Security update for java-1_7_0-openjdk

Announcement ID: SUSE-SU-2017:0490-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2016-2183 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2016-2183 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2016-5546 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2016-5547 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2016-5548 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2016-5549 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • CVE-2016-5552 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2017-3231 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CVE-2017-3241 ( NVD ): 9.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2017-3252 ( NVD ): 5.8 CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N
  • CVE-2017-3253 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-3259 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2017-3260 ( NVD ): 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2017-3261 ( NVD ): 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CVE-2017-3272 ( NVD ): 9.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2017-3289 ( NVD ): 9.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 LTSS 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2

An update that solves 15 vulnerabilities can now be installed.

Description:

This update for java-1_7_0-openjdk fixes the following issues:

  • Oracle Critical Patch Update of January 2017 to OpenJDK 7u131 (bsc#1020905):
  • Security Fixes
    • S8138725: Add options for Javadoc generation
    • S8140353: Improve signature checking
    • S8151934, CVE-2017-3231: Resolve class resolution
    • S8156804, CVE-2017-3241: Better constraint checking
    • S8158406: Limited Parameter Processing
    • S8158997: JNDI Protocols Switch
    • S8159507: RuntimeVisibleAnnotation validation
    • S8161218: Better bytecode loading
    • S8161743, CVE-2017-3252: Provide proper login context
    • S8162577: Standardize logging levels
    • S8162973: Better component components
    • S8164143, CVE-2017-3260: Improve components for menu items
    • S8164147, CVE-2017-3261: Improve streaming socket output
    • S8165071, CVE-2016-2183: Expand TLS support
    • S8165344, CVE-2017-3272: Update concurrency support
    • S8166988, CVE-2017-3253: Improve image processing performance
    • S8167104, CVE-2017-3289: Additional class construction refinements
    • S8167223, CVE-2016-5552: URL handling improvements
    • S8168705, CVE-2016-5547: Better ObjectIdentifier validation
    • S8168714, CVE-2016-5546: Tighten ECDSA validation
    • S8168728, CVE-2016-5548: DSA signing improvments
    • S8168724, CVE-2016-5549: ECDSA signing improvments
    • S6253144: Long narrowing conversion should describe the algorithm used and implied "risks"
    • S6328537: Improve javadocs for Socket class by adding references to SocketOptions
    • S6978886: javadoc shows stacktrace after print error resulting from disk full
    • S6995421: Eliminate the static dependency to sun.security.ec.ECKeyFactory
    • S6996372: synchronizing handshaking hash
    • S7027045: (doc) java/awt/Window.java has several typos in javadoc
    • S7054969: Null-check-in-finally pattern in java/security documentation
    • S7072353: JNDI libraries do not build with javac -Xlint:all -Werror
    • S7075563: Broken link in "javax.swing.SwingWorker"
    • S7077672: jdk8_tl nightly fail in step-2 build on 8/10/11
    • S7088502: Security libraries don't build with javac -Werror
    • S7092447: Clarify the default locale used in each locale sensitive operation
    • S7093640: Enable client-side TLS 1.2 by default
    • S7103570: AtomicIntegerFieldUpdater does not work when SecurityManager is installed
    • S7117360: Warnings in java.util.concurrent.atomic package
    • S7117465: Warning cleanup for IMF classes
    • S7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an error
    • S8000418: javadoc should used a standard "generated by javadoc" string
    • S8000666: javadoc should write directly to Writer instead of composing strings
    • S8000673: remove dead code from HtmlWriter and subtypes
    • S8000970: break out auxiliary classes that will prevent multi-core compilation of the JDK
    • S8001669: javadoc internal DocletAbortException should set cause when appropriate
    • S8008949: javadoc stopped copying doc-files
    • S8011402: Move blacklisting certificate logic from hard code to data
    • S8011547: Update XML Signature implementation to Apache Santuario 1.5.4
    • S8012288: XML DSig API allows wrong tag names and extra elements in SignedInfo
    • S8016217: More javadoc warnings
    • S8017325: Cleanup of the javadoc <code> tag in java.security.cert
    • S8017326: Cleanup of the javadoc <code> tag in java.security.spec
    • S8019772: Fix doclint issues in javax.crypto and javax.security subpackages
    • S8020557: javadoc cleanup in javax.security
    • S8020688: Broken links in documentation at http://docs.oracle.com/javase/6/docs/api/index.
    • S8021108: Clean up doclint warnings and errors in java.text package
    • S8021417: Fix doclint issues in java.util.concurrent
    • S8021833: javadoc cleanup in java.net
    • S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMethods fails
    • S8022175: Fix doclint warnings in javax.print
    • S8022406: Fix doclint issues in java.beans
    • S8022746: List of spelling errors in API doc
    • S8024779: [macosx] SwingNode crashes on exit
    • S8025085: [javadoc] some errors in javax/swing
    • S8025218: [javadoc] some errors in java/awt classes
    • S8025249: [javadoc] fix some javadoc errors in javax/swing/
    • S8025409: Fix javadoc comments errors and warning reported by doclint report
    • S8026021: more fix of javadoc errors and warnings reported by doclint, see the description
