openSUSE-SU-2016:2900-1: moderate: Security update for java-1_7_0-openjdk - openSUSE Updates

24 Nov 2016


      openSUSE Security Update: Security update for java-1_7_0-openjdk
______________________________________________________________________________
Announcement ID:    openSUSE-SU-2016:2900-1
Rating:             moderate
References:         #1005522 #1005523 #1005524 #1005525 #1005526 
                    #1005527 #1005528 
Cross-References:   CVE-2016-5542 CVE-2016-5554 CVE-2016-5556
                    CVE-2016-5568 CVE-2016-5573 CVE-2016-5582
                    CVE-2016-5597
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________
An update that fixes 7 vulnerabilities is now available.
Description:
This update for java-1_7_0-openjdk fixes the following issues:
- Update to 2.6.8 - OpenJDK 7u121
     * Security fixes
       + S8151921: Improved page resolution
       + S8155968: Update command line options
       + S8155973, CVE-2016-5542: Tighten jar checks (boo#1005522)
       + S8157176: Improved classfile parsing
       + S8157739, CVE-2016-5554: Classloader Consistency Checking
         (boo#1005523)
       + S8157749: Improve handling of DNS error replies
       + S8157753: Audio replay enhancement
       + S8157759: LCMS Transform Sampling Enhancement
       + S8157764: Better handling of interpolation plugins
       + S8158302: Handle contextual glyph substitutions
       + S8158993, CVE-2016-5568: Service Menu services (boo#1005525)
       + S8159495: Fix index offsets
       + S8159503: Amend Annotation Actions
       + S8159511: Stack map validation
       + S8159515: Improve indy validation
       + S8159519, CVE-2016-5573: Reformat JDWP messages (boo#1005526)
       + S8160090: Better signature handling in pack200
       + S8160094: Improve pack200 layout
       + S8160098: Clean up color profiles
       + S8160591, CVE-2016-5582: Improve internal array handling
         (boo#1005527)
       + S8160838, CVE-2016-5597: Better HTTP service (boo#1005528)
       + PR3207, RH1367357: lcms2: Out-of-bounds read in Type_MLU_Read()
       + CVE-2016-5556 (boo#1005524)
     * Import of OpenJDK 7 u121 build 0
       + S6624200: Regression test fails:
         test/closed/javax/swing/JMenuItem/4654927/bug4654927.java
       + S6882559: new JEditorPane("text/plain","") fails for null context
         class loader
       + S7090158: Networking Libraries don't build with javac -Werror
       + S7125055: ContentHandler.getContent API changed in error
       + S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing on windows
       + S7187051: ShortRSAKeynnn.sh tests should do cleanup before start test
       + S8000626: Implement dead key detection for KeyEvent on Linux
       + S8003890: corelibs test scripts should pass TESTVMOPTS
       + S8005629: javac warnings compiling java.awt.EventDispatchThread and
         sun.awt.X11.XIconWindow
       + S8010297: Missing isLoggable() checks in logging code
       + S8010782: clean up source files containing carriage return characters
       + S8014431: cleanup warnings indicated by the -Wunused-value compiler
         option on linux
       + S8015265: revise the fix for 8007037
       + S8016747: Replace deprecated PlatformLogger isLoggable(int) with
         isLoggable(Level)
       + S8020708: NLS mnemonics missing in SwingSet2/JInternalFrame demo
       + S8024756: method grouping tabs are not selectable
       + S8026741: jdk8 l10n resource file translation update 5
       + S8048147: Privilege tests with JAAS Subject.doAs
       + S8048357: PKCS basic tests
       + S8049171: Additional tests for jarsigner's warnings
       + S8059177: jdk8u40 l10n resource file translation update 1
       + S8075584: test for 8067364 depends on hardwired text advance
       + S8076486: [TESTBUG]
         javax/security/auth/Subject/doAs/NestedActions.java fails if extra
         VM options are given
       + S8077953: [TEST_BUG]
         com/sun/management/OperatingSystemMXBean/TestTotalSwap.java
         Compilation failed after JDK-8077387
       + S8080628: No mnemonics on Open and Save buttons in JFileChooser
       + S8083601: jdk8u60 l10n resource file translation update 2
       + S8140530: Creating a VolatileImage with size 0,0 results in no
         longer working g2d.drawString
       + S8142926: OutputAnalyzer's shouldXXX() calls return this
       + S8143134: L10n resource file translation update
       + S8147077: IllegalArgumentException thrown by
         api/java_awt/Component/FlipBufferStrategy/indexTGF_General
       + S8148127: IllegalArgumentException thrown by JCK test
         api/java_awt/Component/FlipBufferStrategy/indexTGF_General in
         opengl pipeline
       + S8150611: Security problem on sun.misc.resources.Messages*
       + S8157653: [Parfait] Uninitialised variable in awt_Font.cpp
       + S8158734: JEditorPane.createEditorKitForContentType throws NPE after
         6882559
       + S8159684: (tz) Support tzdata2016f
       + S8160934: isnan() is not available on older MSVC compilers
       + S8162411: Service Menu services 2
       + S8162419: closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
         after JDK-8155968
       + S8162511: 8u111 L10n resource file updates
       + S8162792: Remove constraint DSA keySize < 1024 from
         jdk.jar.disabledAlgorithms in jdk8
       + S8164452: 8u111 L10n resource file update - msgdrop 20
       + S8165816: jarsigner -verify shows jar unsigned if it was signed with
         a weak algorithm
       + S8166381: Back out changes to the java.security file to not disable
         MD5
     * Backports
       + S6604109, PR3162: javax.print.PrintServiceLookup.lookupPrintServices
         fails SOMETIMES for Cups
       + S6907252, PR3162: ZipFileInputStream Not Thread-Safe
       + S8024046, PR3162: Test sun/security/krb5/runNameEquals.sh failed on
         7u45 Embedded linux-ppc*
       + S8028479, PR3162: runNameEquals still cannot precisely detect if a
         usable native krb5 is available
       + S8034057, PR3162: Files.getFileStore and Files.isWritable do not
         work with SUBST'ed drives (win)
       + S8038491, PR3162: Improve synchronization in ZipFile.read()
       + S8038502, PR3162: Deflater.needsInput() should use synchronization
       + S8059411, PR3162: RowSetWarning does not correctly chain warnings
       + S8062198, PR3162: Add RowSetMetaDataImpl Tests and add column range
         validation to isdefinitlyWritable
       + S8066188, PR3162: BaseRowSet returns the wrong default value for
         escape processing
       + S8072466, PR3162: Deadlock when initializing MulticastSocket and
         DatagramSocket
       + S8075118, PR3162: JVM stuck in infinite loop during verification
       + S8076579, PR3162: Popping a stack frame after exception breakpoint
         sets last method param to exception
       + S8078495, PR3162: End time checking for native TGT is wrong
       + S8078668, PR3162: jar usage string mentions unsupported
         option '-n'
       + S8080115, PR3162: (fs) Crash in libgio when calling
         Files.probeContentType(path) from parallel threads
       + S8081794, PR3162: ParsePosition getErrorIndex returns 0 for TimeZone
         parsing problem
       + S8129957, PR3162: Deadlock in JNDI LDAP implementation when closing
         the LDAP context
       + S8130136, PR3162: Swing window sometimes fails to repaint partially
         when it becomes exposed
       + S8130274, PR3162: java/nio/file/FileStore/Basic.java fails when two
         successive stores in an iteration are determined to be equal
       + S8132551, PR3162: Initialize local variables before returning them
         in p11_convert.c
       + S8133207, PR3162: [TEST_BUG] ParallelProbes.java test fails after
         changes for JDK-8080115
