SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:2953-1)

critical Nessus Plugin ID 95423

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for java-1_7_0-openjdk fixes the following issues :

- Update to 2.6.8 - OpenJDK 7u121

- Security fixes

+ S8151921: Improved page resolution

+ S8155968: Update command line options

+ S8155973, CVE-2016-5542: Tighten jar checks (bsc#1005522)

+ S8157176: Improved classfile parsing

+ S8157739, CVE-2016-5554: Classloader Consistency Checking (bsc#1005523)

+ S8157749: Improve handling of DNS error replies

+ S8157753: Audio replay enhancement

+ S8157759: LCMS Transform Sampling Enhancement

+ S8157764: Better handling of interpolation plugins

+ S8158302: Handle contextual glyph substitutions

+ S8158993, CVE-2016-5568: Service Menu services (bsc#1005525)

+ S8159495: Fix index offsets

+ S8159503: Amend Annotation Actions

+ S8159511: Stack map validation

+ S8159515: Improve indy validation

+ S8159519, CVE-2016-5573: Reformat JDWP messages (bsc#1005526)

+ S8160090: Better signature handling in pack200

+ S8160094: Improve pack200 layout

+ S8160098: Clean up color profiles

+ S8160591, CVE-2016-5582: Improve internal array handling (bsc#1005527)

+ S8160838, CVE-2016-5597: Better HTTP service (bsc#1005528)

+ PR3207, RH1367357: lcms2: Out-of-bounds read in Type_MLU_Read()

+ CVE-2016-5556 (bsc#1005524)

- Import of OpenJDK 7 u121 build 0

+ S6624200: Regression test fails:
test/closed/javax/swing/JMenuItem/4654927/bug4654927.jav a

+ S6882559: new JEditorPane('text/plain','') fails for null context class loader

+ S7090158: Networking Libraries don't build with javac
-Werror

+ S7125055: ContentHandler.getContent API changed in error

+ S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing on windows

+ S7187051: ShortRSAKeynnn.sh tests should do cleanup before start test

+ S8000626: Implement dead key detection for KeyEvent on Linux

+ S8003890: corelibs test scripts should pass TESTVMOPTS

+ S8005629: javac warnings compiling java.awt.EventDispatchThread and sun.awt.X11.XIconWindow

+ S8010297: Missing isLoggable() checks in logging code

+ S8010782: clean up source files containing carriage return characters

+ S8014431: cleanup warnings indicated by the
-Wunused-value compiler option on linux

+ S8015265: revise the fix for 8007037

+ S8016747: Replace deprecated PlatformLogger isLoggable(int) with isLoggable(Level)

+ S8020708: NLS mnemonics missing in SwingSet2/JInternalFrame demo

+ S8024756: method grouping tabs are not selectable

+ S8026741: jdk8 l10n resource file translation update 5

+ S8048147: Privilege tests with JAAS Subject.doAs

+ S8048357: PKCS basic tests

+ S8049171: Additional tests for jarsigner's warnings

+ S8059177: jdk8u40 l10n resource file translation update 1

+ S8075584: test for 8067364 depends on hardwired text advance

+ S8076486: [TESTBUG] javax/security/auth/Subject/doAs/NestedActions.java fails if extra VM options are given

+ S8077953: [TEST_BUG] com/sun/management/OperatingSystemMXBean/TestTotalSwap.j ava Compilation failed after JDK-8077387

+ S8080628: No mnemonics on Open and Save buttons in JFileChooser

+ S8083601: jdk8u60 l10n resource file translation update 2

+ S8140530: Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString

+ S8142926: OutputAnalyzer's shouldXXX() calls return this

+ S8143134: L10n resource file translation update

+ S8147077: IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener al

+ S8148127: IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener al in opengl pipeline

+ S8150611: Security problem on sun.misc.resources.Messages*

+ S8157653: [Parfait] Uninitialised variable in awt_Font.cpp

+ S8158734: JEditorPane.createEditorKitForContentType throws NPE after 6882559

+ S8159684: (tz) Support tzdata2016f

+ S8160934: isnan() is not available on older MSVC compilers

+ S8162411: Service Menu services 2

+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing after JDK-8155968

+ S8162511: 8u111 L10n resource file updates

+ S8162792: Remove constraint DSA keySize jdk.jar.disabledAlgorithms in jdk8

+ S8164452: 8u111 L10n resource file update - msgdrop 20

+ S8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm

+ S8166381: Back out changes to the java.security file to not disable MD5

- Backports

+ S6604109, PR3162:
javax.print.PrintServiceLookup.lookupPrintServices fails SOMETIMES for Cups

+ S6907252, PR3162: ZipFileInputStream Not Thread-Safe

+ S8024046, PR3162: Test sun/security/krb5/runNameEquals.sh failed on 7u45 Embedded linux-ppc*

+ S8028479, PR3162: runNameEquals still cannot precisely detect if a usable native krb5 is available

+ S8034057, PR3162: Files.getFileStore and Files.isWritable do not work with SUBST'ed drives (win)

+ S8038491, PR3162: Improve synchronization in ZipFile.read()

