Detections
Analytics

openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2017-278)

critical Nessus Plugin ID 97287

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for java-1_7_0-openjdk fixes the following issues :

 - Oracle Critical Patch Update of January 2017 to OpenJDK 7u131 (bsc#1020905) :

 - Security Fixes

 - S8138725: Add options for Javadoc generation

 - S8140353: Improve signature checking

 - S8151934, CVE-2017-3231: Resolve class resolution

 - S8156804, CVE-2017-3241: Better constraint checking

 - S8158406: Limited Parameter Processing

 - S8158997: JNDI Protocols Switch

 - S8159507: RuntimeVisibleAnnotation validation

 - S8161218: Better bytecode loading

 - S8161743, CVE-2017-3252: Provide proper login context

 - S8162577: Standardize logging levels

 - S8162973: Better component components

 - S8164143, CVE-2017-3260: Improve components for menu items

 - S8164147, CVE-2017-3261: Improve streaming socket output

 - S8165071, CVE-2016-2183: Expand TLS support

 - S8165344, CVE-2017-3272: Update concurrency support

 - S8166988, CVE-2017-3253: Improve image processing performance

 - S8167104, CVE-2017-3289: Additional class construction refinements

 - S8167223, CVE-2016-5552: URL handling improvements

 - S8168705, CVE-2016-5547: Better ObjectIdentifier validation

 - S8168714, CVE-2016-5546: Tighten ECDSA validation

 - S8168728, CVE-2016-5548: DSA signing improvments

 - S8168724, CVE-2016-5549: ECDSA signing improvments

 - S6253144: Long narrowing conversion should describe the algorithm used and implied 'risks'

 - S6328537: Improve javadocs for Socket class by adding references to SocketOptions

 - S6978886: javadoc shows stacktrace after print error resulting from disk full

 - S6995421: Eliminate the static dependency to sun.security.ec.ECKeyFactory

 - S6996372: synchronizing handshaking hash

 - S7027045: (doc) java/awt/Window.java has several typos in javadoc

 - S7054969: Null-check-in-finally pattern in java/security documentation

 - S7072353: JNDI libraries do not build with javac
 -Xlint:all -Werror

 - S7075563: Broken link in 'javax.swing.SwingWorker'

 - S7077672: jdk8_tl nightly fail in step-2 build on 8/10/11

 - S7088502: Security libraries don't build with javac
 -Werror

 - S7092447: Clarify the default locale used in each locale sensitive operation

 - S7093640: Enable client-side TLS 1.2 by default

 - S7103570: AtomicIntegerFieldUpdater does not work when SecurityManager is installed

 - S7117360: Warnings in java.util.concurrent.atomic package

 - S7117465: Warning cleanup for IMF classes

 - S7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an error

 - S8000418: javadoc should used a standard 'generated by javadoc' string

 - S8000666: javadoc should write directly to Writer instead of composing strings

 - S8000673: remove dead code from HtmlWriter and subtypes

 - S8000970: break out auxiliary classes that will prevent multi-core compilation of the JDK

 - S8001669: javadoc internal DocletAbortException should set cause when appropriate

 - S8008949: javadoc stopped copying doc-files

 - S8011402: Move blacklisting certificate logic from hard code to data

 - S8011547: Update XML Signature implementation to Apache Santuario 1.5.4

 - S8012288: XML DSig API allows wrong tag names and extra elements in SignedInfo

 - S8016217: More javadoc warnings

 - S8017325: Cleanup of the javadoc <code> tag in java.security.cert

 - S8017326: Cleanup of the javadoc <code> tag in java.security.spec

 - S8019772: Fix doclint issues in javax.crypto and javax.security subpackages

 - S8020557: javadoc cleanup in javax.security

 - S8020688: Broken links in documentation at http://docs.oracle.com/javase/6/docs/api/index.

