Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] SUSE-SU-2017:0490-1: important: Security update for java-1_7_0-openjdk

Recommended Posts

SUSE Security Update: Security update for java-1_7_0-openjdk

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2017:0490-1

Rating: important

References: #1020905

Cross-References: CVE-2016-2183 CVE-2016-5546 CVE-2016-5547

CVE-2016-5548 CVE-2016-5549 CVE-2016-5552

CVE-2017-3231 CVE-2017-3241 CVE-2017-3252

CVE-2017-3253 CVE-2017-3259 CVE-2017-3260

CVE-2017-3261 CVE-2017-3272 CVE-2017-3289

 

Affected Products:

SUSE Linux Enterprise Server for SAP 12

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2

SUSE Linux Enterprise Server 12-SP2

SUSE Linux Enterprise Server 12-SP1

SUSE Linux Enterprise Server 12-LTSS

SUSE Linux Enterprise Desktop 12-SP2

SUSE Linux Enterprise Desktop 12-SP1

______________________________________________________________________________

 

An update that fixes 15 vulnerabilities is now available.

 

Description:

 

 

This update for java-1_7_0-openjdk fixes the following issues:

 

- Oracle Critical Patch Update of January 2017 to OpenJDK 7u131

(bsc#1020905):

* Security Fixes

- S8138725: Add options for Javadoc generation

- S8140353: Improve signature checking

- S8151934, CVE-2017-3231: Resolve class resolution

- S8156804, CVE-2017-3241: Better constraint checking

- S8158406: Limited Parameter Processing

- S8158997: JNDI Protocols Switch

- S8159507: RuntimeVisibleAnnotation validation

- S8161218: Better bytecode loading

- S8161743, CVE-2017-3252: Provide proper login context

- S8162577: Standardize logging levels

- S8162973: Better component components

- S8164143, CVE-2017-3260: Improve components for menu items

- S8164147, CVE-2017-3261: Improve streaming socket output

- S8165071, CVE-2016-2183: Expand TLS support

- S8165344, CVE-2017-3272: Update concurrency support

- S8166988, CVE-2017-3253: Improve image processing performance

- S8167104, CVE-2017-3289: Additional class construction refinements

- S8167223, CVE-2016-5552: URL handling improvements

- S8168705, CVE-2016-5547: Better ObjectIdentifier validation

- S8168714, CVE-2016-5546: Tighten ECDSA validation

- S8168728, CVE-2016-5548: DSA signing improvments

- S8168724, CVE-2016-5549: ECDSA signing improvments

- S6253144: Long narrowing conversion should describe the algorithm

used and implied "risks"

- S6328537: Improve javadocs for Socket class by adding references to

SocketOptions

- S6978886: javadoc shows stacktrace after print error resulting from

disk full

- S6995421: Eliminate the static dependency to

sun.security.ec.ECKeyFactory

- S6996372: synchronizing handshaking hash

- S7027045: (doc) java/awt/Window.java has several typos in javadoc

- S7054969: Null-check-in-finally pattern in java/security

documentation

- S7072353: JNDI libraries do not build with javac -Xlint:all -Werror

- S7075563: Broken link in "javax.swing.SwingWorker"

- S7077672: jdk8_tl nightly fail in step-2 build on 8/10/11

- S7088502: Security libraries don't build with javac -Werror

- S7092447: Clarify the default locale used in each locale sensitive

operation

- S7093640: Enable client-side TLS 1.2 by default

- S7103570: AtomicIntegerFieldUpdater does not work when

SecurityManager is installed

- S7117360: Warnings in java.util.concurrent.atomic package

- S7117465: Warning cleanup for IMF classes

- S7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an

error

- S8000418: javadoc should used a standard "generated by javadoc"

string

- S8000666: javadoc should write directly to Writer instead of

composing strings

- S8000673: remove dead code from HtmlWriter and subtypes

- S8000970: break out auxiliary classes that will prevent multi-core

compilation of the JDK

- S8001669: javadoc internal DocletAbortException should set cause

when appropriate

- S8008949: javadoc stopped copying doc-files

- S8011402: Move blacklisting certificate logic from hard code to data

- S8011547: Update XML Signature implementation to Apache Santuario

1.5.4

- S8012288: XML DSig API allows wrong tag names and extra elements in

SignedInfo

- S8016217: More javadoc warnings

- S8017325: Cleanup of the javadoc tag in java.security.cert

- S8017326: Cleanup of the javadoc tag in java.security.spec

- S8019772: Fix doclint issues in javax.crypto and javax.security

subpackages

- S8020557: javadoc cleanup in javax.security

- S8020688: Broken links in documentation at

http://docs.oracle.com/javase/6/docs/api/index.

