=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenJDK 11.0.19 Security Update for Windows Builds
Advisory ID:       RHSA-2023:1883-01
Product:           OpenJDK
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1883
Issue date:        2023-04-19
CVE Names:         CVE-2023-21930 CVE-2023-21937 CVE-2023-21938
                   CVE-2023-21939 CVE-2023-21954 CVE-2023-21967
                   CVE-2023-21968
=====================================================================

1. Summary:

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and
the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper connection handling during TLS handshake (8294474)
(CVE-2023-21930)

* OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)

* OpenJDK: incorrect enqueue of references in garbage collector (8298191)
(CVE-2023-21954)

* OpenJDK: certificate validation issue in TLS session negotiation
(8298310) (CVE-2023-21967)

* OpenJDK: missing string checks for NULL characters (8296622)
(CVE-2023-21937)

* OpenJDK: incorrect handling of NULL characters in ProcessBuilder
(8295304) (CVE-2023-21938)

* OpenJDK: missing check for slash characters in URI-to-path conversion
(8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)
2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)
2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)
2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)
2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)
2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)
2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)

5. References:

https://access.redhat.com/security/cve/CVE-2023-21930
https://access.redhat.com/security/cve/CVE-2023-21937
https://access.redhat.com/security/cve/CVE-2023-21938
https://access.redhat.com/security/cve/CVE-2023-21939
https://access.redhat.com/security/cve/CVE-2023-21954
https://access.redhat.com/security/cve/CVE-2023-21967
https://access.redhat.com/security/cve/CVE-2023-21968
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce