
Mageia alert MGASA-2019-0302 (java-1.8.0-openjdk)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2019-0302: Updated java-1.8.0-openjdk packages fix security vulnerabilities
Date:  Wed, 23 Oct 2019 23:07:54 +0200
Message-ID:  <20191023210754.4AD969F739@duvel.mageia.org>

MGASA-2019-0302 - Updated java-1.8.0-openjdk packages fix security vulnerabilities

Publication date: 23 Oct 2019
URL: https://advisories.mageia.org/MGASA-2019-0302.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-2945, CVE-2019-2949, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2999

Description:
The updated packages fix several bugs and some security issues:

Missing restrictions on use of custom SocketImpl (Networking, 8218573). (CVE-2019-2945)

Improper handling of Kerberos proxy credentials (Kerberos, 8220302). (CVE-2019-2949)

NULL pointer dereference in DrawGlyphList (2D, 8222690). (CVE-2019-2962)

Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684). (CVE-2019-2964)

Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505). (CVE-2019-2973)

Unexpected exception thrown during regular expression processing in Nashorn (Scripting, 8223518). (CVE-2019-2975)

Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892). (CVE-2019-2978)

Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532). (CVE-2019-2981)

Unexpected exception thrown during Font object deserialization (Serialization, 8224915). (CVE-2019-2983)

Missing glyph bitmap image dimension check in FreetypeFontScaler (2D, 8225286). (CVE-2019-2987)

Integer overflow in bounds check in SunGraphics2D (2D, 8225292). (CVE-2019-2988)

Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298). (CVE-2019-2989)

Excessive memory allocation in CMap when reading TrueType font (2D, 8225597). (CVE-2019-2992)

Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765). (CVE-2019-2999)

References:
- https://bugs.mageia.org/show_bug.cgi?id=25576
- https://access.redhat.com/errata/RHSA-2019:3128
- https://www.oracle.com/technetwork/security-advisory/cpuo...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999

SRPMS:
- 7/core/java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7



