[USN-3747-2] OpenJDK 10 regression


–===============1905215917317727096==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol=”application/pgp-signature”; boundary=”a+b56+3nqLzpiR9O”
Content-Disposition: inline

–a+b56+3nqLzpiR9O
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-3747-2
September 12, 2018

openjdk-lts regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 18.04 LTS

Summary:

USN-3747-1 introduced a regression in OpenJDK 10.

Software Description:
– openjdk-lts: Open Source Java implementation

Details:

USN-3747-1 fixed vulnerabilities in OpenJDK 10 for Ubuntu 18.04 LTS.
Unfortunately, that update introduced a regression around accessability
support that prevented some Java applications from starting.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that OpenJDK did not properly validate types in some
situations. An attacker could use this to construct a Java class that could
possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826)

It was discovered that the PatternSyntaxException class in OpenJDK did not
properly validate arguments passed to it. An attacker could use this to
potentially construct a class that caused a denial of service (excessive
memory consumption). (CVE-2018-2952)

Daniel Bleichenbacher discovered a vulnerability in the Galois/Counter Mode
(GCM) mode of operation for symmetric block ciphers in OpenJDK. An attacker
could use this to expose sensitive information. (CVE-2018-2972)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
openjdk-11-jdk 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jdk-headless 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jre 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jre-headless 10.0.2+13-1ubuntu0.18.04.2
openjdk-11-jre-zero 10.0.2+13-1ubuntu0.18.04.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3747-2
https://usn.ubuntu.com/usn/usn-3747-1
https://launchpad.net/bugs/1788250

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/10.0.2+13-1ubuntu0.18.04.2

–a+b56+3nqLzpiR9O
Content-Type: application/pgp-signature; name=”signature.asc”

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAluZlskACgkQLwmejQBe
gfRt1xAAnCtl51726vQyMg0c2Nrflq2eC/8S3aN+BvG+7vNvJQg3w/+Rn1kygJGS
eYtYCWTD0Sxx8GYkVFtPMZSFCVe6JPX+rHOe0CBV0OXzMMP4cnb8egiEJKoaupHP
yiDDX99XzJ+Sweqlimp4ni5WZ2crpUk1yYq8oLs2aitYSU0BjfqtBiZdl/vUH7Tw
EP4rjgS8/jroM7aChi5ojYpG+sxmAtlDs3ivfv8BAj4xSl2E4TO0SGexfGXS0/3r
e2XbEwV9eT5JGy0wTcZI283e3buHBWjhkwB/ozL4FLBI3geyTu8JS7q+nJK4koMu
VtChzODt53YQLOwjnTPoWmCcPyfVcoV/rZ3oT+AONzUMQrtwBD6y9Z5y8i/tbwoS
hWNWiRk34Sttrv3BZv0hU0WwKIZAh4qOmojxYs1VBrVO4Ac8Oo+IIFFpocQIB+G5
sxAyoMtnKNO+Db511X4xr2ehnfToN9CItrd22cFQjZWNL6mDukkvQ9NGABvHfc/l
/zcozSmqXjUqnkF3v48SpJdUeVYlYOzTRnZozla3N6blUydeDj9BdbdvrOE1Hd/a
h/nnhxgDfRk3fPhAnaG+Bh27dv061mLLVHDLNPIXjHwAN/Pp+1nxEvN9j3Pm1DHR
z2KxtWV0GJUibSAZKz8ymM8EF7rCkXYSCBc3GGs3KqkJnIFfa0o=
=YusV
—–END PGP SIGNATURE—–

–a+b56+3nqLzpiR9O–

–===============1905215917317727096==
Content-Type: text/plain; charset=”utf-8″
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

–===============1905215917317727096==–