File _patchinfo of Package patchinfo.18792
<patchinfo incident="18792">
<issue tracker="cve" id="2024-21094"/>
<issue tracker="cve" id="2024-21011"/>
<issue tracker="cve" id="2024-21210"/>
<issue tracker="cve" id="2024-20918"/>
<issue tracker="cve" id="2024-21147"/>
<issue tracker="cve" id="2021-41041"/>
<issue tracker="cve" id="2024-21131"/>
<issue tracker="cve" id="2024-21217"/>
<issue tracker="cve" id="2023-21939"/>
<issue tracker="cve" id="2022-21628"/>
<issue tracker="cve" id="2024-20952"/>
<issue tracker="cve" id="2024-21235"/>
<issue tracker="cve" id="2022-34169"/>
<issue tracker="cve" id="2024-21144"/>
<issue tracker="cve" id="2023-5676"/>
<issue tracker="cve" id="2022-21443"/>
<issue tracker="cve" id="2024-20926"/>
<issue tracker="cve" id="2022-3676"/>
<issue tracker="cve" id="2022-21618"/>
<issue tracker="cve" id="2022-21541"/>
<issue tracker="cve" id="2024-21138"/>
<issue tracker="cve" id="2024-21140"/>
<issue tracker="cve" id="2022-21626"/>
<issue tracker="cve" id="2023-2597"/>
<issue tracker="cve" id="2023-21937"/>
<issue tracker="cve" id="2024-20921"/>
<issue tracker="cve" id="2023-22081"/>
<issue tracker="cve" id="2023-21938"/>
<issue tracker="cve" id="2024-21085"/>
<issue tracker="cve" id="2023-21954"/>
<issue tracker="cve" id="2023-21968"/>
<issue tracker="cve" id="2024-21208"/>
<issue tracker="cve" id="2023-21843"/>
<issue tracker="cve" id="2022-21619"/>
<issue tracker="cve" id="2022-21540"/>
<issue tracker="cve" id="2023-22036"/>
<issue tracker="cve" id="2024-3933"/>
<issue tracker="cve" id="2023-22045"/>
<issue tracker="cve" id="2023-21930"/>
<issue tracker="cve" id="2024-20919"/>
<issue tracker="cve" id="2023-21835"/>
<issue tracker="cve" id="2024-21145"/>
<issue tracker="cve" id="2024-20945"/>
<issue tracker="cve" id="2022-21476"/>
<issue tracker="cve" id="2022-21426"/>
<issue tracker="cve" id="2022-21496"/>
<issue tracker="cve" id="2023-22041"/>
<issue tracker="cve" id="2024-21068"/>
<issue tracker="cve" id="2023-22049"/>
<issue tracker="cve" id="2023-22006"/>
<issue tracker="cve" id="2022-39399"/>
<issue tracker="cve" id="2024-21012"/>
<issue tracker="cve" id="2022-21624"/>
<issue tracker="cve" id="2022-21434"/>
<issue tracker="cve" id="2023-25193"/>
<issue tracker="cve" id="2023-21967"/>
<issue tracker="cve" id="2020-14803"/>
<issue tracker="cve" id="2025-21502"/>
<issue tracker="bnc" id="1213482">VUL-0: CVE-2023-22049: java-11-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries).</issue>
<issue tracker="bnc" id="1216374">VUL-0: CVE-2023-22081: java-1_8_0-openjdk,java-9-openjdk,java-10-openjdk,java-11-openjdk,java-17-openjdk: Oracle October 2023 CPU</issue>
<issue tracker="bnc" id="1194927">VUL-0: CVE-2022-21366: java-17-openjdk,java-11-openjdk: Excessive memory allocation in TIFF*Decompressor</issue>
<issue tracker="bnc" id="1201684">VUL-0: CVE-2022-34169: java,openjdk: integer truncation issue in Xalan</issue>
<issue tracker="bnc" id="1231719">VUL-0: CVE-2024-21235: java-*-openjdk,java-*-ibm: unauthorized read/write access to data in component Hotspot</issue>
<issue tracker="bnc" id="1194939">VUL-0: CVE-2022-21305: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Array indexing issues in LIRGenerator</issue>
<issue tracker="bnc" id="1211615">VUL-0: CVE-2023-2597: java-1_8_0-openj9: buffer overflow in shared cache implementation</issue>
<issue tracker="bnc" id="1185055">VUL-0: CVE-2021-2163: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk: Incomplete enforcement of JAR signing disabled algorithms</issue>
<issue tracker="bnc" id="1222979">VUL-0: CVE-2024-21011: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: long Exception message leading to crash (8319851)</issue>
