openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2012:1154-1)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Java-1_7_0-openjdk was updated to fix a remote exploit
(CVE-2012-4681).

Also bugfixes were done :

- fix build on ARM and i586

- remove files that are no longer used

- zero build can be enabled using rpmbuild (osc build)
--with zero

- add hotspot 2.1 needed for zero

- fix filelist on %{ix86}

- Security fixes

- S7162476, CVE-2012-1682: XMLDecoder security issue via
ClassFinder

- S7194567, CVE-2012-3136: Improve long term persistence
of java.beans objects

- S7163201, CVE-2012-0547: Simplify toolkit internals
references

- RH852051, CVE-2012-4681, S7162473: Reintroduce
PackageAccessible checks removed in 6788531.

- OpenJDK

- Fix Zero FTBFS issues with 2.3

- S7180036: Build failure in Mac platform caused by fix #
7163201

- S7182135: Impossible to use some editors directly

- S7183701: [TEST]
closed/java/beans/security/TestClassFinder.java –
compilation failed

- S7185678:
java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java
failed with NPE

- Bug fixes

- PR1149: Zero-specific patch files not being packaged

- use icedtea tarball for build again, this led into
following dropped files because the are already in the
tarball and simplified %prep and %build

- drop class-rewriter.tar.gz

- drop systemtap-tapset.tar.gz

- drop desktop-files.tar.gz

- drop nss.cfg

- drop pulseaudio.tar.gz

- drop remove-intree-libraries.sh

- add archives from icedtea7-forest-2.3 for openjdk,
corba, jaxp, jaxws, jdk, langtools and hotspot

- drop rhino.patch, pulse-soundproperties and systemtap
patch

- move gnome bridge patches before make as it's irritating
to have the patch fail after openjdk is built

- use explicit file attributes in %files sections to
prevent the file permissions problems in a future (like
bnc#770040)

- changed version scheme, so it now matches Oracle Java
1.7.0.6 == Java7 u 6

- update to icedtea-2.3.1 / OpenJDK7 u6 (bnc#777499)

- Security fixes

- RH852051, CVE-2012-4681: Reintroduce PackageAccessible
checks removed in 6788531.

- Bug fixes

- PR902: PulseAudioClip getMicrosecondsLength() returns
length in milliseconds, not microseconds

- PR986: IcedTea7 fails to build with IcedTea6 CACAO due
to low max heapsize

- PR1050: Stream objects not garbage collected

- PR1119: Only add classes to rt-source-files.txt if the
class (or one or more of its methods/fields) are
actually missing from the boot JDK

- PR1137: Allow JARs to be optionally compressed by
setting COMPRESS_JARS

- OpenJDK

- Make dynamic support for GConf work again.

- PR1095: Add configure option for -Werror

- PR1101: Undefined symbols on GNU/Linux SPARC

- PR1140: Unnecessary diz files should not be installed

- S7192804, PR1138: Build should not install jvisualvm man
page for OpenJDK

- JamVM

- ARMv6 armhf: Changes for Raspbian (Raspberry Pi)

- PPC: Don't use lwsync if it isn't supported

- X86: Generate machine-dependent stubs for i386

- When suspending, ignore detached threads that have died,
this prevents a user caused deadlock when an external
thread has been attached to the VM via JNI and it has
exited without detaching

- Add missing REF_TO_OBJs for references passed from JNI,
this enable JamVM to run Qt-Jambi

- there are number of fixes in 2.3, see NEWS

See also :

http://lists.opensuse.org/opensuse-updates/2012-09/msg00052.html
https://bugzilla.novell.com/show_bug.cgi?id=770040
https://bugzilla.novell.com/show_bug.cgi?id=777499

Solution :

Update the affected java-1_7_0-openjdk packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 74748 ()

Bugtraq ID: 55213
55336
55337
55339

CVE ID: CVE-2012-0547
CVE-2012-1682
CVE-2012-3136
CVE-2012-4681

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now