Debian has released a security update for the openjdk-7 and openjdk-8 packages.
This update fixes three vulnerabilities in the openjdk-7 and openjdk-8 packages.
Date Reported: 29-May-2019
Fix Released On: N/A
Severity Level: Medium
Affected Packages: openjdk-7 and openjdk-8
Affected Operating System & Version:
- Debian 8 (Jessie)
- Debian 9 (Stretch)
Details:
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in denial of service or sandbox bypass.
It is recommended to update the OpenJDK packages as soon as possible.
For more details about the security issues and other related information, refer to the CVE pages.
Debian Security Advisory References:
Security Database References (CVE):
Solution:
- These issues have been fixed on Debian 9 (Stretch) in version 8u212-b03-2~deb9u1.
- These issues have been fixed on Debian 8 (Jessie) in version 7u221-2.6.18-1~deb8u1.
Run the following command to install the above update.
$ sudo apt install --only-upgrade openjdk-8-jre-headless
The installed security fixes can be verified in the package changelog using either of the following methods.
Using the manual method:
$ zgrep -i "CVE-2019-2602\|CVE-2019-2684\|CVE-2019-2698" /usr/share/doc/openjdk-8-jre-headless/changelog.Debian.gz
- S8211936, CVE-2019-2602: Better String parsing.
- S8218453, CVE-2019-2684: More dynamic RMI interactions.
- S8219066, CVE-2019-2698: Fuzzing TrueType fonts: setCurrGlyphID().
Using the debsecan command:
$ debsecan | grep openjdk-8
CVE-2018-12438 openjdk-8-jre-headless (low urgency)
CVE-2019-2602 openjdk-8-jre-headless (remotely exploitable, medium urgency)
CVE-2019-2684 openjdk-8-jre-headless (remotely exploitable, medium urgency)
CVE-2019-2698 openjdk-8-jre-headless (remotely exploitable, medium urgency)