<issue tracker="bnc" id="1207246">VUL-0: CVE-2023-21835: java-openjdk: handshake DoS attack against DTLS connections (JSSE, 8287411)</issue>
<issue tracker="bnc" id="1194931">VUL-0: CVE-2022-21299: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Infinite loop related to incorrect handling of newlines in XMLEntityScanner</issue>
<issue tracker="bnc" id="1210637">VUL-0: CVE-2023-21968: java-1_8_0-ibm,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).</issue>
<issue tracker="bnc" id="1194929">VUL-0: CVE-2022-21360: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Excessive memory allocation in BMPImageReader</issue>
<issue tracker="bnc" id="1204480">VUL-0: CVE-2022-39399: java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1191909">VUL-0: CVE-2021-35565: java-1_7_0-openjdk,java-11-openjdk,java-1_8_0-openjdk: Loop in HttpsServer triggered during TLS session close (JSSE, 8254967)</issue>
<issue tracker="bnc" id="1191911">VUL-0: CVE-2021-35559: java-1_8_0-openjdk,java-1_7_0-openjdk,java-11-openjdk: Excessive memory allocation in RTFReader (Swing, 8265580)</issue>
<issue tracker="bnc" id="1210635">VUL-0: CVE-2023-21954: java-17-openjdk,java-1_8_0-openjdk,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).</issue>
<issue tracker="bnc" id="1228046">VUL-0: CVE-2024-21131: java-*-openjdk,java-*-ibm: OpenJDK: potential UTF8 size overflow</issue>
<issue tracker="bnc" id="1188564">VUL-0: CVE-2021-2341: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk: flaw inside the FtpClient</issue>
<issue tracker="bnc" id="1204472">VUL-0: CVE-2022-21628: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk: unauthenticated attacker with network access via HTTP can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1204471">VUL-0: CVE-2022-21626: java-1_8_0-openjdk,java-11-openjdk: unauthenticated attacker with network access via HTTPS can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1213475">VUL-0: CVE-2023-22041: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk,java-1_8_0-ibm: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).</issue>
<issue tracker="bnc" id="1228050">VUL-0: CVE-2024-21144: java-*-openjdk,java-*-ibm: OpenJDK: Pack200 increase loading time due to improper header validation</issue>
<issue tracker="bnc" id="1218905">VUL-0: CVE-2024-20921: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: range check loop optimization issue (8314307)</issue>
<issue tracker="bnc" id="1198672">VUL-0: CVE-2022-21426: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1210631">VUL-0: CVE-2023-21937: java-11-openjdk,java-17-openjdk,java-1_8_0-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).</issue>
<issue tracker="bnc" id="1198675">VUL-0: CVE-2022-21443: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1194940">VUL-0: CVE-2022-21340: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Excessive resource use when reading JAR manifest attributes</issue>
<issue tracker="bnc" id="1191912">VUL-0: CVE-2021-35561: java-1_8_0-openjdk,java-11-openjdk,java-1_7_0-openjdk: Excessive memory allocation in HashMap and HashSet (Utility, 8266097)</issue>
<issue tracker="bnc" id="1194928">VUL-0: CVE-2022-21365: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Integer overflow in BMPImageReader</issue>
<issue tracker="bnc" id="1191904">VUL-0: CVE-2021-35578: java-11-openjdk,java-1_7_0-openjdk,java-1_8_0-openjdk: Unexpected exception raised during TLS handshake (JSSE, 8267729)</issue>
<issue tracker="bnc" id="1217214">VUL-0: CVE-2023-5676: java-1_8_0-openj9: receiving a signal before initialization may lead to an infinite loop or unexpected crash</issue>
