911)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.43/

- Update to OpenJDK 17.0.9 with OpenJ9 0.41.0 virtual machine
- Including Oracle October 2023 CPU changes
* CVE-2023-22081, boo#1216374
* CVE-2023-22025, boo#1216339
- Including Openj9 0.41.0 fixes of CVE-2023-5676, boo#1217214
* For other OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.41

- Update to OpenJDK 17.0.8.1 with OpenJ9 0.40.0 virtual machine
* JDK-8313765: Invalid CEN header (invalid zip64 extra data
field size)

- Update to OpenJDK 17.0.8 with OpenJ9 0.40.0 virtual machine
- Including Oracle July 2023 CPU changes
* CVE-2023-22006 (boo#1213473), CVE-2023-22036 (boo#1213474),
CVE-2023-22041 (boo#1213475), CVE-2023-22044 (boo#1213479),
CVE-2023-22045 (boo#1213481), CVE-2023-22049 (boo#1213482),
CVE-2023-25193 (boo#1207922)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.40

- Update to OpenJDK 17.0.7 with OpenJ9 0.38.0 virtual machine
- Including Oracle April 2023 CPU changes
* CVE-2023-21930 (boo#1210628), CVE-2023-21937 (boo#1210631),
CVE-2023-21938 (boo#1210632), CVE-2023-21939 (boo#1210634),
CVE-2023-21954 (boo#1210635), CVE-2023-21967 (boo#1210636),
CVE-2023-21968 (boo#1210637)
* OpenJ9 specific vulnerability: CVE-2023-2597 (boo#1211615)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.38

- Update to OpenJDK 17.0.6 with OpenJ9 0.36.0 virtual machine
* including Oracle January 2023 CPU changes
+ CVE-2023-21835, boo#1207246
+ CVE-2023-21843, boo#1207248
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.36

- Update to OpenJDK 17.0.5 with OpenJ9 0.35.0 virtual machine
* Including Oracle October 2022 CPU changes
CVE-2022-21618 (boo#1204468), CVE-2022-21619 (boo#1204473),
CVE-2022-21626 (boo#1204471), CVE-2022-21624 (boo#1204475),
CVE-2022-21628 (boo#1204472), CVE-2022-39399 (boo#1204480)
* Fixes OpenJ9 vulnerability boo#1204703, CVE-2022-3676
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.35

Submitted by Fridrich Strba (fstrba)

Fixed bugs

VUL-0: CVE-2024-21210: java-*-openjdk,java-*-ibm: component: Hotspot

bnc#1228046

VUL-0: CVE-2024-21131: java-*-openjdk,java-*-ibm: OpenJDK: potential UTF8 size overflow

bnc#1218903

VUL-0: CVE-2024-20919: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295)

bnc#1228052

VUL-0: CVE-2024-21147: java-*-openjdk,java-*-ibm: OpenJDK: RangeCheckElimination array index overflow

bnc#1218907

VUL-0: CVE-2024-20918: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468)

bnc#1216374

VUL-0: CVE-2023-22081: java-1_8_0-openjdk,java-9-openjdk,java-10-openjdk,java-11-openjdk,java-17-openjdk: Oracle October 2023 CPU

bnc#1217214

VUL-0: CVE-2023-5676: java-1_8_0-openj9: receiving a signal before initialization may lead to an infinite loop or unexpected crash

bnc#1210631

VUL-0: CVE-2023-21937: java-11-openjdk,java-17-openjdk,java-1_8_0-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).

bnc#1222987

VUL-0: CVE-2024-21012: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: HTTP/2 client improper reverse DNS lookup (8315708)

bnc#1228048

VUL-0: CVE-2024-21140: java-*-openjdk,java-*-ibm: OpenJDK: Range Check Elimination (RCE) pre-loop limit overflow

bnc#1213482

VUL-0: CVE-2023-22049: java-11-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).

