Security update for java-1_7_0-openjdk

Announcement ID: SUSE-SU-2017:1400-1
Rating: important
CVSS scores:
  • CVE-2017-3289 ( NVD ): 9.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2017-3509 ( NVD ): 4.2 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2017-3511 ( NVD ): 7.7 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2017-3512 ( NVD ): 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2017-3514 ( NVD ): 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
  • CVE-2017-3526 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2017-3533 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2017-3539 ( NVD ): 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
  • CVE-2017-3544 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP1
  • SUSE Linux Enterprise Desktop 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2

An update that solves nine vulnerabilities can now be installed.

Description:

This update for java-1_7_0-openjdk fixes the following issues:

  • Update to 2.6.10 - OpenJDK 7u141 (bsc#1034849)
  • Security fixes
    • S8163520, CVE-2017-3509: Reuse cache entries
    • S8163528, CVE-2017-3511: Better library loading
    • S8165626, CVE-2017-3512: Improved window framing
    • S8167110, CVE-2017-3514: Windows peering issue
    • S8169011, CVE-2017-3526: Resizing XML parse trees
    • S8170222, CVE-2017-3533: Better transfers of files
    • S8171121, CVE-2017-3539: Enhancing jar checking
    • S8171533, CVE-2017-3544: Better email transfer
    • S8172299: Improve class processing
  • New features
    • PR3347: jstack.stp should support AArch64
  • Import of OpenJDK 7 u141 build 0
    • S4717864: setFont() does not update Fonts of Menus already on screen
    • S6474807: (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException
    • S6518907: cleanup IA64 specific code in Hotspot
    • S6869327: Add new C2 flag to keep safepoints in counted loops.
    • S7112912: Message "Error occurred during initialization of VM" on boxes with lots of RAM
    • S7124213: [macosx] pack() does ignore size of a component; doesn't on the other platforms
    • S7124219: [macosx] Unable to draw images to fullscreen
    • S7124552: [macosx] NullPointerException in getBufferStrategy()
    • S7148275: [macosx] setIconImages() not working correctly (distorted icon when minimized)
    • S7154841: [macosx] Popups appear behind taskbar
    • S7155957: closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.java hangs on win 64 bit with jdk8
    • S7160627: [macosx] TextArea has wrong initial size
    • S7167293: FtpURLConnection connection leak on FileNotFoundException
    • S7168851: [macosx] Netbeans crashes in CImage.nativeCreateNSImageFromArray
    • S7197203: sun/misc/URLClassPath/ClassnameCharTest.sh failed, compile error
    • S8005255: [macosx] Cleanup warnings in sun.lwawt
    • S8006088: Incompatible heap size flags accepted by VM
    • S8007295: Reduce number of warnings in awt classes
    • S8010722: assert: failed: heap size is too big for compressed oops
    • S8011059: [macosx] Support automatic @2x images loading on Mac OS X
    • S8014058: Regression tests for 8006088
    • S8014489: tests/gc/arguments/Test(Serial|CMS|Parallel|G1)HeapSizeFlags jtreg tests invoke wrong class
    • S8016302: Change type of the number of GC workers to unsigned int (2)
    • S8024662: gc/arguments/TestUseCompressedOopsErgo.java does not compile.
    • S8024669: Native OOME when allocating after changes to maximum heap supporting Coops sizing on sparcv9
    • S8024926: [macosx] AquaIcon HiDPI support
    • S8025974: l10n for policytool
    • S8027025: [macosx] getLocationOnScreen returns 0 if parent invisible
    • S8028212: Custom cursor HiDPI support
    • S8028471: PPC64 (part 215): opto: Extend ImplicitNullCheck optimization.
    • S8031573: [macosx] Checkmarks of JCheckBoxMenuItems aren't rendered in high resolution on Retina
    • S8033534: [macosx] Get MultiResolution image from native system
    • S8033786: White flashing when opening Dialogs and Menus using Nimbus with dark background
    • S8035568: [macosx] Cursor management unification
    • S8041734: JFrame in full screen mode leaves empty workspace after close
    • S8059803: Update use of GetVersionEx to get correct Windows version in hs_err files
    • S8066504: GetVersionEx in java.base/windows/native/libjava/java_props_md.c might not get correct Windows version 0
    • S8079595: Resizing dialog which is JWindow parent makes JVM crash
    • S8080729: [macosx] java 7 and 8 JDialogs on multiscreen jump to parent frame on focus
    • S8130769: The new menu can't be shown on the menubar after clicking the "Add" button.
    • S8133357: 8u65 l10n resource file translation update
    • S8146602: jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java test fails with NullPointerException
    • S8147842: IME Composition Window is displayed at incorrect location
    • S8147910: Cache initial active_processor_count
    • S8150490: Update OS detection code to recognize Windows Server 2016
    • S8161147: jvm crashes when -XX:+UseCountedLoopSafepoints is enabled
    • S8161195: Regression: closed/javax/swing/text/FlowView/LayoutTest.java
    • S8161993: G1 crashes if active_processor_count changes during startup
    • S8162603: Unrecognized VM option 'UseCountedLoopSafepoints'
    • S8162876: [TEST_BUG] sun/net/www/protocol/http/HttpInputStream.java fails intermittently
    • S8164533: sun/security/ssl/SSLSocketImpl/CloseSocket.java failed with "Error while cleaning up threads after test"
    • S8167179: Make XSL generated namespace prefixes local to transformation process
    • S8169465: Deadlock in com.sun.jndi.ldap.pool.Connections
    • S8169589: [macosx] Activating a JDialog puts to back another dialog
    • S8170307: Stack size option -Xss is ignored
    • S8170316: (tz) Support tzdata2016j
    • S8170814: Reuse cache entries (part II)
    • S8171388: Update JNDI Thread contexts
    • S8171949: [macosx] AWT_ZoomFrame Automated tests fail with error: The bitwise mask Frame.ICONIFIED is not set when the frame is in ICONIFIED state
    • S8171952: [macosx] AWT_Modality/Automated/ModalExclusion/NoExclusion/ModelessDialog test fails as DummyButton on Dialog did not gain focus when clicked.
    • S8173931: 8u131 L10n resource file update
    • S8174844: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
    • S8175087: [bsd] Fix build after "8024900: PPC64: Enable new build on AIX (jdk part)"
    • S8175163: [bsd] Fix build after "8005629: javac warnings compiling java.awt.EventDispatchThread..."
    • S8176044: (tz) Support tzdata2017a
  • Import of OpenJDK 7 u141 build 1
    • S8043723: max_heap_for_compressed_oops() declared with size_t, but defined with uintx
  • Import of OpenJDK 7 u141 build 2
    • S8011123: serialVersionUID of java.awt.dnd.InvalidDnDOperationException changed in JDK8-b82
  • Backports
    • S6515172, PR3362: Runtime.availableProcessors() ignores Linux taskset command
    • S8022284, PR3209: Hide internal data structure in PhaseCFG
    • S8023003, PR3209: Cleanup the public interface to PhaseCFG
    • S8023691, PR3209: Create interface for nodes in class Block
    • S8023988, PR3209: Move local scheduling of nodes to the CFG creation and code motion phase (PhaseCFG)
    • S8043780, PR3369: Use open(O_CLOEXEC) instead of fcntl(FD_CLOEXEC)
    • S8157306, PR3209: Random infrequent null pointer exceptions in javac
    • S8173783, PR3329: IllegalArgumentException: jdk.tls.namedGroups
    • S8173941, PR3330: SA does not work if executable is DSO
    • S8174729, PR3361: Race Condition in java.lang.reflect.WeakCache
  • Bug fixes
    • PR3349: Architectures unsupported by SystemTap tapsets throw a parse error
    • PR3370: Disable ARM32 JIT by default in jdk_generic_profile.sh
    • PR3379: Perl should be mandatory
    • PR3390: javac.in and javah.in should use @PERL@ rather than a hardcoded path
  • CACAO
    • PR2732: Raise javadoc memory limits for CACAO again!
  • AArch64 port
    • S8177661, PR3367: Correct ad rule output register types from iRegX to iRegXNoSp
  • Get ecj.jar path from gcj, use the gcc variant that provides Java to build C code to make sure jni.h is available.

    • S8167104, CVE-2017-3289: Additional class construction
    • S6253144: Long narrowing conversion should describe the
    • S6328537: Improve javadocs for Socket class by adding
    • S6978886: javadoc shows stacktrace after print error
    • S6995421: Eliminate the static dependency to
    • S7027045: (doc) java/awt/Window.java has several typos in
    • S7054969: Null-check-in-finally pattern in java/security
    • S7072353: JNDI libraries do not build with javac -Xlint:all
    • S7092447: Clarify the default locale used in each locale
    • S7103570: AtomicIntegerFieldUpdater does not work when
    • S7187144: JavaDoc for ScriptEngineFactory.getProgram()
    • S8000418: javadoc should used a standard "generated by
    • S8000666: javadoc should write directly to Writer instead of
    • S8000970: break out auxiliary classes that will prevent
    • S8001669: javadoc internal DocletAbortException should set
    • S8011402: Move blacklisting certificate logic from hard code
    • S8011547: Update XML Signature implementation to Apache
    • S8012288: XML DSig API allows wrong tag names and extra
    • S8017325: Cleanup of the javadoc <code> tag in
    • S8017326: Cleanup of the javadoc <code> tag in
    • S8019772: Fix doclint issues in javax.crypto and
    • S8020688: Broken links in documentation at
    • S8021108: Clean up doclint warnings and errors in java.text
    • S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMethods
    • S8025409: Fix javadoc comments errors and warning reported by
    • S8026021: more fix of javadoc errors and warnings reported by
    • S8037099: [macosx] Remove all references to GC from native
    • S8038184: XMLSignature throws StringIndexOutOfBoundsException
    • S8038349: Signing XML with DSA throws Exception when key is
    • S8049244: XML Signature performance issue caused by
    • S8050893: (smartcardio) Invert reset argument in tests in
    • S8059212: Modify sun/security/smartcardio manual regression
    • S8068279: (typo in the spec)
    • S8068491: Update the protocol for references of
    • S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs
    • S8076369: Introduce the jdk.tls.client.protocols system
    • S8139565: Restrict certificates with DSA keys less than 1024
    • S8140422: Add mechanism to allow non default root CAs to be
    • S8140587: Atomic*FieldUpdaters should use Class.isInstance
    • S8149029: Secure validation of XML based digital signature
    • S8151893: Add security property to configure XML Signature
    • S8161228: URL objects with custom protocol handlers have port
    • S8163304: jarsigner -verbose -verify should print the
    • S8164908: ReflectionFactory support for IIOP and custom
    • S8165230: RMIConnection addNotificationListeners failing with
    • S8166393: disabledAlgorithms property should not be strictly
    • S8166591: [macos 10.12] Trackpad scrolling of text on OS X
    • S8166739: Improve extensibility of ObjectInputFilter
    • S8167356: Follow up fix for jdk8 backport of 8164143. Changes
    • S8167459: Add debug output for indicating if a chosen
    • S8168861: AnchorCertificates uses hardcoded password for
    • S8169688: Backout (remove) MD5 from
    • S8169911: Enhanced tests for jarsigner -verbose -verify after
    • S8170131: Certificates not being blocked by
    • S8173854: [TEST] Update DHEKeySizing test case following
    • S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on
    • S8000351, PR3316, RH1390708: Tenuring threshold should be
    • S8153711, PR3315, RH1284948: [REDO] JDWP: Memory Leak:
    • S8170888, PR3316, RH1390708: [linux] Experimental support for
    • PR3318: Replace 'infinality' with 'improved font rendering'
    • PR3324: Fix NSS_LIBDIR substitution in
    • S8165673, PR3320: AArch64: Fix JNI floating point argument
    • S6604109, PR3162:
    • Add -fno-delete-null-pointer-checks -fno-lifetime-dse to try to directory to be specified versions of IcedTea

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 12 SP1
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2017-864=1
  • SUSE Linux Enterprise Desktop 12 SP2
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-864=1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
    zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-864=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-864=1
  • SUSE Linux Enterprise Server 12 SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-864=1
  • SUSE Linux Enterprise High Performance Computing 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-864=1
  • SUSE Linux Enterprise Server 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-864=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-864=1
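
A post-install check for the update above, as an added example that is not part of the SUSE advisory: it flags any java-1_7_0-openjdk package still older than the fixed build 1.7.0.141-42.1 named in the package list. The function names, the sample inventory and the use of GNU `sort -V` as a stand-in for rpm's own version comparison are assumptions.

```shell
#!/bin/sh
# Added example, not SUSE's tooling. Fixed build taken from this advisory.
FIXED_EVR="1.7.0.141-42.1"

# evr_ge A B: true when version-release A is at least B.
# Assumption: GNU `sort -V` stands in for rpm's comparison; it agrees for
# plain dotted numeric strings such as these. Epochs are not handled.
evr_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# audit_java7: reads "name version-release" lines on stdin, prints every
# java-1_7_0-openjdk* package below the fixed build, returns 1 if any.
audit_java7() {
    stale=0
    while read -r name evr; do
        case "$name" in
            java-1_7_0-openjdk*) ;;
            *) continue ;;
        esac
        if ! evr_ge "$evr" "$FIXED_EVR"; then
            printf 'UNPATCHED %s %s (need >= %s)\n' "$name" "$evr" "$FIXED_EVR"
            stale=1
        fi
    done
    return "$stale"
}

# Constructed inventory (not from a real host): one stale package, two at
# the fixed build, and one unrelated package that must be ignored.
sample_inventory() {
    cat <<'EOF'
java-1_7_0-openjdk 1.7.0.141-42.1
java-1_7_0-openjdk-headless 1.7.0.131-39.1
java-1_7_0-openjdk-devel 1.7.0.141-42.1
openssl 1.0.2j-59.1
EOF
}

# On a real system, feed the function from the RPM database instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'java-1_7_0-openjdk*' | audit_java7
sample_inventory | audit_java7 || echo "update still required"
```

The headless subpackage is checked separately because it can lag behind the main package when only part of the patch was applied.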

Package List:

  • SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
  • SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
  • SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
  • SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
  • SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
  • SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
    • java-1_7_0-openjdk-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-1.7.0.141-42.1
    • java-1_7_0-openjdk-debugsource-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-headless-1.7.0.141-42.1
    • java-1_7_0-openjdk-demo-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-debuginfo-1.7.0.141-42.1
    • java-1_7_0-openjdk-devel-1.7.0.141-42.1
    • java-1_7_0-openjdk-1.7.0.141-42.1
