openSUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0161-1
Rating: important
References: #1120431 #1122293 #1122299
Cross-References: CVE-2018-11212 CVE-2019-2422 CVE-2019-2426

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for java-11-openjdk to version 11.0.2+7 fixes the following
issues:

Security issues fixed:

– CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
– CVE-2019-2426: Improve web server connections
– CVE-2018-11212: Improve JPEG processing (bsc#1122299)
– Better route routing
– Better interface enumeration
– Better interface lists
– Improve BigDecimal support
– Improve robot support
– Better icon support
– Choose printer defaults
– Proper allocation handling
– Initial class initialization
– More reliable p11 transactions
– Improve NIO stability
– Better loading of classloader classes
– Strengthen Windows Access Bridge Support
– Improved data set handling
– Improved LSA authentication
– Libsunmscapi improved interactions

Non-security issues fix:

– Do not resolve by default the added JavaEE modules (bsc#1120431)
– ~2.5% regression on compression benchmark starting with 12-b11
– java.net.http.HttpClient hangs on 204 reply without Content-length 0
– Add additional TeliaSonera root certificate
– Add more ld preloading related info to hs_error file on Linux
– Add test to exercise server-side client hello processing
– AES encrypt performance regression in jdk11b11
– AIX: ProcessBuilder: Piping between created processes does not work.
– AIX: Some class library files are missing the Classpath exception
– AppCDS crashes for some uses with JRuby
– Automate vtable/itable stub size calculation
– BarrierSetC1::generate_referent_check() confuses register allocator
– Better HTTP Redirection
– Catastrophic size_t underflow in BitMap::*_large methods
– Clip.isRunning() may return true after Clip.stop() was called
– Compiler thread creation should be bounded by available space in memory
and Code Cache
– com.sun.net.httpserver.HttpServer returns Content-length header for 204
response code
– Default mask register for avx512 instructions
– Delayed starting of debugging via jcmd
– Disable all DES cipher suites
– Disable anon and NULL cipher suites
– Disable unsupported GCs for Zero
– Epsilon alignment adjustments can overflow max TLAB size
– Epsilon elastic TLAB sizing may cause misalignment
– HotSpot update for vm_version.cpp to recognise updated VS2017
– HttpClient does not retrieve files with large sizes over HTTP/1.1
– IIOException “tEXt chunk length is not proper” on opening png file
– Improve TLS connection stability again
– InitialDirContext ctor sometimes throws NPE if the server has sent a
disconnection
– Inspect stack during error reporting
– Instead of circle rendered in appl window, but ellipse is produced
JEditor Pane
– Introduce diagnostic flag to abort VM on failed JIT compilation
– Invalid assert(HeapBaseMinAddress > 0) in
ReservedHeapSpace::initialize_compressed_heap
– jar has issues with UNC-path arguments for the jar -C parameter [windows]
– java.net.http HTTP client should allow specifying Origin and Referer
headers
– java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
– JDK 11.0.1 l10n resource file update
– JDWP Transport Listener: dt_socket thread crash
– JVMTI ResourceExhausted should not be posted in CompilerThread
– LDAPS communication failure with jdk 1.8.0_181
– linux: Poor StrictMath performance due to non-optimized compilation
– Missing synchronization when reading counters for live threads and peak
thread count
– NPE in SupportedGroupsExtension
– OpenDataException thrown when constructing CompositeData for
StackTraceElement
– Parent class loader may not have a referred ClassLoaderData instance
when obtained in Klass::class_in_module_of_loader
– Populate handlers while holding streamHandlerLock
– ppc64: Enable POWER9 CPU detection
– print_location is not reliable enough (printing register info)
– Reconsider default option for ClassPathURLCheck change done in
JDK-8195874
– Register to register spill may use AVX 512 move instruction on
unsupported platform.
– s390: Use of shift operators not covered by cpp standard
– serviceability/sa/TestUniverse.java#id0 intermittently fails with
assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
– SIGBUS in CodeHeapState::print_names()
– SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
– Soft reference reclamation race in
com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
– Swing apps are slow if displaying from a remote source to many local
displays
– switch jtreg to 4.2b13
– Test library OSInfo.getSolarisVersion cannot determine Solaris version
– TestOptionsWithRanges.java is very slow
– TestOptionsWithRanges.java of ‘-XX:TLABSize=2147483648’ fails
intermittently
– The Japanese message of FileNotFoundException garbled
– The “supported_groups” extension in ServerHellos
– ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to
CompositeData
– TimeZone.getDisplayName given Locale.US doesn’t always honor the Locale.
– TLS 1.2 Support algorithm in SunPKCS11 provider
– TLS 1.3 handshake server name indication is missing on a session resume
– TLS 1.3 server fails if ClientHello doesn’t have pre_shared_key and
psk_key_exchange_modes
– TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side
with mutual auth
– tz: Upgrade time-zone data to tzdata2018g
– Undefined behaviour in ADLC
– Update avx512 implementation
– URLStreamHandler initialization race
– UseCompressedOops requirement check fails fails on 32-bit system
– windows: Update OS detection code to recognize Windows Server 2019
– x86: assert on unbound assembler Labels used as branch targets
– x86: jck tests for ldc2_w bytecode fail
– x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
– “-XX:OnOutOfMemoryError” uses fork instead of vfork

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-161=1

Package List:

– openSUSE Leap 15.0 (x86_64):

java-11-openjdk-11.0.2.0-lp150.2.12.1
java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1
java-11-openjdk-accessibility-debuginfo-11.0.2.0-lp150.2.12.1
java-11-openjdk-debuginfo-11.0.2.0-lp150.2.12.1
java-11-openjdk-debugsource-11.0.2.0-lp150.2.12.1
java-11-openjdk-demo-11.0.2.0-lp150.2.12.1
java-11-openjdk-devel-11.0.2.0-lp150.2.12.1
java-11-openjdk-headless-11.0.2.0-lp150.2.12.1
java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1
java-11-openjdk-src-11.0.2.0-lp150.2.12.1

– openSUSE Leap 15.0 (noarch):

java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1

References:

https://www.suse.com/security/cve/CVE-2018-11212.html
https://www.suse.com/security/cve/CVE-2019-2422.html
https://www.suse.com/security/cve/CVE-2019-2426.html
https://bugzilla.suse.com/1120431
https://bugzilla.suse.com/1122293
https://bugzilla.suse.com/1122299

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org