
Security vulnerabilities in the java-1_7_0-openjdk package

openSUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2017:0513-1
Rating: important
References: #1020905
Cross-References: CVE-2016-2183 CVE-2016-5546 CVE-2016-5547
CVE-2016-5548 CVE-2016-5549 CVE-2016-5552
CVE-2017-3231 CVE-2017-3241 CVE-2017-3252
CVE-2017-3253 CVE-2017-3259 CVE-2017-3260
CVE-2017-3261 CVE-2017-3272 CVE-2017-3289

Affected Products:
openSUSE Leap 42.2
openSUSE Leap 42.1
______________________________________________________________________________

An update that fixes 15 vulnerabilities is now available.

Description:

This update for java-1_7_0-openjdk fixes the following issues:

– Oracle Critical Patch Update of January 2017 to OpenJDK 7u131
(bsc#1020905):
* Security Fixes
– S8138725: Add options for Javadoc generation
– S8140353: Improve signature checking
– S8151934, CVE-2017-3231: Resolve class resolution
– S8156804, CVE-2017-3241: Better constraint checking
– S8158406: Limited Parameter Processing
– S8158997: JNDI Protocols Switch
– S8159507: RuntimeVisibleAnnotation validation
– S8161218: Better bytecode loading
– S8161743, CVE-2017-3252: Provide proper login context
– S8162577: Standardize logging levels
– S8162973: Better component components
– S8164143, CVE-2017-3260: Improve components for menu items
– S8164147, CVE-2017-3261: Improve streaming socket output
– S8165071, CVE-2016-2183: Expand TLS support
– S8165344, CVE-2017-3272: Update concurrency support
– S8166988, CVE-2017-3253: Improve image processing performance
– S8167104, CVE-2017-3289: Additional class construction refinements
– S8167223, CVE-2016-5552: URL handling improvements
– S8168705, CVE-2016-5547: Better ObjectIdentifier validation
– S8168714, CVE-2016-5546: Tighten ECDSA validation
– S8168728, CVE-2016-5548: DSA signing improvements
– S8168724, CVE-2016-5549: ECDSA signing improvements
– S6253144: Long narrowing conversion should describe the algorithm
used and implied “risks”
– S6328537: Improve javadocs for Socket class by adding references to
SocketOptions
– S6978886: javadoc shows stacktrace after print error resulting from
disk full
– S6995421: Eliminate the static dependency to
sun.security.ec.ECKeyFactory
– S6996372: synchronizing handshaking hash
– S7027045: (doc) java/awt/Window.java has several typos in javadoc
– S7054969: Null-check-in-finally pattern in java/security
documentation
– S7072353: JNDI libraries do not build with javac -Xlint:all -Werror
– S7075563: Broken link in “javax.swing.SwingWorker”
– S7077672: jdk8_tl nightly fail in step-2 build on 8/10/11
– S7088502: Security libraries don’t build with javac -Werror
– S7092447: Clarify the default locale used in each locale sensitive
operation
– S7093640: Enable client-side TLS 1.2 by default
– S7103570: AtomicIntegerFieldUpdater does not work when
SecurityManager is installed
– S7117360: Warnings in java.util.concurrent.atomic package
– S7117465: Warning cleanup for IMF classes
– S7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an
error
– S8000418: javadoc should used a standard “generated by javadoc”
string
– S8000666: javadoc should write directly to Writer instead of
composing strings
– S8000673: remove dead code from HtmlWriter and subtypes
– S8000970: break out auxiliary classes that will prevent multi-core
compilation of the JDK
– S8001669: javadoc internal DocletAbortException should set cause
when appropriate
– S8008949: javadoc stopped copying doc-files
– S8011402: Move blacklisting certificate logic from hard code to data
– S8011547: Update XML Signature implementation to Apache Santuario
1.5.4
– S8012288: XML DSig API allows wrong tag names and extra elements in
SignedInfo
– S8016217: More javadoc warnings
– S8017325: Cleanup of the javadoc <code> tag in java.security.cert
– S8017326: Cleanup of the javadoc <code> tag in java.security.spec
– S8019772: Fix doclint issues in javax.crypto and javax.security
subpackages
– S8020557: javadoc cleanup in javax.security
– S8020688: Broken links in documentation at
http://docs.oracle.com/javase/6/docs/api/index.
– S8021108: Clean up doclint warnings and errors in java.text package
– S8021417: Fix doclint issues in java.util.concurrent
– S8021833: javadoc cleanup in java.net
– S8022120: JCK test
api/javax_xml/crypto/dsig/TransformService/index_ParamMethods fails
– S8022175: Fix doclint warnings in javax.print
– S8022406: Fix doclint issues in java.beans
– S8022746: List of spelling errors in API doc
– S8024779: [macosx] SwingNode crashes on exit
– S8025085: [javadoc] some errors in javax/swing
– S8025218: [javadoc] some errors in java/awt classes
– S8025249: [javadoc] fix some javadoc errors in javax/swing/
– S8025409: Fix javadoc comments errors and warning reported by
doclint report
– S8026021: more fix of javadoc errors and warnings reported by
doclint, see the description
– S8037099: [macosx] Remove all references to GC from native OBJ-C code
– S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID
attribute value is empty String
– S8038349: Signing XML with DSA throws Exception when key is larger
than 1024 bits
– S8049244: XML Signature performance issue caused by unbuffered
signature data
– S8049432: New tests for TLS property jdk.tls.client.protocols
– S8050893: (smartcardio) Invert reset argument in tests in
sun/security/smartcardio
– S8059212: Modify regression tests so that they do not just fail if
no cardreader found
– S8068279: (typo in the spec)
javax.script.ScriptEngineFactory.getLanguageName
– S8068491: Update the protocol for references of docs.oracle.com to
HTTPS.
– S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be
updated for JDK-8061210
– S8076369: Introduce the jdk.tls.client.protocols system property for
JDK 7u
– S8139565: Restrict certificates with DSA keys less than 1024 bits
– S8140422: Add mechanism to allow non default root CAs to be not
subject to algorithm restrictions
– S8140587: Atomic*FieldUpdaters should use Class.isInstance instead
of direct class check
– S8143959: Certificates requiring blacklisting
– S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks
– S8148516: Improve the default strength of EC in JDK
– S8149029: Secure validation of XML based digital signature always
enabled when checking wrapping attacks
– S8151893: Add security property to configure XML Signature secure
validation mode
– S8155760: Implement Serialization Filtering
– S8156802: Better constraint checking
– S8161228: URL objects with custom protocol handlers have port
changed after deserializing
– S8161571: Verifying ECDSA signatures permits trailing bytes
– S8163304: jarsigner -verbose -verify should print the algorithms
used to sign the jar
– S8164908: ReflectionFactory support for IIOP and custom serialization
– S8165230: RMIConnection addNotificationListeners failing with
specific inputs
– S8166393: disabledAlgorithms property should not be strictly parsed
– S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12
Sierra is very fast (Trackpad, Retina only)
– S8166739: Improve extensibility of ObjectInputFilter information
passed to the filter
– S8166875: (tz) Support tzdata2016g
– S8166878: Connection reset during TLS handshake
– S8167356: Follow up fix for jdk8 backport of 8164143. Changes for
CMenuComponent.m were missed
– S8167459: Add debug output for indicating if a chosen ciphersuite
was legacy
– S8167472: Chrome interop regression with JDK-8148516
– S8167591: Add MD5 to signed JAR restrictions
– S8168861: AnchorCertificates uses hardcoded password for cacerts
keystore
– S8168993: JDK8u121 L10n resource file update
– S8169191: (tz) Support tzdata2016i
– S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for
January CPU
– S8169911: Enhanced tests for jarsigner -verbose -verify after
JDK-8163304
– S8170131: Certificates not being blocked by
jdk.tls.disabledAlgorithms property
– S8170268: 8u121 L10n resource file update – msgdrop 20
– S8173622: Backport of 7180907 is incomplete
– S8173849: Fix use of java.util.Base64 in test cases
– S8173854: [TEST] Update DHEKeySizing test case following 8076328 &
8081760
– CVE-2017-3259: Vulnerability allows an unauthenticated attacker with
network access via multiple protocols to compromise Java SE.
* Backports
– S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on
__APPLE__ and _LLP64 systems.
– S8000351, PR3316, RH1390708: Tenuring threshold should be unsigned
– S8153711, PR3315, RH1284948: [REDO] GlobalRefs never deleted when
processing invokeMethod command
– S8170888, PR3316, RH1390708: [linux] support for cgroup memory
limits in container (ie Docker) environments
* Bug fixes
– PR3318: Replace 'infinality' with 'improved font rendering'
(--enable-improved-font-rendering)
– PR3318: Fix compatibility with vanilla Fontconfig
– PR3318: Fix glyph y advance
– PR3318: Always round glyph advance in 26.6 space
– PR3318: Simplify glyph advance handling
– PR3324: Fix NSS_LIBDIR substitution in make_generic_profile.sh
broken by PR1989
* AArch64 port
– S8165673, PR3320: AArch64: Fix JNI floating point argument handling

This update was imported from the SUSE:SLE-12:Update update project.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE Leap 42.2:

zypper in -t patch openSUSE-2017-278=1

– openSUSE Leap 42.1:

zypper in -t patch openSUSE-2017-278=1

To bring your system up-to-date, use “zypper patch”.
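As an added example, not part of the openSUSE advisory, the following POSIX shell check reads the `rpm -qa` inventory of java-1_7_0-openjdk packages and reports which ones are still below the fixed release 1.7.0.131-40.1 from the package list, so the patch step above can be gated on it instead of run blindly. The sample inventory lines and the pre-update release number 1.7.0.121-32.1 are constructed for illustration; the version comparison is a simplified numeric version-release compare written for this example, not the full rpmvercmp.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: report which installed
# java-1_7_0-openjdk packages are still below the fixed release from
# openSUSE-SU-2017:0513-1 and, if any are, print the patch command.

FIXED="1.7.0.131-40.1"

# cmp_dotted A B: prints -1, 0 or 1 comparing dotted numeric strings
# segment by segment (missing trailing segments count as 0).
# Assumption: segments are plain integers, as in these package versions;
# this is not a full rpmvercmp (no alphabetic or tilde handling).
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
    done
    echo 0
}

# evr_ge X Y: succeeds when "version-release" X is at or above Y, comparing
# the version first and the release only as a tie-breaker, as rpm does.
evr_ge() {
    v1=${1%%-*}; v2=${2%%-*}
    case $1 in *-*) r1=${1#*-};; *) r1=0;; esac
    case $2 in *-*) r2=${2#*-};; *) r2=0;; esac
    c=$(cmp_dotted "$v1" "$v2")
    if [ "$c" = "0" ]; then c=$(cmp_dotted "$r1" "$r2"); fi
    [ "$c" != "-1" ]
}

# check_installed: reads "NAME VERSION-RELEASE" lines on stdin, the output of
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'java-1_7_0-openjdk*'
# prints one status line per package and fails if any package is below FIXED.
check_installed() {
    rc=0
    while read -r name ver; do
        [ -z "$name" ] && continue
        if evr_ge "$ver" "$FIXED"; then
            echo "OK         $name $ver"
        else
            echo "VULNERABLE $name $ver (fixed in $FIXED)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inventories (the pre-update release number is made up
# for illustration; the fixed one is taken from the advisory's package list).
SAMPLE_OLD='java-1_7_0-openjdk 1.7.0.121-32.1
java-1_7_0-openjdk-headless 1.7.0.121-32.1'
SAMPLE_NEW='java-1_7_0-openjdk 1.7.0.131-40.1
java-1_7_0-openjdk-headless 1.7.0.131-40.1'

# Demo on the constructed data. On a real Leap 42.x host replace the printf
# with the rpm query above; the patch command is the one from the advisory.
printf '%s\n' "$SAMPLE_OLD" | check_installed \
    || echo "--> zypper in -t patch openSUSE-2017-278=1"
printf '%s\n' "$SAMPLE_NEW" | check_installed \
    || echo "--> zypper in -t patch openSUSE-2017-278=1"
```

The release part is compared only when the versions tie, which matters here because the fix is identified by the full 1.7.0.131-40.1 string: a host on an earlier 1.7.0.131 rebuild is still flagged. Because check_installed returns non-zero when anything is below the fixed release, the same pipeline can be dropped into a fleet-wide inventory script, and a surviving non-zero exit after `zypper patch` is a signal that a stale bootstrap or headless subpackage was left behind.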

Package List:

– openSUSE Leap 42.2 (i586 x86_64):

java-1_7_0-openjdk-1.7.0.131-40.1
java-1_7_0-openjdk-accessibility-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-devel-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-headless-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-debugsource-1.7.0.131-40.1
java-1_7_0-openjdk-demo-1.7.0.131-40.1
java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-devel-1.7.0.131-40.1
java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-headless-1.7.0.131-40.1
java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-src-1.7.0.131-40.1

– openSUSE Leap 42.2 (noarch):

java-1_7_0-openjdk-javadoc-1.7.0.131-40.1

– openSUSE Leap 42.1 (i586 x86_64):

java-1_7_0-openjdk-1.7.0.131-40.1
java-1_7_0-openjdk-accessibility-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-devel-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-headless-1.7.0.131-40.1
java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-debugsource-1.7.0.131-40.1
java-1_7_0-openjdk-demo-1.7.0.131-40.1
java-1_7_0-openjdk-demo-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-devel-1.7.0.131-40.1
java-1_7_0-openjdk-devel-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-headless-1.7.0.131-40.1
java-1_7_0-openjdk-headless-debuginfo-1.7.0.131-40.1
java-1_7_0-openjdk-src-1.7.0.131-40.1

– openSUSE Leap 42.1 (noarch):

java-1_7_0-openjdk-javadoc-1.7.0.131-40.1

References:

https://www.suse.com/security/cve/CVE-2016-2183.html
https://www.suse.com/security/cve/CVE-2016-5546.html
https://www.suse.com/security/cve/CVE-2016-5547.html
https://www.suse.com/security/cve/CVE-2016-5548.html
https://www.suse.com/security/cve/CVE-2016-5549.html
https://www.suse.com/security/cve/CVE-2016-5552.html
https://www.suse.com/security/cve/CVE-2017-3231.html
https://www.suse.com/security/cve/CVE-2017-3241.html
https://www.suse.com/security/cve/CVE-2017-3252.html
https://www.suse.com/security/cve/CVE-2017-3253.html
https://www.suse.com/security/cve/CVE-2017-3259.html
https://www.suse.com/security/cve/CVE-2017-3260.html
https://www.suse.com/security/cve/CVE-2017-3261.html
https://www.suse.com/security/cve/CVE-2017-3272.html
https://www.suse.com/security/cve/CVE-2017-3289.html
https://bugzilla.suse.com/1020905


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
