openSUSE Security Announce
August 2016
- 1 participant
- 57 discussions
[security-announce] SUSE-SU-2016:2061-1: important: Security update for MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nspr and mozilla-nss
by opensuse-security@opensuse.org 12 Aug '16
SUSE Security Update: Security update for MozillaFirefox, MozillaFirefox-branding-SLED, mozilla-nspr and mozilla-nss
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:2061-1
Rating: important
References: #983549 #983638 #983639 #983643 #983646 #983651
#983652 #983653 #983655 #984006 #985659 #989196
#990628 #990856 #991809
Cross-References: CVE-2016-2815 CVE-2016-2818 CVE-2016-2819
CVE-2016-2821 CVE-2016-2822 CVE-2016-2824
CVE-2016-2828 CVE-2016-2830 CVE-2016-2831
CVE-2016-2834 CVE-2016-2835 CVE-2016-2836
CVE-2016-2837 CVE-2016-2838 CVE-2016-2839
CVE-2016-5252 CVE-2016-5254 CVE-2016-5258
CVE-2016-5259 CVE-2016-5262 CVE-2016-5263
CVE-2016-5264 CVE-2016-5265 CVE-2016-6354
Affected Products:
SUSE Linux Enterprise Server 11-SP2-LTSS
SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________
An update that fixes 24 vulnerabilities is now available.
Description:
MozillaFirefox, MozillaFirefox-branding-SLE, mozilla-nspr and mozilla-nss
were updated to fix nine security issues.
MozillaFirefox was updated to version 45.3.0 ESR. mozilla-nss was updated
to version 3.21.1, mozilla-nspr to version 4.12.
These security issues were fixed in 45.3.0ESR:
- CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards
(rv:48.0 / rv:45.3) (MFSA 2016-62)
- CVE-2016-2830: Favicon network connection can persist when page is
closed (MFSA 2016-63)
- CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content
(MFSA 2016-64)
- CVE-2016-2839: Cairo rendering crash due to memory allocation issue with
FFmpeg 0.10 (MFSA 2016-65)
- CVE-2016-5252: Stack underflow during 2D graphics rendering (MFSA
2016-67)
- CVE-2016-5254: Use-after-free when using alt key and toplevel menus
(MFSA 2016-70)
- CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown
(MFSA 2016-72)
- CVE-2016-5259: Use-after-free in service workers with nested sync events
(MFSA 2016-73)
- CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes
(MFSA 2016-76)
- CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module
(CDM) during video playback (MFSA 2016-77)
- CVE-2016-5263: Type confusion in display transformation (MFSA 2016-78)
- CVE-2016-5264: Use-after-free when applying SVG effects (MFSA 2016-79)
- CVE-2016-5265: Same-origin policy violation using local HTML file and
saved shortcut file (MFSA 2016-80)
- CVE-2016-6354: Fix for possible buffer overrun (bsc#990856)
Security issues fixed in 45.2.0.ESR:
- CVE-2016-2834: Memory safety bugs in NSS (MFSA 2016-61) (bsc#983639).
- CVE-2016-2824: Out-of-bounds write with WebGL shader (MFSA 2016-53)
(bsc#983651).
- CVE-2016-2822: Addressbar spoofing through the SELECT element (MFSA
2016-52) (bsc#983652).
- CVE-2016-2821: Use-after-free deleting tables from a contenteditable
document (MFSA 2016-51) (bsc#983653).
- CVE-2016-2819: Buffer overflow parsing HTML5 fragments (MFSA 2016-50)
(bsc#983655).
- CVE-2016-2828: Use-after-free when textures are used in WebGL operations
after recycle pool destruction (MFSA 2016-56) (bsc#983646).
- CVE-2016-2831: Entering fullscreen and persistent pointerlock without
user permission (MFSA 2016-58) (bsc#983643).
- CVE-2016-2815, CVE-2016-2818: Miscellaneous memory safety hazards (MFSA
2016-49) (bsc#983638)
These non-security issues were fixed:
- Fix crashes on aarch64
* Determine page size at runtime (bsc#984006)
* Allow aarch64 to work in safe mode (bsc#985659)
- Fix crashes on mainframes
- Temporarily bind Firefox to the first CPU as a hotfix for an apparent
race condition (bsc#989196, bsc#990628)
All extensions must now be signed by addons.mozilla.org. Please read
README.SUSE for more details.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11-SP2-LTSS:
zypper in -t patch slessp2-MozillaFirefox-12690=1
- SUSE Linux Enterprise Debuginfo 11-SP2:
zypper in -t patch dbgsp2-MozillaFirefox-12690=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
MozillaFirefox-45.3.0esr-48.1
MozillaFirefox-branding-SLED-45.0-20.38
MozillaFirefox-translations-45.3.0esr-48.1
firefox-fontconfig-2.11.0-4.2
libfreebl3-3.21.1-26.2
mozilla-nspr-4.12-25.2
mozilla-nspr-devel-4.12-25.2
mozilla-nss-3.21.1-26.2
mozilla-nss-devel-3.21.1-26.2
mozilla-nss-tools-3.21.1-26.2
- SUSE Linux Enterprise Server 11-SP2-LTSS (s390x x86_64):
libfreebl3-32bit-3.21.1-26.2
mozilla-nspr-32bit-4.12-25.2
mozilla-nss-32bit-3.21.1-26.2
- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
MozillaFirefox-debuginfo-45.3.0esr-48.1
MozillaFirefox-debugsource-45.3.0esr-48.1
firefox-fontconfig-debuginfo-2.11.0-4.2
mozilla-nspr-debuginfo-4.12-25.2
mozilla-nspr-debugsource-4.12-25.2
mozilla-nss-debuginfo-3.21.1-26.2
mozilla-nss-debugsource-3.21.1-26.2
- SUSE Linux Enterprise Debuginfo 11-SP2 (s390x x86_64):
firefox-fontconfig-debugsource-2.11.0-4.2
mozilla-nspr-debuginfo-32bit-4.12-25.2
mozilla-nss-debuginfo-32bit-3.21.1-26.2
References:
https://www.suse.com/security/cve/CVE-2016-2815.html
https://www.suse.com/security/cve/CVE-2016-2818.html
https://www.suse.com/security/cve/CVE-2016-2819.html
https://www.suse.com/security/cve/CVE-2016-2821.html
https://www.suse.com/security/cve/CVE-2016-2822.html
https://www.suse.com/security/cve/CVE-2016-2824.html
https://www.suse.com/security/cve/CVE-2016-2828.html
https://www.suse.com/security/cve/CVE-2016-2830.html
https://www.suse.com/security/cve/CVE-2016-2831.html
https://www.suse.com/security/cve/CVE-2016-2834.html
https://www.suse.com/security/cve/CVE-2016-2835.html
https://www.suse.com/security/cve/CVE-2016-2836.html
https://www.suse.com/security/cve/CVE-2016-2837.html
https://www.suse.com/security/cve/CVE-2016-2838.html
https://www.suse.com/security/cve/CVE-2016-2839.html
https://www.suse.com/security/cve/CVE-2016-5252.html
https://www.suse.com/security/cve/CVE-2016-5254.html
https://www.suse.com/security/cve/CVE-2016-5258.html
https://www.suse.com/security/cve/CVE-2016-5259.html
https://www.suse.com/security/cve/CVE-2016-5262.html
https://www.suse.com/security/cve/CVE-2016-5263.html
https://www.suse.com/security/cve/CVE-2016-5264.html
https://www.suse.com/security/cve/CVE-2016-5265.html
https://www.suse.com/security/cve/CVE-2016-6354.html
https://bugzilla.suse.com/983549
https://bugzilla.suse.com/983638
https://bugzilla.suse.com/983639
https://bugzilla.suse.com/983643
https://bugzilla.suse.com/983646
https://bugzilla.suse.com/983651
https://bugzilla.suse.com/983652
https://bugzilla.suse.com/983653
https://bugzilla.suse.com/983655
https://bugzilla.suse.com/984006
https://bugzilla.suse.com/985659
https://bugzilla.suse.com/989196
https://bugzilla.suse.com/990628
https://bugzilla.suse.com/990856
https://bugzilla.suse.com/991809
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
[security-announce] openSUSE-SU-2016:2058-1: important: Security update for OpenJDK7
by opensuse-security@opensuse.org 12 Aug '16
openSUSE Security Update: Security update for OpenJDK7
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2058-1
Rating: important
References: #988651 #989722 #989723 #989725 #989727 #989728
#989729 #989730 #989731 #989732 #989733 #989734
Cross-References: CVE-2016-3458 CVE-2016-3485 CVE-2016-3498
CVE-2016-3500 CVE-2016-3503 CVE-2016-3508
CVE-2016-3511 CVE-2016-3550 CVE-2016-3598
CVE-2016-3606 CVE-2016-3610
Affected Products:
openSUSE 13.1
______________________________________________________________________________
An update that solves 11 vulnerabilities and has one errata
is now available.
Description:
Update to 2.6.7 - OpenJDK 7u111
* Security fixes
- S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732)
- S8145446, CVE-2016-3485: Perfect pipe placement (Windows
only) (bsc#989734)
- S8147771: Construction of static protection domains under Javax
custom policy
- S8148872, CVE-2016-3500: Complete name checking (bsc#989730)
- S8149962, CVE-2016-3508: Better delineation of XML processing
(bsc#989731)
- S8150752: Share Class Data
- S8151925: Font reference improvements
- S8152479, CVE-2016-3550: Coded byte streams (bsc#989733)
- S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722)
- S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723)
- S8158571, CVE-2016-3610: Additional method handle validation
(bsc#989725)
- CVE-2016-3511 (bsc#989727)
- CVE-2016-3503 (bsc#989728)
- CVE-2016-3498 (bsc#989729)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.1:
zypper in -t patch 2016-982=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.1 (i586 x86_64):
java-1_7_0-openjdk-1.7.0.111-24.39.1
java-1_7_0-openjdk-accessibility-1.7.0.111-24.39.1
java-1_7_0-openjdk-debuginfo-1.7.0.111-24.39.1
java-1_7_0-openjdk-debugsource-1.7.0.111-24.39.1
java-1_7_0-openjdk-demo-1.7.0.111-24.39.1
java-1_7_0-openjdk-demo-debuginfo-1.7.0.111-24.39.1
java-1_7_0-openjdk-devel-1.7.0.111-24.39.1
java-1_7_0-openjdk-devel-debuginfo-1.7.0.111-24.39.1
java-1_7_0-openjdk-headless-1.7.0.111-24.39.1
java-1_7_0-openjdk-headless-debuginfo-1.7.0.111-24.39.1
java-1_7_0-openjdk-src-1.7.0.111-24.39.1
- openSUSE 13.1 (noarch):
java-1_7_0-openjdk-javadoc-1.7.0.111-24.39.1
References:
https://www.suse.com/security/cve/CVE-2016-3458.html
https://www.suse.com/security/cve/CVE-2016-3485.html
https://www.suse.com/security/cve/CVE-2016-3498.html
https://www.suse.com/security/cve/CVE-2016-3500.html
https://www.suse.com/security/cve/CVE-2016-3503.html
https://www.suse.com/security/cve/CVE-2016-3508.html
https://www.suse.com/security/cve/CVE-2016-3511.html
https://www.suse.com/security/cve/CVE-2016-3550.html
https://www.suse.com/security/cve/CVE-2016-3598.html
https://www.suse.com/security/cve/CVE-2016-3606.html
https://www.suse.com/security/cve/CVE-2016-3610.html
https://bugzilla.suse.com/988651
https://bugzilla.suse.com/989722
https://bugzilla.suse.com/989723
https://bugzilla.suse.com/989725
https://bugzilla.suse.com/989727
https://bugzilla.suse.com/989728
https://bugzilla.suse.com/989729
https://bugzilla.suse.com/989730
https://bugzilla.suse.com/989731
https://bugzilla.suse.com/989732
https://bugzilla.suse.com/989733
https://bugzilla.suse.com/989734
[security-announce] openSUSE-SU-2016:2052-1: important: Security update for java-1_7_0-openjdk
by opensuse-security@opensuse.org 11 Aug '16
openSUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2052-1
Rating: important
References: #982366 #984684 #988651 #989722 #989723 #989725
#989727 #989728 #989729 #989730 #989731 #989732
#989733 #989734
Cross-References: CVE-2016-3458 CVE-2016-3485 CVE-2016-3498
CVE-2016-3500 CVE-2016-3503 CVE-2016-3508
CVE-2016-3511 CVE-2016-3550 CVE-2016-3598
CVE-2016-3606 CVE-2016-3610
Affected Products:
openSUSE Leap 42.1
______________________________________________________________________________
An update that solves 11 vulnerabilities and has three
fixes is now available.
Description:
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.7 - OpenJDK 7u111
* Security fixes
- S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732)
- S8145446, CVE-2016-3485: Perfect pipe placement (Windows
only) (bsc#989734)
- S8147771: Construction of static protection domains under Javax
custom policy
- S8148872, CVE-2016-3500: Complete name checking (bsc#989730)
- S8149962, CVE-2016-3508: Better delineation of XML processing
(bsc#989731)
- S8150752: Share Class Data
- S8151925: Font reference improvements
- S8152479, CVE-2016-3550: Coded byte streams (bsc#989733)
- S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722)
- S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723)
- S8158571, CVE-2016-3610: Additional method handle validation
(bsc#989725)
- CVE-2016-3511 (bsc#989727)
- CVE-2016-3503 (bsc#989728)
- CVE-2016-3498 (bsc#989729)
* Import of OpenJDK 7 u111 build 0
- S6953295: Move few sun.security.{util, x509, pkcs} classes used by
keytool/jarsigner to another package
- S7060849: Eliminate pack200 build warnings
- S7064075: Security libraries don't build with javac
-Xlint:all,-deprecation -Werror
- S7069870: Parts of the JDK erroneously rely on generic array
initializers with diamond
- S7102686: Restructure timestamp code so that jars and modules can
more easily share the same code
- S7105780: Add SSLSocket client/SSLEngine server to templates
directory
- S7142339: PKCS7.java is needlessly creating SHA1PRNG SecureRandom
instances when timestamping is not done
- S7152582: PKCS11 tests should use the NSS libraries available in the
OS
- S7192202: Make sure keytool prints both unknown and unparseable
extensions
- S7194449: String resources for Key Tool and Policy Tool should be in
their respective packages
- S7196855: autotest.sh fails on ubuntu because libsoftokn.so not found
- S7200682: TEST_BUG: keytool/autotest.sh still has problems with
libsoftokn.so
- S8002306: (se) Selector.open fails if invoked with thread interrupt
status set [win]
- S8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as
defined in RFC3161
- S8019341: Update CookieHttpsClientTest to use the newer framework.
- S8022228: Intermittent test failures in
sun/security/ssl/javax/net/ssl/NewAPIs
- S8022439: Fix lint warnings in sun.security.ec
- S8022594: Potential deadlock in <clinit> of sun.nio.ch.Util/IOUtil
- S8023546: sun/security/mscapi/ShortRSAKey1024.sh fails intermittently
- S8036612: [parfait] JNI exception pending in
jdk/src/windows/native/sun/security/mscapi/security.cpp
- S8037557: test SessionCacheSizeTests.java timeout
- S8038837: Add support to jarsigner for specifying timestamp hash
algorithm
- S8079410: Hotspot version to share the same update and build version
from JDK
- S8130735: javax.swing.TimerQueue: timer fires late when another
timer starts
- S8139436: sun.security.mscapi.KeyStore might load incomplete data
- S8144313: Test SessionTimeOutTests can be timeout
- S8146387: Test SSLSession/SessionCacheSizeTests socket accept timed
out
- S8146669: Test SessionTimeOutTests fails intermittently
- S8146993: Several javax/management/remote/mandatory regression tests
fail after JDK-8138811
- S8147857: [TEST] RMIConnector logs attribute names incorrectly
- S8151841, PR3098: Build needs additional flags to compile with GCC 6
- S8151876: (tz) Support tzdata2016d
- S8157077: 8u101 L10n resource file updates
- S8161262: Fix jdk build with gcc 4.1.2: -fno-strict-overflow not
known.
* Import of OpenJDK 7 u111 build 1
- S7081817: test/sun/security/provider/certpath/X509CertPath/IllegalCertificates.java failing
- S8140344: add support for 3 digit update release numbers
- S8145017: Add support for 3 digit hotspot minor version numbers
- S8162344: The API changes made by CR 7064075 need to be reverted
* Backports
- S2178143, PR2958: JVM crashes if the number of bound CPUs changed
during runtime
- S4900206, PR3101: Include worst-case rounding tests for Math library
functions
- S6260348, PR3067: GTK+ L&F JTextComponent not respecting desktop
caret blink rate
- S6934604, PR3075: enable parts of EliminateAutoBox by default
- S7043064, PR3020: sun/java2d/cmm/ tests failed against RI b141 &
b138-nightly
- S7051394, PR3020: NullPointerException when running regression tests
LoadProfileTest by using openjdk-7-b144
- S7086015, PR3013: fix
test/tools/javac/parser/netbeans/JavacParserTest.java
- S7119487, PR3013: JavacParserTest.java test fails on Windows
platforms
- S7124245, PR3020: [lcms] ColorConvertOp to color space CS_GRAY
apparently converts orange to 244,244,0
- S7159445, PR3013: (javac) emits inaccurate diagnostics for enhanced
for-loops
- S7175845, PR1437, RH1207129: 'jar uf' changes file permissions
unexpectedly
- S8005402, PR3020: Need to provide benchmarks for color management
- S8005530, PR3020: [lcms] Improve performance of ColorConverOp for
default destinations
- S8005930, PR3020: [lcms] ColorConvertOp: Alpha channel is not
transferred from source to destination.
- S8013430, PR3020: REGRESSION: closed/java/awt/color/ICC_Profile/LoadProfileTest/LoadProfileTest.java
fails with java.io.StreamCorruptedException: invalid type code: EE since 8b87
- S8014286, PR3075: failed java/lang/Math/DivModTests.java after
6934604 changes
- S8014959, PR3075: assert(Compile::current()->live_nodes() <
(uint)MaxNodeLimit) failed: Live Node limit exceeded limit
- S8019247, PR3075: SIGSEGV in compiled method
c8e.e.t_.getArray(Ljava/lang/Class;)[Ljava/lang/Object
- S8024511, PR3020: Crash during color profile destruction
- S8025429, PR3020: [parfait] warnings from b107 for sun.java2d.cmm:
JNI exception pending
- S8026702, PR3020: Fix for 8025429 breaks jdk build on windows
- S8026780, PR3020, RH1142587: Crash on PPC and PPC v2 for Java_awt
test suit
- S8047066, PR3020: Test test/sun/awt/image/bug8038000.java fails with
ClassCastException
- S8069181, PR3012, RH1015612: java.lang.AssertionError when compiling
JDK 1.4 code in JDK 8
- S8158260, PR2992, RH1341258: PPC64: unaligned Unsafe.getInt can lead
to the generation of illegal instructions (bsc#988651)
- S8159244, PR3075: Partially initialized string object created by
C2's string concat optimization may escape
* Bug fixes
- PR2799, RH1195203: Files are missing from resources.jar
- PR2900: Don't use WithSeed versions of NSS functions as they don't
fully process the seed
- PR3091: SystemTap is heavily confused by multiple JDKs
- PR3102: Extend 8022594 to AixPollPort
- PR3103: Handle case in clean-fonts where
linux.fontconfig.Gentoo.properties.old has not been created
- PR3111: Provide option to disable SystemTap tests
- PR3114: Don't assume system mime.types supports text/x-java-source
- PR3115: Add check for elliptic curve cryptography implementation
- PR3116: Add tests for Java debug info and source files
- PR3118: Path to agpl-3.0.txt not updated
- PR3119: Makefile handles cacerts as a symlink, but the configure
check doesn't
* AArch64 port
- S8148328, PR3100: aarch64: redundant lsr instructions in stub code.
- S8148783, PR3100: aarch64: SEGV running SpecJBB2013
- S8148948, PR3100: aarch64: generate_copy_longs calls align()
incorrectly
- S8150045, PR3100: arraycopy causes segfaults in SATB during garbage
collection
- S8154537, PR3100: AArch64: some integer rotate instructions are
never emitted
- S8154739, PR3100: AArch64: TemplateTable::fast_xaccess loads in
wrong mode
- S8157906, PR3100: aarch64: some more integer rotate instructions are
never emitted
- Enable SunEC for SLE12 and Leap (bsc#982366)
- Fix aarch64 running with 48 bits va space (bsc#984684)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-977=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.1 (i586 x86_64):
java-1_7_0-openjdk-1.7.0.111-34.1
java-1_7_0-openjdk-accessibility-1.7.0.111-34.1
java-1_7_0-openjdk-bootstrap-1.7.0.111-34.1
java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.111-34.1
java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.111-34.1
java-1_7_0-openjdk-bootstrap-devel-1.7.0.111-34.1
java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.111-34.1
java-1_7_0-openjdk-bootstrap-headless-1.7.0.111-34.1
java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.111-34.1
java-1_7_0-openjdk-debuginfo-1.7.0.111-34.1
java-1_7_0-openjdk-debugsource-1.7.0.111-34.1
java-1_7_0-openjdk-demo-1.7.0.111-34.1
java-1_7_0-openjdk-demo-debuginfo-1.7.0.111-34.1
java-1_7_0-openjdk-devel-1.7.0.111-34.1
java-1_7_0-openjdk-devel-debuginfo-1.7.0.111-34.1
java-1_7_0-openjdk-headless-1.7.0.111-34.1
java-1_7_0-openjdk-headless-debuginfo-1.7.0.111-34.1
java-1_7_0-openjdk-src-1.7.0.111-34.1
- openSUSE Leap 42.1 (noarch):
java-1_7_0-openjdk-javadoc-1.7.0.111-34.1
References:
https://www.suse.com/security/cve/CVE-2016-3458.html
https://www.suse.com/security/cve/CVE-2016-3485.html
https://www.suse.com/security/cve/CVE-2016-3498.html
https://www.suse.com/security/cve/CVE-2016-3500.html
https://www.suse.com/security/cve/CVE-2016-3503.html
https://www.suse.com/security/cve/CVE-2016-3508.html
https://www.suse.com/security/cve/CVE-2016-3511.html
https://www.suse.com/security/cve/CVE-2016-3550.html
https://www.suse.com/security/cve/CVE-2016-3598.html
https://www.suse.com/security/cve/CVE-2016-3606.html
https://www.suse.com/security/cve/CVE-2016-3610.html
https://bugzilla.suse.com/982366
https://bugzilla.suse.com/984684
https://bugzilla.suse.com/988651
https://bugzilla.suse.com/989722
https://bugzilla.suse.com/989723
https://bugzilla.suse.com/989725
https://bugzilla.suse.com/989727
https://bugzilla.suse.com/989728
https://bugzilla.suse.com/989729
https://bugzilla.suse.com/989730
https://bugzilla.suse.com/989731
https://bugzilla.suse.com/989732
https://bugzilla.suse.com/989733
https://bugzilla.suse.com/989734
[security-announce] openSUSE-SU-2016:2051-1: important: Security update for java-1_8_0-openjdk
by opensuse-security@opensuse.org 11 Aug '16
openSUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2051-1
Rating: important
References: #984684 #987895 #988651 #989721 #989722 #989723
#989725 #989726 #989727 #989728 #989729 #989730
#989731 #989732 #989733 #989734
Cross-References: CVE-2016-3458 CVE-2016-3485 CVE-2016-3498
CVE-2016-3500 CVE-2016-3503 CVE-2016-3508
CVE-2016-3511 CVE-2016-3550 CVE-2016-3552
CVE-2016-3587 CVE-2016-3598 CVE-2016-3606
CVE-2016-3610
Affected Products:
openSUSE Leap 42.1
______________________________________________________________________________
An update that solves 13 vulnerabilities and has three
fixes is now available.
Description:
This update for java-1_8_0-openjdk fixes the following issues:
- Upgrade to version jdk8u101 (icedtea 3.1.0)
- New in release 3.1.0 (2016-07-25):
* Security fixes
- S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732)
- S8145446, CVE-2016-3485: Perfect pipe placement (Windows
only) (bsc#989734)
- S8146514: Enforce GCM limits
- S8147771: Construction of static protection domains under Javax
custom policy
- S8148872, CVE-2016-3500: Complete name checking (bsc#989730)
- S8149070: Enforce update ordering
- S8149962, CVE-2016-3508: Better delineation of XML processing
(bsc#989731)
- S8150752: Share Class Data
- S8151925: Font reference improvements
- S8152479, CVE-2016-3550: Coded byte streams (bsc#989733)
- S8153312: Constrain AppCDS behavior
- S8154475, CVE-2016-3587: Clean up lookup visibility (bsc#989721)
- S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722)
- S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723)
- S8158571, CVE-2016-3610: Additional method handle validation
(bsc#989725)
- CVE-2016-3552 (bsc#989726)
- CVE-2016-3511 (bsc#989727)
- CVE-2016-3503 (bsc#989728)
- CVE-2016-3498 (bsc#989729)
* New features
- S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3
on Linux
- PR2821: Support building OpenJDK with --disable-headful
- PR2931, G478960: Provide Infinality Support via fontconfig
- PR3079: Provide option to build Shenandoah on x86_64
* Import of OpenJDK 8 u92 build 14
- S6869327: Add new C2 flag to keep safepoints in counted loops.
- S8022865: [TESTBUG] Compressed Oops testing needs to be revised
- S8029630: Thread id should be displayed as a hex number in error
report
- S8029726: On OS X some dtrace probe names are mismatched with Solaris
- S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV
are not fired.
- S8029728: On OS X dtrace probes SetStaticBooleanField are not fired
- S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID
attribute value is empty String
- S8038349: Signing XML with DSA throws Exception when key is larger
than 1024 bits
- S8041501: ImageIO reader is not capable of reading JPEGs without
JFIF header
- S8041900: [macosx] Java forces the use of discrete GPU
- S8044363: Remove special build options for unpack200 executable
- S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for
hotspot ARCH
- S8046611: Build errors with gcc on sparc/fastdebug
- S8047763: Recognize sparc64 as a sparc platform
- S8048232: Fix for 8046471 breaks PPC64 build
- S8052396: Catch exceptions resulting from missing font cmap
- S8058563: InstanceKlass::_dependencies list isn't cleared from empty
nmethodBucket entries
- S8061624: [TESTBUG] Some tests cannot be ran under compact profiles
and therefore shall be excluded
- S8062901: Iterators is spelled incorrectly in the Javadoc for
Spliterator
- S8064330: Remove SHA224 from the default support list if SunMSCAPI
enabled
- S8065579: WB method to start G1 concurrent mark cycle should be
introduced
- S8065986: Compiler fails to NullPointerException when calling super
with Object<>()
- S8066974: Compiler doesn't infer method's generic type information
in lambda body
- S8067800: Clarify java.time.chrono.Chronology.isLeapYear for
out of range years
- S8068033: JNI exception pending in jdk/src/share/bin/java.c
- S8068042: Check jdk/src/share/native/sun/misc/URLClassPath.c for JNI
pending
- S8068162: jvmtiRedefineClasses.cpp: guarantee(false) failed: OLD
and/or OBSOLETE method(s) found
- S8068254: Method reference uses wrong qualifying type
- S8074696: Remote debugging session hangs for several minutes when
calling findBootType
- S8074935: jdk8 keytool doesn't validate pem files for RFC 1421
correctness, as jdk7 did
- S8078423: [TESTBUG] javax/print/PrintSEUmlauts/PrintSEUmlauts.java
relies on system locale
- S8080492: [Parfait] Uninitialised variable in
jdk/src/java/desktop/windows/native/libawt/
- S8080650: Enable stubs to use frame pointers correctly
- S8122944: perfdata used is seen as too high on sparc zone with
jdk1.9 and causes a test failure
- S8129348: Debugger hangs in trace mode with TRACE_SENDS
- S8129847: Compiling methods generated by Nashorn triggers high
memory usage in C2
- S8130506: javac AssertionError when invoking MethodHandle.invoke
with lambda parameter
- S8130910: hsperfdata file is created in wrong directory and not
cleaned up if /tmp/hsperfdata_<username> has wrong permissions
- S8131129: Attempt to define a duplicate BMH$Species class
- S8131665: Bad exception message in HandshakeHash.getFinishedHash
- S8131782: C1 Class.cast optimization breaks when Class is loaded
from static final
- S8132503: [macosx] Chinese full stop symbol cannot be entered with
Pinyin IM on OS X
- S8133207: ParallelProbes.java test fails after changes for
JDK-8080115
- S8133924: NPE may be thrown when xsltc select a non-existing node
after JDK-8062518
- S8134007: Improve string folding
- S8134759: jdb: Incorrect stepping inside finally block
- S8134963: [Newtest] New stress test for changing the coarseness
level of G1 remembered set
- S8136442: Don't tie Certificate signature algorithms to ciphersuites
- S8137106: EUDC (End User Defined Characters) are not displayed
on Windows with Java 8u60+
- S8138745: Implement ExitOnOutOfMemory and CrashOnOutOfMemory in
HotSpot
- S8138764: In some cases the usage of TreeLock can be replaced by
other synchronization
- S8139373: [TEST_BUG] java/net/MulticastSocket/MultiDead.java failed
with timeout
- S8139424: SIGSEGV, Problematic frame: # V [libjvm.so+0xd0c0cc] void
InstanceKlass::oop_oop_iterate_oop_maps_specialized<true,oopDesc*,MarkAndPushClosure>
- S8139436: sun.security.mscapi.KeyStore might load incomplete data
- S8139751: Javac crash with -XDallowStringFolding=false
- S8139863: [TESTBUG] Need to port tests for JDK-8134903 to 8u-dev
- S8139985: JNI exception pending in
jdk/src/jdk/hprof/agent/share/native/libhprof
- S8140031: SA: Searching for a value in Threads does not work
- S8140249: JVM Crashing During startUp If Flight Recording is enabled
- S8140344: add support for 3 digit update release numbers
- S8140587: Atomic*FieldUpdaters should use Class.isInstance instead
of direct class check
- S8141260: isReachable crash in windows xp
- S8143297: Nashorn compilation time reported in nanoseconds
- S8143397: It looks like InetAddress.isReachable(timeout) works
incorrectly
- S8143855: Bad printf formatting in frame_zero.cpp
- S8143896: java.lang.Long is implicitly converted to double
- S8143963: improve ClassLoader::trace_class_path to accept an
additional outputStream* arg
- S8144020: Remove long as an internal numeric type
- S8144131: ArrayData.getInt implementations do not convert to int32
- S8144483: One long Safepoint pause directly after each GC log
rotation
- S8144487: PhaseIdealLoop::build_and_optimize() must restore
major_progress flag if skip_loop_opts is true
- S8144885: agent/src/os/linux/libproc.h needs to support Linux/SPARC
builds
- S8144935: C2: safepoint is pruned from a non-counted loop
- S8144937: [TEST_BUG] testlibrary_tests should be excluded for
compact1 and compact2 execution
- S8145017: Add support for 3 digit hotspot minor version numbers
- S8145099: Better error message when SA can't attach to a process
- S8145442: Add the facility to verify remembered sets for G1
- S8145466: javac: No line numbers in compilation error
- S8145539: (coll) AbstractMap.keySet and .values should not be
volatile
- S8145550: Megamorphic invoke should use CompiledFunction variants
without any LinkLogic
- S8145669: apply2call optimized callsite fails after becoming
megamorphic
- S8145722: NullPointerException in javadoc
- S8145754: PhaseIdealLoop::is_scaled_iv_plus_offset() does not match
AddI
- S8146147: Java linker indexed property getter does not work for
computed nashorn string
- S8146566: OpenJDK build can't handle commas in LDFLAGS
- S8146725: Issues with
SignatureAndHashAlgorithm.getSupportedAlgorithms
- S8146979: Backport of 8046471 breaks ppc64 build in jdk8u because
8072383 was badly backported before
- S8147087: Race when reusing PerRegionTable bitmaps may result in
dropped remembered set entries
- S8147630: Wrong test result pushed to 8u-dev
- S8147845: Varargs Array functions still leaking longs
- S8147857: RMIConnector logs attribute names incorrectly
- S8148353: [linux-sparc] Crash in libawt.so on Linux SPARC
- S8150791: 8u76 L10n resource file translation update
* Import of OpenJDK 8 u101 build 13
- S6483657: MSCAPI provider does not create unique alias names
- S6675699: need comprehensive fix for unconstrained ConvI2L with
narrowed type
- S8037557: test SessionCacheSizeTests.java timeout
- S8038837: Add support to jarsigner for specifying timestamp hash
algorithm
- S8081778: Use Intel x64 CPU instructions for RSA acceleration
- S8130150: Implement BigInteger.montgomeryMultiply intrinsic
- S8130735: javax.swing.TimerQueue: timer fires late when another
timer starts
- S8143913: MSCAPI keystore should accept Certificate[] in setEntry()
- S8144313: Test SessionTimeOutTests can be timeout
- S8146240: Three nashorn files contain "GNU General Public License"
header
- S8146387: Test SSLSession/SessionCacheSizeTests socket accept timed
out
- S8146669: Test SessionTimeOutTests fails intermittently
- S8146993: Several javax/management/remote/mandatory regression tests
fail after JDK-8138811
- S8147994: [macosx] JScrollPane jitters up/down during trackpad
scrolling on MacOS/Aqua
- S8151522: Disable 8130150 and 8081778 intrinsics by default
- S8151876: (tz) Support tzdata2016d
- S8152098: Fix 8151522 caused test
compiler/intrinsics/squaretolen/TestSquareToLen.java to fail
- S8157077: 8u101 L10n resource file updates
* Backports
- S6260348, PR3066: GTK+ L&F JTextComponent not respecting desktop
caret blink rate
- S6778087, PR1061: getLocationOnScreen() always returns (0, 0) for
mouse wheel events
- S6961123, PR2972: setWMClass fails to null-terminate WM_CLASS string
- S8008657, PR3077: JSpinner setComponentOrientation doesn't affect on
text orientation
- S8014212, PR2866: Robot captures black screen
- S8029339, PR1061: Custom MultiResolution image support on HiDPI
displays
- S8031145, PR3077: Re-examine closed i18n tests to see if they can be
moved to the jdk repository.
- S8034856, PR3095: gcc warnings compiling
src/solaris/native/sun/security/pkcs11
- S8034857, PR3095: gcc warnings compiling
src/solaris/native/sun/management
- S8035054, PR3095: JarFacade.c should not include ctype.h
- S8035287, PR3095: gcc warnings compiling various libraries files
- S8038631, PR3077: Create wrapper for awt.Robot with additional
functionality
- S8039279, PR3077: Move awt tests to openjdk repository
- S8041561, PR3077: Inconsistent opacity behaviour between JCheckBox
and JRadioButton
- S8041592, PR3077: [TEST_BUG] Move 42 AWT hw/lw mixing tests to jdk
- S8041915, PR3077: Move 8 awt tests to OpenJDK regression tests tree
- S8043126, PR3077: move awt automated functional tests from
AWT_Events/Lw and AWT_Events/AWT to OpenJDK repository
- S8043131, PR3077: Move ShapedAndTranslucentWindows and GC functional
AWT tests to regression tree
- S8044157, PR3077: [TEST_BUG] Improve recently submitted AWT_Mixing
tests
- S8044172, PR3077: [TEST_BUG] Move regtests for 4523758 and
AltPlusNumberKeyCombinationsTest to jdk
- S8044429, PR3077: move awt automated tests for AWT_Modality to
OpenJDK repository
- S8044762, PR2960: com/sun/jdi/OptionTest.java test time out
- S8044765, PR3077: Move functional tests AWT_SystemTray/Automated to
openjdk repository
- S8047180, PR3077: Move functional tests AWT_Headless/Automated to
OpenJDK repository
- S8047367, PR3077: move awt automated tests from AWT_Modality to
OpenJDK repository - part 2
- S8048246, PR3077: Move AWT_DnD/Clipboard/Automated functional tests
to OpenJDK
- S8049226, PR2960: com/sun/jdi/OptionTest.java test times out again
- S8049617, PR3077: move awt automated tests from AWT_Modality to
OpenJDK repository - part 3
- S8049694, PR3077: Migrate functional AWT_DesktopProperties/Automated
tests to OpenJDK
- S8050885, PR3077: move awt automated tests from AWT_Modality to
OpenJDK repository - part 4
- S8051440, PR3077: move tests about maximizing undecorated to OpenJDK
- S8052012, PR3077: move awt automated tests from AWT_Modality to
OpenJDK repository - part 5
- S8052408, PR3077: Move AWT_BAT functional tests to OpenJDK (3
of 3)
- S8053657, PR3077: [TEST_BUG] move some 5 tests related to
undecorated Frame/JFrame to JDK
- S8054143, PR3077: move awt automated tests from AWT_Modality to
OpenJDK repository - part 6
- S8054358, PR3077: move awt automated tests from AWT_Modality to
OpenJDK repository - part 7
- S8054359, PR3077: move awt automated tests from AWT_Modality to
OpenJDK repository - part 8
- S8055360, PR3077: Move the rest part of AWT ShapedAndTranslucent
tests to OpenJDK
- S8055664, PR3077: move 14 tests about setLocationRelativeTo to jdk
- S8055836, PR3077: move awt tests from AWT_Modality to OpenJDK
repository - part 9
- S8056911, PR3077: Remove internal API usage from ExtendedRobot class
- S8057694, PR3077: move awt tests from AWT_Modality to OpenJDK
repository - part 10
- S8058959, PR1061:
closed/java/awt/event/ComponentEvent/MovedResizedTwiceTest/MovedResizedTwiceTest.java
failed automatically
- S8062606, PR3077: Fix a typo in java.awt.Robot class
- S8063102, PR3077: Change open awt regression tests to avoid
sun.awt.SunToolkit.realSync, part 1
- S8063104, PR3077: Change open awt regression tests to avoid
sun.awt.SunToolkit.realSync, part 2
- S8063106, PR3077: Change open swing regression tests to avoid
sun.awt.SunToolkit.realSync, part 1
- S8063107, PR3077: Change open swing regression tests to avoid
sun.awt.SunToolkit.realSync, part 2
- S8064573, PR3077: [TEST_BUG]
javax/swing/text/AbstractDocument/6968363/Test6968363.java is
asocial pressing VK_LEFT and not releasing
- S8064575, PR3077: [TEST_BUG]
javax/swing/JEditorPane/6917744/bug6917744.java 100 times press keys
and never releases
- S8064809, PR3077: [TEST_BUG]
javax/swing/JComboBox/4199622/bug4199622.java contains a lot of
keyPress and not a single keyRelease
- S8067441, PR3077: Some tests fails with error: cannot find symbol
getSystemMnemonicKeyCodes()
- S8068228, PR3077: Test
closed/java/awt/Mouse/MaximizedFrameTest/MaximizedFrameTest fails
with GTKLookAndFeel
- S8069361, PR1061: SunGraphics2D.getDefaultTransform() does not
include scale factor
- S8073320, PR1061: Windows HiDPI Graphics support
- S8074807, PR3077: Fix some tests unnecessary using internal API
- S8076315, PR3077: move 4 manual functional swing tests to regression
suite
- S8078504, PR3094: Zero lacks declaration of VM_Version::initialize()
- S8129822, PR3077: Define "headful" jtreg keyword
- S8132123, PR1061: MultiResolutionCachedImage unnecessarily creates
base image to get its size
- S8133539, PR1061: [TEST_BUG] Split
java/awt/image/MultiResolutionImageTest.java in two to allow
restricted access
- S8137571, PR1061: Linux HiDPI Graphics support
- S8142406, PR1061: [TEST] MultiResolution image: need test to cover
the case when @2x image is corrupted
- S8145188, PR2945: No LocalVariableTable generated for the entire JDK
- S8150258, PR1061: [TEST] HiDPI: create a test for multiresolution
menu items icons
- S8150724, PR1061: [TEST] HiDPI: create a test for multiresolution
icons
- S8150844, PR1061: [hidpi] [macosx] -Dsun.java2d.uiScale should be
taken into account for OS X
- S8151841, PR2882: Build needs additional flags to compile with GCC 6
[plus parts of 8149647 & 8032045]
- S8155613, PR1061: [PIT] crash in
AWT_Desktop/Automated/Exceptions/BasicTest
- S8156020, PR1061: 8145547 breaks AIX and uses RTLD_NOLOAD
incorrectly
- S8156128, PR1061: Tests for [AWT/Swing] Conditional support for GTK
3 on Linux
- S8158260, PR2991, RH1341258: PPC64: unaligned Unsafe.getInt can lead
to the generation of illegal instructions (bsc#988651)
- S8159244, PR3074: Partially initialized string object created by
C2's string concat optimization may escape
- S8159690, PR3077: [TESTBUG] Mark headful tests with @key headful.
- S8160294, PR2882, PR3095: Some client libraries cannot be built with
GCC 6
* Bug fixes
- PR1958: GTKLookAndFeel does not honor gtk-alternative-button-order
- PR2822: Feed LIBS & CFLAGS into configure rather than make to avoid
re-discovery by OpenJDK configure
- PR2932: Support ccache in a non-automagic manner
- PR2933: Support ccache 3.2 and later
- PR2964: Set system defaults based on OS
- PR2974, RH1337583: PKCS#10 certificate requests now use CRLF line
endings rather than system line endings
- PR3078: Remove duplicated line dating back to 6788347 and 6894807
- PR3083, RH1346460: Regression in SSL debug output without an ECC
provider
- PR3089: Remove old memory limits patch
- PR3090, RH1204159: SystemTap is heavily confused by multiple JDKs
- PR3095: Fix warnings in URLClassPath.c
- PR3096: Remove dead --disable-optimizations option
- PR3105: Use version from hotspot.map to create tarball filename
- PR3106: Handle both correctly-spelt property
"enableCustomValueHandler" introduced by S8079718 and typo version
- PR3108: Shenandoah patches not included in release tarball
- PR3110: Update hotspot.map documentation in INSTALL
* AArch64 port
- S8145320, PR3078: Create unsafe_arraycopy and generic_arraycopy for
AArch64
- S8148328, PR3078: aarch64: redundant lsr instructions in stub code.
- S8148783, PR3078: aarch64: SEGV running SpecJBB2013
- S8148948, PR3078: aarch64: generate_copy_longs calls align()
incorrectly
- S8149080, PR3078: AArch64: Recognise disjoint array copy in stub code
- S8149365, PR3078: aarch64: memory copy does not prefetch on
backwards copy
- S8149907, PR3078: aarch64: use load/store pair instructions in
call_stub
- S8150038, PR3078: aarch64: make use of CBZ and CBNZ when comparing
narrow pointer with zero
- S8150045, PR3078: arraycopy causes segfaults in SATB during garbage
collection
- S8150082, PR3078: aarch64: optimise small array copy
- S8150229, PR3078: aarch64: pipeline class for several instructions
is not set correctly
- S8150313, PR3078: aarch64: optimise array copy using SIMD
instructions
- S8150394, PR3078: aarch64: add support for 8.1 LSE CAS instructions
- S8151340, PR3078: aarch64: prefetch the destination word for write
prior to ldxr/stxr loops.
- S8151502, PR3078: optimize pd_disjoint_words and pd_conjoint_words
- S8151775, PR3078: aarch64: add support for 8.1 LSE atomic
operations
- S8152537, PR3078: aarch64: Make use of CBZ and CBNZ when comparing
unsigned values with zero.
- S8152840, PR3078: aarch64: improve _unsafe_arraycopy stub routine
- S8153713, PR3078: aarch64: improve short array clearing using store
pair
- S8153797, PR3078: aarch64: Add Arrays.fill stub code
- S8154537, PR3078: AArch64: some integer rotate instructions are
never emitted
- S8154739, PR3078: AArch64: TemplateTable::fast_xaccess loads in
wrong mode
- S8155015, PR3078: Aarch64: bad assert in spill generation code
- S8155100, PR3078: AArch64: Relax alignment requirement for
byte_map_base
- S8155612, PR3078: Aarch64: vector nodes need to support misaligned
offset
- S8155617, PR3078: aarch64: ClearArray does not use DC ZVA
- S8155653, PR3078: TestVectorUnalignedOffset.java not pushed with
8155612
- S8156731, PR3078: aarch64: java/util/Arrays/Correct.java fails due
to _generic_arraycopy stub routine
- S8157841, PR3078: aarch64: prefetch ignores cache line size
- S8157906, PR3078: aarch64: some more integer rotate instructions are
never emitted
- S8158913, PR3078: aarch64: SEGV running Spark terasort
- S8159052, PR3078: aarch64: optimise unaligned copies in
pd_disjoint_words and pd_conjoint_words
- S8159063, PR3078: aarch64: optimise unaligned array copy long
- PR3078: Cleanup remaining differences from aarch64/jdk8u tree
- Fix script linking /usr/share/javazi/tzdb.dat for platform where it
applies (bsc#987895)
- Fix aarch64 running with 48-bit VA space to avoid some crashes
(bsc#984684)
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-978=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.1 (i586 x86_64):
java-1_8_0-openjdk-1.8.0.101-15.1
java-1_8_0-openjdk-accessibility-1.8.0.101-15.1
java-1_8_0-openjdk-debuginfo-1.8.0.101-15.1
java-1_8_0-openjdk-debugsource-1.8.0.101-15.1
java-1_8_0-openjdk-demo-1.8.0.101-15.1
java-1_8_0-openjdk-demo-debuginfo-1.8.0.101-15.1
java-1_8_0-openjdk-devel-1.8.0.101-15.1
java-1_8_0-openjdk-devel-debuginfo-1.8.0.101-15.1
java-1_8_0-openjdk-headless-1.8.0.101-15.1
java-1_8_0-openjdk-headless-debuginfo-1.8.0.101-15.1
java-1_8_0-openjdk-src-1.8.0.101-15.1
- openSUSE Leap 42.1 (noarch):
java-1_8_0-openjdk-javadoc-1.8.0.101-15.1
References:
https://www.suse.com/security/cve/CVE-2016-3458.html
https://www.suse.com/security/cve/CVE-2016-3485.html
https://www.suse.com/security/cve/CVE-2016-3498.html
https://www.suse.com/security/cve/CVE-2016-3500.html
https://www.suse.com/security/cve/CVE-2016-3503.html
https://www.suse.com/security/cve/CVE-2016-3508.html
https://www.suse.com/security/cve/CVE-2016-3511.html
https://www.suse.com/security/cve/CVE-2016-3550.html
https://www.suse.com/security/cve/CVE-2016-3552.html
https://www.suse.com/security/cve/CVE-2016-3587.html
https://www.suse.com/security/cve/CVE-2016-3598.html
https://www.suse.com/security/cve/CVE-2016-3606.html
https://www.suse.com/security/cve/CVE-2016-3610.html
https://bugzilla.suse.com/984684
https://bugzilla.suse.com/987895
https://bugzilla.suse.com/988651
https://bugzilla.suse.com/989721
https://bugzilla.suse.com/989722
https://bugzilla.suse.com/989723
https://bugzilla.suse.com/989725
https://bugzilla.suse.com/989726
https://bugzilla.suse.com/989727
https://bugzilla.suse.com/989728
https://bugzilla.suse.com/989729
https://bugzilla.suse.com/989730
https://bugzilla.suse.com/989731
https://bugzilla.suse.com/989732
https://bugzilla.suse.com/989733
https://bugzilla.suse.com/989734
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
[security-announce] openSUSE-SU-2016:2050-1: important: Security update for java-1_7_0-openjdk
by opensuse-security@opensuse.org 11 Aug '16
openSUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2050-1
Rating: important
References: #988651 #989722 #989723 #989725 #989727 #989728
#989729 #989730 #989731 #989732 #989733 #989734
Cross-References: CVE-2016-3458 CVE-2016-3485 CVE-2016-3498
CVE-2016-3500 CVE-2016-3503 CVE-2016-3508
CVE-2016-3511 CVE-2016-3550 CVE-2016-3598
CVE-2016-3606 CVE-2016-3610
Affected Products:
openSUSE 13.2
______________________________________________________________________________
An update that solves 11 vulnerabilities and has one erratum
is now available.
Description:
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.7 - OpenJDK 7u111
* Security fixes
- S8079718, CVE-2016-3458: IIOP Input Stream Hooking (bsc#989732)
- S8145446, CVE-2016-3485: Perfect pipe placement (Windows
only) (bsc#989734)
- S8147771: Construction of static protection domains under Javax
custom policy
- S8148872, CVE-2016-3500: Complete name checking (bsc#989730)
- S8149962, CVE-2016-3508: Better delineation of XML processing
(bsc#989731)
- S8150752: Share Class Data
- S8151925: Font reference improvements
- S8152479, CVE-2016-3550: Coded byte streams (bsc#989733)
- S8155981, CVE-2016-3606: Bolster bytecode verification (bsc#989722)
- S8155985, CVE-2016-3598: Persistent Parameter Processing (bsc#989723)
- S8158571, CVE-2016-3610: Additional method handle validation
(bsc#989725)
- CVE-2016-3511 (bsc#989727)
- CVE-2016-3503 (bsc#989728)
- CVE-2016-3498 (bsc#989729)
* Import of OpenJDK 7 u111 build 0
- S6953295: Move few sun.security.{util, x509, pkcs} classes used by
keytool/jarsigner to another package
- S7060849: Eliminate pack200 build warnings
- S7064075: Security libraries don't build with javac
-Xlint:all,-deprecation -Werror
- S7069870: Parts of the JDK erroneously rely on generic array
initializers with diamond
- S7102686: Restructure timestamp code so that jars and modules can
more easily share the same code
- S7105780: Add SSLSocket client/SSLEngine server to templates
directory
- S7142339: PKCS7.java is needlessly creating SHA1PRNG SecureRandom
instances when timestamping is not done
- S7152582: PKCS11 tests should use the NSS libraries available in the
OS
- S7192202: Make sure keytool prints both unknown and unparseable
extensions
- S7194449: String resources for Key Tool and Policy Tool should be in
their respective packages
- S7196855: autotest.sh fails on ubuntu because libsoftokn.so not found
- S7200682: TEST_BUG: keytool/autotest.sh still has problems with
libsoftokn.so
- S8002306: (se) Selector.open fails if invoked with thread interrupt
status set [win]
- S8009636: JARSigner including TimeStamp PolicyID (TSAPolicyID) as
defined in RFC3161
- S8019341: Update CookieHttpsClientTest to use the newer framework.
- S8022228: Intermittent test failures in
sun/security/ssl/javax/net/ssl/NewAPIs
- S8022439: Fix lint warnings in sun.security.ec
- S8022594: Potential deadlock in <clinit> of sun.nio.ch.Util/IOUtil
- S8023546: sun/security/mscapi/ShortRSAKey1024.sh fails intermittently
- S8036612: [parfait] JNI exception pending in
jdk/src/windows/native/sun/security/mscapi/security.cpp
- S8037557: test SessionCacheSizeTests.java timeout
- S8038837: Add support to jarsigner for specifying timestamp hash
algorithm
- S8079410: Hotspot version to share the same update and build version
from JDK
- S8130735: javax.swing.TimerQueue: timer fires late when another
timer starts
- S8139436: sun.security.mscapi.KeyStore might load incomplete data
- S8144313: Test SessionTimeOutTests can be timeout
- S8146387: Test SSLSession/SessionCacheSizeTests socket accept timed
out
- S8146669: Test SessionTimeOutTests fails intermittently
- S8146993: Several javax/management/remote/mandatory regression tests
fail after JDK-8138811
- S8147857: [TEST] RMIConnector logs attribute names incorrectly
- S8151841, PR3098: Build needs additional flags to compile with GCC 6
- S8151876: (tz) Support tzdata2016d
- S8157077: 8u101 L10n resource file updates
- S8161262: Fix jdk build with gcc 4.1.2: -fno-strict-overflow not
known.
* Import of OpenJDK 7 u111 build 1
- S7081817:
test/sun/security/provider/certpath/X509CertPath/IllegalCertificates.java
failing
- S8140344: add support for 3 digit update release numbers
- S8145017: Add support for 3 digit hotspot minor version numbers
- S8162344: The API changes made by CR 7064075 need to be reverted
* Backports
- S2178143, PR2958: JVM crashes if the number of bound CPUs changed
during runtime
- S4900206, PR3101: Include worst-case rounding tests for Math library
functions
- S6260348, PR3067: GTK+ L&F JTextComponent not respecting desktop
caret blink rate
- S6934604, PR3075: enable parts of EliminateAutoBox by default
- S7043064, PR3020: sun/java2d/cmm/ tests failed against RI b141 &
b138-nightly
- S7051394, PR3020: NullPointerException when running regression tests
LoadProfileTest by using openjdk-7-b144
- S7086015, PR3013: fix
test/tools/javac/parser/netbeans/JavacParserTest.java
- S7119487, PR3013: JavacParserTest.java test fails on Windows
platforms
- S7124245, PR3020: [lcms] ColorConvertOp to color space CS_GRAY
apparently converts orange to 244,244,0
- S7159445, PR3013: (javac) emits inaccurate diagnostics for enhanced
for-loops
- S7175845, PR1437, RH1207129: 'jar uf' changes file permissions
unexpectedly
- S8005402, PR3020: Need to provide benchmarks for color management
- S8005530, PR3020: [lcms] Improve performance of ColorConverOp for
default destinations
- S8005930, PR3020: [lcms] ColorConvertOp: Alpha channel is not
transferred from source to destination.
- S8013430, PR3020: REGRESSION:
closed/java/awt/color/ICC_Profile/LoadProfileTest/LoadProfileTest.java
fails with java.io.StreamCorruptedException: invalid type code: EE since
8b87
- S8014286, PR3075: failed java/lang/Math/DivModTests.java after
6934604 changes
- S8014959, PR3075: assert(Compile::current()->live_nodes() <
(uint)MaxNodeLimit) failed: Live Node limit exceeded limit
- S8019247, PR3075: SIGSEGV in compiled method
c8e.e.t_.getArray(Ljava/lang/Class;)[Ljava/lang/Object
- S8024511, PR3020: Crash during color profile destruction
- S8025429, PR3020: [parfait] warnings from b107 for sun.java2d.cmm:
JNI exception pending
- S8026702, PR3020: Fix for 8025429 breaks jdk build on windows
- S8026780, PR3020, RH1142587: Crash on PPC and PPC v2 for Java_awt
test suite
- S8047066, PR3020: Test test/sun/awt/image/bug8038000.java fails with
ClassCastException
- S8069181, PR3012, RH1015612: java.lang.AssertionError when compiling
JDK 1.4 code in JDK 8
- S8158260, PR2992, RH1341258: PPC64: unaligned Unsafe.getInt can lead
to the generation of illegal instructions (bsc#988651)
- S8159244, PR3075: Partially initialized string object created by
C2's string concat optimization may escape
* Bug fixes
- PR2799, RH1195203: Files are missing from resources.jar
- PR2900: Don't use WithSeed versions of NSS functions as they don't
fully process the seed
- PR3091: SystemTap is heavily confused by multiple JDKs
- PR3102: Extend 8022594 to AixPollPort
- PR3103: Handle case in clean-fonts where
linux.fontconfig.Gentoo.properties.old has not been created
- PR3111: Provide option to disable SystemTap tests
- PR3114: Don't assume system mime.types supports text/x-java-source
- PR3115: Add check for elliptic curve cryptography implementation
- PR3116: Add tests for Java debug info and source files
- PR3118: Path to agpl-3.0.txt not updated
- PR3119: Makefile handles cacerts as a symlink, but the configure
check doesn't
* AArch64 port
- S8148328, PR3100: aarch64: redundant lsr instructions in stub code.
- S8148783, PR3100: aarch64: SEGV running SpecJBB2013
- S8148948, PR3100: aarch64: generate_copy_longs calls align()
incorrectly
- S8150045, PR3100: arraycopy causes segfaults in SATB during garbage
collection
- S8154537, PR3100: AArch64: some integer rotate instructions are
never emitted
- S8154739, PR3100: AArch64: TemplateTable::fast_xaccess loads in
wrong mode
- S8157906, PR3100: aarch64: some more integer rotate instructions are
never emitted
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-976=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
java-1_7_0-openjdk-1.7.0.111-25.1
java-1_7_0-openjdk-accessibility-1.7.0.111-25.1
java-1_7_0-openjdk-bootstrap-1.7.0.111-25.1
java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.111-25.1
java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.111-25.1
java-1_7_0-openjdk-bootstrap-devel-1.7.0.111-25.1
java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.111-25.1
java-1_7_0-openjdk-bootstrap-headless-1.7.0.111-25.1
java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.111-25.1
java-1_7_0-openjdk-debuginfo-1.7.0.111-25.1
java-1_7_0-openjdk-debugsource-1.7.0.111-25.1
java-1_7_0-openjdk-demo-1.7.0.111-25.1
java-1_7_0-openjdk-demo-debuginfo-1.7.0.111-25.1
java-1_7_0-openjdk-devel-1.7.0.111-25.1
java-1_7_0-openjdk-devel-debuginfo-1.7.0.111-25.1
java-1_7_0-openjdk-headless-1.7.0.111-25.1
java-1_7_0-openjdk-headless-debuginfo-1.7.0.111-25.1
java-1_7_0-openjdk-src-1.7.0.111-25.1
- openSUSE 13.2 (noarch):
java-1_7_0-openjdk-javadoc-1.7.0.111-25.1
References:
https://www.suse.com/security/cve/CVE-2016-3458.html
https://www.suse.com/security/cve/CVE-2016-3485.html
https://www.suse.com/security/cve/CVE-2016-3498.html
https://www.suse.com/security/cve/CVE-2016-3500.html
https://www.suse.com/security/cve/CVE-2016-3503.html
https://www.suse.com/security/cve/CVE-2016-3508.html
https://www.suse.com/security/cve/CVE-2016-3511.html
https://www.suse.com/security/cve/CVE-2016-3550.html
https://www.suse.com/security/cve/CVE-2016-3598.html
https://www.suse.com/security/cve/CVE-2016-3606.html
https://www.suse.com/security/cve/CVE-2016-3610.html
https://bugzilla.suse.com/988651
https://bugzilla.suse.com/989722
https://bugzilla.suse.com/989723
https://bugzilla.suse.com/989725
https://bugzilla.suse.com/989727
https://bugzilla.suse.com/989728
https://bugzilla.suse.com/989729
https://bugzilla.suse.com/989730
https://bugzilla.suse.com/989731
https://bugzilla.suse.com/989732
https://bugzilla.suse.com/989733
https://bugzilla.suse.com/989734
[security-announce] openSUSE-SU-2016:2036-1: important: Security update for libarchive
by opensuse-security@opensuse.org 11 Aug '16
openSUSE Security Update: Security update for libarchive
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2036-1
Rating: important
References: #984990 #985609 #985665 #985669 #985673 #985675
#985679 #985682 #985685 #985688 #985689 #985697
#985698 #985700 #985703 #985704 #985706 #985826
#985832 #985835
Cross-References: CVE-2015-8918 CVE-2015-8919 CVE-2015-8920
CVE-2015-8921 CVE-2015-8922 CVE-2015-8923
CVE-2015-8924 CVE-2015-8925 CVE-2015-8926
CVE-2015-8928 CVE-2015-8929 CVE-2015-8930
CVE-2015-8931 CVE-2015-8932 CVE-2015-8933
CVE-2015-8934 CVE-2016-4300 CVE-2016-4301
CVE-2016-4302 CVE-2016-4809
Affected Products:
openSUSE Leap 42.1
______________________________________________________________________________
An update that fixes 20 vulnerabilities is now available.
Description:
libarchive was updated to fix 20 security issues.
These security issues were fixed:
- CVE-2015-8918: Overlapping memcpy in CAB parser (bsc#985698).
- CVE-2015-8919: Heap out of bounds read in LHA/LZH parser (bsc#985697).
- CVE-2015-8920: Stack out of bounds read in ar parser (bsc#985675).
- CVE-2015-8921: Global out of bounds read in mtree parser (bsc#985682).
- CVE-2015-8922: Null pointer access in 7z parser (bsc#985685).
- CVE-2015-8923: Unclear crashes in ZIP parser (bsc#985703).
- CVE-2015-8924: Heap buffer read overflow in tar (bsc#985609).
- CVE-2015-8925: Unclear invalid memory read in mtree parser (bsc#985706).
- CVE-2015-8926: NULL pointer access in RAR parser (bsc#985704).
- CVE-2015-8928: Heap out of bounds read in mtree parser (bsc#985679).
- CVE-2015-8929: Memory leak in tar parser (bsc#985669).
- CVE-2015-8930: Endless loop in ISO parser (bsc#985700).
- CVE-2015-8931: Undefined behavior / signed integer overflow in mtree
parser (bsc#985689).
- CVE-2015-8932: Compress handler left shifting larger than int size
(bsc#985665).
- CVE-2015-8933: Undefined behavior / signed integer overflow in TAR
parser (bsc#985688).
- CVE-2015-8934: Out of bounds read in RAR (bsc#985673).
- CVE-2016-4300: Heap buffer overflow vulnerability in the 7zip
read_SubStreamsInfo (bsc#985832).
- CVE-2016-4301: Stack buffer overflow in the mtree parse_device
(bsc#985826).
- CVE-2016-4302: Heap buffer overflow in the Rar decompression
functionality (bsc#985835).
- CVE-2016-4809: Memory allocation error with symbolic links in cpio
archives (bsc#984990).
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-969=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.1 (i586 x86_64):
bsdtar-3.1.2-13.2
bsdtar-debuginfo-3.1.2-13.2
libarchive-debugsource-3.1.2-13.2
libarchive-devel-3.1.2-13.2
libarchive13-3.1.2-13.2
libarchive13-debuginfo-3.1.2-13.2
- openSUSE Leap 42.1 (x86_64):
libarchive13-32bit-3.1.2-13.2
libarchive13-debuginfo-32bit-3.1.2-13.2
References:
https://www.suse.com/security/cve/CVE-2015-8918.html
https://www.suse.com/security/cve/CVE-2015-8919.html
https://www.suse.com/security/cve/CVE-2015-8920.html
https://www.suse.com/security/cve/CVE-2015-8921.html
https://www.suse.com/security/cve/CVE-2015-8922.html
https://www.suse.com/security/cve/CVE-2015-8923.html
https://www.suse.com/security/cve/CVE-2015-8924.html
https://www.suse.com/security/cve/CVE-2015-8925.html
https://www.suse.com/security/cve/CVE-2015-8926.html
https://www.suse.com/security/cve/CVE-2015-8928.html
https://www.suse.com/security/cve/CVE-2015-8929.html
https://www.suse.com/security/cve/CVE-2015-8930.html
https://www.suse.com/security/cve/CVE-2015-8931.html
https://www.suse.com/security/cve/CVE-2015-8932.html
https://www.suse.com/security/cve/CVE-2015-8933.html
https://www.suse.com/security/cve/CVE-2015-8934.html
https://www.suse.com/security/cve/CVE-2016-4300.html
https://www.suse.com/security/cve/CVE-2016-4301.html
https://www.suse.com/security/cve/CVE-2016-4302.html
https://www.suse.com/security/cve/CVE-2016-4809.html
https://bugzilla.suse.com/984990
https://bugzilla.suse.com/985609
https://bugzilla.suse.com/985665
https://bugzilla.suse.com/985669
https://bugzilla.suse.com/985673
https://bugzilla.suse.com/985675
https://bugzilla.suse.com/985679
https://bugzilla.suse.com/985682
https://bugzilla.suse.com/985685
https://bugzilla.suse.com/985688
https://bugzilla.suse.com/985689
https://bugzilla.suse.com/985697
https://bugzilla.suse.com/985698
https://bugzilla.suse.com/985700
https://bugzilla.suse.com/985703
https://bugzilla.suse.com/985704
https://bugzilla.suse.com/985706
https://bugzilla.suse.com/985826
https://bugzilla.suse.com/985832
https://bugzilla.suse.com/985835
--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security-announce+help(a)opensuse.org
[security-announce] openSUSE-SU-2016:2028-1: important: Security update for hawk2
by opensuse-security@opensuse.org 11 Aug '16
openSUSE Security Update: Security update for hawk2
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2028-1
Rating: important
References: #984619 #987696
Affected Products:
openSUSE Leap 42.1
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for hawk2 fixes one security issue and one bug.
The following security change is included:
- To prevent Clickjacking attacks, set Content-Security-Policy to
frame-ancestors 'self' (bsc#984619)
The following non-security issue was fixed:
- In the Wizards UI, prevent text display issues due to
internationalization with certain strings (bsc#987696)
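A defender-side check for the clickjacking mitigation described above, added here as an example and not hawk2's own code: it parses a Content-Security-Policy header and verifies that frame-ancestors is limited to 'self' or 'none'. The header sets at the bottom are constructed to mirror a response without the fix and one with it.

```python
"""Check whether an HTTP response's headers prevent clickjacking.

Added example, not hawk2's own code. It parses Content-Security-Policy
and checks that frame-ancestors is restricted to 'self' or 'none'; a
missing header, a missing directive, or a permissive value (e.g. '*'
or an extra host) is flagged. The sample header sets are constructed.
"""
from typing import Dict, List, Optional


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [sources...]}.

    Directives are separated by ';', directive name and sources by
    whitespace. Names are case-insensitive; the first occurrence of a
    directive wins, as the CSP spec requires.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def frame_ancestors_is_restrictive(headers: Dict[str, str]) -> bool:
    """Return True when framing is limited to the same origin or denied.

    Header names are matched case-insensitively. Only CSP frame-ancestors
    is evaluated; X-Frame-Options is ignored because frame-ancestors
    takes precedence in browsers that support it.
    """
    csp: Optional[str] = None
    for name, val in headers.items():
        if name.lower() == "content-security-policy":
            csp = val
            break
    if csp is None:
        return False  # no policy at all: any site may frame the page
    sources = parse_csp(csp).get("frame-ancestors")
    if sources is None:
        return False  # CSP present but does not constrain framing
    # An empty source list matches nothing (equivalent to 'none').
    # Any '*', scheme or host entry would let another origin embed us.
    return all(src.lower() in ("'self'", "'none'") for src in sources)


# Constructed samples: the pre-fix response carries no CSP, the post-fix
# response carries the header the advisory describes.
BEFORE_FIX = {"Content-Type": "text/html"}
AFTER_FIX = {"Content-Type": "text/html",
             "Content-Security-Policy": "frame-ancestors 'self'"}
```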
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-971=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.1 (i586 x86_64):
hawk2-1.0.1+git.1456406635.49e230d-5.1
hawk2-debuginfo-1.0.1+git.1456406635.49e230d-5.1
hawk2-debugsource-1.0.1+git.1456406635.49e230d-5.1
References:
https://bugzilla.suse.com/984619
https://bugzilla.suse.com/987696
[security-announce] openSUSE-SU-2016:2026-1: important: Security update for MozillaFirefox, mozilla-nss
by opensuse-security@opensuse.org 10 Aug '16
openSUSE Security Update: Security update for MozillaFirefox, mozilla-nss
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2026-1
Rating: important
References: #984126 #984403 #984637 #986541 #991809
Cross-References: CVE-2016-0718 CVE-2016-2830 CVE-2016-2835
CVE-2016-2836 CVE-2016-2837 CVE-2016-2838
CVE-2016-2839 CVE-2016-5250 CVE-2016-5251
CVE-2016-5252 CVE-2016-5254 CVE-2016-5255
CVE-2016-5258 CVE-2016-5259 CVE-2016-5260
CVE-2016-5261 CVE-2016-5262 CVE-2016-5263
CVE-2016-5264 CVE-2016-5265 CVE-2016-5266
CVE-2016-5268
Affected Products:
openSUSE 13.1
______________________________________________________________________________
An update that fixes 22 vulnerabilities is now available.
Description:
Mozilla Firefox was updated to 48.0 to fix security issues, bugs, and
deliver various improvements.
The following major changes are included:
- Process separation (e10s) is enabled for some users
- Add-ons that have not been verified and signed by Mozilla will not load
- WebRTC enhancements
- The media parser has been redeveloped using the Rust programming language
- better Canvas performance with speedy Skia support
- Now requires NSS 3.24
The following security issues were fixed: (boo#991809)
- CVE-2016-2835/CVE-2016-2836: Miscellaneous memory safety hazards
- CVE-2016-2830: Favicon network connection can persist when page is closed
- CVE-2016-2838: Buffer overflow rendering SVG with bidirectional content
- CVE-2016-2839: Cairo rendering crash due to memory allocation issue with
FFmpeg 0.10
- CVE-2016-5251: Location bar spoofing via data URLs with
malformed/invalid mediatypes
- CVE-2016-5252: Stack underflow during 2D graphics rendering
- CVE-2016-0718: Out-of-bounds read during XML parsing in Expat library
- CVE-2016-5254: Use-after-free when using alt key and toplevel menus
- CVE-2016-5255: Crash in incremental garbage collection in JavaScript
- CVE-2016-5258: Use-after-free in DTLS during WebRTC session shutdown
- CVE-2016-5259: Use-after-free in service workers with nested sync events
- CVE-2016-5260: Form input type change from password to text can store
plain text password in session restore file
- CVE-2016-5261: Integer overflow in WebSockets during data buffering
- CVE-2016-5262: Scripts on marquee tag can execute in sandboxed iframes
- CVE-2016-2837: Buffer overflow in ClearKey Content Decryption Module
(CDM) during video playback
- CVE-2016-5263: Type confusion in display transformation
- CVE-2016-5264: Use-after-free when applying SVG effects
- CVE-2016-5265: Same-origin policy violation using local HTML file and
saved shortcut file
- CVE-2016-5266: Information disclosure and local file manipulation
through drag and drop
- CVE-2016-5268: Spoofing attack through text injection into internal
error pages
- CVE-2016-5250: Information disclosure through Resource Timing API during
page navigation
The following non-security changes are included:
- The AppData description and screenshots were updated.
- Fix Firefox crash on startup on i586 (boo#986541)
- The Selenium WebDriver may have caused Firefox to crash at startup
- fix build issues with gcc/binutils combination used in Leap 42.2
(boo#984637)
- Fix running on 48bit va aarch64 (boo#984126)
- fix XUL dialog button order under KDE session (boo#984403)
Mozilla NSS was updated to 3.24 as a dependency.
Changes in mozilla-nss:
- NSS softoken updated with latest NIST guidance
- NSS softoken updated to allow NSS to run in FIPS Level 1 (no password)
- Various added and deprecated functions
- Remove most code related to SSL v2, including the ability to actively
send a SSLv2-compatible client hello.
- Protect against the Cachebleed attack.
- Disable support for DTLS compression.
- Improve support for TLS 1.3. This includes support for DTLS 1.3.
(experimental)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.1:
zypper in -t patch 2016-960=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.1 (i586 x86_64):
MozillaFirefox-48.0-119.1
MozillaFirefox-branding-upstream-48.0-119.1
MozillaFirefox-buildsymbols-48.0-119.1
MozillaFirefox-debuginfo-48.0-119.1
MozillaFirefox-debugsource-48.0-119.1
MozillaFirefox-devel-48.0-119.1
MozillaFirefox-translations-common-48.0-119.1
MozillaFirefox-translations-other-48.0-119.1
libfreebl3-3.24-83.1
libfreebl3-debuginfo-3.24-83.1
libsoftokn3-3.24-83.1
libsoftokn3-debuginfo-3.24-83.1
mozilla-nss-3.24-83.1
mozilla-nss-certs-3.24-83.1
mozilla-nss-certs-debuginfo-3.24-83.1
mozilla-nss-debuginfo-3.24-83.1
mozilla-nss-debugsource-3.24-83.1
mozilla-nss-devel-3.24-83.1
mozilla-nss-sysinit-3.24-83.1
mozilla-nss-sysinit-debuginfo-3.24-83.1
mozilla-nss-tools-3.24-83.1
mozilla-nss-tools-debuginfo-3.24-83.1
- openSUSE 13.1 (x86_64):
libfreebl3-32bit-3.24-83.1
libfreebl3-debuginfo-32bit-3.24-83.1
libsoftokn3-32bit-3.24-83.1
libsoftokn3-debuginfo-32bit-3.24-83.1
mozilla-nss-32bit-3.24-83.1
mozilla-nss-certs-32bit-3.24-83.1
mozilla-nss-certs-debuginfo-32bit-3.24-83.1
mozilla-nss-debuginfo-32bit-3.24-83.1
mozilla-nss-sysinit-32bit-3.24-83.1
mozilla-nss-sysinit-debuginfo-32bit-3.24-83.1
References:
https://www.suse.com/security/cve/CVE-2016-0718.html
https://www.suse.com/security/cve/CVE-2016-2830.html
https://www.suse.com/security/cve/CVE-2016-2835.html
https://www.suse.com/security/cve/CVE-2016-2836.html
https://www.suse.com/security/cve/CVE-2016-2837.html
https://www.suse.com/security/cve/CVE-2016-2838.html
https://www.suse.com/security/cve/CVE-2016-2839.html
https://www.suse.com/security/cve/CVE-2016-5250.html
https://www.suse.com/security/cve/CVE-2016-5251.html
https://www.suse.com/security/cve/CVE-2016-5252.html
https://www.suse.com/security/cve/CVE-2016-5254.html
https://www.suse.com/security/cve/CVE-2016-5255.html
https://www.suse.com/security/cve/CVE-2016-5258.html
https://www.suse.com/security/cve/CVE-2016-5259.html
https://www.suse.com/security/cve/CVE-2016-5260.html
https://www.suse.com/security/cve/CVE-2016-5261.html
https://www.suse.com/security/cve/CVE-2016-5262.html
https://www.suse.com/security/cve/CVE-2016-5263.html
https://www.suse.com/security/cve/CVE-2016-5264.html
https://www.suse.com/security/cve/CVE-2016-5265.html
https://www.suse.com/security/cve/CVE-2016-5266.html
https://www.suse.com/security/cve/CVE-2016-5268.html
https://bugzilla.suse.com/984126
https://bugzilla.suse.com/984403
https://bugzilla.suse.com/984637
https://bugzilla.suse.com/986541
https://bugzilla.suse.com/991809
[security-announce] openSUSE-SU-2016:2025-1: important: Important security fixes for Typo3
by opensuse-security@opensuse.org 10 Aug '16
openSUSE Security Update: Important security fixes for Typo3
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2025-1
Rating: important
References:
Cross-References: CVE-2013-4701 CVE-2013-7073 CVE-2014-3941
Affected Products:
openSUSE 13.1
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
Important security fixes for vulnerabilities in typo3 which can be used
for Cross-Site Scripting or Denial of Service attacks or for
authentication bypassing.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- openSUSE 13.1:
zypper in -t patch 2016-959=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.1 (noarch):
typo3-cms-4_5-4.5.40-2.7.1
typo3-cms-4_7-4.7.20-3.3.1
References:
https://www.suse.com/security/cve/CVE-2013-4701.html
https://www.suse.com/security/cve/CVE-2013-7073.html
https://www.suse.com/security/cve/CVE-2014-3941.html
[security-announce] SUSE-SU-2016:2018-1: important: Security update for the Linux Kernel
by opensuse-security@opensuse.org 09 Aug '16
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:2018-1
Rating: important
References: #909589 #954847 #971030 #974620 #979915 #982544
#983721 #984755 #986362 #986572 #988498
Cross-References: CVE-2016-4470 CVE-2016-4997 CVE-2016-5829
Affected Products:
SUSE Linux Enterprise Software Development Kit 11-SP4
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Server 11-EXTRA
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________
An update that solves three vulnerabilities and has 8 fixes
is now available.
Description:
The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security and bugfixes.
The following security bugs were fixed:
- CVE-2016-5829: Multiple heap-based buffer overflows in the
hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux
kernel allowed local users to cause a denial of service or possibly have
unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)
HIDIOCSUSAGES ioctl call (bnc#986572).
- CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation
in the netfilter subsystem in the Linux kernel allowed local users to
gain privileges or cause a denial of service (memory corruption) by
leveraging in-container root access to provide a crafted offset value
that triggers an unintended decrement (bnc#986362).
- CVE-2016-4470: The key_reject_and_link function in security/keys/key.c
in the Linux kernel did not ensure that a certain data structure is
initialized, which allowed local users to cause a denial of service
(system crash) via vectors involving a crafted keyctl request2 command
(bnc#984755).
The following non-security bugs were fixed:
- RDMA/cxgb4: Configure 0B MRs to match HW implementation (bsc#909589).
- RDMA/cxgb4: Do not hang threads forever waiting on WR replies
(bsc#909589).
- RDMA/cxgb4: Fix locking issue in process_mpa_request (bsc#909589).
- RDMA/cxgb4: Handle NET_XMIT return codes (bsc#909589).
- RDMA/cxgb4: Increase epd buff size for debug interface (bsc#909589).
- RDMA/cxgb4: Limit MRs to less than 8GB for T4/T5 devices (bsc#909589).
- RDMA/cxgb4: Serialize CQ event upcalls with CQ destruction (bsc#909589).
- RDMA/cxgb4: Wake up waiters after flushing the qp (bsc#909589).
- bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit (bsc#982544).
- iucv: call skb_linearize() when needed (bnc#979915, LTC#141240).
- kabi: prevent spurious modversion changes after bsc#982544 fix
(bsc#982544).
- mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721).
- mm: Fix DIF failures on ext3 filesystems (bsc#971030).
- net/qlge: Avoids recursive EEH error (bsc#954847).
- netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in
br_validate_ipv6 (bsc#982544).
- netfilter: bridge: do not leak skb in error paths (bsc#982544).
- netfilter: bridge: forward IPv6 fragmented packets (bsc#982544).
- qeth: delete napi struct when removing a qeth device (bnc#979915,
LTC#143590).
- s390/mm: fix asce_bits handling with dynamic pagetable levels
(bnc#979915, LTC#141456).
- s390/pci: fix use after free in dma_init (bnc#979915, LTC#141626).
- s390: fix test_fp_ctl inline assembly constraints (bnc#979915,
LTC#143138).
- sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency
(bnc#988498).
- sched/cputime: Fix cpu_timer_sample_group() double accounting
(bnc#988498).
- sched: Provide update_curr callbacks for stop/idle scheduling classes
(bnc#988498).
- x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11-SP4:
zypper in -t patch sdksp4-kernel-12685=1
- SUSE Linux Enterprise Server 11-SP4:
zypper in -t patch slessp4-kernel-12685=1
- SUSE Linux Enterprise Server 11-EXTRA:
zypper in -t patch slexsp3-kernel-12685=1
- SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-kernel-12685=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch):
kernel-docs-3.0.101-80.2
- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
kernel-default-3.0.101-80.1
kernel-default-base-3.0.101-80.1
kernel-default-devel-3.0.101-80.1
kernel-source-3.0.101-80.1
kernel-syms-3.0.101-80.1
kernel-trace-3.0.101-80.1
kernel-trace-base-3.0.101-80.1
kernel-trace-devel-3.0.101-80.1
- SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):
kernel-ec2-3.0.101-80.1
kernel-ec2-base-3.0.101-80.1
kernel-ec2-devel-3.0.101-80.1
kernel-xen-3.0.101-80.1
kernel-xen-base-3.0.101-80.1
kernel-xen-devel-3.0.101-80.1
- SUSE Linux Enterprise Server 11-SP4 (s390x):
kernel-default-man-3.0.101-80.1
- SUSE Linux Enterprise Server 11-SP4 (ppc64):
kernel-ppc64-3.0.101-80.1
kernel-ppc64-base-3.0.101-80.1
kernel-ppc64-devel-3.0.101-80.1
- SUSE Linux Enterprise Server 11-SP4 (i586):
kernel-pae-3.0.101-80.1
kernel-pae-base-3.0.101-80.1
kernel-pae-devel-3.0.101-80.1
- SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):
kernel-default-extra-3.0.101-80.1
- SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):
kernel-xen-extra-3.0.101-80.1
- SUSE Linux Enterprise Server 11-EXTRA (x86_64):
kernel-trace-extra-3.0.101-80.1
- SUSE Linux Enterprise Server 11-EXTRA (ppc64):
kernel-ppc64-extra-3.0.101-80.1
- SUSE Linux Enterprise Server 11-EXTRA (i586):
kernel-pae-extra-3.0.101-80.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
kernel-default-debuginfo-3.0.101-80.1
kernel-default-debugsource-3.0.101-80.1
kernel-trace-debuginfo-3.0.101-80.1
kernel-trace-debugsource-3.0.101-80.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 s390x x86_64):
kernel-default-devel-debuginfo-3.0.101-80.1
kernel-trace-devel-debuginfo-3.0.101-80.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):
kernel-ec2-debuginfo-3.0.101-80.1
kernel-ec2-debugsource-3.0.101-80.1
kernel-xen-debuginfo-3.0.101-80.1
kernel-xen-debugsource-3.0.101-80.1
kernel-xen-devel-debuginfo-3.0.101-80.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):
kernel-ppc64-debuginfo-3.0.101-80.1
kernel-ppc64-debugsource-3.0.101-80.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586):
kernel-pae-debuginfo-3.0.101-80.1
kernel-pae-debugsource-3.0.101-80.1
kernel-pae-devel-debuginfo-3.0.101-80.1
References:
https://www.suse.com/security/cve/CVE-2016-4470.html
https://www.suse.com/security/cve/CVE-2016-4997.html
https://www.suse.com/security/cve/CVE-2016-5829.html
https://bugzilla.suse.com/909589
https://bugzilla.suse.com/954847
https://bugzilla.suse.com/971030
https://bugzilla.suse.com/974620
https://bugzilla.suse.com/979915
https://bugzilla.suse.com/982544
https://bugzilla.suse.com/983721
https://bugzilla.suse.com/984755
https://bugzilla.suse.com/986362
https://bugzilla.suse.com/986572
https://bugzilla.suse.com/988498