+ S8038502, PR3162: Deflater.needsInput() should use synchronization

+ S8059411, PR3162: RowSetWarning does not correctly chain warnings

+ S8062198, PR3162: Add RowSetMetaDataImpl Tests and add column range validation to isdefinitlyWritable

+ S8066188, PR3162: BaseRowSet returns the wrong default value for escape processing

+ S8072466, PR3162: Deadlock when initializing MulticastSocket and DatagramSocket

+ S8075118, PR3162: JVM stuck in infinite loop during verification

+ S8076579, PR3162: Popping a stack frame after exception breakpoint sets last method param to exception

+ S8078495, PR3162: End time checking for native TGT is wrong

+ S8078668, PR3162: jar usage string mentions unsupported option '-n'

+ S8080115, PR3162: (fs) Crash in libgio when calling Files.probeContentType(path) from parallel threads

+ S8081794, PR3162: ParsePosition getErrorIndex returns 0 for TimeZone parsing problem

+ S8129957, PR3162: Deadlock in JNDI LDAP implementation when closing the LDAP context

+ S8130136, PR3162: Swing window sometimes fails to repaint partially when it becomes exposed

+ S8130274, PR3162: java/nio/file/FileStore/Basic.java fails when two successive stores in an iteration are determined to be equal

+ S8132551, PR3162: Initialize local variables before returning them in p11_convert.c

+ S8133207, PR3162: [TEST_BUG] ParallelProbes.java test fails after changes for JDK-8080115

+ S8133666, PR3162: OperatingSystemMXBean reports abnormally high machine CPU consumption on Linux

+ S8135002, PR3162: Fix or remove broken links in objectMonitor.cpp comments

+ S8137121, PR3162: (fc) Infinite loop FileChannel.truncate

+ S8137230, PR3162: TEST_BUG:
java/nio/channels/FileChannel/LoopingTruncate.java timed out

+ S8139373, PR3162: [TEST_BUG] java/net/MulticastSocket/MultiDead.java failed with timeout

+ S8140249, PR3162: JVM Crashing During startUp If Flight Recording is enabled

+ S8141491, PR3160, G592292: Unaligned memory access in Bits.c

+ S8144483, PR3162: One long Safepoint pause directly after each GC log rotation

+ S8149611, PR3160, G592292: Add tests for Unsafe.copySwapMemory

- Bug fixes

+ S8078628, PR3151: Zero build fails with pre-compiled headers disabled

+ PR3128: pax-mark-vm script calls 'exit -1' which is invalid in dash

+ PR3131: PaX marking fails on filesystems which don't support extended attributes

+ PR3135: Makefile.am rule stamps/add/tzdata-support-debug.stamp has a typo in add-tzdata dependency

+ PR3141: Pass $(CC) and $(CXX) to OpenJDK build

+ PR3166: invalid zip timestamp handling leads to error building bootstrap-javac

+ PR3202: Update infinality configure test

+ PR3212: Disable ARM32 JIT by default

- CACAO

+ PR3136: CACAO is broken due to 2 new native methods in sun.misc.Unsafe (from S8158260)

- JamVM

+ PR3134: JamVM is broken due to 2 new native methods in sun.misc.Unsafe (from S8158260)

- AArch64 port

+ S8167200, PR3204: AArch64: Broken stack pointer adjustment in interpreter

+ S8168888: Port 8160591: Improve internal array handling to AArch64.

+ PR3211: AArch64 build fails with pre-compiled headers disabled

- Changed patch :

- java-1_7_0-openjdk-gcc6.patch

+ Rediff to changed context

- Disable arm32 JIT, since its build broken (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2 942)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1727=1

SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1727=1

SUSE Linux Enterprise Server 12-SP1:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1727=1

SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1727=1

SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1727=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2942

https://bugzilla.suse.com/show_bug.cgi?id=1005522

https://bugzilla.suse.com/show_bug.cgi?id=1005523

https://bugzilla.suse.com/show_bug.cgi?id=1005524

https://bugzilla.suse.com/show_bug.cgi?id=1005525

https://bugzilla.suse.com/show_bug.cgi?id=1005526

https://bugzilla.suse.com/show_bug.cgi?id=1005527

https://bugzilla.suse.com/show_bug.cgi?id=1005528

https://www.suse.com/security/cve/CVE-2016-5542/

https://www.suse.com/security/cve/CVE-2016-5554/

https://www.suse.com/security/cve/CVE-2016-5556/

https://www.suse.com/security/cve/CVE-2016-5568/

https://www.suse.com/security/cve/CVE-2016-5573/

https://www.suse.com/security/cve/CVE-2016-5582/

https://www.suse.com/security/cve/CVE-2016-5597/

http://www.nessus.org/u?c3b8ae9c

Plugin Details

Severity: Critical

ID: 95423

File Name: suse_SU-2016-2953-1.nasl

Version: 3.7

Type: local

Agent: unix

Published: 12/1/2016

Updated: 1/6/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debuginfo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debugsource, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo-debuginfo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel-debuginfo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless-debuginfo, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/30/2016

Vulnerability Publication Date: 10/25/2016

Reference Information

CVE: CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5568, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597