bnc#1231702

VUL-0: CVE-2024-21208: java-*-openjdk,java-*-ibm: component: Networking

bnc#1228051

VUL-0: CVE-2024-21145: java-*-openjdk,java-*-ibm: OpenJDK: Out-of-bounds access in 2D image handling

bnc#1213470

timezone-java 2023c contains corrupt data for some timezones

bnc#1218911

VUL-0: CVE-2024-20952: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547)

bnc#1207922

VUL-0: CVE-2023-25193: firefox-harfbuzz,harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks

bnc#1228047

VUL-0: CVE-2024-21138: java-*-openjdk,java-*-ibm: OpenJDK: Excessive symbol length can lead to infinite loop

bnc#1204472

VUL-0: CVE-2022-21628: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk: unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition

bnc#1231719

VUL-0: CVE-2024-21235: java-*-openjdk,java-*-ibm: unauthorized read/write access to data in component Hotspot

bnc#1213481

VUL-0: CVE-2023-22045: java-1_8_0-openjdk,java-1_8_0-ibm,java-17-openjdk,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).

bnc#1210637

VUL-0: CVE-2023-21968: java-1_8_0-ibm,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).

bnc#1204480

VUL-0: CVE-2022-39399: java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition

bnc#1222983

VUL-0: CVE-2024-21068: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: integer overflow in C1 compiler address generation (8322122)

bnc#1210635

VUL-0: CVE-2023-21954: java-17-openjdk,java-1_8_0-openjdk,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).

bnc#1213473

VUL-0: CVE-2023-22006: java-17-openjdk,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking)

bnc#1210632

VUL-0: CVE-2023-21938: java-11-openjdk,java-1_8_0-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).

bnc#1218908

VUL-0: CVE-2024-20932: java-17-openjdk: OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123)

bnc#1204473

VUL-0: CVE-2022-21619: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE

bnc#1213474

VUL-0: CVE-2023-22036: java-17-openjdk,java-1_8_0-openjdk,java-1_8_0-ibm,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).

bnc#1213475

VUL-0: CVE-2023-22041: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk,java-1_8_0-ibm: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).

bnc#1204471

VUL-0: CVE-2022-21626: java-1_8_0-openjdk,java-11-openjdk: unauthenticated attacker with network access via HTTPS can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition

bnc#1231716

VUL-0: CVE-2024-21217: java-*-openjdk,java-*-ibm: partial DoS in component Serialization

bnc#1204475

VUL-0: CVE-2022-21624: java-1_8_0-openjdk-plugin,java-10-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-1_8_0-ibm,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise

bnc#1213479

VUL-0: CVE-2023-22044: java-17-openjdk,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).

bnc#1210628

VUL-0: CVE-2023-21930: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk: unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition

bnc#1222986

VUL-0: CVE-2024-21094: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: C2 compilation fails with "Exceeded _node_regs array" (8317507)

bnc#1236804

bnc#1218909

VUL-0: CVE-2024-20945: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: logging of digital signature private keys (8316976)

bnc#1216339

VUL-0: CVE-2023-22025: java-17-openjdk, java-21-openjdk: memory corruption issue on x86_64 with AVX-512

bnc#1210636

VUL-0: CVE-2023-21967: java-17-openjdk,java-1_8_0-ibm,java-11-openjdk,java-1_8_0-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).

bnc#1207246

VUL-0: CVE-2023-21835: java-openjdk: handshake DoS attack against DTLS connections (JSSE, 8287411)

bnc#1206549

bnc#1218905

VUL-0: CVE-2024-20921: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: range check loop optimization issue (8314307)

bnc#1204468

VUL-0: CVE-2022-21618: java-17-openjdk: JGSS: unauthenticated attacker with network access via Kerberos can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition

bnc#1211615

VUL-0: CVE-2023-2597: java-1_8_0-openj9: buffer overflow in shared cache implementation

bnc#1204703

VUL-0: CVE-2022-3676: In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type.

bnc#1236278

VUL-0: CVE-2025-21502: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: JDK: Enhance array handling (Oracle CPU 2025-01)

bnc#1222979

VUL-0: CVE-2024-21011: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: long Exception message leading to crash (8319851)

bnc#1207248

VUL-0: CVE-2023-21843: java-openjdk: soundbank URL remote loading (Sound, 8293742)

bnc#1210634

VUL-0: CVE-2023-21939: java-11-openjdk,java-1_8_0-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).

Places

Fixed bugs

Selected Binaries

Places