File _patchinfo of Package patchinfo.26863
<patchinfo incident="26863">
<issue tracker="bnc" id="1204471">VUL-0: CVE-2022-21626: java-1_8_0-openjdk,java-11-openjdk: unauthenticated attacker with network access via HTTPS can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1204468">VUL-0: CVE-2022-21618: java-17-openjdk: JGSS: unauthenticated attacker with network access via Kerberos can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1204473">VUL-0: CVE-2022-21619: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1204472">VUL-0: CVE-2022-21628: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk: unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1204475">VUL-0: CVE-2022-21624: java-1_8_0-openjdk-plugin,java-10-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-1_8_0-ibm,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise</issue>
<issue tracker="bnc" id="1204480">VUL-0: CVE-2022-39399: java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1205302">VUL-0: java-1_8_0-ibm, java-1_7_1-ibm, java-1_7_0-ibm: IBM Security Update October 2022</issue>
<issue tracker="bnc" id="1202427">VUL-0: java-1_8_0-ibm, java-1_7_1-ibm, java-1_7_0-ibm: IBM Security Update July 2022</issue>
<issue tracker="bnc" id="1201685">VUL-0: CVE-2022-21549: java-17-openjdk: random exponentials issue</issue>
<issue tracker="bnc" id="1201692">VUL-0: CVE-2022-21541: java,openjdk: improper restriction of MethodHandle.invokeBasic()</issue>
<issue tracker="bnc" id="1201684">VUL-0: CVE-2022-34169: java,openjdk: integer truncation issue in Xalan</issue>
<issue tracker="bnc" id="1201694">VUL-0: CVE-2022-21540: java,openjdk: class compilation issue</issue>
<issue tracker="cve" id="2022-21540"/>
<issue tracker="cve" id="2022-21626"/>
<issue tracker="cve" id="2022-21628"/>
<issue tracker="cve" id="2022-21619"/>
<issue tracker="cve" id="2022-21549"/>
<issue tracker="cve" id="2022-21624"/>
<issue tracker="cve" id="2022-34169"/>
<issue tracker="cve" id="2022-21618"/>
<issue tracker="cve" id="2022-39399"/>
<issue tracker="cve" id="2022-21541"/>
<packager>pmonrealgonzalez</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for java-1_8_0-ibm</summary>
<description>This update for java-1_8_0-ibm fixes the following issues:
- CVE-2022-21626: An unauthenticated attacker with network access via HTTPS can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204471).
- CVE-2022-21618: An unauthenticated attacker with network access via Kerberos can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204468).
- CVE-2022-21619: An unauthenticated attacker with network access via multiple protocols can compromise Oracle Java SE (bsc#1204473).
- CVE-2022-21628: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204472).
- CVE-2022-21624: An unauthenticated attacker with network access via multiple protocols can compromise Oracle Java SE, Oracle GraalVM Enterprise (bsc#1204475).
- CVE-2022-39399: An unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition (bsc#1204480).
- CVE-2022-21549: Fixed exponentials issue (bsc#1201685).
- CVE-2022-21541: Fixed an improper restriction of MethodHandle.invokeBasic() (bsc#1201692).
- CVE-2022-34169: Fixed an integer truncation issue in Xalan (bsc#1201684).
- CVE-2022-21540: Fixed a class compilation issue (bsc#1201694).
- Update to Java 8.0 Service Refresh 7 Fix Pack 20.
  * Security:
    - The IBM ORB Does Not Support Object-Serialisation Data Filtering
    - Large Allocation In CipherSuite
    - Avoid Evaluating SSLAlgorithmConstraints Twice
    - Cache The Results Of Constraint Checks
    - An incorrect ShortBufferException is thrown by IBMJCEPlus, IBMJCEPlusFIPS during cipher update operation
    - Disable SHA-1 Signed Jars For Ea
    - JSSE Performance Improvement
    - Oracle Road Map Kerberos Deprecation Of 3DES And RC4 Encryption
  * Java 8/ORB:
    - Upgrade ibmcfw.jar To Version o2228.02
  * Class Libraries:
    - Crash In libjsor.so During An RDMA Failover
    - High CPU Consumption Observed In ZosEventPort$EventHandlerTask.run
    - Update Timezone Information To The Latest tzdata2022c
  * JIT Compiler:
    - Crash During JIT Compilation
    - Incorrect JIT Optimization Of Java Code
    - Incorrect Return From Class.isArray()
    - Unexpected ClassCastException
    - Performance Regression When Calling VM Helper Code On X86
  * X/Os Extensions:
    - Add RSA-OAEP Cipher Function To IBMJCECCA
- Update to Java 8.0 Service Refresh 7 Fix Pack 16
  * Java Virtual Machine:
    - Assertion failure at ClassLoaderRememberedSet.cpp
    - Assertion failure at StandardAccessBarrier.cpp when -Xgc:concurrentScavenge is set.
    - GC can have unflushed ownable synchronizer objects which can eventually lead to heap corruption and failure when -Xgc:concurrentScavenge is set.
  * JIT Compiler:
    - Incorrect JIT optimization of Java code
    - JAVA JIT Power: JIT compile time assert on AIX or LINUXPPC
  * Reliability and Serviceability:
    - javacore with "kill -3" SIGQUIT signal freezes Java process
</description>
</patchinfo>