openjdk-8, openjdk-lts vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 19.10
* Ubuntu 19.04
* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenJDK.

Software Description

* openjdk-lts - Open Source Java implementation
* openjdk-8 - Open Source Java implementation

Details

Jan Jancar, Petr Svenda, and Vladimir Sedlacek discovered that a
side- channel vulnerability existed in the ECDSA implementation in
OpenJDK. An Attacker could use this to expose sensitive
information. (CVE-2019-2894)

It was discovered that the Socket implementation in OpenJDK did
not properly restrict the creation of subclasses with a custom
Socket implementation. An attacker could use this to specially
create a Java class that could possibly bypass Java sandbox
restrictions. (CVE-2019-2945)

Rob Hamm discovered that the Kerberos implementation in OpenJDK
did not properly handle proxy credentials. An attacker could
possibly use this to impersonate another user. (CVE-2019-2949)

It was discovered that a NULL pointer dereference existed in the
font handling implementation in OpenJDK. An attacker could use
this to cause a denial of service (application crash).
(CVE-2019-2962)

It was discovered that the Concurrency subsystem in OpenJDK did
not properly bound stack consumption when compiling regular
expressions. An attacker could use this to cause a denial of
service (application crash). (CVE-2019-2964)

It was discovered that the JAXP subsystem in OpenJDK did not
properly handle XPath expressions in some situations. An attacker
could use this to cause a denial of service (application crash).
(CVE-2019-2973, CVE-2019-2981)

It was discovered that the Nashorn JavaScript subcomponent in
OpenJDK did not properly handle regular expressions in some
situations. An attacker could use this to cause a denial of
service (application crash). (CVE-2019-2975)

It was discovered that the String class in OpenJDK contained an
out-of- bounds access vulnerability. An attacker could use this to
cause a denial of service (application crash) or possibly expose
sensitive information. This issue only affected OpenJDK 11 in
Ubuntu 18.04 LTS, Ubuntu 19.04, and Ubuntu 19.10. (CVE-2019-2977)

It was discovered that the Jar URL handler in OpenJDK did not
properly handled nested Jar URLs in some situations. An attacker
could use this to cause a denial of service (application crash).
(CVE-2019-2978)

It was discovered that the Serialization component of OpenJDK did
not properly handle deserialization of certain object attributes.
An attacker could use this to cause a denial of service
(application crash). (CVE-2019-2983)

It was discovered that the FreetypeFontScaler class in OpenJDK did
not properly validate dimensions of glyph bitmap images read from
font files. An attacker could specially craft a font file that
could cause a denial of service (application crash).
(CVE-2019-2987)

It was discovered that a buffer overflow existed in the
SunGraphics2D class in OpenJDK. An attacker could possibly use
this to cause a denial of service (excessive memory consumption or
application crash). (CVE-2019-2988)

It was discovered that the Networking component in OpenJDK did not
properly handle certain responses from HTTP proxies. An attacker
controlling a malicious HTTP proxy could possibly use this to
inject content into a proxied HTTP connection. (CVE-2019-2989)

It was discovered that the font handling implementation in OpenJDK
did not properly validate TrueType font files in some situations.
An attacker could specially craft a font file that could cause a
denial of service (excessive memory consumption). (CVE-2019-2992)

It was discovered that the JavaDoc generator in OpenJDK did not
properly filter out some HTML elements properly, including
documentation comments in Java source code. An attacker could
possibly use this to craft a Cross-Site Scripting attack.
(CVE-2019-2999)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 19.10
openjdk-11-jdk - 11.0.5+10-0ubuntu1.1
openjdk-11-jre - 11.0.5+10-0ubuntu1.1
openjdk-11-jre-headless - 11.0.5+10-0ubuntu1.1
openjdk-11-jre-zero - 11.0.5+10-0ubuntu1.1