<issue tracker="bnc" id="1188566">VUL-0: CVE-2021-2388: java-11-openjdk,java-1_8_0-openjdk: flaw inside the Hotspot component performed range check elimination</issue>
<issue tracker="bnc" id="1194933">VUL-0: CVE-2022-21282: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Insufficient URI checks in the XSLT TransformerImpl</issue>
<issue tracker="bnc" id="1198673">VUL-0: CVE-2022-21496: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1194926">VUL-0: CVE-2022-21248: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Incomplete deserialization class filtering in ObjectInputStream</issue>
<issue tracker="bnc" id="1218909">VUL-0: CVE-2024-20945: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: logging of digital signature private keys (8316976)</issue>
<issue tracker="bnc" id="1194925">VUL-0: CVE-2022-21291: java-17-openjdk,java-11-openjdk: Incorrect marking of writeable fields</issue>
<issue tracker="bnc" id="1210636">VUL-0: CVE-2023-21967: java-17-openjdk,java-1_8_0-ibm,java-11-openjdk,java-1_8_0-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).</issue>
<issue tracker="bnc" id="1194935">VUL-0: CVE-2022-21293: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Incomplete checks of StringBuffer and StringBuilder during deserialization</issue>
<issue tracker="bnc" id="1228052">VUL-0: CVE-2024-21147: java-*-openjdk,java-*-ibm: OpenJDK: RangeCheckElimination array index overflow</issue>
<issue tracker="bnc" id="1222987">VUL-0: CVE-2024-21012: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: HTTP/2 client improper reverse DNS lookup (8315708)</issue>
<issue tracker="bnc" id="1222984">VUL-0: CVE-2024-21085: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: Pack200 excessive memory allocation (8322114)</issue>
<issue tracker="bnc" id="1225470">VUL-0: CVE-2024-3933: java-*-openjdk,java-*-ibm,java-*-openj9: out-of-bounds read/write in Eclipse OpenJ9 when running with JVM option -Xgc:concurrentScavenge on the IBM Z platform with hardware and software support for guarded storage</issue>
<issue tracker="bnc" id="1213481">VUL-0: CVE-2023-22045: java-1_8_0-openjdk,java-1_8_0-ibm,java-17-openjdk,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).</issue>
<issue tracker="bnc" id="1207922">VUL-0: CVE-2023-25193: firefox-harfbuzz,harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks</issue>
<issue tracker="bnc" id="1191901">VUL-0: CVE-2021-35550: java-1_7_0-openjdk,java-11-openjdk,java-1_8_0-openjdk: Weak ciphers preferred over stronger ones for TLS (JSSE, 8264210)</issue>
<issue tracker="bnc" id="1231716">VUL-0: CVE-2024-21217: java-*-openjdk,java-*-ibm: partial DoS in component Serialization</issue>
<issue tracker="bnc" id="1222986">VUL-0: CVE-2024-21094: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: C2 compilation fails with "Exceeded _node_regs array" (8317507)</issue>
<issue tracker="bnc" id="1198671">VUL-0: CVE-2022-21476: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1185056">VUL-0: CVE-2021-2161: java-11-openjdk,java-1_7_0-openjdk,java-1_8_0-openjdk: Incorrect handling of partially quoted arguments in ProcessBuilder on Windows</issue>
<issue tracker="bnc" id="1194934">VUL-0: CVE-2022-21294: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Incorrect IdentityHashMap size checks during deserialization</issue>
<issue tracker="bnc" id="1213470">timezone-java 2023c contains corrupt data for some timezones</issue>
<issue tracker="bnc" id="1191913">VUL-0: CVE-2021-35564: java-1_8_0-openjdk,java-1_7_0-openjdk,java-11-openjdk: Certificates with end dates too far in the future can corrupt keystore (Keytool, 8266137)</issue>
