Red Hat Security Advisory 2022-1490-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  ====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1490-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1490   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   ====================================================================   1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.4 Extended Update Support.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat CodeReady Linux Builder EUS (v. 8.4) - aarch64, ppc64le, x86_64   Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream EUS (v.8.4):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_4.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_4.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_4.x86_64.rpm  Red Hat CodeReady Linux Builder EUS (v. 8.4):  aarch64:   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.aarch64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.aarch64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.ppc64le.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.ppc64le.rpm  x86_64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_4.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJltzjgjWX9erEAQixhg/9FlN+3plAc+A56+yeOsQFp10F8gb8c3Du   rKpHuht4ZZtfSXf9RjW/DigMdpo9+2d2LAQc3rVEZydM7CwP2v051CUxU6Okukz2   MDYLcT4xV9SVl0XJxw3YMbOuH1HgSL3qkypnOOL7G5WeQHV5iU3khQ07IlousGQu   jKYzdOLwzm/LqAWgKhj+hRCruS+ZlVjsX+FuU09wpwI1BjtW7e7Kcl6lzO/9QoBa   29h+bmEYBR6cZWdqfxtvIwtOOqbx7csnl3oOOxhOiDHbgn6aq/7kyfeexvk0uiSw   IeSijMTcxeE0/HbI+QXkI3iws2yetf8mZSrXZYCzhDulwRyKNY8x04FpkDq1YUrT   xZTGzlw7iiZaeMqVRfHQCBBnQy1di4hQiGdafeIvWZBT730BpVkrjLGcvzG5v1Ul   PGyjq4LoCPUJUGUITi/1O3GDiizXH/qSeYxjxcD5K4KjoMuCxIbqoBoB21nQVxcN   NIG+iiuwaojdK1UWGGJ2wAwui4PLh+wCujXYGXuSgeK3GVtaWPAwAJU7kPO3F2y7   n00IB9CmxIDXLLHwuxRCpWoVxcK/lXRyH28iNvyys7+b9ZUvpEeFthrM/BcZi0UL   kldsaQETrT6TLIaBu00+ImXzLOsc8QnqJGpcXZ80tj7YURXVloin57kHQtf5OiJd   nznTOjxJ3RE=U1D6   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1490-01

Red Hat Security Advisory 2022-1491-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1491-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1491   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64   Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream (v. 8):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_5.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_5.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.x86_64.rpm  Red Hat CodeReady Linux Builder (v. 8):  aarch64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm  x86_64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJi9zjgjWX9erEAQiJFw//aHWpEtdVlArGK/D4EUJG8P7QKzMgLGYh   y6WHYvXmMjiwhl/1o7PXUzUXjmGkAQQ4bOOkyWndbc4DsBMwuz7/otmF64h0Ol5K   LMEiW1EZPkn8zaVzRJegL9y8GbP0jEg0MNFJ6SUtYS1fkYIxXc22LfFskzeNKxFy   vNfWIPx7lN1+jQgubTi0WKVcBnXjBwQ/ZloPQzzRanrW6QfM3K8a0C7X+DeJO5wR   lWGMYCkRZCKXxSCEWDv81pNwXy2S9SuV6Mo9VgW3TG+UfLkhIePA4yebDhnFQi/p   BizL9/b8UIb6CEgdNIj4csK49b7Ae8ABArhWSi1aAscQZNO9gAwgWGTKZAh7ZhQt   jEnaZpf9U/V+imLXyiqsknUQHH/vqIVYWTSnAwgYwNDDrPWtnHwBuRUh2MzE3cUY   CCHTneQ3GRYSm3hVlixf8L27uLh7ofad9vVHo/Jo33XM+o7dbC3/HGQasxWljNgY   j6aEKnNgtFTrLc4fARgKwC2j0qbZm9Nb5KXTmzdbtwgzFOGBlMnEmFWuDWncZ/Y/   el7MVYb/BiEGFhUH520mOPE+heeJYdRladjbgaq9+wu5zDyZ3K4CFIND81JPY1OT   X6QTIP8K0NGoAxOrhOOKQYDWi07I1AjCy86QPGIoMBaOW+RezxKjp3PDQovaNAAl   HNuIUczreHE=   =Kska   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1491-01

Red Hat Security Advisory 2022-1487-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security, bug fix, and enhancement update   Advisory ID: RHSA-2022:1487-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1487   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 7.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux Client (v. 7) - x86_64   Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64   Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Workstation (v. 7) - x86_64   Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2047529 - Prepare for the next quarterly OpenJDK upstream release (2022-04, 8u332) [rhel-7]   2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux Client (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Client Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  ppc64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  ppc64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJhNzjgjWX9erEAQhPuw//Zb0N99JyndrQMfmjrUw7kGh4hagh5/6v   EmZbNfmYZ3WtF7kOdNWzJ1bVnND5FsUZD1gHKz12ico5O+L+3yfkvqbPZe6F8DtE   XM391+BBLRe5A27rArHPpx1gM76N01BO7SBdawDXR7ZOHw0qF8nWa7AGzmzbNAYx   mn6RXFVvmlCLGDI83/aRY5wi7WPssQ0FAj4HB5ngeYLMEzzlQ63bQM6zoysW5aD9   K/Y0b1b/zpdawLaHJSCMLGPjNd5rRgBmQtNK94OVITMcgbYBEvQU9buDq9NoGrbK   Qp+MXaweMYtFJoDVP3PqiiZdu20nagfH8sfnBpw6LXqh2yWjvrSPJpniNm0jRPLk   YBReD1bLSk8JpQkTKjdSq8S6hQlNqzTHukNFTi4O7wkI031h2G/EV9kGf3nF7/uX   hGiwl2WAgwfM1CnFm9keiVZYj5aGHsLaxHqe0At8SU0c60UqAqJ4Ms924XKAkxrK   5+qAErYzOENysGss43zcwW2ru585gJzQmXUwLZmQ4AKeNp19xSwBro4RFJfKtZgv   N6rukoMIr3X9AE++k7iNTYh3c5wWoExU3yri8TYaap8sCk+Uys0kLHhMTW7eXH9X   U81tTAy5JVvLLmlijIe4/exnpdBXcJTeruKpNX7NT6BR/kQtApDORJcLoOK5Eowg   kmZ0zK+vqwM=   =TsnX   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1487-01

Red Hat Security Advisory 2022-1488-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1488-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1488   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.1 Update Services for SAP Solutions.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream E4S (v. 8.1):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_1.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_1.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJfNzjgjWX9erEAQgiKxAAoi0SREMKqTnKqWglR369v/Ni6B3d7xxj   glSaMGBkgf+2xZkI4eXqAr1EjpzNtTxWAvP6ORU+G03K38lhjKW77cJVCWntN83m   QpQ2pE936Lgcq03dJYX8KcVWutFS3WKeLXFdwlVGFxTvMMa+3BTYDMMrQWgahjet   jZAb1xqEYFJJ/MQ8hAIaZeHR5aM+G+BMhGFbNsHD+HVeLFl8vfgzJGNPQ2C9HJS8   9iZiaKRKEF4otzu+qYG7FPuZYqjE41xEzlQvmDcADBuD+CJUq9s1uf4dBKwhoAdc   E3GYmziH/WIMOKs1q/vyT8otnGZLd8V2PJTJYgMl33y/GWbMycFP5+VUaN5ag+je   36iBwmWsoVtDUz2UYrZJn28mUPGBEeaaFJ7+YFYpoo1hS3xwoNm6l8qB+LYJT8sk   v2Wh0IZolzQHEYhFYSapbpFciVOUaZZ7xfZ9k7MUJilT6oLj25kgrE/YLBF1xG12   KqQxiFDJ/r1Lh0P1ZaBc30gdsGMmQZ6sxJD0AJsLTq+zd6WJA9/bna4d/e5nsNPw   kGmazfEukC3vOUVV2wQ1QqihHUhx6ZJNyZb/KdO6oj5RWSu1t/wVuovqDZyeMNMs   /w7rQiTGU9q2HgggRq0EpuoN344t/dP94IJKESffvZDdSYLmaeVsIXHJ8RzYHS9M   tpSd0s3muU8=   =bWrm   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1488-01

