SUSE Security Update: Security update for OpenJDK ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0639-1 Rating: important References: #873873 Cross-References: CVE-2013-6629 CVE-2013-6954 CVE-2014-0429 CVE-2014-0446 CVE-2014-0451 CVE-2014-0452 CVE-2014-0453 CVE-2014-0454 CVE-2014-0455 CVE-2014-0456 CVE-2014-0457 CVE-2014-0458 CVE-2014-0459 CVE-2014-0460 CVE-2014-0461 CVE-2014-1876 CVE-2014-2397 CVE-2014-2398 CVE-2014-2402 CVE-2014-2403 CVE-2014-2412 CVE-2014-2413 CVE-2014-2414 CVE-2014-2421 CVE-2014-2423 CVE-2014-2427 Affected Products: SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes 26 vulnerabilities is now available. Description: This java-1_7_0-openjdk update to version 2.4.7 fixes the following security and non-security issues: * Security fixes o S8023046: Enhance splashscreen support o S8025005: Enhance CORBA initializations o S8025010, CVE-2014-2412: Enhance AWT contexts o S8025030, CVE-2014-2414: Enhance stream handling o S8025152, CVE-2014-0458: Enhance activation set up o S8026067: Enhance signed jar verification o S8026163, CVE-2014-2427: Enhance media provisioning o S8026188, CVE-2014-2423: Enhance envelope factory o S8026200: Enhance RowSet Factory o S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling o S8026736, CVE-2014-2398: Enhance Javadoc pages o S8026797, CVE-2014-0451: Enhance data transfers o S8026801, CVE-2014-0452: Enhance endpoint addressing o S8027766, CVE-2014-0453: Enhance RSA processing o S8027775: Enhance ICU code. o S8027841, CVE-2014-0429: Enhance pixel manipulations o S8028385: Enhance RowSet Factory o S8029282, CVE-2014-2403: Enhance CharInfo set up o S8029286: Enhance subject delegation o S8029699: Update Poller demo o S8029730: Improve audio device additions o S8029735: Enhance service mgmt natives o S8029740, CVE-2014-0446: Enhance handling of loggers o S8029745, CVE-2014-0454: Enhance algorithm checking o S8029750: Enhance LCMS color processing (in-tree LCMS) o S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree libjpeg) o S8029844, CVE-2014-0455: Enhance argument validation o S8029854, CVE-2014-2421: Enhance JPEG decodings o S8029858, CVE-2014-0456: Enhance array copies o S8030731, CVE-2014-0460: Improve name service robustness o S8031330: Refactor ObjectFactory o S8031335, CVE-2014-0459: Better color profiling (in-tree LCMS) o S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng) o S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader o S8031395: Enhance LDAP processing o S8032686, CVE-2014-2413: Issues with method invoke o S8033618, CVE-2014-1876: Correct logging output o S8034926, CVE-2014-2397: Attribute classes properly o S8036794, CVE-2014-0461: Manage JavaScript instances * Backports o S8004145: New improved hgforest.sh, ctrl-c now properly terminates mercurial processes. o S8007625: race with nested repos in /common/bin/hgforest.sh o S8011178: improve common/bin/hgforest.sh python detection (MacOS) o S8011342: hgforest.sh : 'python --version' not supported on older python o S8011350: hgforest.sh uses non-POSIX sh features that may fail with some shells o S8024200: handle hg wrapper with space after #! o S8025796: hgforest.sh could trigger unbuffered output from hg without complicated machinations o S8028388: 9 jaxws tests failed in nightly build with java.lang.ClassCastException o S8031477: [macosx] Loading AWT native library fails o S8032370: No "Truncated file" warning from IIOReadWarningListener on JPEGImageReader o S8035834: InetAddress.getLocalHost() can hang after JDK-8030731 was fixed * Bug fixes o PR1393: JPEG support in build is broken on non-system-libjpeg builds o PR1726: configure fails looking for ecj.jar before even trying to find javac o Red Hat local: Fix for repo with path statting with / . o Remove unused hgforest script Security Issue references: * CVE-2014-2412 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2412> * CVE-2014-2414 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2414> * CVE-2014-0458 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0458> * CVE-2014-2427 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2427> * CVE-2014-2423 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2423> * CVE-2014-2402 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2402> * CVE-2014-2398 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2398> * CVE-2014-0451 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0451> * CVE-2014-0452 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0452> * CVE-2014-0453 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453> * CVE-2014-0429 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0429> * CVE-2014-2403 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2403> * CVE-2014-0446 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0446> * CVE-2014-0454 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0454> * CVE-2013-6629 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629> * CVE-2014-0455 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0455> * CVE-2014-2421 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2421> * CVE-2014-0456 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0456> * CVE-2014-0460 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0460> * CVE-2014-0459 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0459> * CVE-2013-6954 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6954> * CVE-2014-0457 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0457> * CVE-2014-2413 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2413> * CVE-2014-1876 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1876> * CVE-2014-2397 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2397> * CVE-2014-0461 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0461> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-java-1_7_0-openjdk-9209 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64): java-1_7_0-openjdk-1.7.0.6-0.27.1 java-1_7_0-openjdk-demo-1.7.0.6-0.27.1 java-1_7_0-openjdk-devel-1.7.0.6-0.27.1 References: http://support.novell.com/security/cve/CVE-2013-6629.html http://support.novell.com/security/cve/CVE-2013-6954.html http://support.novell.com/security/cve/CVE-2014-0429.html http://support.novell.com/security/cve/CVE-2014-0446.html http://support.novell.com/security/cve/CVE-2014-0451.html http://support.novell.com/security/cve/CVE-2014-0452.html http://support.novell.com/security/cve/CVE-2014-0453.html http://support.novell.com/security/cve/CVE-2014-0454.html http://support.novell.com/security/cve/CVE-2014-0455.html http://support.novell.com/security/cve/CVE-2014-0456.html http://support.novell.com/security/cve/CVE-2014-0457.html http://support.novell.com/security/cve/CVE-2014-0458.html http://support.novell.com/security/cve/CVE-2014-0459.html http://support.novell.com/security/cve/CVE-2014-0460.html http://support.novell.com/security/cve/CVE-2014-0461.html http://support.novell.com/security/cve/CVE-2014-1876.html http://support.novell.com/security/cve/CVE-2014-2397.html http://support.novell.com/security/cve/CVE-2014-2398.html http://support.novell.com/security/cve/CVE-2014-2402.html http://support.novell.com/security/cve/CVE-2014-2403.html http://support.novell.com/security/cve/CVE-2014-2412.html http://support.novell.com/security/cve/CVE-2014-2413.html http://support.novell.com/security/cve/CVE-2014-2414.html http://support.novell.com/security/cve/CVE-2014-2421.html http://support.novell.com/security/cve/CVE-2014-2423.html http://support.novell.com/security/cve/CVE-2014-2427.html https://bugzilla.novell.com/873873 http://download.suse.com/patch/finder/?keywords=9e107d0028325fe6789728abca9f... -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org