<issue tracker="bnc" id="1213473">VUL-0: CVE-2023-22006: java-17-openjdk,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking)</issue>
<issue tracker="bnc" id="1218907">VUL-0: CVE-2024-20918: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468)</issue>
<issue tracker="bnc" id="1191914">VUL-0: CVE-2021-35586: java-1_8_0-openjdk,java-1_7_0-openjdk,java-11-openjdk: Excessive memory allocation in BMPImageReader (ImageIO, 8267735)</issue>
<issue tracker="bnc" id="1198674">VUL-0: CVE-2022-21434: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1191906">VUL-1: CVE-2021-35603: java-11-openjdk,java-1_7_0-openjdk,java-1_8_0-openjdk: Non-constant comparison during TLS handshakes (JSSE, 8269618)</issue>
<issue tracker="bnc" id="1218906">VUL-0: CVE-2024-20926: java-11-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: arbitrary Java code execution in Nashorn (8314284)</issue>
<issue tracker="bnc" id="1228048">VUL-0: CVE-2024-21140: java-*-openjdk,java-*-ibm: OpenJDK: Range Check Elimination (RCE) pre-loop limit overflow</issue>
<issue tracker="bnc" id="1194941">VUL-0: CVE-2022-21341: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: OpenJDK: Insufficient checks when deserializing exceptions in ObjectInputStream</issue>
<issue tracker="bnc" id="1191910">VUL-0: CVE-2021-35556: java-11-openjdk,java-1_7_0-openjdk,java-1_8_0-openjdk: Excessive memory allocation in RTFParser (Swing, 8265167)</issue>
<issue tracker="bnc" id="1218911">VUL-0: CVE-2024-20952: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547)</issue>
<issue tracker="bnc" id="1194937">VUL-0: CVE-2022-21283: java-11-openjdk,java-17-openjdk: Unexpected exception thrown in regex Pattern</issue>
<issue tracker="bnc" id="1207248">VUL-0: CVE-2023-21843: java-openjdk: soundbank URL remote loading (Sound, 8293742)</issue>
<issue tracker="bnc" id="1206549"></issue>
<issue tracker="bnc" id="1210634">VUL-0: CVE-2023-21939: java-11-openjdk,java-1_8_0-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing).</issue>
<issue tracker="bnc" id="1218903">VUL-0: CVE-2024-20919: java-11-openjdk,java-17-openjdk,java-1_8_0-ibm,java-1_8_0-openjdk: OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295)</issue>
<issue tracker="bnc" id="1231711">VUL-0: CVE-2024-21210: java-*-openjdk,java-*-ibm: component: Hotspot</issue>
<issue tracker="bnc" id="1222983">VUL-0: CVE-2024-21068: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: OpenJDK: integer overflow in C1 compiler address generation (8322122)</issue>
<issue tracker="bnc" id="1204475">VUL-0: CVE-2022-21624: java-1_8_0-openjdk-plugin,java-10-openjdk,java-1_8_0-openjdk,java-11-openjdk,java-1_8_0-ibm,java-17-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise</issue>
<issue tracker="bnc" id="1201692">VUL-0: CVE-2022-21541: java,openjdk: improper restriction of MethodHandle.invokeBasic()</issue>
<issue tracker="bnc" id="1204468">VUL-0: CVE-2022-21618: java-17-openjdk: JGSS: unauthenticated attacker with network access via Kerberos can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1236278">VUL-0: CVE-2025-21502: java-10-openjdk,java-11-openjdk,java-17-openjdk,java-1_7_0-openjdk,java-1_8_0-ibm,java-1_8_0-openj9,java-1_8_0-openjdk,java-21-openjdk,java-9-openjdk: JDK: Enhance array handling (Oracle CPU 2025-01)</issue>
<issue tracker="bnc" id="1228051">VUL-0: CVE-2024-21145: java-*-openjdk,java-*-ibm: OpenJDK: Out-of-bounds access in 2D image handling</issue>
<issue tracker="bnc" id="1191903">VUL-0: CVE-2021-35567: java-11-openjdk,java-1_7_0-openjdk,java-1_8_0-openjdk: Incorrect principal selection when using Kerberos Constrained Delegation (Libraries, 8266689)</issue>
