==========================================================================
Ubuntu Security Notice USN-4453-1
August 05, 2020

openjdk-8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 20.04 LTS
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:
– openjdk-8: Open Source Java implementation

Details:

Johannes Kuhn discovered that OpenJDK 8 incorrectly handled access control
contexts. An attacker could possibly use this issue to execute arbitrary
code. (CVE-2020-14556)

Philippe Arteau discovered that OpenJDK 8 incorrectly verified names in
TLS server’s X.509 certificates. An attacker could possibly use this
issue to obtain sensitive information. (CVE-2020-14577)

It was discovered that OpenJDK 8 incorrectly handled exceptions in
DerInputStream class and in the DerValue.equals() method. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2020-14578, CVE-2020-14579)

It was discovered that OpenJDK 8 incorrectly handled image files. An
attacker could possibly use this issue to obtain sensitive information.
(CVE-2020-14581)

Markus Loewe discovered that OpenJDK 8 incorrectly handled concurrent
access in java.nio.Buffer class. An attacker could use this issue to
bypass sandbox restrictions.
(CVE-2020-14583)

It was discovered that OpenJDK 8 incorrectly handled transformation of
images. An attacker could possibly use this issue to bypass sandbox
restrictions and insert, edit or obtain sensitive information.
(CVE-2020-14593)

Roman Shemyakin discovered that OpenJDK 8 incorrectly handled XML files.
An attacker could possibly use this issue to insert, edit or obtain
sensitive information. (CVE-2020-14621)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
openjdk-8-jdk 8u265-b01-0ubuntu2~20.04
openjdk-8-jre 8u265-b01-0ubuntu2~20.04
openjdk-8-jre-headless 8u265-b01-0ubuntu2~20.04
openjdk-8-jre-zero 8u265-b01-0ubuntu2~20.04

Ubuntu 18.04 LTS:
openjdk-8-jdk 8u265-b01-0ubuntu2~18.04
openjdk-8-jre 8u265-b01-0ubuntu2~18.04
openjdk-8-jre-headless 8u265-b01-0ubuntu2~18.04
openjdk-8-jre-zero 8u265-b01-0ubuntu2~18.04

Ubuntu 16.04 LTS:
openjdk-8-jdk 8u265-b01-0ubuntu2~16.04
openjdk-8-jre 8u265-b01-0ubuntu2~16.04
openjdk-8-jre-headless 8u265-b01-0ubuntu2~16.04
openjdk-8-jre-jamvm 8u265-b01-0ubuntu2~16.04
openjdk-8-jre-zero 8u265-b01-0ubuntu2~16.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://usn.ubuntu.com/4453-1
CVE-2020-14556, CVE-2020-14577, CVE-2020-14578, CVE-2020-14579,
CVE-2020-14581, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-8/8u265-b01-0ubuntu2~20.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u265-b01-0ubuntu2~18.04
https://launchpad.net/ubuntu/+source/openjdk-8/8u265-b01-0ubuntu2~16.04
—–BEGIN PGP SIGNATURE—–

iQIzBAEBCgAdFiEECtyyz6azUy6AZBzSkGeI6zGnN/8FAl8q+mEACgkQkGeI6zGn
N/+OIw//fylhpTKlS1SZ05hZv5YS6+ZCJDxsVoLwGeg8Pv7FG+8JErbNZRxxh3nr
FM/uMwKu3qHdcNpxavG8BpO0/xhCllf705ZHz3m+hFJXfS4CgiFhD+EHWXbdlQPx
Zo4yXsLI4llD2z68xz4LIFM9EaLA4+FHKKxIjdaqvc5dA71JyjqN7cgUwgYsrXjx
4ocotJcF2FvBApS5SxTetl7J+EBfHyU+gBQlcV4WnqrmIwzdUyu8RZP97lihbVb3
2Fm601PbJEoEeuOUt/n7GEwOelMWV5x1kiVlusTLiLYiw3H3zqvqcyH0aHXX0Uab
OKFK/OddWX4okQZrSA/Kx92+QavcWCRsZSRYa1z6rzZ+gyOt1Np1yZMdt3SMIEs5
ligJIhi2+/vyCG6P9Uhksl2tND1TndC3JcSu2gEnQfSU7M6Y/PueOMB1V6MHMFx/
/I/uUWCy3uIn2+dkr/bUPqOJx7nEEUwAHqrVRk1vBANcVEVEaxDH3p6seJ8BC1Wa
G1wPOzFBvqwf3zXWbHPNdcwDTcwOD+vnv7C6Y9kaw9KcwqqDt++oN1i7sF8+Yixs
uG5vIBr1kstmOkpWZYzaphY55YEUNhOGqsOMcpTsaPvydGPK2s+BohqxsiVZMbfC
3qdrPKvikaxUszSWWvNgtvmV88CGiUga/9P10gRLBlSkWp4B53s=
=awBN
—–END PGP SIGNATURE—–
—