user/openjdk: multiple vulnerabilities
| Bugzilla ID | 333 |
| Alias(es) | CVE-2020-14556, CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14581, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621, CVE-2020-14664, CVE-2020-14779, CVE-2020-14781, CVE-2020-14782, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798, CVE-2020-14803 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-07-16 18:39:18 -0500 |
| Modified | 2020-10-26 01:43:04 -0500 |
| Status | UNCONFIRMED |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/openjdk |
| URL | https://www.oracle.com/security-alerts/cpujul2020.html |
Description
CVE-2020-14556: Better ForkJoinPool behavior
CVE-2020-14577: Enhance certificate verification
CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)
CVE-2020-14581: Better matrix operations
CVE-2020-14583: Better Buffer support
CVE-2020-14593: Less Affine Transformations
CVE-2020-14621: Better XML namespace handling
Fixed in >= OpenJDK 8u262 https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-July/012143.html
Waiting on icedtea 3.17.0 to drop https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3787
Note: the Oracle advisory mentions that CVE-2020-14664 affects 8u251 as well. It is unclear whether this was already addressed in 8u252 (unlikely) or does not affect OpenJDK/IcedTea. I could not find any references in their bug trackers, nor on RedHat's bug tracker.