SUSE-CU-2024:466-1: Security update of bci/openjdk-devel
sle-container-updates at lists.suse.com
Tue Feb 6 08:04:11 UTC 2024
SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:466-1
Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17-15.40 , bci/openjdk-devel:latest
Container Release : 15.40
Severity : important
Type : security
References : 1107342 1215434 1218571 1218903 1218905 1218907 1218908 1218909
1218911 1219238 CVE-2023-7207 CVE-2024-20918 CVE-2024-20919 CVE-2024-20921
CVE-2024-20932 CVE-2024-20945 CVE-2024-20952
-----------------------------------------------------------------
The container bci/openjdk-devel was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:305-1
Released: Thu Feb 1 17:33:38 2024
Summary: Security update for cpio
Type: security
Severity: moderate
References: 1218571,1219238,CVE-2023-7207
This update for cpio fixes the following issues:
- Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:322-1
Released: Fri Feb 2 15:13:26 2024
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1107342,1215434
This update for aaa_base fixes the following issues:
- Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:325-1
Released: Mon Feb 5 11:39:10 2024
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1218903,1218905,1218907,1218908,1218909,1218911,CVE-2024-20918,CVE-2024-20919,CVE-2024-20921,CVE-2024-20932,CVE-2024-20945,CVE-2024-20952
This update for java-17-openjdk fixes the following issues:
Updated to version 17.0.10 (January 2024 CPU):
- CVE-2024-20918: Fixed an out of bounds access in the Hotspot JVM
due to a missing bounds check (bsc#1218907).
- CVE-2024-20919: Fixed a sandbox bypass in the Hotspot JVM class
file verifier (bsc#1218903).
- CVE-2024-20921: Fixed an incorrect optimization in the Hotspot JVM
that could lead to corruption of JVM memory (bsc#1218905).
- CVE-2024-20932: Fixed an incorrect handling of ZIP files with
duplicate entries (bsc#1218908).
- CVE-2024-20945: Fixed a potential private key leak through debug
logs (bsc#1218909).
- CVE-2024-20952: Fixed an RSA padding issue and timing side-channel
attack against TLS (bsc#1218911).
Find the full release notes at:
https://mail.openjdk.org/pipermail/jdk-updates-dev/2024-January/029089.html
The following package changes have been done:
- cpio-2.13-150400.3.6.1 updated
- aaa_base-84.87+git20180409.04c9dae-150300.10.9.1 updated
- java-17-openjdk-headless-17.0.10.0-150400.3.36.1 updated
- java-17-openjdk-17.0.10.0-150400.3.36.1 updated
- java-17-openjdk-devel-17.0.10.0-150400.3.36.1 updated
- container:bci-openjdk-17-15.5.17-15.19 updated