openSUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0374-1
Rating:             moderate
References:         #1181239 
Cross-References:   CVE-2020-14803
CVSS scores:
                    CVE-2020-14803 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2020-14803 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for java-1_8_0-openjdk fixes the following issues:

   - Update to version jdk8u282 (icedtea 3.18.0)
     * January 2021 CPU (bsc#1181239)
     * Security fixes
       + JDK-8247619: Improve Direct Buffering of Characters (CVE-2020-14803)
     * Import of OpenJDK 8 u282 build 01
       + JDK-6962725: Regtest javax/swing/JFileChooser/6738668/
         /bug6738668.java fails under Linux
       + JDK-8025936: Windows .pdb and .map files does not have proper
         dependencies setup
       + JDK-8030350: Enable additional compiler warnings for GCC
       + JDK-8031423: Test java/awt/dnd/DisposeFrameOnDragCrash/
         /DisposeFrameOnDragTest.java fails by Timeout on Windows
       + JDK-8036122: Fix warning 'format not a string literal'
       + JDK-8051853: new URI("x/").resolve("..").getSchemeSpecificPart()
         returns null!
       + JDK-8132664: closed/javax/swing/DataTransfer/DefaultNoDrop/
         /DefaultNoDrop.java locks on Windows
       + JDK-8134632: Mark javax/sound/midi/Devices/ /InitializationHang.java
         as headful
       + JDK-8148854: Class names "SomeClass" and "LSomeClass;" treated by
         JVM as an equivalent
       + JDK-8148916: Mark bug6400879.java as intermittently failing
       + JDK-8148983: Fix extra comma in changes for JDK-8148916
       + JDK-8160438: javax/swing/plaf/nimbus/8057791/bug8057791.java fails
       + JDK-8165808: Add release barriers when allocating objects with
         concurrent collection
       + JDK-8185003: JMX: Add a version of ThreadMXBean.dumpAllThreads with
         a maxDepth argument
       + JDK-8202076: test/jdk/java/io/File/WinSpecialFiles.java on windows
         with VS2017
       + JDK-8207766: [testbug] Adapt tests for Aix.
       + JDK-8212070: Introduce diagnostic flag to abort VM on failed JIT
         compilation
       + JDK-8213448: [TESTBUG] enhance jfr/jvm/TestDumpOnCrash
       + JDK-8215727: Restore JFR thread sampler loop to old / previous
         behavior
       + JDK-8220657: JFR.dump does not work when filename is set
       + JDK-8221342: [TESTBUG] Generate Dockerfile for docker testing
       + JDK-8224502: [TESTBUG] JDK docker test TestSystemMetrics.java fails
         with access issues and OOM
       + JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be
         quicker for self thread
       + JDK-8231968: getCurrentThreadAllocatedBytes default implementation
         s/b getThreadAllocatedBytes
       + JDK-8232114: JVM crashed at imjpapi.dll in native code
       + JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers
         for Compiler area
       + JDK-8234339: replace JLI_StrTok in java_md_solinux.c
       + JDK-8238448: RSASSA-PSS signature verification fail when using
         certain odd key sizes
       + JDK-8242335: Additional Tests for RSASSA-PSS
       + JDK-8244225: stringop-overflow warning on strncpy call from
         compile_the_world_in
       + JDK-8245400: Upgrade to LittleCMS 2.11
       + JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing
         cache contention
       + JDK-8249176: Update GlobalSignR6CA test certificates
       + JDK-8250665: Wrong translation for the month name of May in
         ar_JO,LB,SY
       + JDK-8250928: JFR: Improve hash algorithm for stack traces
       + JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
       + JDK-8251840: Java_sun_awt_X11_XToolkit_getDefaultScreenData should
         not be in make/mapfiles/libawt_xawt/mapfile-vers
       + JDK-8252384: [TESTBUG] Some tests refer to COMPAT provider rather
         than JRE
       + JDK-8252395: [8u] --with-native-debug-symbols=external doesn't
         include debuginfo files for binaries
       + JDK-8252497: Incorrect numeric currency code for ROL
       + JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent
       + JDK-8252904: VM crashes when JFR is used and JFR event class is
         transformed
       + JDK-8252975: [8u] JDK-8252395 breaks the build for
         --with-native-debug-symbols=internal
       + JDK-8253284: Zero OrderAccess barrier mappings are incorrect
       + JDK-8253550: [8u] JDK-8252395 breaks the build for make
         STRIP_POLICY=no_strip
       + JDK-8253752: test/sun/management/jmxremote/bootstrap/
         /RmiBootstrapTest.java fails randomly
       + JDK-8254081: java/security/cert/PolicyNode/
         /GetPolicyQualifiers.java fails due to an expired certificate
       + JDK-8254144: Non-x86 Zero builds fail with return-type warning in
         os_linux_zero.cpp
       + JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp
       + JDK-8254683: [TEST_BUG] jdk/test/sun/tools/jconsole/
         /WorkerDeadlockTest.java fails
       + JDK-8255003: Build failures on Solaris

   This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-374=1



Package List:

   - openSUSE Leap 15.2 (i586 x86_64):

      java-1_8_0-openjdk-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-accessibility-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-debuginfo-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-debugsource-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-demo-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-devel-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-headless-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.282-lp152.2.9.1
      java-1_8_0-openjdk-src-1.8.0.282-lp152.2.9.1

   - openSUSE Leap 15.2 (noarch):

      java-1_8_0-openjdk-javadoc-1.8.0.282-lp152.2.9.1


References:

   https://www.suse.com/security/cve/CVE-2020-14803.html
   https://bugzilla.suse.com/1181239