java-11-openjdk-11.0.25.0.9-2.el8

Errata ID: AXSA:2024-8931:17

Release date: Tuesday, October 22, 2024 - 17:38
Subject: java-11-openjdk-11.0.25.0.9-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)
* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)
* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)
* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)
* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-48161
Buffer overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpScreen2RGB function in gif2rgb.c.
CVE-2024-21208
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21210
Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2024-21217
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2024-21235
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-11-openjdk-11.0.25.0.9-2.el8.src.rpm
    Size: 68.43 MB

Asianux Server 8 for x86_64
  1. java-11-openjdk-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 476.21 kB
  2. java-11-openjdk-demo-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 4.40 MB
  3. java-11-openjdk-demo-fastdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 4.40 MB
  4. java-11-openjdk-demo-slowdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 4.40 MB
  5. java-11-openjdk-devel-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 3.39 MB
  6. java-11-openjdk-devel-fastdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 3.39 MB
  7. java-11-openjdk-devel-slowdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 3.39 MB
  8. java-11-openjdk-fastdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 489.51 kB
  9. java-11-openjdk-headless-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 41.63 MB
  10. java-11-openjdk-headless-fastdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 46.65 MB
  11. java-11-openjdk-headless-slowdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 46.18 MB
  12. java-11-openjdk-javadoc-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 16.01 MB
  13. java-11-openjdk-javadoc-zip-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 42.17 MB
  14. java-11-openjdk-jmods-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 344.34 MB
  15. java-11-openjdk-jmods-fastdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 299.46 MB
  16. java-11-openjdk-jmods-slowdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 231.37 MB
  17. java-11-openjdk-slowdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 463.48 kB
  18. java-11-openjdk-src-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 50.56 MB
  19. java-11-openjdk-src-fastdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 50.57 MB
  20. java-11-openjdk-src-slowdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 50.57 MB
  21. java-11-openjdk-static-libs-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 38.42 MB
  22. java-11-openjdk-static-libs-fastdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 38.76 MB
  23. java-11-openjdk-static-libs-slowdebug-11.0.25.0.9-2.el8.x86_64.rpm
    Size: 33.56 MB