- S8021108: Clean up doclint warnings and errors in java.text package

- S8021417: Fix doclint issues in java.util.concurrent

- S8021833: javadoc cleanup in java.net

- S8022120: JCK test

api/javax_xml/crypto/dsig/TransformService/index_ParamMethods fails

- S8022175: Fix doclint warnings in javax.print

- S8022406: Fix doclint issues in java.beans

- S8022746: List of spelling errors in API doc

- S8024779: [macosx] SwingNode crashes on exit

- S8025085: [javadoc] some errors in javax/swing

- S8025218: [javadoc] some errors in java/awt classes

- S8025249: [javadoc] fix some javadoc errors in javax/swing/

- S8025409: Fix javadoc comments errors and warning reported by

doclint report

- S8026021: more fix of javadoc errors and warnings reported by

doclint, see the description

- S8037099: [macosx] Remove all references to GC from native OBJ-C code

- S8038184: XMLSignature throws StringIndexOutOfBound[censored]ception if ID

attribute value is empty String

- S8038349: Signing XML with DSA throws Exception when key is larger

than 1024 bits

- S8049244: XML Signature performance issue caused by unbuffered

signature data

- S8049432: New tests for TLS property jdk.tls.client.protocols

- S8050893: (smartcardio) Invert reset argument in tests in

sun/security/smartcardio

- S8059212: Modify regression tests so that they do not just fail if

no cardreader found

- S8068279: (typo in the spec)

javax.script.ScriptEngineFactory.getLanguageName

- S8068491: Update the protocol for references of docs.oracle.com to

HTTPS.

- S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be

updated for JDK-8061210

- S8076369: Introduce the jdk.tls.client.protocols system property for

JDK 7u

- S8139565: Restrict certificates with DSA keys less than 1024 bits

- S8140422: Add mechanism to allow non default root CAs to be not

subject to algorithm restrictions

- S8140587: Atomic*FieldUpdaters should use Class.isInstance instead

of direct class check

- S8143959: Certificates requiring blacklisting

- S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks

- S8148516: Improve the default strength of EC in JDK

- S8149029: Secure validation of XML based digital signature always

enabled when checking wrapping attacks

- S8151893: Add security property to configure XML Signature secure

validation mode

- S8155760: Implement Serialization Filtering

- S8156802: Better constraint checking

- S8161228: URL objects with custom protocol handlers have port

changed after deserializing

- S8161571: Verifying ECDSA signatures permits trailing bytes

- S8163304: jarsigner -verbose -verify should print the algorithms

used to sign the jar

- S8164908: ReflectionFactory support for IIOP and custom serialization

- S8165230: RMIConnection addNotificationListeners failing with

specific inputs

- S8166393: disabledAlgorithms property should not be strictly parsed

- S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12

Sierra is very fast (Trackpad, Retina only)

- S8166739: Improve extensibility of ObjectInputFilter information

passed to the filter

- S8166875: (tz) Support tzdata2016g

- S8166878: Connection reset during TLS handshake

- S8167356: Follow up fix for jdk8 backport of 8164143. Changes for

CMenuComponent.m were missed

- S8167459: Add debug output for indicating if a chosen ciphersuite

was legacy

- S8167472: Chrome interop regression with JDK-8148516

- S8167591: Add MD5 to signed JAR restrictions

- S8168861: AnchorCertificates uses hardcoded password for cacerts

keystore

- S8168993: JDK8u121 L10n resource file update

- S8169191: (tz) Support tzdata2016i

- S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for

January CPU

- S8169911: Enhanced tests for jarsigner -verbose -verify after

JDK-8163304

- S8170131: Certificates not being blocked by

jdk.tls.disabledAlgorithms property

- S8170268: 8u121 L10n resource file update - msgdrop 20

- S8173622: Backport of 7180907 is incomplete

- S8173849: Fix use of java.util.Base64 in test cases

- S8173854: [TEST] Update DHEKeySizing test case following 8076328 &

8081760

- CVE-2017-3259 Vulnerability allows unauthenticated attacker with

network access via multiple protocols to compromise Java SE.

