Amazon Linux 2 Security Advisory: ALAS-2019-1246
Advisory Release Date: 2019-07-18 17:37 Pacific
Advisory Updated Date: 2019-07-22 16:27 Pacific
FAQs regarding Amazon Linux ALAS/CVE Severity
OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)
OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)
libpng: png_image_free in png.c in libpng has a use-after-free because png_image_free_function is called under png_safe_execute. (CVE-2019-7317)
OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)
OpenJDK: Insufficient permission checks for file:// URLs on Windows (Networking, 8213431) (CVE-2019-2766)
OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (
CVE-2019-2818)
OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)
OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)
OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)
Affected Packages:
java-11-amazon-corretto
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update java-11-amazon-corretto to update your system.
aarch64:
java-11-amazon-corretto-11.0.4+11-1.amzn2.aarch64
java-11-amazon-corretto-headless-11.0.4+11-1.amzn2.aarch64
java-11-amazon-corretto-javadoc-11.0.4+11-1.amzn2.aarch64
src:
java-11-amazon-corretto-11.0.4+11-1.amzn2.src
x86_64:
java-11-amazon-corretto-11.0.4+11-1.amzn2.x86_64
java-11-amazon-corretto-headless-11.0.4+11-1.amzn2.x86_64
java-11-amazon-corretto-javadoc-11.0.4+11-1.amzn2.x86_64