Security update for java-1_8_0-openjdk

Announcement ID: SUSE-SU-2018:1690-2
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2018-2790 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
  • CVE-2018-2790 ( NVD ): 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
  • CVE-2018-2794 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-2794 ( NVD ): 7.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2018-2794 ( NVD ): 7.7 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2018-2795 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2795 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2795 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2796 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2796 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2796 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2797 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2797 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2797 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2798 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2798 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2798 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2799 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2799 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2799 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2800 ( SUSE ): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2018-2800 ( NVD ): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2018-2814 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2018-2814 ( NVD ): 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2018-2814 ( NVD ): 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2018-2815 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2815 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-2815 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2

An update that solves 10 vulnerabilities and has one security fix can now be installed.

Description:

This update for java-1_8_0-openjdk to version 8u171 fixes the following issues:

These security issues were fixed:

  • S8180881: Better packaging of deserialization
  • S8182362: Update CipherOutputStream Usage
  • S8183032: Upgrade to LittleCMS 2.9
  • S8189123: More consistent classloading
  • S8189969, CVE-2018-2790, bsc#1090023: Manifest better manifest entries
  • S8189977, CVE-2018-2795, bsc#1090025: Improve permission portability
  • S8189981, CVE-2018-2796, bsc#1090026: Improve queuing portability
  • S8189985, CVE-2018-2797, bsc#1090027: Improve tabular data portability
  • S8189989, CVE-2018-2798, bsc#1090028: Improve container portability
  • S8189993, CVE-2018-2799, bsc#1090029: Improve document portability
  • S8189997, CVE-2018-2794, bsc#1090024: Enhance keystore mechanisms
  • S8190478: Improved interface method selection
  • S8190877: Better handling of abstract classes
  • S8191696: Better mouse positioning
  • S8192025, CVE-2018-2814, bsc#1090032: Less referential references
  • S8192030: Better MTSchema support
  • S8192757, CVE-2018-2815, bsc#1090033: Improve stub classes implementation
  • S8193409: Improve AES supporting classes
  • S8193414: Improvements in MethodType lookups
  • S8193833, CVE-2018-2800, bsc#1090030: Better RMI connection support

For other changes please consult the changelog.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-1134=1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-ESPOS-2018-1134=1

Package List:

  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
    • java-1_8_0-openjdk-debugsource-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-devel-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-demo-debuginfo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-demo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-headless-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-headless-debuginfo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-debuginfo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-devel-debuginfo-1.8.0.171-27.19.1
  • SUSE Linux Enterprise Server 12 SP2 ESPOS 12-SP2 (x86_64)
    • java-1_8_0-openjdk-debugsource-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-devel-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-demo-debuginfo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-demo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-headless-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-headless-debuginfo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-debuginfo-1.8.0.171-27.19.1
    • java-1_8_0-openjdk-devel-debuginfo-1.8.0.171-27.19.1

References: