File _patchinfo of Package patchinfo.25537
<patchinfo incident="25537">
<issue tracker="cve" id="2022-21434"/>
<issue tracker="cve" id="2022-34169"/>
<issue tracker="cve" id="2022-21426"/>
<issue tracker="cve" id="2022-21476"/>
<issue tracker="cve" id="2022-21496"/>
<issue tracker="cve" id="2022-21541"/>
<issue tracker="cve" id="2022-21443"/>
<issue tracker="cve" id="2021-41041"/>
<issue tracker="cve" id="2022-21540"/>
<issue tracker="bnc" id="1201692">VUL-0: CVE-2022-21541: java,openjdk: improper restriction of MethodHandle.invokeBasic()</issue>
<issue tracker="bnc" id="1198935">VUL-1: CVE-2021-41041: java-11-openj9,java-1_8_0-openj9: unverified methods can be invoked using MethodHandles</issue>
<issue tracker="bnc" id="1198671">VUL-0: CVE-2022-21476: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1198673">VUL-0: CVE-2022-21496: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1198674">VUL-0: CVE-2022-21434: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1201684">VUL-0: CVE-2022-34169: java,openjdk: integer truncation issue in Xalan</issue>
<issue tracker="bnc" id="1198672">VUL-0: CVE-2022-21426: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1198675">VUL-0: CVE-2022-21443: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1201694">VUL-0: CVE-2022-21540: java,openjdk: class compilation issue</issue>
<packager>fstrba</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for java-1_8_0-openj9</summary>
<description>This update for java-1_8_0-openj9 fixes the following issues:
- Updated to OpenJDK 8u345 build 01 with OpenJ9 0.33.0 virtual machine:
- CVE-2022-34169: Fixed an integer truncation issue in the Xalan
Java XSLT library that occurred when processing malicious
stylesheets (bsc#1201684).
- CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201692).
- CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
in the Hotspot component (bsc#1201694).
- Updated to OpenJDK 8u332 build 09 with OpenJ9 0.32.0 virtual machine:
- CVE-2021-41041: Failed an issue that could allow unverified methods
to be invoked using MethodHandles (bsc#1198935).
- CVE-2022-21426: Fixed a remote partial denial of service issue
(component: JAXP) (bsc#1198672).
- CVE-2022-21434: Fixed an issue that could allow a remote attacker
to update, insert or delete data (component: Libraries) (bsc#1198674).
- CVE-2022-21443: Fixed a remote partial denial of service issue
(component: Libraries) (bsc#1198675).
- CVE-2022-21476: Fixed an issue that could allow unauthorized
access to confidential data (component: Libraries) (bsc#1198671).
- CVE-2022-21496: Fixed an issue that could allow a remote attacker
to update, insert or delete data (component: JNDI) (bsc#1198673).
</description>
</patchinfo>