Bug 1639442 (CVE-2018-3139)
| Summary: | CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahughes, dbhole, jvanek, security-response-team, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-12-18 21:49:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1633820, 1633821, 1633822, 1639728, 1639729, 1639730, 1639731, 1639732, 1639733, 1639734, 1639736, 1639737, 1639780, 1640178, 1640179, 1640180, 1646173, 1646174, 1646175, 1649854, 1649855, 1649856, 1652094, 1652099, 1652100 | ||
| Bug Blocks: | 1633819 | ||
|
Description
Tomas Hoger
2018-10-15 18:07:49 UTC
A related entry in the Oracle JDK 11.0.1, 8u191, 7u201, and 6u211: core-libs Better HTTP Redirection Support In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request. JDK-8196902 (not public) https://www.oracle.com/technetwork/java/javase/11-0-1-relnotes-5032023.html https://www.oracle.com/technetwork/java/javase/8u191-relnotes-5032181.html https://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_201 https://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_211 Public now via Oracle CPU October 2018: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA The issue was fixed in Oracle JDK 11.0.1, 8u191, 7u201, and 6u211. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2942 https://access.redhat.com/errata/RHSA-2018:2942 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2943 https://access.redhat.com/errata/RHSA-2018:2943 OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/791a21c79ab0 OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/11c8538d53a7 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:3007 https://access.redhat.com/errata/RHSA-2018:3007 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:3008 https://access.redhat.com/errata/RHSA-2018:3008 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002 This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3350 https://access.redhat.com/errata/RHSA-2018:3350 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:3409 https://access.redhat.com/errata/RHSA-2018:3409 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672 This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779 This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852 |