       + S8133666, PR3162: OperatingSystemMXBean reports abnormally high
         machine CPU consumption on Linux
       + S8135002, PR3162: Fix or remove broken links in
         objectMonitor.cpp comments
       + S8137121, PR3162: (fc) Infinite loop FileChannel.truncate
       + S8137230, PR3162: TEST_BUG:
         java/nio/channels/FileChannel/LoopingTruncate.java timed out
       + S8139373, PR3162: [TEST_BUG] java/net/MulticastSocket/MultiDead.java
         failed with timeout
       + S8140249, PR3162: JVM Crashing During startUp If Flight Recording is
         enabled
       + S8141491, PR3160, G592292: Unaligned memory access in Bits.c
       + S8144483, PR3162: One long Safepoint pause directly after each GC
         log rotation
       + S8149611, PR3160, G592292: Add tests for Unsafe.copySwapMemory
     * Bug fixes
       + S8078628, PR3151: Zero build fails with pre-compiled headers disabled
       + PR3128: pax-mark-vm script calls "exit -1" which is invalid in dash
       + PR3131: PaX marking fails on filesystems which don't support
         extended attributes
       + PR3135: Makefile.am rule stamps/add/tzdata-support-debug.stamp has a
         typo in add-tzdata dependency
       + PR3141: Pass $(CC) and $(CXX) to OpenJDK build
       + PR3166: invalid zip timestamp handling leads to error building
         bootstrap-javac
       + PR3202: Update infinality configure test
       + PR3212: Disable ARM32 JIT by default
     * CACAO
       + PR3136: CACAO is broken due to 2 new native methods in
         sun.misc.Unsafe (from S8158260)
   * JamVM
       + PR3134: JamVM is broken due to 2 new native methods in
         sun.misc.Unsafe (from S8158260)
   * AArch64 port
       + S8167200, PR3204: AArch64: Broken stack pointer adjustment in
         interpreter
       + S8168888: Port 8160591: Improve internal array handling to AArch64.
       + PR3211: AArch64 build fails with pre-compiled headers disabled
   - Changed patch:
     * java-1_7_0-openjdk-gcc6.patch
       + Rediff to changed context
- Disable arm32 JIT, since its build broken
     (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2942)
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-1357=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
java-1_7_0-openjdk-1.7.0.121-28.2
      java-1_7_0-openjdk-accessibility-1.7.0.121-28.2
      java-1_7_0-openjdk-bootstrap-1.7.0.121-28.2
      java-1_7_0-openjdk-bootstrap-debuginfo-1.7.0.121-28.2
      java-1_7_0-openjdk-bootstrap-debugsource-1.7.0.121-28.2
      java-1_7_0-openjdk-bootstrap-devel-1.7.0.121-28.2
      java-1_7_0-openjdk-bootstrap-devel-debuginfo-1.7.0.121-28.2
      java-1_7_0-openjdk-bootstrap-headless-1.7.0.121-28.2
      java-1_7_0-openjdk-bootstrap-headless-debuginfo-1.7.0.121-28.2
      java-1_7_0-openjdk-debuginfo-1.7.0.121-28.2
      java-1_7_0-openjdk-debugsource-1.7.0.121-28.2
      java-1_7_0-openjdk-demo-1.7.0.121-28.2
      java-1_7_0-openjdk-demo-debuginfo-1.7.0.121-28.2
      java-1_7_0-openjdk-devel-1.7.0.121-28.2
      java-1_7_0-openjdk-devel-debuginfo-1.7.0.121-28.2
      java-1_7_0-openjdk-headless-1.7.0.121-28.2
      java-1_7_0-openjdk-headless-debuginfo-1.7.0.121-28.2
      java-1_7_0-openjdk-src-1.7.0.121-28.2
- openSUSE 13.2 (noarch):
java-1_7_0-openjdk-javadoc-1.7.0.121-28.2
References:
https://www.suse.com/security/cve/CVE-2016-5542.html
   https://www.suse.com/security/cve/CVE-2016-5554.html
   https://www.suse.com/security/cve/CVE-2016-5556.html
   https://www.suse.com/security/cve/CVE-2016-5568.html
   https://www.suse.com/security/cve/CVE-2016-5573.html
   https://www.suse.com/security/cve/CVE-2016-5582.html
   https://www.suse.com/security/cve/CVE-2016-5597.html
   https://bugzilla.suse.com/1005522
   https://bugzilla.suse.com/1005523
   https://bugzilla.suse.com/1005524
   https://bugzilla.suse.com/1005525
   https://bugzilla.suse.com/1005526
   https://bugzilla.suse.com/1005527
   https://bugzilla.suse.com/1005528