   SUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:1422-1
Rating:             important
References:         #901242
Cross-References:   CVE-2014-6457 CVE-2014-6502 CVE-2014-6504
                    CVE-2014-6506 CVE-2014-6511 CVE-2014-6512
                    CVE-2014-6513 CVE-2014-6517 CVE-2014-6519
                    CVE-2014-6531 CVE-2014-6558
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:

   OpenJDK was updated to icedtea 2.5.3 (OpenJDK 7u71) fixing security
   issues and bugs.

   * Security:
     - S8015256: Better class accessibility
     - S8022783, CVE-2014-6504: Optimize C2 optimizations
     - S8035162: Service printing service
     - S8035781: Improve equality for annotations
     - S8036805: Correct linker method lookup.
     - S8036810: Correct linker field lookup
     - S8036936: Use local locales
     - S8037066, CVE-2014-6457: Secure transport layer
     - S8037846, CVE-2014-6558: Ensure streaming of input cipher streams
     - S8038364: Use certificate exceptions correctly
     - S8038899: Safer safepoints
     - S8038903: More native monitor monitoring
     - S8038908: Make Signature more robust
     - S8038913: Bolster XML support
     - S8039509, CVE-2014-6512: Wrap sockets more thoroughly
     - S8039533, CVE-2014-6517: Higher resolution resolvers
     - S8041540, CVE-2014-6511: Better use of pages in font processing
     - S8041529: Better parameterization of parameter lists
     - S8041545: Better validation of generated rasters
     - S8041564, CVE-2014-6506: Improved management of logger resources
     - S8041717, CVE-2014-6519: Issue with class file parser
     - S8042609, CVE-2014-6513: Limit splashiness of splash images
     - S8042797, CVE-2014-6502: Avoid strawberries in LogRecord
     - S8044274, CVE-2014-6531: Proper property processing

   * Backports:
     - S4963723: Implement SHA-224
     - S7044060: Need to support NSA Suite B Cryptography algorithms
     - S7122142: (ann) Race condition between isAnnotationPresent and
       getAnnotations
     - S7160837: DigestOutputStream does not turn off digest calculation
       when "close()" is called
     - S8006935: Need to take care of long secret keys in HMAC/PRF
       computation
     - S8012637: Adjust CipherInputStream class to work in AEAD/GCM mode
     - S8028192: Use of PKCS11-NSS provider in FIPS mode broken
     - S8038000: java.awt.image.RasterFormatException: Incorrect scanline
       stride
     - S8039396: NPE when writing a class descriptor object to a custom
       ObjectOutputStream
     - S8042603: 'SafepointPollOffset' was not declared in static member
       function 'static bool Arguments::check_vm_args_consistency()'
     - S8042850: Extra unused entries in ICU ScriptCodes enum
     - S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp tests fail
       since 7u71 b01
     - S8053963: (dc) Use DatagramChannel.receive() instead of read() in
       connect()
     - S8055176: 7u71 l10n resource file translation update

   * Bugfixes:
     - PR1988: C++ Interpreter should no longer be used on ppc64
     - PR1989: Make jdk_generic_profile.sh handle missing programs better
       and be more verbose
     - PR1992, RH735336: Support retrieving proxy settings on GNOME 3.12.2
     - PR2000: Synchronise HEAD tarball paths with release branch paths
     - PR2002: Fix references to hotspot.map following PR2000
     - PR2003: --disable-system-gtk option broken by refactoring in PR1736
     - PR2009: Checksum of policy JAR files changes on every build
     - PR2014: Use version from hotspot.map to create tarball filename
     - PR2015: Update hotspot.map documentation in INSTALL
     - PR2025: LCMS_CFLAGS and LCMS_LIBS should not be used unless
       SYSTEM_LCMS is enabled
     - RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError
       (revised comprehensive fix)

   * CACAO
     - PR2030, G453612, CA172: ARM hardfloat support for CACAO

   * AArch64 port
     - AArch64 C2 instruct for smull
     - Add frame anchor fences.
     - Add MacroAssembler::maybe_isb()
     - Add missing instruction synchronization barriers and cache
       flushes.
     - Add support for a few simple intrinsics
     - Add support for builtin crc32 instructions
     - Add support for Neon implementation of CRC32
     - All address constants are 48 bits in size.
     - array load must only read 32 bits
     - Define uabs(). Use it everywhere an absolute value is wanted.
     - Fast string comparison
     - Fast String.equals()
     - Fix register usage in generate_verify_oop().
     - Fix thinko in Atomic::xchg_ptr.
     - Fix typo in fsqrts
     - Improve C1 performance improvements in ic_cache checks
     - Performance improvement and ease of use changes pulled from
       upstream
     - Remove obsolete C1 patching code.
     - Replace hotspot jtreg test suite with tests from jdk7u
     - S8024648: 7141246 breaks Zero port
     - Save intermediate state before removing C1 patching code.
     - Unwind native AArch64 frames.
     - Use 2- and 3-instruction immediate form of movoop and mov_metadata
       in C2-generated code.
     - Various concurrency fixes.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2014-68

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2014-68

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      java-1_7_0-openjdk-1.7.0.71-6.2
      java-1_7_0-openjdk-debuginfo-1.7.0.71-6.2
      java-1_7_0-openjdk-debugsource-1.7.0.71-6.2
      java-1_7_0-openjdk-demo-1.7.0.71-6.2
      java-1_7_0-openjdk-demo-debuginfo-1.7.0.71-6.2
      java-1_7_0-openjdk-devel-1.7.0.71-6.2
      java-1_7_0-openjdk-devel-debuginfo-1.7.0.71-6.2
      java-1_7_0-openjdk-headless-1.7.0.71-6.2
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.71-6.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      java-1_7_0-openjdk-1.7.0.71-6.2
      java-1_7_0-openjdk-debuginfo-1.7.0.71-6.2
      java-1_7_0-openjdk-debugsource-1.7.0.71-6.2
      java-1_7_0-openjdk-headless-1.7.0.71-6.2
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.71-6.2

References:

   http://support.novell.com/security/cve/CVE-2014-6457.html
   http://support.novell.com/security/cve/CVE-2014-6502.html
   http://support.novell.com/security/cve/CVE-2014-6504.html
   http://support.novell.com/security/cve/CVE-2014-6506.html
   http://support.novell.com/security/cve/CVE-2014-6511.html
   http://support.novell.com/security/cve/CVE-2014-6512.html
   http://support.novell.com/security/cve/CVE-2014-6513.html
   http://support.novell.com/security/cve/CVE-2014-6517.html
   http://support.novell.com/security/cve/CVE-2014-6519.html
   http://support.novell.com/security/cve/CVE-2014-6531.html
   http://support.novell.com/security/cve/CVE-2014-6558.html
   https://bugzilla.suse.com/show_bug.cgi?id=901242
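
To confirm the patch landed, installed java-1_7_0-openjdk packages can be compared against the fixed build from the package list (1.7.0.71-6.2). The script below is an added example, not part of the SUSE announcement; the function names, the sample input and the older and newer version strings in it are constructed, and GNU `sort -V` is assumed as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: flag java-1_7_0-openjdk packages older than the fixed build.
FIXED="1.7.0.71-6.2"   # version-release taken from the advisory's package list

# ver_ge A B: succeeds when A >= B. Uses GNU `sort -V` as an approximation of
# RPM version ordering; adequate for purely numeric strings like these.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_openjdk: reads "NAME VERSION-RELEASE" lines on stdin, prints one
# "OUTDATED name version" line per affected package below $FIXED, and
# returns 1 if any such package was seen (0 otherwise).
audit_openjdk() {
    audit_rc=0
    while read -r pkg_name pkg_ver; do
        case "$pkg_name" in
            java-1_7_0-openjdk*) ;;   # base package and its subpackages
            *) continue ;;            # unrelated package, skip
        esac
        if ! ver_ge "$pkg_ver" "$FIXED"; then
            echo "OUTDATED $pkg_name $pkg_ver"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# Constructed sample input (not from a real host): one package at the fixed
# build, one older, one newer, and one unrelated package.
SAMPLE='java-1_7_0-openjdk 1.7.0.71-6.2
java-1_7_0-openjdk-headless 1.7.0.65-4.1
java-1_7_0-openjdk-devel 1.7.0.75-11.3
bash 4.2-75.2'

# On a real system, feed it live data instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_openjdk
audit_openjdk <<EOF || echo "update needed: run zypper patch"
$SAMPLE
EOF
```
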