Mailinglist Archive: opensuse-security-announce (43 mails)

< Previous Next >
[security-announce] openSUSE-SU-2013:0377-1: critical: java-1_7_0-openjdk: update to 2.3.6
openSUSE Security Update: java-1_7_0-openjdk: update to 2.3.6
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:0377-1
Rating: critical
References: #803379
Cross-References: CVE-2013-0424 CVE-2013-0425 CVE-2013-0426
CVE-2013-0427 CVE-2013-0428 CVE-2013-0429
CVE-2013-0431 CVE-2013-0432 CVE-2013-0433
CVE-2013-0434 CVE-2013-0435 CVE-2013-0440
CVE-2013-0441 CVE-2013-0442 CVE-2013-0443
CVE-2013-0444 CVE-2013-0450 CVE-2013-1475
CVE-2013-1476 CVE-2013-1478 CVE-2013-1480

Affected Products:
openSUSE 12.2
______________________________________________________________________________

An update that fixes 21 vulnerabilities is now available.

Description:


java-1_7_0-openjdk was updated to icedtea-2.3.6
(bnc#803379) containing various security and bugfixes:

* Security fixes
- S6563318, CVE-2013-0424: RMI data sanitization
- S6664509, CVE-2013-0425: Add logging context
- S6664528, CVE-2013-0426: Find log level matching its
name or value given at construction time
- S6776941: CVE-2013-0427: Improve thread pool shutdown
- S7141694, CVE-2013-0429: Improving CORBA internals
- S7173145: Improve in-memory representation of
splashscreens
- S7186945: Unpack200 improvement
- S7186946: Refine unpacker resource usage
- S7186948: Improve Swing data validation
- S7186952, CVE-2013-0432: Improve clipboard access
- S7186954: Improve connection performance
- S7186957: Improve Pack200 data validation
- S7192392, CVE-2013-0443: Better validation of client
keys
- S7192393, CVE-2013-0440: Better Checking of order of
TLS Messages
- S7192977, CVE-2013-0442: Issue in toolkit thread
- S7197546, CVE-2013-0428: (proxy) Reflect about creating
reflective proxies
- S7200491: Tighten up JTable layout code
- S7200493, CVE-2013-0444: Improve cache handling
- S7200499: Better data validation for options
- S7200500: Launcher better input validation
- S7201064: Better dialogue checking
- S7201066, CVE-2013-0441: Change modifiers on unused
fields
- S7201068, CVE-2013-0435: Better handling of UI elements
- S7201070: Serialization to conform to protocol
- S7201071, CVE-2013-0433: InetSocketAddress
serialization issue
- S8000210: Improve JarFile code quality
- S8000537, CVE-2013-0450: Contextualize
RequiredModelMBean class
- S8000539, CVE-2013-0431: Introspect JMX data handling
- S8000540, CVE-2013-1475: Improve IIOP type reuse
management
- S8000631, CVE-2013-1476: Restrict access to class
constructor
- S8001235, CVE-2013-0434: Improve JAXP HTTP handling
- S8001242: Improve RMI HTTP conformance
- S8001307: Modify ACC_SUPER behavior
- S8001972, CVE-2013-1478: Improve image processing
- S8002325, CVE-2013-1480: Improve management of images
* Backports
- S7057320:
test/java/util/concurrent/Executors/AutoShutdown.java
failing intermittently
- S7083664: TEST_BUG: test hard code of using c:/temp but
this dir might not exist
- S7107613: scalability blocker in
javax.crypto.CryptoPermissions
- S7107616: scalability blocker in
javax.crypto.JceSecurityManager
- S7146424: Wildcard expansion for single entry classpath
- S7160609: [macosx] JDK crash in libjvm.dylib ( C
[GeForceGLDriver+0x675a] gldAttachDrawable+0x941)
- S7160951: [macosx] ActionListener called twice for
JMenuItem using ScreenMenuBar
- S7162488: VM not printing unknown -XX options
- S7169395: Exception throws due to the changes in JDK 7
object tranversal and break backward compatibility
- S7175616: Port fix for TimeZone from JDK 8 to JDK 7
- S7176485: (bf) Allow temporary buffer cache to grow to
IOV_MAX
- S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and
reinitialize build number
- S7184326: TEST_BUG:
java/awt/Frame/7024749/bug7024749.java has a typo
- S7185245: Licensee source bundle tries to compile JFR
- S7185471: Avoid key expansion when AES cipher is
re-init w/ the same key
- S7186371: [macosx] Main menu shortcuts not displayed
(7u6 regression)
- S7187834: [macosx] Usage of private API in macosx 2d
implementation causes Apple Store rejection
- S7188114: (launcher) need an alternate command line
parser for Windows
- S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and
reinitialize build number
- S7189350: Fix failed for CR 7162144
- S7190550: REGRESSION: Some closed/com/oracle/jfr/api
tests fail to compile becuse of fix 7185245
- S7193219: JComboBox serialization fails in JDK 1.7
- S7193977: REGRESSION:Java 7's JavaBeans persistence
ignoring the "transient" flag on properties
- S7195106: REGRESSION : There is no way to get Icon inf,
once Softreference is released
- S7195301: XML Signature DOM implementation should not
use instanceof to determine type of Node
- S7195931: UnsatisfiedLinkError on
PKCS11.C_GetOperationState while using NSS from jre7u6+
- S7197071: Makefiles for various security providers
aren't including the default manifest.
- S7197652: Impossible to run any signed JNLP
applications or applets, OCSP off by default
- S7198146: Another new regression test does not compile
on windows-amd64
- S7198570: (tz) Support tzdata2012f
- S7198640: new hotspot build - hs23.6-b04
- S7199488: [TEST] runtime/7158800/InternTest.java failed
due to false-positive on PID match.
- S7199645: Increment build # of hs23.5 to b02
- S7199669: Update tags in .hgtags file for CPU release
rename
- S7200720: crash in net.dll during NTLM authentication
- S7200742: (se) Selector.select does not block when
starting Coherence (sol11u1)
- S7200762: [macosx] Stuck in
sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Native
Method)
- S8000285: Deadlock between PostEventQueue.noEvents,
EventQueue.isDispatchThread and
SwingUtilities.invokeLater
- S8000286: [macosx] Views keep scrolling back to the
drag position after DnD
- S8000297: REGRESSION:
closed/java/awt/EventQueue/PostEventOrderingTest.java
fails
- S8000307: Jre7cert: focusgained does not get called for
all focus req when do alt + tab
- S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and
reinitialize build number
- S8001124: jdk7u ProblemList.txt updates (10/2012)
- S8001242: Improve RMI HTTP conformance
- S8001808: Create a test for 8000327
- S8001876: Create regtest for 8000283
- S8002068: Build broken: corba code changes unable to
use new JDK 7 classes
- S8002091: tools/launcher/ToolsOpts.java test started to
fail since 7u11 b01 on Windows
- S8002114: fix failed for JDK-7160951: [macosx]
ActionListener called twice for JMenuItem using
ScreenMenuBar
- S8002225: (tz) Support tzdata2012i
- S8003402: (dc)
test/java/nio/channels/DatagramChannel/SendToUnresovled.java
failing after 7u11 cleanup issues
- S8003403: Test ShortRSAKeyWithinTLS and
ClientJSSEServerJSSE failing after 7u11 cleanup
- S8003948: NTLM/Negotiate authentication problem
- S8004175: Restricted packages added in java.security
are missing in java.security-{macosx, solaris, windows}
- S8004302: javax/xml/soap/Test7013971.java fails since
jdk6u39b01
- S8004341: Two JCK tests fails with 7u11 b06
- S8005615: Java Logger fails to load tomcat logger
implementation (JULI)
* Bug fixes
- Fix build using Zero's HotSpot so all patches apply
again.
- PR1295: jamvm parallel unpack failure
* removed
icedtea-2.3.2-fix-extract-jamvm-dependency.patch
- removed
icedtea-2.3.3-refresh-6924259-string_offset.patch