Red Hat Security Advisory 2022-1489-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1489-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1489   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.2 Extended Update Support.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream EUS (v. 8.2):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_2.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_2.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJcdzjgjWX9erEAQiaBBAAhsv+re6Xov/rKez1Zu38eQ3HX4oeHWVc   W/em2WfOnx52qXAoSOVSXOil7+b36Og8y+q/aTbfVqVYJgdvuXysGpbr5ny2M9Yo   JKvCMtvY01nQ7A1yZqejxBVmVTRpcb0uOJWnV1c2Ma9dozTNw++7bMybCeTVuU9H   A8R9l2gOnf82rQ0cLyktwBSicoPAC7B3HmMmE3K+D04bgzlBwQUJniLA7oE+Z5HC   yA0nZiH629g0DBVpEEhEfsVjNbc+qAHrXk0r0FV6BaNCvZqqsk48+ma+jcMDgfJe   Uos/y3VRf31+msru1a2bhHRVUcMVvLjqD+hAHZV/WIf++YqkkojG5sSfdTL/jxrR   RTTB0vvfaPZJH2a7STkGqfAeKTWjWXBjVf9UeectEKPwW00PTgTTBEQ3I/22qADB   x+/MF382C4WhAVmviKke1tXfn0cJIuIJdPfnGuoSeNPxnIzw4hb385OeAInQdTkK   HgdVtJXmHSqG8DU5gaP9r5LCeU3GtogBwj9ARTZ2z5b2dbOOZSslzH80PUkjdi4w   /BTlG0LTgGj06lgfX64GOhTadEsVTHuNaKFfk2a2781ETLF3Cv67fMrLl2jfM70r   +Npu8oJ/sBX5TK4Whv+hEDZBQcBUDge5xEDJ2J/m4MxI3XyAVkl88CT1tuGjYbS7   nGyAfWdwLoY=   =0y1v   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1489-01

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.

At Line 470 in the code below, we call yang_data_new, which will further call strdup(raw_pdu). However, raw_pdu is not guaranteed to be a zero-terminated string and, thus, will lead to a stack overflow in strdup. When I set raw_pdu[raw_pdu_len - 1] to \0, then the bug disappears. Note that strdup should be used with a C-string.

In the same file, isis_nb_notifications.c, there are **8 places** where yang_data_new are used with raw_pdu and, thus, may have the overflow bug. Please check and suggest a fix. I can give a pull request then.

void isis\_notif\_id\_len\_mismatch(const struct isis\_circuit \*circuit,

uint8\_t rcv\_id\_len, const char \*raw\_pdu,

size\_t raw\_pdu\_len)

{

const char \*xpath = "/frr-isisd:id-len-mismatch";

struct list \*arguments = yang\_data\_list\_new();

char xpath\_arg\[XPATH\_MAXLEN\];

struct yang\_data \*data;

struct isis\_area \*area = circuit->area;

notif\_prep\_instance\_hdr(xpath, area, "default", arguments);

notif\_prepr\_iface\_hdr(xpath, circuit, arguments);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/pdu-field-len", xpath);

data = yang\_data\_new\_uint8(xpath\_arg, rcv\_id\_len);

listnode\_add(arguments, data);

snprintf(xpath\_arg, sizeof(xpath\_arg), "%s/raw-pdu", xpath);

data = yang\_data\_new(xpath\_arg, raw\_pdu);

listnode\_add(arguments, data);

What follows is the output of the address sanitizer:

    ==48351==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffe596a3a76 at pc 0x000000543e97 bp 0x7ffe596a3020 sp 0x7ffe596a27e0
    READ of size 23 at 0x7ffe596a3a76 thread T0
        #0 0x543e96 in strdup (/home/parallels/myfrr/isisd/isisd+0x543e96)
        #1 0x84f73d in yang_data_new /home/parallels/myfrr/lib/yang.c:608:17
        #2 0x6716eb in isis_notif_id_len_mismatch /home/parallels/myfrr/isisd/isis_nb_notifications.c:470:9
        #3 0x5cedcf in isis_handle_pdu /home/parallels/myfrr/isisd/isis_pdu.c:1706:3

CVE-2022-26126: isisd: misusing strdup leads to stack overflow · Issue #10505 · FRRouting/frr

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.

CVE-2021-42117: Release Notes - TopEase Documentation

vim is vulnerable to Heap-based Buffer Overflow

@@ -464,13 +464,13 @@ win\_redr\_status(win\_T \*wp, int ignore\_pum UNUSED)

\*(p + len++) = ' ';

if (bt\_help(wp->w\_buffer))

{

STRCPY(p + len, \_("\[Help\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[Help\]"));

len += (int)STRLEN(p + len);

}

#ifdef FEAT\_QUICKFIX

if (wp->w\_p\_pvw)

{

STRCPY(p + len, \_("\[Preview\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[Preview\]"));

len += (int)STRLEN(p + len);

}

#endif

@@ -480,12 +480,12 @@ win\_redr\_status(win\_T \*wp, int ignore\_pum UNUSED)

#endif

)

{

STRCPY(p + len, "\[+\]");

len += 3;

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", "\[+\]");

len += (int)STRLEN(p + len);

}

if (wp->w\_buffer\->b\_p\_ro)

{

STRCPY(p + len, \_("\[RO\]"));

vim\_snprintf((char \*)p + len, MAXPATHL - len, "%s", \_("\[RO\]"));

len += (int)STRLEN(p + len);

}

CVE-2021-3872: patch 8.2.3487: illegal memory access if buffer name is very long · vim/vim@826bfe4

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2021-40690

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an XML Injection vulnerability in the Widgets Update Layout. An attacker with admin privileges can trigger a specially crafted script to achieve remote code execution.

Security Updates Available for Adobe Commerce | APSB21-64

Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.       

**Product**

**Version**

**Platform**

Adobe Commerce  

2.4.2 and earlier versions    

All  

2.4.2-p1 and earlier versions    

All

2.3.7 and earlier versions   

All  

Magento Open Source 

2.4.2-p1 and earlier versions  

All

2.3.7 and earlier versions     

All

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Release Notes

Adobe Commerce  

2.4.3    

All  

2  

2.4.x release notes

2.3.x release notes

2.4.2-p2  

All  

2  

2.3.7-p1  

All  

2  

Magento Open Source   

2.4.3    

All  

2  

2.4.2-p2  

All

2

2.3.7-p1   

All  

2  

Vulnerability Category

Vulnerability Impact

Severity

Pre-authentication?

Admin privileges required?

**CVSS base score**  

**CVSS vector**  

Magento Bug ID

CVE numbers

Business Logic Errors (CWE-840)  

Security feature bypass

 Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2934

CVE-2021-36012

Cross-site Scripting (Stored XSS) (CWE-79)

Arbitrary code execution

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

PRODSECBUG-2963

PRODSECBUG-2964

CVE-2021-36026

CVE-2021-36027

Improper Access Control (CWE-284)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2977

CVE-2021-36036

Improper Authorization (CWE-285)

Security feature bypass

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2968

CVE-2021-36029

Improper Authorization (CWE-285)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2980

CVE-2021-36037

Improper Input Validation (CWE-20)

Application denial-of-service

Critical

No

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

PRODSECBUG-3004

CVE-2021-36044

Improper Input Validation (CWE-20)

Privilege escalation

Critical

yes

no

8.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

PRODSECBUG-2971

CVE-2021-36032

Improper Input Validation (CWE-20)

Security feature bypass

Critical

no

no

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

 PRODSECBUG-2969

CVE-2021-36030

Improper Input Validation (CWE-20)

Security feature bypass

Important

no

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2982

CVE-2021-36038

Improper Input Validation (CWE-20)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2959

 PRODSECBUG-2960

 PRODSECBUG-2962

PRODSECBUG-2975

PRODSECBUG-2976

PRODSECBUG-2987

PRODSECBUG-2988

PRODSECBUG-2992

CVE-2021-36021

CVE-2021-36024

CVE-2021-36025

CVE-2021-36034

CVE-2021-36035

CVE-2021-36040

CVE-2021-36041

CVE-2021-36042

Path Traversal

(CWE-22)

Arbitrary code execution

Critical

yes

yes

7.2

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

PRODSECBUG-2970

CVE-2021-36031

OS Command Injection (CWE-78)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2958

PRODSECBUG-2960

CVE-2021-36022

CVE-2021-36023

Incorrect Authorization (CWE-863)

Arbitrary file system read

Important

yes

no

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

PRODSECBUG-2984

CVE-2021-36039

Server-Side Request Forgery (SSRF)

(CWE-918)

Arbitrary code execution

Critical

yes

yes

8

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

PRODSECBUG-2996

CVE-2021-36043

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

no

no

8.2

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

PRODSECBUG-2937

CVE-2021-36020

XML Injection

(aka Blind XPath Injection) (CWE-91)

Arbitrary code execution

Critical

yes

yes

9.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 PRODSECBUG-2965

PRODSECBUG-2972

CVE-2021-36028

CVE-2021-36033

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

*   Blaklis (CVE-2021-36023, CVE-2021-36026, CVE-2021-36027, CVE-2021-36036, CVE-2021-36029, CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36031)
*   Igorsdv (CVE-2021-36012)
*   Zb3 (CVE-2021-36037, CVE-2021-36032, CVE-2021-36038, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042, CVE-2021-36039, CVE-2021-36043, CVE-2021-36033, CVE-2021-36028)
*   Dftrace (CVE-2021-36044)
*   Floorz (CVE-2021-36030)
*   Eboda (CVE-2021-36022)
*   Trivani Pant on behalf of Broadway Photo Supply Limited (CVE-2021-36020)  
    

August 13, 2021: Updated Magento/Magento commerce with Adobe Commerce. 

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Tag

#xpath