Overview

File _patchinfo of Package patchinfo.25537

<patchinfo incident="25537">
  <issue tracker="cve" id="2022-21434"/>
  <issue tracker="cve" id="2022-34169"/>
  <issue tracker="cve" id="2022-21426"/>
  <issue tracker="cve" id="2022-21476"/>
  <issue tracker="cve" id="2022-21496"/>
  <issue tracker="cve" id="2022-21541"/>
  <issue tracker="cve" id="2022-21443"/>
  <issue tracker="cve" id="2021-41041"/>
  <issue tracker="cve" id="2022-21540"/>
  <issue tracker="bnc" id="1201692">VUL-0: CVE-2022-21541: java,openjdk: improper restriction of MethodHandle.invokeBasic()</issue>
  <issue tracker="bnc" id="1198935">VUL-1: CVE-2021-41041: java-11-openj9,java-1_8_0-openj9: unverified methods can be invoked using MethodHandles</issue>
  <issue tracker="bnc" id="1198671">VUL-0: CVE-2022-21476: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
  <issue tracker="bnc" id="1198673">VUL-0: CVE-2022-21496: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
  <issue tracker="bnc" id="1198674">VUL-0: CVE-2022-21434: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
  <issue tracker="bnc" id="1201684">VUL-0: CVE-2022-34169: java,openjdk: integer truncation issue in Xalan</issue>
  <issue tracker="bnc" id="1198672">VUL-0: CVE-2022-21426: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
  <issue tracker="bnc" id="1198675">VUL-0: CVE-2022-21443: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
  <issue tracker="bnc" id="1201694">VUL-0: CVE-2022-21540: java,openjdk: class compilation issue</issue>
  <packager>fstrba</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for java-1_8_0-openj9</summary>
  <description>This update for java-1_8_0-openj9 fixes the following issues:

- Updated to OpenJDK 8u345 build 01 with OpenJ9 0.33.0 virtual machine:
  - CVE-2022-34169: Fixed an integer truncation issue in the Xalan
    Java XSLT library that occurred when processing malicious
    stylesheets (bsc#1201684).
  - CVE-2022-21541: Fixed a potential bypass of sandbox restrictions
    in the Hotspot component (bsc#1201692).
  - CVE-2022-21540: Fixed a potential bypass of sandbox restrictions
    in the Hotspot component (bsc#1201694).

- Updated to OpenJDK 8u332 build 09 with OpenJ9 0.32.0 virtual machine:
  - CVE-2021-41041: Failed an issue that could allow unverified methods
    to be invoked using MethodHandles (bsc#1198935).
  - CVE-2022-21426: Fixed a remote partial denial of service issue
    (component: JAXP) (bsc#1198672).
  - CVE-2022-21434: Fixed an issue that could allow a remote attacker
    to update, insert or delete data (component: Libraries) (bsc#1198674).
  - CVE-2022-21443: Fixed a remote partial denial of service issue
    (component: Libraries) (bsc#1198675).
  - CVE-2022-21476: Fixed an issue that could allow unauthorized
    access to confidential data (component: Libraries) (bsc#1198671).
  - CVE-2022-21496: Fixed an issue that could allow a remote attacker
    to update, insert or delete data (component: JNDI) (bsc#1198673).
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places