* Backports

- S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on

__APPLE__and _LLP64 systems.

- S8000351, PR3316, RH1390708: Tenuring threshold should be unsigned

- S8153711, PR3315, RH1284948: [REDO] GlobalRefs never deleted when

processing invokeMethod command

- S8170888, PR3316, RH1390708: [linux] support for cgroup memory

limits in container (ie Docker) environments

* Bug fixes

- PR3318: Replace 'infinality' with 'improved font rendering'

(--enable-improved-font-rendering)

- PR3318: Fix compatibility with vanilla Fontconfig

- PR3318: Fix glyph y advance

- PR3318: Always round glyph advance in 26.6 space

- PR3318: Simplify glyph advance handling

- PR3324: Fix NSS_LIBDIR substitution in make_generic_profile.sh

broken by PR1989

* AArch64 port

- S8165673, PR3320: AArch64: Fix JNI floating point argument handling

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Server for SAP 12:

 

zypper in -t patch SUSE-SLE-SAP-12-2017-255=1

 

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

 

zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-255=1

 

- SUSE Linux Enterprise Server 12-SP2:

 

zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-255=1

 

- SUSE Linux Enterprise Server 12-SP1:

 

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-255=1

 

- SUSE Linux Enterprise Server 12-LTSS:

 

zypper in -t patch SUSE-SLE-SERVER-12-2017-255=1

 

- SUSE Linux Enterprise Desktop 12-SP2:

 

zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-255=1

 

- SUSE Linux Enterprise Desktop 12-SP1:

 

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2017-255=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Server for SAP 12 (x86_64):

 

java-1_7_0-openjdk-1.7.0.131-39.1

java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-debugsource-1.7.0.131-39.1

java-1_7_0-openjdk-demo-1.7.0.131-39.1

java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-devel-1.7.0.131-39.1

java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-headless-1.7.0.131-39.1

java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1

 

- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

 

java-1_7_0-openjdk-1.7.0.131-39.1

java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-debugsource-1.7.0.131-39.1

java-1_7_0-openjdk-demo-1.7.0.131-39.1

java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-devel-1.7.0.131-39.1

java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-headless-1.7.0.131-39.1

java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1

 

- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

 

java-1_7_0-openjdk-1.7.0.131-39.1

java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-debugsource-1.7.0.131-39.1

java-1_7_0-openjdk-demo-1.7.0.131-39.1

java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-devel-1.7.0.131-39.1

java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-headless-1.7.0.131-39.1

java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1

 

- SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

 

java-1_7_0-openjdk-1.7.0.131-39.1

java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-debugsource-1.7.0.131-39.1

java-1_7_0-openjdk-demo-1.7.0.131-39.1

java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-devel-1.7.0.131-39.1

java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-headless-1.7.0.131-39.1

java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1

 

- SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

 

java-1_7_0-openjdk-1.7.0.131-39.1

java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-debugsource-1.7.0.131-39.1

java-1_7_0-openjdk-demo-1.7.0.131-39.1

java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-devel-1.7.0.131-39.1

java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-headless-1.7.0.131-39.1

java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1

 

- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

 

java-1_7_0-openjdk-1.7.0.131-39.1

java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-debugsource-1.7.0.131-39.1

java-1_7_0-openjdk-headless-1.7.0.131-39.1

java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1

 

- SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

 

java-1_7_0-openjdk-1.7.0.131-39.1

java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1

java-1_7_0-openjdk-debugsource-1.7.0.131-39.1

java-1_7_0-openjdk-headless-1.7.0.131-39.1

java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2016-2183.html

https://www.suse.com/security/cve/CVE-2016-5546.html

https://www.suse.com/security/cve/CVE-2016-5547.html

https://www.suse.com/security/cve/CVE-2016-5548.html

https://www.suse.com/security/cve/CVE-2016-5549.html

https://www.suse.com/security/cve/CVE-2016-5552.html

https://www.suse.com/security/cve/CVE-2017-3231.html

https://www.suse.com/security/cve/CVE-2017-3241.html

https://www.suse.com/security/cve/CVE-2017-3252.html

https://www.suse.com/security/cve/CVE-2017-3253.html

https://www.suse.com/security/cve/CVE-2017-3259.html

https://www.suse.com/security/cve/CVE-2017-3260.html

https://www.suse.com/security/cve/CVE-2017-3261.html

https://www.suse.com/security/cve/CVE-2017-3272.html

https://www.suse.com/security/cve/CVE-2017-3289.html

https://bugzilla.suse.com/1020905

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×