    • S8037099: [macosx] Remove all references to GC from native OBJ-C code
    • S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String
    • S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits
    • S8049244: XML Signature performance issue caused by unbuffered signature data
    • S8049432: New tests for TLS property jdk.tls.client.protocols
    • S8050893: (smartcardio) Invert reset argument in tests in sun/security/smartcardio
    • S8059212: Modify regression tests so that they do not just fail if no cardreader found
    • S8068279: (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName
    • S8068491: Update the protocol for references of docs.oracle.com to HTTPS.
    • S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210
    • S8076369: Introduce the jdk.tls.client.protocols system property for JDK 7u
    • S8139565: Restrict certificates with DSA keys less than 1024 bits
    • S8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
    • S8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check
    • S8143959: Certificates requiring blacklisting
    • S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks
    • S8148516: Improve the default strength of EC in JDK
    • S8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks
    • S8151893: Add security property to configure XML Signature secure validation mode
    • S8155760: Implement Serialization Filtering
    • S8156802: Better constraint checking
    • S8161228: URL objects with custom protocol handlers have port changed after deserializing
    • S8161571: Verifying ECDSA signatures permits trailing bytes
    • S8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar
    • S8164908: ReflectionFactory support for IIOP and custom serialization
    • S8165230: RMIConnection addNotificationListeners failing with specific inputs
    • S8166393: disabledAlgorithms property should not be strictly parsed
    • S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12 Sierra is very fast (Trackpad, Retina only)
    • S8166739: Improve extensibility of ObjectInputFilter information passed to the filter
    • S8166875: (tz) Support tzdata2016g
    • S8166878: Connection reset during TLS handshake
    • S8167356: Follow up fix for jdk8 backport of 8164143. Changes for CMenuComponent.m were missed
    • S8167459: Add debug output for indicating if a chosen ciphersuite was legacy
    • S8167472: Chrome interop regression with JDK-8148516
    • S8167591: Add MD5 to signed JAR restrictions
    • S8168861: AnchorCertificates uses hardcoded password for cacerts keystore
    • S8168993: JDK8u121 L10n resource file update
    • S8169191: (tz) Support tzdata2016i
    • S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for January CPU
    • S8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304
    • S8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property
    • S8170268: 8u121 L10n resource file update - msgdrop 20
    • S8173622: Backport of 7180907 is incomplete
    • S8173849: Fix use of java.util.Base64 in test cases
    • S8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760
    • CVE-2017-3259 Vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.
  • Backports
    • S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on __APPLE__and _LLP64 systems.
    • S8000351, PR3316, RH1390708: Tenuring threshold should be unsigned
    • S8153711, PR3315, RH1284948: [REDO] GlobalRefs never deleted when processing invokeMethod command
    • S8170888, PR3316, RH1390708: [linux] support for cgroup memory limits in container (ie Docker) environments
  • Bug fixes
    • PR3318: Replace 'infinality' with 'improved font rendering' (--enable-improved-font-rendering)
    • PR3318: Fix compatibility with vanilla Fontconfig
    • PR3318: Fix glyph y advance
    • PR3318: Always round glyph advance in 26.6 space
    • PR3318: Simplify glyph advance handling
    • PR3324: Fix NSS_LIBDIR substitution in make_generic_profile.sh broken by PR1989
  • AArch64 port
    • S8165673, PR3320: AArch64: Fix JNI floating point argument handling

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 12 SP1
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2017-255=1
  • SUSE Linux Enterprise Desktop 12 SP2
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-255=1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
    zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-255=1
  • SUSE Linux Enterprise Server for SAP Applications 12
    zypper in -t patch SUSE-SLE-SAP-12-2017-255=1
  • SUSE Linux Enterprise Server 12 LTSS 12
    zypper in -t patch SUSE-SLE-SERVER-12-2017-255=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-255=1
  • SUSE Linux Enterprise Server 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-255=1
  • SUSE Linux Enterprise High Performance Computing 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-255=1
  • SUSE Linux Enterprise Server 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-255=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-255=1

Package List:

  • SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
  • SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1
  • SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1
  • SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1
  • SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1
  • SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1
  • SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
    • java-1_7_0-openjdk-debugsource-1.7.0.131-39.1
    • java-1_7_0-openjdk-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-39.1
    • java-1_7_0-openjdk-devel-1.7.0.131-39.1
    • java-1_7_0-openjdk-headless-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-1.7.0.131-39.1
    • java-1_7_0-openjdk-1.7.0.131-39.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-39.1

References: