Mailinglist Archive: opensuse-updates (113 mails)

< Previous Next >
openSUSE-SU-2014:1638-1: moderate: Security update for java-1_7_0-openjdk
openSUSE Security Update: Security update for java-1_7_0-openjdk

Announcement ID: openSUSE-SU-2014:1638-1
Rating: moderate
References: #887530
Cross-References: CVE-2013-6629 CVE-2013-6954 CVE-2014-0429
CVE-2014-0446 CVE-2014-0451 CVE-2014-0452
CVE-2014-0453 CVE-2014-0454 CVE-2014-0455
CVE-2014-0456 CVE-2014-0457 CVE-2014-0458
CVE-2014-0459 CVE-2014-0460 CVE-2014-0461
CVE-2014-1876 CVE-2014-2397 CVE-2014-2398
CVE-2014-2402 CVE-2014-2403 CVE-2014-2412
CVE-2014-2413 CVE-2014-2414 CVE-2014-2421
CVE-2014-2423 CVE-2014-2427 CVE-2014-2483
CVE-2014-2490 CVE-2014-4209 CVE-2014-4216
CVE-2014-4218 CVE-2014-4219 CVE-2014-4221
CVE-2014-4223 CVE-2014-4244 CVE-2014-4252
CVE-2014-4262 CVE-2014-4263 CVE-2014-4264
CVE-2014-4266 CVE-2014-4268
Affected Products:
openSUSE 13.1

An update that fixes 41 vulnerabilities is now available.


This openjdk update fixes the following security and non security issues:

- Upgrade to 2.4.8 (bnc#887530)
* Changed back from gzipped tarball to xz
* Changed the keyring file to add Andrew John Hughes that signed the
icedtea package
* Change ZERO to AARCH64 tarball
- Removed patches:
* gstackbounds.patch
* java-1.7.0-openjdk-ppc-zero-jdk.patch
* java-1.7.0-openjdk-ppc-zero-hotspot.patch
- Integrated in upstream icedtea
* java-1.7.0-openjdk-makefiles-zero.patch
- Does not apply on the AARCH64 tarball, since the change from DEFAULT
and ZERO tarball to DEFAULT and AARCH64
- Upstream changes since 2.4.4:
* Security fixes
- S8029755, CVE-2014-4209: Enhance subject class
- S8030763: Validate global memory allocation
- S8031340, CVE-2014-4264: Better TLS/EC management
- S8031346, CVE-2014-4244: Enhance RSA key handling
- S8031540: Introduce document horizon
- S8032536: JVM resolves wrong method in some unusual cases
- S8033055: Issues in 2d
- S8033301, CVE-2014-4266: Build more informative InfoBuilder
- S8034267: Probabilistic native crash
- S8034272: Do not cram data into CRAM arrays
- S8034985, CVE-2014-2483: Better form for Lambda Forms
- S8035004, CVE-2014-4252: Provider provides less service
- S8035009, CVE-2014-4218: Make Proxy representations consistent
- S8035119, CVE-2014-4219: Fix exceptions to bytecode verification
- S8035699, CVE-2014-4268: File choosers should be choosier
- S8035788. CVE-2014-4221: Provide more consistency for lookups
- S8035793, CVE-2014-4223: Maximum arity maxed out
- S8036571: (process) Process process arguments carefully
- S8036800: Attribute OOM to correct part of code
- S8037046: Validate libraries to be loaded
- S8037076, CVE-2014-2490: Check constant pool constants
- S8037157: Verify <init> call
- S8037162, CVE-2014-4263: More robust DH exchanges
- S8037167, CVE-2014-4216: Better method signature resolution
- S8039520, CVE-2014-4262: More atomicity of atomic updates
- S8023046: Enhance splashscreen support
- S8025005: Enhance CORBA initializations
- S8025010, CVE-2014-2412: Enhance AWT contexts
- S8025030, CVE-2014-2414: Enhance stream handling
- S8025152, CVE-2014-0458: Enhance activation set up
- S8026067: Enhance signed jar verification
- S8026163, CVE-2014-2427: Enhance media provisioning
- S8026188, CVE-2014-2423: Enhance envelope factory
- S8026200: Enhance RowSet Factory
- S8026716, CVE-2014-2402: (aio) Enhance asynchronous channel handling
- S8026736, CVE-2014-2398: Enhance Javadoc pages
- S8026797, CVE-2014-0451: Enhance data transfers
- S8026801, CVE-2014-0452: Enhance endpoint addressing
- S8027766, CVE-2014-0453: Enhance RSA processing
- S8027775: Enhance ICU code.
- S8027841, CVE-2014-0429: Enhance pixel manipulations
- S8028385: Enhance RowSet Factory
- S8029282, CVE-2014-2403: Enhance CharInfo set up
- S8029286: Enhance subject delegation
- S8029699: Update Poller demo
- S8029730: Improve audio device additions
- S8029735: Enhance service mgmt natives
- S8029740, CVE-2014-0446: Enhance handling of loggers
- S8029745, CVE-2014-0454: Enhance algorithm checking
- S8029750: Enhance LCMS color processing (in-tree LCMS)
- S8029760, CVE-2013-6629: Enhance AWT image libraries (in-tree
- S8029844, CVE-2014-0455: Enhance argument validation
- S8029854, CVE-2014-2421: Enhance JPEG decodings
- S8029858, CVE-2014-0456: Enhance array copies
- S8030731, CVE-2014-0460: Improve name service robustness
- S8031330: Refactor ObjectFactory
- S8031335, CVE-2014-0459: Better color profiling (in-tree LCMS)
- S8031352, CVE-2013-6954: Enhance PNG handling (in-tree libpng)
- S8031394, CVE-2014-0457: (sl) Fix exception handling in ServiceLoader
- S8031395: Enhance LDAP processing
- S8032686, CVE-2014-2413: Issues with method invoke
- S8033618, CVE-2014-1876: Correct logging output
- S8034926, CVE-2014-2397: Attribute classes properly
- S8036794, CVE-2014-0461: Manage JavaScript instances
* Backports
- S5049299: (process) Use posix_spawn, not fork, on S10 to avoid swap
- S6571600: JNI use results in UnsatisfiedLinkError looking for
- S7131153: GetDC called way too many times - causes bad performance.
- S7190349: [macosx] Text (Label) is incorrectly drawn with a rotated
- S8001108: an attempt to use "<init>" as a method name should elicit
- S8001109: arity mismatch on a call to spreader method handle should
elicit IllegalArgumentException
- S8008118: (process) Possible null pointer dereference in
- S8013611: Modal dialog fails to obtain keyboard focus
- S8013809: deadlock in SSLSocketImpl between between write and close
- S8013836: getFirstDayOfWeek reports wrong day for pt-BR locale
- S8014460: Need to check for non-empty EXT_LIBS_PATH before using it
- S8019853: Break logging and AWT circular dependency
- S8019990: IM candidate window appears on the South-East corner of
the display.
- S8020191: System.getProperty("") returns "Windows NT
(unknown)" on Windows 8.1
- S8022452: Hotspot needs to know about Windows 8.1 and Windows Server
2012 R2
- S8023990: Regression: postscript size increase from 6u18
- S8024283: 10 nashorn tests fail with similar stack trace
InternalError with cause being NoClassDefFoundError
- S8024616: JSR292: lazily initialize core NamedFunctions used for
- S8024648: 7141246 & 8016131 break Zero port (AArch64 only)
- S8024830: SEGV in
- S8025588: [macosx] Frozen AppKit thread in 7u40
- S8026404: Logging in Applet can trigger ACE: access denied
("java.lang.RuntimePermission" "modifyThreadGroup")
