Security update for java-11-openjdk

SUSE Security Update: Security update for java-11-openjdk
Announcement ID: SUSE-SU-2019:0221-1
Rating: important
References: #1120431 #1122293 #1122299
Cross-References:CVE-2018-11212 CVE-2019-2422 CVE-2019-2426
Affected Products:
  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15

An update that fixes three vulnerabilities is now available.


This update for java-11-openjdk to version 11.0.2+7 fixes the following issues:
Security issues fixed:

  • CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
  • CVE-2019-2426: Improve web server connections
  • CVE-2018-11212: Improve JPEG processing (bsc#1122299)
  • Better route routing
  • Better interface enumeration
  • Better interface lists
  • Improve BigDecimal support
  • Improve robot support
  • Better icon support
  • Choose printer defaults
  • Proper allocation handling
  • Initial class initialization
  • More reliable p11 transactions
  • Improve NIO stability
  • Better loading of classloader classes
  • Strengthen Windows Access Bridge Support
  • Improved data set handling
  • Improved LSA authentication
  • Libsunmscapi improved interactions

Non-security issues fix:
  • Do not resolve by default the added JavaEE modules (bsc#1120431)
  • ~2.5% regression on compression benchmark starting with 12-b11
  • hangs on 204 reply without Content-length 0
  • Add additional TeliaSonera root certificate
  • Add more ld preloading related info to hs_error file on Linux
  • Add test to exercise server-side client hello processing
  • AES encrypt performance regression in jdk11b11
  • AIX: ProcessBuilder: Piping between created processes does not work.
  • AIX: Some class library files are missing the Classpath exception
  • AppCDS crashes for some uses with JRuby
  • Automate vtable/itable stub size calculation
  • BarrierSetC1::generate_referent_check() confuses register allocator
  • Better HTTP Redirection
  • Catastrophic size_t underflow in BitMap::*_large methods
  • Clip.isRunning() may return true after Clip.stop() was called
  • Compiler thread creation should be bounded by available space in memory and Code Cache
  • returns Content-length header for 204 response code
  • Default mask register for avx512 instructions
  • Delayed starting of debugging via jcmd
  • Disable all DES cipher suites
  • Disable anon and NULL cipher suites
  • Disable unsupported GCs for Zero
  • Epsilon alignment adjustments can overflow max TLAB size
  • Epsilon elastic TLAB sizing may cause misalignment
  • HotSpot update for vm_version.cpp to recognise updated VS2017
  • HttpClient does not retrieve files with large sizes over HTTP/1.1
  • IIOException "tEXt chunk length is not proper" on opening png file
  • Improve TLS connection stability again
  • InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
  • Inspect stack during error reporting
  • Instead of circle rendered in appl window, but ellipse is produced JEditor Pane
  • Introduce diagnostic flag to abort VM on failed JIT compilation
  • Invalid assert(HeapBaseMinAddress > 0) in ReservedHeapSpace::initialize_compressed_heap
  • jar has issues with UNC-path arguments for the jar -C parameter [windows]
  • HTTP client should allow specifying Origin and Referer headers
  • java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
  • JDK 11.0.1 l10n resource file update
  • JDWP Transport Listener: dt_socket thread crash
  • JVMTI ResourceExhausted should not be posted in CompilerThread
  • LDAPS communication failure with jdk 1.8.0_181
  • linux: Poor StrictMath performance due to non-optimized compilation
  • Missing synchronization when reading counters for live threads and peak thread count
  • NPE in SupportedGroupsExtension
  • OpenDataException thrown when constructing CompositeData for StackTraceElement
  • Parent class loader may not have a referred ClassLoaderData instance when obtained in Klass::class_in_module_of_loader
  • Populate handlers while holding streamHandlerLock
  • ppc64: Enable POWER9 CPU detection
  • print_location is not reliable enough (printing register info)
  • Reconsider default option for ClassPathURLCheck change done in JDK-8195874
  • Register to register spill may use AVX 512 move instruction on unsupported platform.
  • s390: Use of shift operators not covered by cpp standard
  • serviceability/sa/ intermittently fails with assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
  • SIGBUS in CodeHeapState::print_names()
  • SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
  • Soft reference reclamation race in
  • Swing apps are slow if displaying from a remote source to many local displays
  • switch jtreg to 4.2b13
  • Test library OSInfo.getSolarisVersion cannot determine Solaris version
  • is very slow
  • of '-XX:TLABSize=2147483648' fails intermittently
  • The Japanese message of FileNotFoundException garbled
  • The "supported_groups" extension in ServerHellos
  • ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to CompositeData
  • TimeZone.getDisplayName given Locale.US doesn't always honor the Locale.
  • TLS 1.2 Support algorithm in SunPKCS11 provider
  • TLS 1.3 handshake server name indication is missing on a session resume
  • TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
  • TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
  • tz: Upgrade time-zone data to tzdata2018g
  • Undefined behaviour in ADLC
  • Update avx512 implementation
  • URLStreamHandler initialization race
  • UseCompressedOops requirement check fails fails on 32-bit system
  • windows: Update OS detection code to recognize Windows Server 2019
  • x86: assert on unbound assembler Labels used as branch targets
  • x86: jck tests for ldc2_w bytecode fail
  • x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
  • "-XX:OnOutOfMemoryError" uses fork instead of vfork

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-221=1

Package List:

  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (aarch64 ppc64le s390x x86_64):
    • java-11-openjdk-
    • java-11-openjdk-accessibility-
    • java-11-openjdk-accessibility-debuginfo-
    • java-11-openjdk-debuginfo-
    • java-11-openjdk-debugsource-
    • java-11-openjdk-demo-
    • java-11-openjdk-devel-
    • java-11-openjdk-headless-
    • java-11-openjdk-jmods-
    • java-11-openjdk-src-
  • SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (noarch):
    • java-11-openjdk-javadoc-