Red Hat alert RHSA-2023:5733-01 (java-1.8.0-openjdk)

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise
Linux 9.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: segmentation fault in ciMethodBlocks (CVE-2022-40433)

* OpenJDK: IOR deserialization issue in CORBA (8303384) (CVE-2023-22067)

* OpenJDK: certificate path validation issue during client authentication
(8309966) (CVE-2023-22081)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* A maximum signature file size property, jdk.jar.maxSignatureFileSize, was
introduced in the 8u382 release of OpenJDK by JDK-8300596, with a default of
8 MB. This default proved to be too small for some JAR files. This release,
8u392, increases it to 16 MB. (RHEL-13593)

* The /usr/bin/jfr alternative is now owned by the java-1.8.0-openjdk package
(RHEL-13583)

This content is licensed under the Creative Commons Attribution 4.0
International License (https://creativecommons.org/licenses/by/4.0/). If you
distribute this content, or a modified version of it, you must provide
attribution to Red Hat Inc. and provide a link to the original.

Original: https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5733.json