- S8026705: [TEST_BUG] java/beans/Introspector/
- S8027196: Increment minor version of HSx for 7u55 and initialize the
build number
- S8027212: java/nio/channels/Selector/ fails
- S8028285: RMI Thread can no longer call out to AWT
- S8029177: [Parfait] warnings from b117 for JNI exception pending
- S8030655: Regression: 14_01 Security fix 8024306 causes test failures
- S8030813: Signed applet fails to load when CRLs are stored in an
LDAP directory
- S8030822: (tz) Support tzdata2013i
- S8031050: (thread) Change Thread initialization so that thread name
is set before invoking SecurityManager
- S8031075: [Regression] focus disappears with shift+tab on dialog
having one focus component
- S8031462: Fonts with morx tables are broken with latest ICU fixes
- S8032585: JSR292: IllegalAccessError when attempting to invoke
protected method from different package
- S8032740: Need to create SE Embedded Source Bundles in 7 Release
- S8033278: Missed access checks for Lookup.unreflect* after 8032585
- S8034772: JDK-8028795 brought a specification change to 7u55 release
and caused JCK7 signature test failure
- S8035283: Second phase of branch shortening doesn't account for loop
- S8035613: With active Securitymanager JAXBContext.newInstance fails
- S8035618: Four api/org_omg/CORBA TCK tests fail under plugin only
- S8036147: Increment hsx 24.55 build to b02 for 7u55-b11
- S8036786: Update jdk7 testlibrary to match jdk8
- S8036837: Increment hsx 24.55 build to b03 for 7u55-b12
- S8037012: (tz) Support tzdata2014a
- S8038306: (tz) Support tzdata2014b
- S8038392: Generating prelink cache breaks JAVA 'jinfo' utility
normal behavior
- S8042264: 7u65 l10n resource file translation update 1
- S8042582: Test
java/awt/KeyboardFocusmanager/ChangeKFMTest/ChangeKFMTest.html fails
on Windows x64
- S8042590: Running form URL throws NPE
- S8042789: org.omg.CORBA.ORBSingletonClass loading no longer uses
context class loader
- S8043012: (tz) Support tzdata2014c
- S8004145: New improved, ctrl-c now properly terminates
mercurial processes.
- S8007625: race with nested repos in /common/bin/
- S8011178: improve common/bin/ python detection (MacOS)
- S8011342: : 'python --version' not supported on older
- S8011350: uses non-POSIX sh features that may fail with
some shells
- S8024200: handle hg wrapper with space after #!
- S8025796: could trigger unbuffered output from hg
without complicated machinations
- S8028388: 9 jaxws tests failed in nightly build with
- S8031477: [macosx] Loading AWT native library fails
- S8032370: No "Truncated file" warning from IIOReadWarningListener on
- S8035834: InetAddress.getLocalHost() can hang after JDK-8030731 was
- S8009062: poor performance of JNI AttachCurrentThread after fix for
- S8035893: JVM_GetVersionInfo fails to zero structure
- Re-enable the 'gamma' test at the end of the HotSpot build, but only
for HotSpot based bootstrap JDKs.
- S8015976: OpenJDK part of bug JDK-8015812 [TEST_BUG] Tests have
conflicting test descriptions
- S8022698: javax/script/ fails since 7u45 b04
with -agentvm option
- S8022868: missing codepage Cp290 at java runtime
- S8023310: Thread contention in the method Beans.IsDesignTime()
- S8024461: [macosx] Java crashed on mac10.9 for swing and 2d function
manual test
- S8025679: Increment minor version of HSx for 7u51 and initialize the
build number
- S8026037: [TESTBUG] sun/security/tools/jarsigner/ test
fails on Solaris
- S8026304: jarsigner output bad grammar
- S8026772: test/sun/util/resources/TimeZone/ failing
- S8026887: Make issues due to failed large pages allocations easier
to debug
- S8027204: Revise the update of 8026204 and 8025758
- S8027224: test regression - ClassNotFoundException
- S8027370: Support tzdata2013h
- S8027378: Two closed/javax/xml/8005432 fails with jdk7u51b04
- S8027787: 7u51 l10n resource file translation update 1
- S8027837: JDK-8021257 causes CORBA build failure on emdedded
- S8027943: serial version of
changed in 7u45
- S8027944: Increment hsx 24.51 build to b02 for 7u51-b07
- S8028057: Modify jarsigner man page documentation to document CCC
8024302: Clarify jar verifications
- S8028090: reverting change - changeset pushed with incorrect commit
message, linked to wrong issue
- S8028111: XML readers share the same entity expansion counter
- S8028215: ORB.init fails with SecurityException if properties select
the JDK default ORB
- S8028293: Check local configuration for actual ephemeral port range
- S8028382: Two javax/xml/8005433 tests still fail after the fix
- S8028453: AsynchronousSocketChannel.connect() requires
SocketPermission due to bind to local address (win)
- S8028823: java/net/Makefile tabs converted to spaces
- S8029038: Revise fix for XML readers share the same entity expansion
- S8029842: Increment hsx 24.51 build to b03 for 7u51-b11
* Bug fixes
- Fix accidental reversion of PR1188 for armel
- PR1781: NSS PKCS11 provider fails to handle multipart AES encryption
- PR1830: Drop version requirement for LCMS 2
- PR1833, RH1022017: Report elliptic curves supported by NSS, not the
SunEC library
- RH905128: [CRASH] OpenJDK-1.7.0 while using NSS security provider
and kerberos
- PR1393: JPEG support in build is broken on non-system-libjpeg builds
- PR1726: configure fails looking for ecj.jar before even trying to
find javac
- Red Hat local: Fix for repo with path statting with / .
- Remove unused hgforest script
- PR1101: Undefined symbols on GNU/Linux SPARC
- PR1659: OpenJDK 7 returns incorrect TrueType font metrics when bold
style is set
- PR1677, G498288: Update PaX support to detect running PaX kernel and
use newer tools
- PR1679: Allow OpenJDK to build on PaX-enabled kernels
- PR1684: Build fails with empty PAX_COMMAND
- RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError
(revised fix)
- Link against $(LIBDL) if SYSTEM_CUPS is not true
- Perform configure checks using ecj.jar when --with-gcj (native ecj
build) is enabled.
- Fix broken bootstrap build by updating ecj-multicatch.patch
- PR1653: Support ppc64le via Zero
- PR1654: ppc32 needs a larger ThreadStackSize to build
- RH1015432: java-1.7.0-openjdk: Fails on PPC with StackOverflowError
- RH910107: fail to load PC/SC library
* ARM32 port
- Add arm_port from IcedTea 6
- Add patches/arm.patch from IcedTea 6
- Add patches/arm-debug.patch from IcedTea 6
- Add patches/arm-hsdis.patch from IcedTea 6
- added jvmti event generation for dynamic_generate and
compiled_method_load events to ARM JIT compiler
- Adjust saved SP when safepointing.
- First cut of invokedynamic
- Fix trashed thread ptr after recursive re-entry from asm JIT.
- JIT-compilation of ldc methodHandle
- Rename a bunch of misleadingly-named functions
- Changes for HSX22
- Rename a bunch of misleadingly-named functions
- Patched method handle adapter code to deal with failures in TCK
- Phase 1
- Phase 2
- RTC Thumb2 JIT enhancements.
- Zero fails to build in hsx22+, fix for hsx22 after runs gamma OK,
hsx23 still nogo.
- Use ldrexd for atomic reads on ARMv7.
- Use unified syntax for thumb code.
- Corrected call from fast_method_handle_entry to
CppInterpreter::method_handle_entry so that thread is loaded into r2
- Don't save locals at a return.
- Fix call to handle_special_method(). Fix compareAndSwapLong.
- Fix JIT bug that miscompiles
- invokedynamic and aldc for JIT
- Modified safepoint check to rely on memory protect signal instead of
- Minor review cleanups.
- PR1188: ASM Interpreter and Thumb2 JIT javac miscompile modulo
reminder on armel
- PR1363: Fedora 19 / rawhide FTBFS SIGILL
- Changes for HSX23
- Remove fragment from method that has been removed
- Remove C++ flags from CC_COMPILE and fix usage in zeroshark.make.
- Use $(CC) to compile mkbc instead of $(CC_COMPILE) to avoid C++-only
- Add note about use of $(CFLAGS)/$(CXXFLAGS)/$(CPPFLAGS) at present.
- Override automatic detection of source language for bytecodes_arm.def
- Include $(CFLAGS) in assembler stage
- PR1626: ARM32 assembler update for hsx24. Use ARM32JIT to turn it
- Replace literal offsets for METHOD_SIZEOFPARAMETERS and
ISTATE_NEXT_FRAME with correct symbolic names.
- Turn ARM32 JIT on by default
* AArch64 port
- AArch64 C2 instruct for smull
- Add a constructor as a conversion from Register - RegSet. Use it.
- Add RegSet::operator+=.
- Add support for a few simple intrinsics
- Add support for builtin crc32 instructions
- Add support for CRC32 intrinsic
- Add support for Neon implementation of CRC32
- All address constants are 48 bits in size.
- C1: Fix offset overflow when profiling.
- Common frame handling for C1/C2 which correctly handle all frame
- Correct costs for operations with shifts.
- Correct OptoAssembly for prologs and epilogs.
- Delete useless instruction.
- Don't use any form of _call_VM_leaf when we're calling a stub.
- Fast string comparison
- Fast String.equals()
- Fix a tonne of bogus comments.
- Fix biased locking and enable as default
- Fix instruction size from 8 to 4
- Fix opto assembly for shifts.
- Fix register misuse in verify_method_data_pointer
- Fix register usage in generate_verify_oop().
- Implement various locked memory operations.
- Improve C1 performance improvements in ic_cache checks
- Improve code generation for pop(), as suggested by Edward Nevill.
- Improvements to safepoint polling
- Make code entry alignment 64 for C2
- Minor optimisation for divide by 2
- New cost model for instruction selection.
- Offsets in lookupswitch instructions should be signed.
- Optimise addressing of card table byte map base
- Optimise C2 entry point verification
- Optimise long divide by 2
- Performance improvement and ease of use changes pulled from upstream
- Preserve callee save FP registers around call to java code
- Remove obsolete C1 patching code.
- Remove special-case handling of division arguments. AArch64 doesn't
need it.
- Remove unnecessary memory barriers around CAS operations
- Restore sp from sender sp, r13 in crc32 code
- Restrict default ReservedCodeCacheSize to 128M
- Rewrite CAS operations to be more conservative
- Save intermediate state before removing C1 patching code.
- Tidy up register usage in push/pop instructions.
- Tidy up stack frame handling.
- Use 2- and 3-instruction immediate form of movoop and mov_metadata
in C2-generated code.
- Use an explicit set of registers rather than a bitmap for psh and
pop operations.
- Use explicit barrier instructions in C1.
- Use gcc __clear_cache instead of doing it ourselves
- PR1713: Support AArch64 Port
* Shark
- Add Shark definitions from 8003868
- Drop compile_method argument removed in 7083786 from

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-773

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (i586 x86_64):



< Previous Next >
This Thread
  • No further messages