Ubuntu 19.04
openjdk-11-jdk - 11.0.5+10-0ubuntu1.1~19.04
openjdk-11-jre - 11.0.5+10-0ubuntu1.1~19.04
openjdk-11-jre-headless - 11.0.5+10-0ubuntu1.1~19.04
openjdk-11-jre-zero - 11.0.5+10-0ubuntu1.1~19.04

Ubuntu 18.04 LTS
openjdk-11-jdk - 11.0.5+10-0ubuntu1.1~18.04
openjdk-11-jre - 11.0.5+10-0ubuntu1.1~18.04
openjdk-11-jre-headless - 11.0.5+10-0ubuntu1.1~18.04
openjdk-11-jre-zero - 11.0.5+10-0ubuntu1.1~18.04

Ubuntu 16.04 LTS
openjdk-8-jdk - 8u232-b09-0ubuntu1~16.04.1
openjdk-8-jre - 8u232-b09-0ubuntu1~16.04.1
openjdk-8-jre-headless - 8u232-b09-0ubuntu1~16.04.1
openjdk-8-jre-jamvm - 8u232-b09-0ubuntu1~16.04.1
openjdk-8-jre-zero - 8u232-b09-0ubuntu1~16.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

* CVE-2019-2894
* CVE-2019-2945
* CVE-2019-2949
* CVE-2019-2962
* CVE-2019-2964
* CVE-2019-2973
* CVE-2019-2975
* CVE-2019-2977
* CVE-2019-2978
* CVE-2019-2981
* CVE-2019-2983
* CVE-2019-2987
* CVE-2019-2988
* CVE-2019-2989
* CVE-2019-2992
* CVE-2019-2999

--- Mystic BBS v1.12 A43 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)

openjdk-8, openjdk-lts vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 19.10
* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenJDK.

Software Description

* openjdk-8 - Open Source Java implementation
* openjdk-lts - Open Source Java implementation

Details

It was discovered that OpenJDK incorrectly handled exceptions
during deserialization in BeanContextSupport. An attacker could
possibly use this issue to cause a denial of service or other
unspecified impact. (CVE-2020-2583)

It was discovered that OpenJDK incorrectly validated properties of
SASL messages included in Kerberos GSSAPI. An unauthenticated
remote attacker with network access via Kerberos could possibly
use this issue to insert, modify or obtain sensitive information.
(CVE-2020-2590)

It was discovered that OpenJDK incorrectly validated URLs. An
attacker could possibly use this issue to insert, edit or obtain
sensitive information. (CVE-2020-2593)

It was discovered that OpenJDK Security component still used MD5
algorithm. A remote attacker could possibly use this issue to
obtain sensitive information. (CVE-2020-2601)

It was discovered that OpenJDK incorrectly handled the application
of serialization filters. An attacker could possibly use this
issue to bypass the intended filter during serialization.
(CVE-2020-2604)

Bo Zhang and Long Kuan discovered that OpenJDK incorrectly handled
X.509 certificates. An attacker could possibly use this issue to
cause a denial of service. (CVE-2020-2654)

Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau
Brostean and Robert Merget discovered that OpenJDK incorrectly
handled CertificateVerify TLS handshake messages. A remote
attacker could possibly use this issue to insert, edit or obtain
sensitive information. This issue only affected OpenJDK 11.
(CVE-2020-2655)

It was discovered that OpenJDK incorrectly enforced the limit of
datagram sockets that can be created by a code running within a
Java sandbox. An attacker could possibly use this issue to bypass
the sandbox restrictions causing a denial of service. This issue
only affected OpenJDK 8. (CVE-2020-2659)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 19.10
openjdk-11-jdk - 11.0.6+10-1ubuntu1~19.10.1
openjdk-11-jre - 11.0.6+10-1ubuntu1~19.10.1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~19.10.1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~19.10.1
openjdk-8-jdk - 8u242-b08-0ubuntu3~19.10
openjdk-8-jre - 8u242-b08-0ubuntu3~19.10
openjdk-8-jre-headless - 8u242-b08-0ubuntu3~19.10
openjdk-8-jre-zero - 8u242-b08-0ubuntu3~19.10

