Bugzilla – Bug 1219843
VUL-0: java-1_8_0-ibm: IBM Security Update February 2024 and Oracle January 16 2024 CPU
Last modified: 2024-04-19 09:15:07 UTC
CVE list and info:
* https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities
IBM Security Update February 2024:
* CVE-2023-33850
Oracle January 16 2024 CPU:
* CVE-2024-20932
* CVE-2024-20952
* CVE-2024-20918
* CVE-2024-20921
* CVE-2024-20919
* CVE-2024-20926
* CVE-2024-20945
Full description of the fixes in version 8.0 Service Refresh 8 Fix Pack 20:
* https://www.ibm.com/support/pages/java-sdk-fixes-version-80
I'm adding IBM and Mark Cowley in CC.
Hello, @IBM.
The *.bin files that we have been using in previous version updates are not available for the newly released 8.0-8.20 version, see [0]. Since our spec file relies on these files, do you plan on making them available?
TIA
[0] https://public.dhe.ibm.com/ibmdl/export/pub/systems/cloud/runtimes/java/8.0.8.20/linux/x86_64/
I'll mirror the bug to IBM for the Java team to check.
------- Comment From chavez@us.ibm.com 2024-02-13 12:13 EDT -------
Opened Java L3 ticket TS015446458 to report the missing bin files issue.
------- Comment From chavez@us.ibm.com 2024-02-14 10:35 EDT -------
Here is the reply I got from Java L3:
Starting in the first quarter of 2024 (Service Refresh 8 Fix Pack 20 and 11.0.22.0), the InstallAnywhere archive (.archive.bin) and installable (.bin) packages of IBM® SDK, Java™ Technology Edition, and IBM Semeru Runtime® Certified Edition will be discontinued.
For reference:
https://www.ibm.com/support/pages/node/7070052/
Instructions to install an rpm can be found here:
https://www.ibm.com/docs/en/sdk-java-technology/8?topic=installing-rpm-packages-linux-only
https://community.ibm.com/community/user/wasdevops/blogs/surya-narkedimilli/2024/02/13/ibm-sdk-java-technology-edition-v80-sr8-fp15-80820
(In reply to LTC BugProxy from comment #5)
> ------- Comment From chavez@us.ibm.com 2024-02-14 10:35 EDT -------
> Here is the reply I got from Java L3:
>
> Starting in the first quarter of 2024 (Service Refresh 8 Fix Pack 20 and
> 11.0.22.0), the InstallAnywhere archive (.archive.bin) and installable
> (.bin) packages of IBM® SDK, Java™ Technology Edition, and IBM Semeru
> Runtime® Certified Edition will be discontinued.
>
> For reference:
>
> https://www.ibm.com/support/pages/node/7070052/
>
> Instructions to install an rpm can be found here:
> https://www.ibm.com/docs/en/sdk-java-technology/8?topic=installing-rpm-packages-linux-only
>
> https://community.ibm.com/community/user/wasdevops/blogs/surya-narkedimilli/2024/02/13/ibm-sdk-java-technology-edition-v80-sr8-fp15-80820
OK, thanks for pointing us to that information.
This is quite unfortunate as we now need to rewrite all our scripts we use for the version updates and QA which rely on the binary files. We have been using the sdk archive.bin files since version 1_5_0, with filenames like:
ibm-java-sdk-8.0-%{buildver}-x86_64-archive.bin
We will discuss internally how to proceed.
(In reply to LTC BugProxy from comment #5)
> ------- Comment From chavez@us.ibm.com 2024-02-14 10:35 EDT -------
> Here is the reply I got from Java L3:
>
> Starting in the first quarter of 2024 (Service Refresh 8 Fix Pack 20 and
> 11.0.22.0), the InstallAnywhere archive (.archive.bin) and installable
> (.bin) packages of IBM® SDK, Java™ Technology Edition, and IBM Semeru
> Runtime® Certified Edition will be discontinued.
>
> For reference:
>
> https://www.ibm.com/support/pages/node/7070052/
>
> Instructions to install an rpm can be found here:
> https://www.ibm.com/docs/en/sdk-java-technology/8?topic=installing-rpm-packages-linux-only
Thanks for your answer. We cannot install the rpm provided by IBM per our agreement. We have moved from the sdk archive bin files to use the sdk linux tgz files provided by IBM.
> https://community.ibm.com/community/user/wasdevops/blogs/surya-narkedimilli/2024/02/13/ibm-sdk-java-technology-edition-v80-sr8-fp15-80820
All submitted. Assigning back to security-team.
SUSE-SU-2024:0605-1: An update that solves eight vulnerabilities can now be installed.
Category: security (important)
Bug References: 1218903, 1218905, 1218906, 1218907, 1218908, 1218909, 1218911, 1219843
CVE References: CVE-2023-33850, CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0619-1: An update that solves eight vulnerabilities can now be installed.
Category: security (important)
Bug References: 1218903, 1218905, 1218906, 1218907, 1218908, 1218909, 1218911, 1219843
CVE References: CVE-2023-33850, CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952
Sources used:
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.