[FOLIO-3464] Rebuild/upgrade jenkins-slave-docker for OpenJDK 11.0.15 Created: 30/Mar/22  Updated: 04/May/22  Resolved: 04/May/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P3
Reporter: Julian Ladisch Assignee: David Crossley
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3463 Rebuild/upgrade folioci/alpine-jre-op... Closed
Sprint: DevOps Sprint 137, DevOps Sprint 138
Development Team: FOLIO DevOps
RCA Group: TBD

 Description   

Rebuild/upgrade https://github.com/folio-org/folio-tools/blob/master/jenkins-slave-docker/Dockerfile.focal-java-11 so that folioci/jenkins-slave-all ships with openjdk 11.0.15 that contains multiple security fixes:

Fixed in 11.0.14: https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2022-January/011643.html :

  • JDK-8217375: jarsigner breaks old signature with long lines in manifest
  • JDK-8251329: (zipfs) Files.walkFileTree walks infinitely if zip has dir named "." inside
  • JDK-8264934, CVE-2022-21248: Enhance cross VM serialization
  • JDK-8268488: More valuable DerValues
  • JDK-8268494: Better inlining of inlined interfaces
  • JDK-8268512: More content for ContentInfo
  • JDK-8268795: Enhance digests of Jar files
  • JDK-8268801: Improve PKCS attribute handling
  • JDK-8268813, CVE-2022-21283: Better String matching
  • JDK-8269151: Better construction of EncryptedPrivateKeyInfo
  • JDK-8269944: Better HTTP transport redux
  • JDK-8270386, CVE-2022-21291: Better verification of scan methods
  • JDK-8270392, CVE-2022-21293: Improve String constructions
  • JDK-8270416, CVE-2022-21294: Enhance construction of Identity maps
  • JDK-8270492, CVE-2022-21282: Better resolution of URIs
  • JDK-8270498, CVE-2022-21296: Improve SAX Parser configuration management
  • JDK-8270646, CVE-2022-21299: Improved scanning of XML entities
  • JDK-8270952, CVE-2022-21277: Improve TIFF file handling
  • JDK-8271962: Better TrueType font loading
  • JDK-8271968: Better canonical naming
  • JDK-8271987: Manifest improved manifest entries
  • JDK-8272014, CVE-2022-21305: Better array indexing
  • JDK-8272026, CVE-2022-21340: Verify Jar Verification
  • JDK-8272236, CVE-2022-21341: Improve serial forms for transport
  • JDK-8272272: Enhance jcmd communication
  • JDK-8272462: Enhance image handling
  • JDK-8273290: Enhance sound handling
  • JDK-8273756, CVE-2022-21360: Enhance BMP image support
  • JDK-8273838, CVE-2022-21365: Enhanced BMP processing
  • JDK-8274096, CVE-2022-21366: Improve decoding of image files
  • JDK-8279541: Improve HarfBuzz

Fixed in 11.0.15: Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE: https://nvd.nist.gov/vuln/detail/CVE-2022-21496 , https://nvd.nist.gov/vuln/detail/CVE-2022-21434 , https://nvd.nist.gov/vuln/detail/CVE-2022-21476 - https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19
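After a rebuild like the one requested here, the check a practitioner wants is that the published image actually runs the expected OpenJDK update, because a Dockerfile change can silently pick up an older package from the base image's repositories. The shell snippet below is an added example, not code from folio-tools or from this ticket: it parses the first line of `java -version` output, compares the update number against a required minimum field by field, and shows how the same check would be pointed at a built image. The image tag, the `--entrypoint java` override and the two sample transcripts are assumptions constructed for the example, not captured from the real images.

```shell
#!/bin/sh
# Added example (not folio-tools code): verify that a JDK image ships at least
# the required OpenJDK update, e.g. 11.0.15 for the fixes listed in this ticket.

# Extract "11.0.15" from `java -version` output read on stdin. The first line
# looks like:  openjdk version "11.0.15" 2022-04-19
# Anything after the dotted numbers inside the quotes (e.g. "1.8.0_312") is dropped.
jdk_version_from_output() {
    sed -n 's/^openjdk version "\([0-9][0-9.]*\)[^"]*".*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2, 1 otherwise. Fields are compared
# numerically one at a time; a missing field counts as 0, so 11 < 11.0.15.
version_ge() {
    have=$1 want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        case $have in *.*) have=${have#*.};; *) have=;; esac
        case $want in *.*) want=${want#*.};; *) want=;; esac
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
    done
    return 0
}

# Read a `java -version` transcript on stdin, print the version found and
# exit 0 if it satisfies the required minimum ($1), 1 if too old, 2 if unparsable.
check_jdk_output() {
    required=$1
    found=$(jdk_version_from_output)
    if [ -z "$found" ]; then
        echo "could not parse an OpenJDK version line" >&2
        return 2
    fi
    echo "$found"
    version_ge "$found" "$required"
}

# Run the check against a built image. Needs docker, so it is not exercised here.
# The entrypoint override is an assumption: the agent image's default entrypoint
# is not java. Usage: check_image folioci/jenkins-slave-all:2.9.5 11.0.15
check_image() {
    docker run --rm --entrypoint java "$1" -version 2>&1 | check_jdk_output "$2"
}

# Constructed sample transcripts (not captured from the real images).
SAMPLE_OLD='openjdk version "11.0.13" 2021-10-19
OpenJDK Runtime Environment (build 11.0.13+8)
OpenJDK 64-Bit Server VM (build 11.0.13+8, mixed mode, sharing)'
SAMPLE_NEW='openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10)
OpenJDK 64-Bit Server VM (build 11.0.15+10, mixed mode, sharing)'

# Demonstration on the constructed transcripts: the old one is rejected,
# the new one accepted.
for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if v=$(printf '%s\n' "$sample" | check_jdk_output 11.0.15); then
        echo "$v: OK (>= 11.0.15)"
    else
        echo "$v: REJECT (< 11.0.15)"
    fi
done
```

Pinning the check to the update number rather than to the major version matters here: an image that reports `openjdk version "11.0.13"` still "has Java 11" but lacks every fix in the lists above, and a base-image refresh that fails to install the newer package would otherwise go unnoticed until the next scan.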



 Comments   
Comment by Craig McNally [ 31/Mar/22 ]

The security team has reviewed this and assigned a priority. Attn: Jakub Skoczen

Comment by David Crossley [ 04/May/22 ]

Done in folio-tools/pull/219.
Built, tested on various module builds, refenv and platform.
Published as 2.9.5 and latest.