 - S8021108: Clean up doclint warnings and errors in java.text package

 - S8021417: Fix doclint issues in java.util.concurrent

 - S8021833: javadoc cleanup in java.net

 - S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMe thods fails

 - S8022175: Fix doclint warnings in javax.print

 - S8022406: Fix doclint issues in java.beans

 - S8022746: List of spelling errors in API doc

 - S8024779: [macosx] SwingNode crashes on exit

 - S8025085: [javadoc] some errors in javax/swing

 - S8025218: [javadoc] some errors in java/awt classes

 - S8025249: [javadoc] fix some javadoc errors in javax/swing/

 - S8025409: Fix javadoc comments errors and warning reported by doclint report

 - S8026021: more fix of javadoc errors and warnings reported by doclint, see the description

 - S8037099: [macosx] Remove all references to GC from native OBJ-C code

 - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String

 - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits

 - S8049244: XML Signature performance issue caused by unbuffered signature data

 - S8049432: New tests for TLS property jdk.tls.client.protocols

 - S8050893: (smartcardio) Invert reset argument in tests in sun/security/smartcardio

 - S8059212: Modify regression tests so that they do not just fail if no cardreader found

 - S8068279: (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName

 - S8068491: Update the protocol for references of docs.oracle.com to HTTPS.

 - S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210

 - S8076369: Introduce the jdk.tls.client.protocols system property for JDK 7u

 - S8139565: Restrict certificates with DSA keys less than 1024 bits

 - S8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions

 - S8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check

 - S8143959: Certificates requiring blacklisting

 - S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks

 - S8148516: Improve the default strength of EC in JDK

 - S8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks

 - S8151893: Add security property to configure XML Signature secure validation mode

 - S8155760: Implement Serialization Filtering

 - S8156802: Better constraint checking

 - S8161228: URL objects with custom protocol handlers have port changed after deserializing

 - S8161571: Verifying ECDSA signatures permits trailing bytes

 - S8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar

 - S8164908: ReflectionFactory support for IIOP and custom serialization

 - S8165230: RMIConnection addNotificationListeners failing with specific inputs

 - S8166393: disabledAlgorithms property should not be strictly parsed

 - S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12 Sierra is very fast (Trackpad, Retina only)

 - S8166739: Improve extensibility of ObjectInputFilter information passed to the filter

 - S8166875: (tz) Support tzdata2016g

 - S8166878: Connection reset during TLS handshake

 - S8167356: Follow up fix for jdk8 backport of 8164143.
 Changes for CMenuComponent.m were missed

 - S8167459: Add debug output for indicating if a chosen ciphersuite was legacy

 - S8167472: Chrome interop regression with JDK-8148516

 - S8167591: Add MD5 to signed JAR restrictions

 - S8168861: AnchorCertificates uses hardcoded password for cacerts keystore

 - S8168993: JDK8u121 L10n resource file update

 - S8169191: (tz) Support tzdata2016i

 - S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for January CPU

 - S8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304

 - S8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property

 - S8170268: 8u121 L10n resource file update - msgdrop 20

 - S8173622: Backport of 7180907 is incomplete

 - S8173849: Fix use of java.util.Base64 in test cases

 - S8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760

 - CVE-2017-3259 Vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE.

 - Backports

 - S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on __APPLE__and _LLP64 systems.

 - S8000351, PR3316, RH1390708: Tenuring threshold should be unsigned

 - S8153711, PR3315, RH1284948: [REDO] GlobalRefs never deleted when processing invokeMethod command

 - S8170888, PR3316, RH1390708: [linux] support for cgroup memory limits in container (ie Docker) environments

 - Bug fixes

 - PR3318: Replace 'infinality' with 'improved font rendering' (--enable-improved-font-rendering)

 - PR3318: Fix compatibility with vanilla Fontconfig

 - PR3318: Fix glyph y advance

 - PR3318: Always round glyph advance in 26.6 space

 - PR3318: Simplify glyph advance handling

 - PR3324: Fix NSS_LIBDIR substitution in make_generic_profile.sh broken by PR1989

 - AArch64 port

 - S8165673, PR3320: AArch64: Fix JNI floating point argument handling

This update was imported from the SUSE:SLE-12:Update update project.

Solution

Update the affected java-1_7_0-openjdk packages.

See Also

http://www.nessus.org/u?2c4f4829

https://bugzilla.opensuse.org/show_bug.cgi?id=1020905

Plugin Details

Severity: Critical

ID: 97287

File Name: openSUSE-2017-278.nasl

Version: 3.5

Type: local

Agent: unix

Published: 2/21/2017

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debugsource, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-debuginfo, cpe:/o:novell:opensuse:42.1, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-bootstrap-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/19/2017

Reference Information

CVE: CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289