- few missing /openjdk/%{origin}/ changes


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.2:

zypper in -t patch openSUSE-2013-165

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.2 (i586 x86_64):

java-1_7_0-openjdk-1.7.0.6-3.26.1
java-1_7_0-openjdk-debuginfo-1.7.0.6-3.26.1
java-1_7_0-openjdk-debugsource-1.7.0.6-3.26.1
java-1_7_0-openjdk-demo-1.7.0.6-3.26.1
java-1_7_0-openjdk-demo-debuginfo-1.7.0.6-3.26.1
java-1_7_0-openjdk-devel-1.7.0.6-3.26.1
java-1_7_0-openjdk-devel-debuginfo-1.7.0.6-3.26.1
java-1_7_0-openjdk-javadoc-1.7.0.6-3.26.1
java-1_7_0-openjdk-src-1.7.0.6-3.26.1


References:

http://support.novell.com/security/cve/CVE-2013-0424.html
http://support.novell.com/security/cve/CVE-2013-0425.html
http://support.novell.com/security/cve/CVE-2013-0426.html
http://support.novell.com/security/cve/CVE-2013-0427.html
http://support.novell.com/security/cve/CVE-2013-0428.html
http://support.novell.com/security/cve/CVE-2013-0429.html
http://support.novell.com/security/cve/CVE-2013-0431.html
http://support.novell.com/security/cve/CVE-2013-0432.html
http://support.novell.com/security/cve/CVE-2013-0433.html
http://support.novell.com/security/cve/CVE-2013-0434.html
http://support.novell.com/security/cve/CVE-2013-0435.html
http://support.novell.com/security/cve/CVE-2013-0440.html
http://support.novell.com/security/cve/CVE-2013-0441.html
http://support.novell.com/security/cve/CVE-2013-0442.html
http://support.novell.com/security/cve/CVE-2013-0443.html
http://support.novell.com/security/cve/CVE-2013-0444.html
http://support.novell.com/security/cve/CVE-2013-0450.html
http://support.novell.com/security/cve/CVE-2013-1475.html
http://support.novell.com/security/cve/CVE-2013-1476.html
http://support.novell.com/security/cve/CVE-2013-1478.html
http://support.novell.com/security/cve/CVE-2013-1480.html
https://bugzilla.novell.com/803379

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages