Security update for java-1_7_0-openjdk
SUSE Security Update: Security update for java-1_7_0-openjdk
OpenJDK was updated to icedtea 2.5.3 (OpenJDK 7u71) fixing security issues
and bugs.
* Security:
- S8015256: Better class accessibility
- S8022783, CVE-2014-6504: Optimize C2 optimizations
- S8035162: Service printing service
- S8035781: Improve equality for annotations
- S8036805: Correct linker method lookup.
- S8036810: Correct linker field lookup
- S8036936: Use local locales
- S8037066, CVE-2014-6457: Secure transport layer
- S8037846, CVE-2014-6558: Ensure streaming of input cipher streams
- S8038364: Use certificate exceptions correctly
- S8038899: Safer safepoints
- S8038903: More native monitor monitoring
- S8038908: Make Signature more robust
- S8038913: Bolster XML support
- S8039509, CVE-2014-6512: Wrap sockets more thoroughly
- S8039533, CVE-2014-6517: Higher resolution resolvers
- S8041540, CVE-2014-6511: Better use of pages in font processing
- S8041529: Better parameterization of parameter lists
- S8041545: Better validation of generated rasters
- S8041564, CVE-2014-6506: Improved management of logger resources
- S8041717, CVE-2014-6519: Issue with class file parser
- S8042609, CVE-2014-6513: Limit splashiness of splash images
- S8042797, CVE-2014-6502: Avoid strawberries in LogRecord
- S8044274, CVE-2014-6531: Proper property processing
* Backports:
- S4963723: Implement SHA-224
- S7044060: Need to support NSA Suite B Cryptography algorithms
- S7122142: (ann) Race condition between isAnnotationPresent and
getAnnotations
- S7160837: DigestOutputStream does not turn off digest calculation when
"close()" is called
- S8006935: Need to take care of long secret keys in HMAC/PRF computation
- S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode
- S8028192: Use of PKCS11-NSS provider in FIPS mode broken
- S8038000: java.awt.image.RasterFormatException: Incorrect scanline stride
- S8039396: NPE when writing a class descriptor object to a custom
ObjectOutputStream
- S8042603: 'SafepointPollOffset' was not declared in static member
function 'static bool Arguments::check_vm_args_consistency()'
- S8042850: Extra unused entries in ICU ScriptCodes enum
- S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp tests fail since
7u71 b01
- S8053963: (dc) Use DatagramChannel.receive() instead of read() in
connect()
- S8055176: 7u71 l10n resource file translation update
* Bugfixes:
- PR1988: C++ Interpreter should no longer be used on ppc64
- PR1989: Make jdk_generic_profile.sh handle missing programs better and
be more verbose
- PR1992, RH735336: Support retrieving proxy settings on GNOME 3.12.2
- PR2000: Synchronise HEAD tarball paths with release branch paths
- PR2002: Fix references to hotspot.map following PR2000
- PR2003: --disable-system-gtk option broken by refactoring in PR1736
- PR2009: Checksum of policy JAR files changes on every build
- PR2014: Use version from hotspot.map to create tarball filename
- PR2015: Update hotspot.map documentation in INSTALL
- PR2025: LCMS_CFLAGS and LCMS_LIBS should not be used unless SYSTEM_LCMS
is enabled
- RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError
(revised comprehensive fix)
* CACAO
- PR2030, G453612, CA172: ARM hardfloat support for CACAO
* AArch64 port
- AArch64 C2 instruct for smull
- Add frame anchor fences.
- Add MacroAssembler::maybe_isb()
- Add missing instruction synchronization barriers and cache flushes.
- Add support for a few simple intrinsics
- Add support for builtin crc32 instructions
- Add support for Neon implementation of CRC32
- All address constants are 48 bits in size.
- array load must only read 32 bits
- Define uabs(). Use it everywhere an absolute value is wanted.
- Fast string comparison
- Fast String.equals()
- Fix register usage in generate_verify_oop().
- Fix thinko in Atomic::xchg_ptr.
- Fix typo in fsqrts
- Improve C1 performance improvements in ic_cache checks
- Performance improvement and ease of use changes pulled from upstream
- Remove obsolete C1 patching code.
- Replace hotspot jtreg test suite with tests from jdk7u
- S8024648: 7141246 breaks Zero port
- Save intermediate state before removing C1 patching code.
- Unwind native AArch64 frames.
- Use 2- and 3-instruction immediate form of movoop and mov_metadata in
C2-generated code.
- Various concurrency fixes.
| Announcement ID: | SUSE-SU-2014:1422-1 |
| Rating: | important |
| References: | #901242 |
| Affected Products: |
An update that fixes 11 vulnerabilities is now available.
Description:
OpenJDK was updated to icedtea 2.5.3 (OpenJDK 7u71) fixing security issues
and bugs.
* Security:
- S8015256: Better class accessibility
- S8022783, CVE-2014-6504: Optimize C2 optimizations
- S8035162: Service printing service
- S8035781: Improve equality for annotations
- S8036805: Correct linker method lookup.
- S8036810: Correct linker field lookup
- S8036936: Use local locales
- S8037066, CVE-2014-6457: Secure transport layer
- S8037846, CVE-2014-6558: Ensure streaming of input cipher streams
- S8038364: Use certificate exceptions correctly
- S8038899: Safer safepoints
- S8038903: More native monitor monitoring
- S8038908: Make Signature more robust
- S8038913: Bolster XML support
- S8039509, CVE-2014-6512: Wrap sockets more thoroughly
- S8039533, CVE-2014-6517: Higher resolution resolvers
- S8041540, CVE-2014-6511: Better use of pages in font processing
- S8041529: Better parameterization of parameter lists
- S8041545: Better validation of generated rasters
- S8041564, CVE-2014-6506: Improved management of logger resources
- S8041717, CVE-2014-6519: Issue with class file parser
- S8042609, CVE-2014-6513: Limit splashiness of splash images
- S8042797, CVE-2014-6502: Avoid strawberries in LogRecord
- S8044274, CVE-2014-6531: Proper property processing
* Backports:
- S4963723: Implement SHA-224
- S7044060: Need to support NSA Suite B Cryptography algorithms
- S7122142: (ann) Race condition between isAnnotationPresent and
getAnnotations
- S7160837: DigestOutputStream does not turn off digest calculation when
"close()" is called
- S8006935: Need to take care of long secret keys in HMAC/PRF computation
- S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode
- S8028192: Use of PKCS11-NSS provider in FIPS mode broken
- S8038000: java.awt.image.RasterFormatException: Incorrect scanline stride
- S8039396: NPE when writing a class descriptor object to a custom
ObjectOutputStream
- S8042603: 'SafepointPollOffset' was not declared in static member
function 'static bool Arguments::check_vm_args_consistency()'
- S8042850: Extra unused entries in ICU ScriptCodes enum
- S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp tests fail since
7u71 b01
- S8053963: (dc) Use DatagramChannel.receive() instead of read() in
connect()
- S8055176: 7u71 l10n resource file translation update
* Bugfixes:
- PR1988: C++ Interpreter should no longer be used on ppc64
- PR1989: Make jdk_generic_profile.sh handle missing programs better and
be more verbose
- PR1992, RH735336: Support retrieving proxy settings on GNOME 3.12.2
- PR2000: Synchronise HEAD tarball paths with release branch paths
- PR2002: Fix references to hotspot.map following PR2000
- PR2003: --disable-system-gtk option broken by refactoring in PR1736
- PR2009: Checksum of policy JAR files changes on every build
- PR2014: Use version from hotspot.map to create tarball filename
- PR2015: Update hotspot.map documentation in INSTALL
- PR2025: LCMS_CFLAGS and LCMS_LIBS should not be used unless SYSTEM_LCMS
is enabled
- RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError
(revised comprehensive fix)
* CACAO
- PR2030, G453612, CA172: ARM hardfloat support for CACAO
* AArch64 port
- AArch64 C2 instruct for smull
- Add frame anchor fences.
- Add MacroAssembler::maybe_isb()
- Add missing instruction synchronization barriers and cache flushes.
- Add support for a few simple intrinsics
- Add support for builtin crc32 instructions
- Add support for Neon implementation of CRC32
- All address constants are 48 bits in size.
- array load must only read 32 bits
- Define uabs(). Use it everywhere an absolute value is wanted.
- Fast string comparison
- Fast String.equals()
- Fix register usage in generate_verify_oop().
- Fix thinko in Atomic::xchg_ptr.
- Fix typo in fsqrts
- Improve C1 performance improvements in ic_cache checks
- Performance improvement and ease of use changes pulled from upstream
- Remove obsolete C1 patching code.
- Replace hotspot jtreg test suite with tests from jdk7u
- S8024648: 7141246 breaks Zero port
- Save intermediate state before removing C1 patching code.
- Unwind native AArch64 frames.
- Use 2- and 3-instruction immediate form of movoop and mov_metadata in
C2-generated code.
- Various concurrency fixes.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2014-68 - SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2014-68
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
- java-1_7_0-openjdk-1.7.0.71-6.2
- java-1_7_0-openjdk-debuginfo-1.7.0.71-6.2
- java-1_7_0-openjdk-debugsource-1.7.0.71-6.2
- java-1_7_0-openjdk-demo-1.7.0.71-6.2
- java-1_7_0-openjdk-demo-debuginfo-1.7.0.71-6.2
- java-1_7_0-openjdk-devel-1.7.0.71-6.2
- java-1_7_0-openjdk-devel-debuginfo-1.7.0.71-6.2
- java-1_7_0-openjdk-headless-1.7.0.71-6.2
- java-1_7_0-openjdk-headless-debuginfo-1.7.0.71-6.2
- SUSE Linux Enterprise Desktop 12 (x86_64):
- java-1_7_0-openjdk-1.7.0.71-6.2
- java-1_7_0-openjdk-debuginfo-1.7.0.71-6.2
- java-1_7_0-openjdk-debugsource-1.7.0.71-6.2
- java-1_7_0-openjdk-headless-1.7.0.71-6.2
- java-1_7_0-openjdk-headless-debuginfo-1.7.0.71-6.2
References:
- http://support.novell.com/security/cve/CVE-2014-6457.html
- http://support.novell.com/security/cve/CVE-2014-6502.html
- http://support.novell.com/security/cve/CVE-2014-6504.html
- http://support.novell.com/security/cve/CVE-2014-6506.html
- http://support.novell.com/security/cve/CVE-2014-6511.html
- http://support.novell.com/security/cve/CVE-2014-6512.html
- http://support.novell.com/security/cve/CVE-2014-6513.html
- http://support.novell.com/security/cve/CVE-2014-6517.html
- http://support.novell.com/security/cve/CVE-2014-6519.html
- http://support.novell.com/security/cve/CVE-2014-6531.html
- http://support.novell.com/security/cve/CVE-2014-6558.html
- https://bugzilla.suse.com/show_bug.cgi?id=901242