Category Archives: Advisories

java-latest-openjdk-19.0.1.0.10-2.rolling.fc36

Read Time:1 Minute, 54 Second

FEDORA-2022-e8698f2e5e

Packages in this update:

java-latest-openjdk-19.0.1.0.10-2.rolling.fc36

Update description:

New in release OpenJDK 19.0.1 (2022-10-18)

Full release notes

CVEs Fixed

CVE-2022-21618
CVE-2022-21619
CVE-2022-21624
CVE-2022-21628
CVE-2022-39399

Security Fixes

JDK-8282252: Improve BigInteger/Decimal validation
JDK-8285662: Better permission resolution
JDK-8286077: Wider MultiByte conversions
JDK-8286511: Improve macro allocation
JDK-8286519: Better memory handling
JDK-8286526: Improve NTLM support
JDK-8286910: Improve JNDI lookups
JDK-8286918: Better HttpServer service
JDK-8287446: Enhance icon presentations
JDK-8288508: Enhance ECDSA usage
JDK-8289366: Improve HTTP/2 client usage
JDK-8289853: Update HarfBuzz to 4.4.1
JDK-8290334: Update FreeType to 2.12.1

Major Changes

JDK-8292654: G1 Remembered set memory footprint regression after JDK-8286115

JDK-8286115 changed ergonomic sizing of a component of the remembered sets in G1. This change causes increased native memory usage of the Hotspot VM for applications that create large remembered sets with the G1 collector.

In an internal benchmark total GC component native memory usage rose by almost 10% (from 1.2GB to 1.3GB).

This issue can be worked around by passing double the value of G1RemSetArrayOfCardsEntries as printed by running the application with -XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions to your application.

E.g. pass -XX:+UnlockExperimentalVMOptions -XX:G1RemSetArrayOfCardsEntries=128 if a previous run showed a value of 64 for G1RemSetArrayOfCardsEntries in the output of -XX:+PrintFlagsFinal.

JDK-8292579: Update Timezone Data to 2022c

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b

Read More

java-latest-openjdk-19.0.1.0.10-2.rolling.fc37

Read Time:1 Minute, 56 Second

FEDORA-2022-d0ed59bee7

Packages in this update:

java-latest-openjdk-19.0.1.0.10-2.rolling.fc37

Update description:

New in release OpenJDK 19.0.1 (2022-10-18)

Full release notes
This update depends on FEDORA-2022-d0fc6f0dd4

CVEs Fixed

CVE-2022-21618
CVE-2022-21619
CVE-2022-21624
CVE-2022-21628
CVE-2022-39399

Security Fixes

JDK-8282252: Improve BigInteger/Decimal validation
JDK-8285662: Better permission resolution
JDK-8286077: Wider MultiByte conversions
JDK-8286511: Improve macro allocation
JDK-8286519: Better memory handling
JDK-8286526: Improve NTLM support
JDK-8286910: Improve JNDI lookups
JDK-8286918: Better HttpServer service
JDK-8287446: Enhance icon presentations
JDK-8288508: Enhance ECDSA usage
JDK-8289366: Improve HTTP/2 client usage
JDK-8289853: Update HarfBuzz to 4.4.1
JDK-8290334: Update FreeType to 2.12.1

Major Changes

JDK-8292654: G1 Remembered set memory footprint regression after JDK-8286115

JDK-8286115 changed ergonomic sizing of a component of the remembered sets in G1. This change causes increased native memory usage of the Hotspot VM for applications that create large remembered sets with the G1 collector.

In an internal benchmark total GC component native memory usage rose by almost 10% (from 1.2GB to 1.3GB).

This issue can be worked around by passing double the value of G1RemSetArrayOfCardsEntries as printed by running the application with -XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions to your application.

E.g. pass -XX:+UnlockExperimentalVMOptions -XX:G1RemSetArrayOfCardsEntries=128 if a previous run showed a value of 64 for G1RemSetArrayOfCardsEntries in the output of -XX:+PrintFlagsFinal.

JDK-8292579: Update Timezone Data to 2022c

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b

Read More

java-latest-openjdk-19.0.1.0.10-2.rolling.fc35

Read Time:1 Minute, 56 Second

FEDORA-2022-ec7de69ceb

Packages in this update:

java-latest-openjdk-19.0.1.0.10-2.rolling.fc35

Update description:

New in release OpenJDK 19.0.1 (2022-10-18)

Full release notes
This update depends on FEDORA-2022-10bb6f119e

CVEs Fixed

CVE-2022-21618
CVE-2022-21619
CVE-2022-21624
CVE-2022-21628
CVE-2022-39399

Security Fixes

JDK-8282252: Improve BigInteger/Decimal validation
JDK-8285662: Better permission resolution
JDK-8286077: Wider MultiByte conversions
JDK-8286511: Improve macro allocation
JDK-8286519: Better memory handling
JDK-8286526: Improve NTLM support
JDK-8286910: Improve JNDI lookups
JDK-8286918: Better HttpServer service
JDK-8287446: Enhance icon presentations
JDK-8288508: Enhance ECDSA usage
JDK-8289366: Improve HTTP/2 client usage
JDK-8289853: Update HarfBuzz to 4.4.1
JDK-8290334: Update FreeType to 2.12.1

Major Changes

JDK-8292654: G1 Remembered set memory footprint regression after JDK-8286115

JDK-8286115 changed ergonomic sizing of a component of the remembered sets in G1. This change causes increased native memory usage of the Hotspot VM for applications that create large remembered sets with the G1 collector.

In an internal benchmark total GC component native memory usage rose by almost 10% (from 1.2GB to 1.3GB).

This issue can be worked around by passing double the value of G1RemSetArrayOfCardsEntries as printed by running the application with -XX:+PrintFlagsFinal -XX:+UnlockExperimentalVMOptions to your application.

E.g. pass -XX:+UnlockExperimentalVMOptions -XX:G1RemSetArrayOfCardsEntries=128 if a previous run showed a value of 64 for G1RemSetArrayOfCardsEntries in the output of -XX:+PrintFlagsFinal.

JDK-8292579: Update Timezone Data to 2022c

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone database. All time zone IDs remain the same but the merged time zones will point to a shared zone database.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b

Read More

CVE-2021-36206

Read Time:10 Second

All versions of CEVAS prior to 1.01.46 do not sufficiently validate user-controllable input and could allow a user to bypass authentication and retrieve data with specially crafted SQL queries.

Read More

CVE-2021-38395

Read Time:11 Second

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

Read More

CVE-2021-38397

Read Time:10 Second

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

Read More

USN-5705-1: LibTIFF vulnerabilities

Read Time:25 Second

Chintan Shah discovered that LibTIFF incorrectly handled memory in
certain conditions. An attacker could trick a user into processing a specially
crafted image file and potentially use this issue to allow for information
disclosure or to cause the application to crash. (CVE-2022-3570)

It was discovered that LibTIFF incorrectly handled memory in certain
conditions. An attacker could trick a user into processing a specially
crafted tiff file and potentially use this issue to cause a denial of service.
(CVE-2022-3598)

Read More