openSUSE Security Update: java-1_7_0-openjdk: update to 2.3.6
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0377-1
Rating:             critical
References:         #803379 
Cross-References:   CVE-2013-0424 CVE-2013-0425 CVE-2013-0426
                    CVE-2013-0427 CVE-2013-0428 CVE-2013-0429
                    CVE-2013-0431 CVE-2013-0432 CVE-2013-0433
                    CVE-2013-0434 CVE-2013-0435 CVE-2013-0440
                    CVE-2013-0441 CVE-2013-0442 CVE-2013-0443
                    CVE-2013-0444 CVE-2013-0450 CVE-2013-1475
                    CVE-2013-1476 CVE-2013-1478 CVE-2013-1480
                   
Affected Products:
                    openSUSE 12.2
______________________________________________________________________________

   An update that fixes 21 vulnerabilities is now available.

Description:


   java-1_7_0-openjdk was updated to icedtea-2.3.6
   (bnc#803379), containing various security fixes and bug fixes:

   * Security fixes
   - S6563318, CVE-2013-0424: RMI data sanitization
   - S6664509, CVE-2013-0425: Add logging context
   - S6664528, CVE-2013-0426: Find log level matching its
   name or value given at construction time
   - S6776941, CVE-2013-0427: Improve thread pool shutdown
   - S7141694, CVE-2013-0429: Improving CORBA internals
   - S7173145: Improve in-memory representation of
   splashscreens
   - S7186945: Unpack200 improvement
   - S7186946: Refine unpacker resource usage
   - S7186948: Improve Swing data validation
   - S7186952, CVE-2013-0432: Improve clipboard access
   - S7186954: Improve connection performance
   - S7186957: Improve Pack200 data validation
   - S7192392, CVE-2013-0443: Better validation of client
   keys
   - S7192393, CVE-2013-0440: Better Checking of order of
   TLS Messages
   - S7192977, CVE-2013-0442: Issue in toolkit thread
   - S7197546, CVE-2013-0428: (proxy) Reflect about creating
   reflective proxies
   - S7200491: Tighten up JTable layout code
   - S7200493, CVE-2013-0444: Improve cache handling
   - S7200499: Better data validation for options
   - S7200500: Launcher better input validation
   - S7201064: Better dialogue checking
   - S7201066, CVE-2013-0441: Change modifiers on unused
   fields
   - S7201068, CVE-2013-0435: Better handling of UI elements
   - S7201070: Serialization to conform to protocol
   - S7201071, CVE-2013-0433: InetSocketAddress
   serialization issue
   - S8000210: Improve JarFile code quality
   - S8000537, CVE-2013-0450: Contextualize
   RequiredModelMBean class
   - S8000539, CVE-2013-0431: Introspect JMX data handling
   - S8000540, CVE-2013-1475: Improve IIOP type reuse
   management
   - S8000631, CVE-2013-1476: Restrict access to class
   constructor
   - S8001235, CVE-2013-0434: Improve JAXP HTTP handling
   - S8001242: Improve RMI HTTP conformance
   - S8001307: Modify ACC_SUPER behavior
   - S8001972, CVE-2013-1478: Improve image processing
   - S8002325, CVE-2013-1480: Improve management of images
   * Backports
   - S7057320:
   test/java/util/concurrent/Executors/AutoShutdown.java
   failing intermittently
   - S7083664: TEST_BUG: test hard code of using c:/temp but
   this dir might not exist
   - S7107613: scalability blocker in
   javax.crypto.CryptoPermissions
   - S7107616: scalability blocker in
   javax.crypto.JceSecurityManager
   - S7146424: Wildcard expansion for single entry classpath
   - S7160609: [macosx] JDK crash in libjvm.dylib ( C
   [GeForceGLDriver+0x675a] gldAttachDrawable+0x941)
   - S7160951: [macosx] ActionListener called twice for
   JMenuItem using ScreenMenuBar
   - S7162488: VM not printing unknown -XX options
   - S7169395: Exception throws due to the changes in JDK 7
   object traversal and break backward compatibility
   - S7175616: Port fix for TimeZone from JDK 8 to JDK 7
   - S7176485: (bf) Allow temporary buffer cache to grow to
   IOV_MAX
   - S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and
   reinitialize build number
   - S7184326: TEST_BUG:
   java/awt/Frame/7024749/bug7024749.java has a typo
   - S7185245: Licensee source bundle tries to compile JFR
   - S7185471: Avoid key expansion when AES cipher is
   re-init w/ the same key
   - S7186371: [macosx] Main menu shortcuts not displayed
   (7u6 regression)
   - S7187834: [macosx] Usage of private API in macosx 2d
   implementation causes Apple Store rejection
   - S7188114: (launcher) need an alternate command line
   parser for Windows
   - S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and
   reinitialize build number
   - S7189350: Fix failed for CR 7162144
   - S7190550: REGRESSION: Some closed/com/oracle/jfr/api
   tests fail to compile because of fix 7185245
   - S7193219: JComboBox serialization fails in JDK 1.7
   - S7193977: REGRESSION:Java 7's JavaBeans persistence
   ignoring the "transient" flag on properties
   - S7195106: REGRESSION : There is no way to get Icon inf,
   once Softreference is released
   - S7195301: XML Signature DOM implementation should not
   use instanceof to determine type of Node
   - S7195931: UnsatisfiedLinkError on
   PKCS11.C_GetOperationState while using NSS from jre7u6+
   - S7197071: Makefiles for various security providers
   aren't including the default manifest.
   - S7197652: Impossible to run any signed JNLP
   applications or applets, OCSP off by default
   - S7198146: Another new regression test does not compile
   on windows-amd64
   - S7198570: (tz) Support tzdata2012f
   - S7198640: new hotspot build - hs23.6-b04
   - S7199488: [TEST] runtime/7158800/InternTest.java failed
   due to false-positive on PID match.
   - S7199645: Increment build # of hs23.5 to b02
   - S7199669: Update tags in .hgtags file for CPU release
   rename
   - S7200720: crash in net.dll during NTLM authentication
   - S7200742: (se) Selector.select does not block when
   starting Coherence (sol11u1)
   - S7200762: [macosx] Stuck in
   sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Native
   Method)
   - S8000285: Deadlock between PostEventQueue.noEvents,
   EventQueue.isDispatchThread and
   SwingUtilities.invokeLater
   - S8000286: [macosx] Views keep scrolling back to the
   drag position after DnD
   - S8000297: REGRESSION:
   closed/java/awt/EventQueue/PostEventOrderingTest.java
   fails
   - S8000307: Jre7cert: focusgained does not get called for
   all focus req when do alt + tab
   - S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and
   reinitialize build number
   - S8001124: jdk7u ProblemList.txt updates (10/2012)
   - S8001242: Improve RMI HTTP conformance
   - S8001808: Create a test for 8000327
   - S8001876: Create regtest for 8000283
   - S8002068: Build broken: corba code changes unable to
   use new JDK 7 classes
   - S8002091: tools/launcher/ToolsOpts.java test started to
   fail since 7u11 b01 on Windows
   - S8002114: fix failed for JDK-7160951: [macosx]
   ActionListener called twice for JMenuItem using
   ScreenMenuBar
   - S8002225: (tz) Support tzdata2012i
   - S8003402: (dc)
   test/java/nio/channels/DatagramChannel/SendToUnresovled.java
   failing after 7u11 cleanup issues
   - S8003403: Test ShortRSAKeyWithinTLS and
   ClientJSSEServerJSSE failing after 7u11 cleanup
   - S8003948: NTLM/Negotiate authentication problem
   - S8004175: Restricted packages added in java.security
   are missing in java.security-{macosx, solaris, windows}
   - S8004302: javax/xml/soap/Test7013971.java fails since
   jdk6u39b01
   - S8004341: Two JCK tests fails with 7u11 b06
   - S8005615: Java Logger fails to load tomcat logger
   implementation (JULI)
   * Bug fixes
   - Fix build using Zero's HotSpot so all patches apply
   again.
   - PR1295: jamvm parallel unpack failure
   - removed
   icedtea-2.3.2-fix-extract-jamvm-dependency.patch
   - removed
   icedtea-2.3.3-refresh-6924259-string_offset.patch
   - few missing /openjdk/%{origin}/ changes


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2013-165

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 12.2 (i586 x86_64):

      java-1_7_0-openjdk-1.7.0.6-3.26.1
      java-1_7_0-openjdk-debuginfo-1.7.0.6-3.26.1
      java-1_7_0-openjdk-debugsource-1.7.0.6-3.26.1
      java-1_7_0-openjdk-demo-1.7.0.6-3.26.1
      java-1_7_0-openjdk-demo-debuginfo-1.7.0.6-3.26.1
      java-1_7_0-openjdk-devel-1.7.0.6-3.26.1
      java-1_7_0-openjdk-devel-debuginfo-1.7.0.6-3.26.1
      java-1_7_0-openjdk-javadoc-1.7.0.6-3.26.1
      java-1_7_0-openjdk-src-1.7.0.6-3.26.1
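   As an added example (not part of the advisory and not openSUSE or SUSE tooling), the following Python script reads `rpm -qa` output and reports, for each package in the list above, whether the installed build is at or above the fixed version. It implements rpm's own label comparison (rpmvercmp, without the newer '^' caret rule) so that a release such as 3.26.1 is compared segment by segment rather than as a string, and '~' pre-release suffixes sort below the final build. The sample `rpm -qa` lines and the releases 3.22.2 and 3.27.1 in them are constructed; the script name check_openjdk.py is an assumption.

```python
"""Added example, not part of the openSUSE advisory: check installed
java-1_7_0-openjdk packages against the fixed versions in openSUSE-SU-2013:0377-1
using rpm's label comparison rules (rpmvercmp, without the newer '^' caret rule)."""
import re
import sys

# Fixed package list copied from the advisory (openSUSE 12.2, i586 x86_64).
ADVISORY_PACKAGES = """
java-1_7_0-openjdk-1.7.0.6-3.26.1
java-1_7_0-openjdk-debuginfo-1.7.0.6-3.26.1
java-1_7_0-openjdk-debugsource-1.7.0.6-3.26.1
java-1_7_0-openjdk-demo-1.7.0.6-3.26.1
java-1_7_0-openjdk-demo-debuginfo-1.7.0.6-3.26.1
java-1_7_0-openjdk-devel-1.7.0.6-3.26.1
java-1_7_0-openjdk-devel-debuginfo-1.7.0.6-3.26.1
java-1_7_0-openjdk-javadoc-1.7.0.6-3.26.1
java-1_7_0-openjdk-src-1.7.0.6-3.26.1
""".split()

# Constructed sample of `rpm -qa 'java-1_7_0-openjdk*'` output; the releases
# 3.22.2 (older) and 3.27.1 (newer) are made-up values, not real builds.
SAMPLE_RPM_QA = """
java-1_7_0-openjdk-1.7.0.6-3.26.1.x86_64
java-1_7_0-openjdk-devel-1.7.0.6-3.22.2.x86_64
java-1_7_0-openjdk-javadoc-1.7.0.6-3.27.1.noarch
""".split()

ARCHES = ("i586", "x86_64", "noarch")


def rpmvercmp(a, b):
    """Return 1, 0 or -1 as rpm's rpmvercmp() does for version labels a and b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < la and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < lb and not b[j].isalnum() and b[j] != "~":
            j += 1
        # '~' sorts before everything, even end of string (3.26.1~rc1 < 3.26.1).
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # One segment: a run of digits from both labels, or a run of letters from both.
        numeric = a[i].isdigit()
        pattern = r"\d+" if numeric else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        if mb is None:
            return 1 if numeric else -1  # mixed types: numeric segment is always newer
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric and int(sa) != int(sb):
            return 1 if int(sa) > int(sb) else -1
        if not numeric and sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return 1 if i < la else -1  # only separators differed; leftover characters win


def parse_nvr(pkg):
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    for arch in ARCHES:
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
            break
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def audit(installed_lines, fixed_nvrs=ADVISORY_PACKAGES):
    """Map each advisory package name to 'patched', 'VULNERABLE' or 'not installed'."""
    installed = {}
    for line in installed_lines:
        if line.strip():
            name, version, release = parse_nvr(line.strip())
            installed[name] = (version, release)
    report = {}
    for nvr in fixed_nvrs:
        name, fixed_v, fixed_r = parse_nvr(nvr)
        if name not in installed:
            report[name] = "not installed"
            continue
        inst_v, inst_r = installed[name]
        # Version decides first; releases are compared only when versions tie.
        cmp = rpmvercmp(inst_v, fixed_v) or rpmvercmp(inst_r, fixed_r)
        report[name] = "patched" if cmp >= 0 else "VULNERABLE"
    return report


if __name__ == "__main__":
    # Real data: rpm -qa 'java-1_7_0-openjdk*' | python3 check_openjdk.py
    lines = sys.stdin.read().split() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    for name, status in sorted(audit(lines).items()):
        print(f"{status:14} {name}")
```

   Run without input to see the constructed sample audited; pipe real `rpm -qa` output in to audit a host. A package reported as "not installed" needs no action, and a newer build than the advisory's (3.27.1 in the sample) is correctly reported as patched rather than flagged, which a plain string comparison would get wrong for releases like 3.9 versus 3.26.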


References:

   https://www.suse.com/security/cve/CVE-2013-0424.html
   https://www.suse.com/security/cve/CVE-2013-0425.html
   https://www.suse.com/security/cve/CVE-2013-0426.html
   https://www.suse.com/security/cve/CVE-2013-0427.html
   https://www.suse.com/security/cve/CVE-2013-0428.html
   https://www.suse.com/security/cve/CVE-2013-0429.html
   https://www.suse.com/security/cve/CVE-2013-0431.html
   https://www.suse.com/security/cve/CVE-2013-0432.html
   https://www.suse.com/security/cve/CVE-2013-0433.html
   https://www.suse.com/security/cve/CVE-2013-0434.html
   https://www.suse.com/security/cve/CVE-2013-0435.html
   https://www.suse.com/security/cve/CVE-2013-0440.html
   https://www.suse.com/security/cve/CVE-2013-0441.html
   https://www.suse.com/security/cve/CVE-2013-0442.html
   https://www.suse.com/security/cve/CVE-2013-0443.html
   https://www.suse.com/security/cve/CVE-2013-0444.html
   https://www.suse.com/security/cve/CVE-2013-0450.html
   https://www.suse.com/security/cve/CVE-2013-1475.html
   https://www.suse.com/security/cve/CVE-2013-1476.html
   https://www.suse.com/security/cve/CVE-2013-1478.html
   https://www.suse.com/security/cve/CVE-2013-1480.html
   https://bugzilla.novell.com/803379

March 1, 2013