<issue tracker="bnc" id="1236804"></issue>
<issue tracker="bnc" id="1231702">VUL-0: CVE-2024-21208: java-*-openjdk,java-*-ibm: component: Networking</issue>
<issue tracker="bnc" id="1228047">VUL-0: CVE-2024-21138: java-*-openjdk,java-*-ibm: OpenJDK: Excessive symbol length can lead to infinite loop</issue>
<issue tracker="bnc" id="1198935">VUL-1: CVE-2021-41041: java-11-openj9,java-1_8_0-openj9: unverified methods can be invoked using MethodHandles</issue>
<issue tracker="bnc" id="1194930">VUL-0: CVE-2022-21277: java-17-openjdk,java-11-openjdk: Incorrect reading of TIFF files in TIFFNullDecompressor</issue>
<issue tracker="bnc" id="1194932">VUL-0: CVE-2022-21296: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk,java-1_7_0-openjdk: Incorrect access checks in XMLEntityManager</issue>
<issue tracker="bnc" id="1213474">VUL-0: CVE-2023-22036: java-17-openjdk,java-1_8_0-openjdk,java-1_8_0-ibm,java-11-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility).</issue>
<issue tracker="bnc" id="1181239">VUL-0: java-1_7_0-openjdk,java-1_8_0-openjdk,java-11-openjdk: Oracle January 2021 CPU</issue>
<issue tracker="bnc" id="1210632">VUL-0: CVE-2023-21938: java-11-openjdk,java-1_8_0-openjdk,java-17-openjdk: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).</issue>
<issue tracker="bnc" id="1204473">VUL-0: CVE-2022-21619: java-1_8_0-openjdk,java-17-openjdk,java-11-openjdk: unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE</issue>
<issue tracker="bnc" id="1188565">VUL-0: CVE-2021-2369: java-1_8_0-openjdk,java-1_7_0-openjdk,java-11-openjdk: JAR file handling problem containing multiple MANIFEST.MF files</issue>
<issue tracker="bnc" id="1201694">VUL-0: CVE-2022-21540: java,openjdk: class compilation issue</issue>
<issue tracker="bnc" id="1210628">VUL-0: CVE-2023-21930: java-17-openjdk,java-11-openjdk,java-1_8_0-openjdk: unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition</issue>
<issue tracker="bnc" id="1204703">VUL-0: CVE-2022-3676: In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type.</issue>
<packager>fstrba</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for java-11-openj9</summary>
<description>This update for java-11-openj9 fixes the following issues:
- Update to OpenJDK 11.0.26 with OpenJ9 0.49.0 virtual machine
- Including Oracle October 2024 and January 2025 CPU changes
* CVE-2024-21208 (boo#1231702), CVE-2024-21210 (boo#1231711),
CVE-2024-21217 (boo#1231716), CVE-2024-21235 (boo#1231719),
CVE-2025-21502 (boo#1236278)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.49/
- Update to OpenJDK 11.0.24 with OpenJ9 0.46.0 virtual machine
- Including Oracle July 2024 CPU changes
* CVE-2024-21131 (boo#1228046), CVE-2024-21138 (boo#1228047),
CVE-2024-21140 (boo#1228048), CVE-2024-21144 (boo#1228050),
CVE-2024-21147 (boo#1228052), CVE-2024-21145 (boo#1228051)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.46/
- Update to OpenJDK 11.0.23 with OpenJ9 0.44.0 virtual machine
- Including Oracle April 2024 CPU changes
* CVE-2024-21012 (boo#1222987), CVE-2024-21094 (boo#1222986),
CVE-2024-21011 (boo#1222979), CVE-2024-21085 (boo#1222984),
CVE-2024-21068 (boo#1222983)
- Including OpenJ9/OMR specific fix:
* CVE-2024-3933 (boo#1225470)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.44/
- Update to OpenJDK 11.0.22 with OpenJ9 0.43.0 virtual machine
- Including Oracle January 2024 CPU changes
* CVE-2024-20918 (boo#1218907), CVE-2024-20919 (boo#1218903),
CVE-2024-20921 (boo#1218905), CVE-2024-20926 (boo#1218906),
CVE-2024-20945 (boo#1218909), CVE-2024-20952 (boo#1218911)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.43/
- Remove the possibility to put back removes JavaEE modules, since
our Java stack does not need this hack any more
- Update to OpenJDK 11.0.21 with OpenJ9 0.41.0 virtual machine
- Including Oracle October 2023 CPU changes
* CVE-2023-22081, boo#1216374
- Including Openj9 0.41.0 fixes of CVE-2023-5676, boo#1217214
* For other OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.41
- Update to OpenJDK 11.0.20.1 with OpenJ9 0.40.0 virtual machine
* JDK-8313765: Invalid CEN header (invalid zip64 extra data
field size)
- Update to OpenJDK 11.0.20 with OpenJ9 0.40.0 virtual machine
- Including Oracle April 2023 CPU changes
* CVE-2023-22006 (boo#1213473), CVE-2023-22036 (boo#1213474),
CVE-2023-22041 (boo#1213475), CVE-2023-22045 (boo#1213481),
CVE-2023-22049 (boo#1213482), CVE-2023-25193 (boo#1207922)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.40
- Update to OpenJDK 11.0.19 with OpenJ9 0.38.0 virtual machine
- Including Oracle April 2023 CPU changes
* CVE-2023-21930 (boo#1210628), CVE-2023-21937 (boo#1210631),
CVE-2023-21938 (boo#1210632), CVE-2023-21939 (boo#1210634),
CVE-2023-21954 (boo#1210635), CVE-2023-21967 (boo#1210636),
CVE-2023-21968 (boo#1210637)
* OpenJ9 specific vulnerability: CVE-2023-2597 (boo#1211615)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.38
- Update to OpenJDK 11.0.18 with OpenJ9 0.36.1 virtual machine
* Including Oracle January 2023 CPU changes
+ CVE-2023-21835, boo#1207246
+ CVE-2023-21843, boo#1207248
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.36
- Update to OpenJDK 11.0.17 with OpenJ9 0.35.0 virtual machine
* Including Oracle October 2022 CPU changes
CVE-2022-21618 (boo#1204468), CVE-2022-21619 (boo#1204473),
CVE-2022-21626 (boo#1204471), CVE-2022-21624 (boo#1204475),
CVE-2022-21628 (boo#1204472), CVE-2022-39399 (boo#1204480)
* Fixes OpenJ9 vulnerability boo#1204703, CVE-2022-3676
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.35
- Update to OpenJDK 11.0.16 with OpenJ9 0.33.0 virtual machine
* Including Oracle July 2022 CPU changes
CVE-2022-21540 (boo#1201694), CVE-2022-21541 (boo#1201692),
CVE-2022-34169 (boo#1201684)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.33
- Update to OpenJDK 11.0.15 with OpenJ9 0.32.0 virtual machine
* Fixes boo#1198935, CVE-2021-41041: unverified methods can be
invoked using MethodHandles
* Including Oracle April 2022 CPU fixes
CVE-2022-21426 (boo#1198672), CVE-2022-21434 (boo#1198674),
CVE-2022-21443 (boo#1198675), CVE-2022-21476 (boo#1198671),
CVE-2022-21496 (boo#1198673)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.32
- Update to OpenJDK 11.0.14.1 with OpenJ9 0.30.1 virtual machine
* including Oracle January 2022 CPU changes (boo#1194925,
boo#1194926, boo#1194927, boo#1194928, boo#1194929, boo#1194930,
boo#1194931, boo#1194932, boo#1194933, boo#1194934, boo#1194935,
boo#1194937, boo#1194939, boo#1194940, boo#1194941)
* OpenJ9 changes see
https://www.eclipse.org/openj9/docs/version0.30.1
- Update to OpenJDK 11.0.13 with OpenJ9 0.29.0 virtual machine
* including Oracle July 2021 and October 2021 CPU changes
(boo#1188564, boo#1188565, boo#1188566, boo#1191901,
boo#1191909, boo#1191910, boo#1191911, boo#1191912,
boo#1191913, boo#1191903, boo#1191904, boo#1191914,
boo#1191906)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.29
- Update to OpenJDK 11.0.11 with OpenJ9 0.26.0 virtual machine
* including Oracle April 2021 CPU changes (boo#1185055 and
boo#1185056)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.26
- Update to OpenJDK 11.0.10 with OpenJ9 0.24.0 virtual machine
* including Oracle January 2021 CPU changes (boo#1181239)
* OpenJ9 changes, see
https://www.eclipse.org/openj9/docs/version0.24
</description>
</patchinfo>