Ubuntu 18.04 LTS
openjdk-11-jdk - 11.0.6+10-1ubuntu1~18.04.1
openjdk-11-jre - 11.0.6+10-1ubuntu1~18.04.1
openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~18.04.1
openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~18.04.1
openjdk-8-jdk - 8u242-b08-0ubuntu3~18.04
openjdk-8-jre - 8u242-b08-0ubuntu3~18.04
openjdk-8-jre-headless - 8u242-b08-0ubuntu3~18.04
openjdk-8-jre-zero - 8u242-b08-0ubuntu3~18.04

Ubuntu 16.04 LTS
openjdk-8-jdk - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre-headless - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre-jamvm - 8u242-b08-0ubuntu3~16.04
openjdk-8-jre-zero - 8u242-b08-0ubuntu3~16.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

* CVE-2020-2583
* CVE-2020-2590
* CVE-2020-2593
* CVE-2020-2601
* CVE-2020-2604
* CVE-2020-2654
* CVE-2020-2655
* CVE-2020-2659

--- Mystic BBS v1.12 A43 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)

openjdk-lts vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

* Ubuntu 20.04 LTS
* Ubuntu 18.04 LTS

Summary

Several security issues were fixed in OpenJDK.

Software Description

* openjdk-lts - Open Source Java implementation

Details

Johannes Kuhn discovered that OpenJDK incorrectly handled access
control contexts. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2020-14556)

It was discovered that OpenJDK incorrectly handled memory
allocation when reading TIFF image files. An attacker could
possibly use this issue to cause a denial of service.
(CVE-2020-14562)

It was discovered that OpenJDK incorrectly handled input data. An
attacker could possibly use this issue to insert, edit or obtain
sensitive information. (CVE-2020-14573)

Philippe Arteau discovered that OpenJDK incorrectly verified names
in TLS server's X.509 certificates. An attacker could possibly use
this issue to obtain sensitive information. (CVE-2020-14577)

It was discovered that OpenJDK incorrectly handled image files. An
attacker could possibly use this issue to obtain sensitive
information. (CVE-2020-14581)

Markus Loewe discovered that OpenJDK incorrectly handled
concurrent access in java.nio.Buffer class. An attacker could use
this issue to bypass the sandbox restrictions and cause
unspecified impact. (CVE-2020-14583)

It was discovered that OpenJDK incorrectly handled transformation
of images. An attacker could possibly use this issue to bypass
sandbox restrictions and insert, edit or obtain sensitive
information. (CVE-2020-14593)

Roman Shemyakin discovered that OpenJDK incorrectly handled XML
files. An attacker could possibly use this issue to insert, edit
or obtain sensitive information. (CVE-2020-14621)

Update instructions

The problem can be corrected by updating your system to the
following package versions:

Ubuntu 20.04 LTS
openjdk-11-jdk - 11.0.8+10-0ubuntu1~20.04
openjdk-11-jre - 11.0.8+10-0ubuntu1~20.04
openjdk-11-jre-headless - 11.0.8+10-0ubuntu1~20.04
openjdk-11-jre-zero - 11.0.8+10-0ubuntu1~20.04

Ubuntu 18.04 LTS
openjdk-11-jdk - 11.0.8+10-0ubuntu1~18.04.1
openjdk-11-jre - 11.0.8+10-0ubuntu1~18.04.1
openjdk-11-jre-headless - 11.0.8+10-0ubuntu1~18.04.1
openjdk-11-jre-zero - 11.0.8+10-0ubuntu1~18.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

* CVE-2020-14556
* CVE-2020-14562
* CVE-2020-14573
* CVE-2020-14577
* CVE-2020-14581
* CVE-2020-14583
* CVE-2020-14593
* CVE-2020-14621

--- Mystic BBS v1.12 A45 (Linux/64)
* Origin: BZ&BZ BBS (21:4/110)