openSUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:3235-1
Rating: moderate
References: #1111162 #1112142 #1112143 #1112144 #1112145
#1112146 #1112147 #1112148 #1112149
Cross-References: CVE-2018-3136 CVE-2018-3139 CVE-2018-3149
CVE-2018-3150 CVE-2018-3157 CVE-2018-3169
CVE-2018-3180 CVE-2018-3183
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves 8 vulnerabilities and has one errata
is now available.

Description:

This update for java-11-openjdk fixes the following issues:

Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU)

Security fixes:

– S8202936, CVE-2018-3183, bsc#1112148: Improve script engine support
– S8199226, CVE-2018-3169, bsc#1112146: Improve field accesses
– S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI lookups
– S8202613, CVE-2018-3180, bsc#1112147: Improve TLS connections stability
– S8208209, CVE-2018-3180, bsc#1112147: Improve TLS connection stability
again
– S8199172, CVE-2018-3150, bsc#1112145: Improve jar attribute checks
– S8200648, CVE-2018-3157, bsc#1112149: Make midi code more sound
– S8194534, CVE-2018-3136, bsc#1112142: Manifest better support
– S8208754, CVE-2018-3136, bsc#1112142: The fix for JDK-8194534 needs
updates
– S8196902, CVE-2018-3139, bsc#1112143: Better HTTP Redirection

Security-In-Depth fixes:

– S8194546: Choosier FileManagers
– S8195874: Improve jar specification adherence
– S8196897: Improve PRNG support
– S8197881: Better StringBuilder support
– S8201756: Improve cipher inputs
– S8203654: Improve cypher state updates
– S8204497: Better formatting of decimals
– S8200666: Improve LDAP support
– S8199110: Address Internet Addresses

Update to upstream tag jdk-11+28 (OpenJDK 11 rc1)

– S8207317: SSLEngine negotiation fail exception behavior changed from
fail-fast to fail-lazy
– S8207838: AArch64: Float registers incorrectly restored in JNI call
– S8209637: [s390x] Interpreter doesn’t call result handler after native
calls
– S8209670: CompilerThread releasing code buffer in destructor is unsafe
– S8209735: Disable avx512 by default
– S8209806: API docs should be updated to refer to javase11
– Report version without the “-internal” postfix

– Don’t build against gdk making the accessibility depend on a particular
version of gtk.

Update to upstream tag jdk-11+27

– S8031761: [TESTBUG] Add a regression test for JDK-8026328
– S8151259: [TESTBUG] nsk/jvmti/RedefineClasses/redefclass030 fails with
“unexpected values of outer fields of the class” when running with -Xcomp
– S8164639: Configure PKCS11 tests to use user-supplied NSS libraries
– S8189667: Desktop#moveToTrash expects incorrect “<<ALL FILES>>”
FilePermission
– S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM in
-Xcomp
– S8195156: [Graal] serviceability/jvmti/GetModulesInfo/
/JvmtiGetAllModulesTest.java fails with Graal in Xcomp mode
– S8199081: [Testbug] compiler/linkage/LinkageErrors.java fails if run
twice
– S8201394: Update java.se module summary to reflect removal of java.se.ee
module
– S8204931: Colors with alpha are painted incorrectly on Linux
– S8204966: [TESTBUG] hotspot/test/compiler/whitebox/
/IsMethodCompilableTest.java test fails with
-XX:CompileThreshold=1
– S8205608: Fix ‘frames()’ in ThreadReferenceImpl.c to prevent quadratic
runtime behavior
– S8205687: TimeoutHandler generates huge core files
– S8206176: Remove the temporary tls13VN field
– S8206258: [Test Error] sun/security/pkcs11 tests fail if NSS libs not
found
– S8206965: java/util/TimeZone/Bug8149452.java failed on de_DE and ja_JP
locale.
– S8207009: TLS 1.3 half-close and synchronization issues
– S8207046: arm32 vm crash: C1 arm32 platform functions parameters type
mismatch
– S8207139: NMT is not enabled on Windows 2016/10
– S8207237: SSLSocket#setEnabledCipherSuites is accepting empty string
– S8207355: C1 compilation hangs in
ComputeLinearScanOrder::compute_dominator
– S8207746: C2: Lucene crashes on AVX512 instruction
– S8207765: HeapMonitorTest.java intermittent failure
– S8207944: java.lang.ClassFormatError: Extra bytes at the end
of class file test” possibly violation of JVMS 4.7.1
– S8207948: JDK 11 L10n resource file update msg drop 10
– S8207966: HttpClient response without content-length does not return body
– S8208125: Cannot input text into JOptionPane Text Input Dialog
– S8208164: (str) improve specification of String::lines
– S8208166: Still unable to use custom SSLEngine with default
TrustManagerFactory after JDK-8207029
– S8208189: ProblemList compiler/graalunit/JttThreadsTest.java
– S8208205: ProblemList tests that fail due to ‘Error attaching to
process: Can’t create thread_db agent!’
– S8208226: ProblemList com/sun/jdi/BasicJDWPConnectionTest.java
– S8208251: serviceability/jvmti/HeapMonitor/MyPackage/
/HeapMonitorGCCMSTest.java fails intermittently on Linux-X64
– S8208305: ProblemList compiler/jvmci/compilerToVM/GetFlagValueTest.java
– S8208347: ProblemList
compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.java
– S8208353: Upgrade JDK 11 to libpng 1.6.35
– S8208358: update bug ids mentioned in tests
– S8208370: fix typo in ReservedStack tests’ @requires
– S8208391: Differentiate response and connect timeouts in HTTP Client API
– S8208466: Fix potential memory leak in harfbuzz shaping.
– S8208496: New Test to verify concurrent behavior of TLS.
– S8208521: ProblemList more tests that fail due to ‘Error attaching to
process: Can’t create thread_db agent!’
– S8208640: [a11y] [macos] Unable to navigate between Radiobuttons in
Radio group using keyboard.
– S8208663: JDK 11 L10n resource file update msg drop 20
– S8208676: Missing NULL check and resource leak in
NetworkPerformanceInterface::NetworkPerformance::network_utilization
– S8208691: Tighten up jdk.includeInExceptions security property
– S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/
/TestNssDbSqlite.java fails in aarch64 platforms
– S8209029: ProblemList tests that fail due to ‘Error attaching to
process: Can’t create thread_db agent!’ in jdk-11+25 testing
– S8209149: [TESTBUG] runtime/RedefineTests/ /RedefineRunningMethods.java
needs a longer timeout
– S8209451: Please change jdk 11 milestone to FCS
– S8209452: VerifyCACerts.java failed with “At least one cacert test
failed”
– S8209506: Add Google Trust Services GlobalSign root certificates
– S8209537: Two security tests failed after JDK-8164639 due to dependency
was missed

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-1205=1

Package List:

– openSUSE Leap 15.0 (x86_64):

java-11-openjdk-11.0.1.0-lp150.2.6.1
java-11-openjdk-accessibility-11.0.1.0-lp150.2.6.1
java-11-openjdk-accessibility-debuginfo-11.0.1.0-lp150.2.6.1
java-11-openjdk-debuginfo-11.0.1.0-lp150.2.6.1
java-11-openjdk-debugsource-11.0.1.0-lp150.2.6.1
java-11-openjdk-demo-11.0.1.0-lp150.2.6.1
java-11-openjdk-devel-11.0.1.0-lp150.2.6.1
java-11-openjdk-headless-11.0.1.0-lp150.2.6.1
java-11-openjdk-jmods-11.0.1.0-lp150.2.6.1
java-11-openjdk-src-11.0.1.0-lp150.2.6.1

– openSUSE Leap 15.0 (noarch):

java-11-openjdk-javadoc-11.0.1.0-lp150.2.6.1

References:

https://www.suse.com/security/cve/CVE-2018-3136.html
https://www.suse.com/security/cve/CVE-2018-3139.html
https://www.suse.com/security/cve/CVE-2018-3149.html
https://www.suse.com/security/cve/CVE-2018-3150.html
https://www.suse.com/security/cve/CVE-2018-3157.html
https://www.suse.com/security/cve/CVE-2018-3169.html
https://www.suse.com/security/cve/CVE-2018-3180.html
https://www.suse.com/security/cve/CVE-2018-3183.html
https://bugzilla.suse.com/1111162
https://bugzilla.suse.com/1112142
https://bugzilla.suse.com/1112143
https://bugzilla.suse.com/1112144
https://bugzilla.suse.com/1112145
https://bugzilla.suse.com/1112146
https://bugzilla.suse.com/1112147
https://bugzilla.suse.com/1112148
https://bugzilla.suse.com/1112149

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org