openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0377-1)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

java-1_7_0-openjdk was updated to icedtea-2.3.6 (bnc#803379)
containing various security and bugfixes :

- Security fixes

- S6563318, CVE-2013-0424: RMI data sanitization

- S6664509, CVE-2013-0425: Add logging context

- S6664528, CVE-2013-0426: Find log level matching its
name or value given at construction time

- S6776941: CVE-2013-0427: Improve thread pool shutdown

- S7141694, CVE-2013-0429: Improving CORBA internals

- S7173145: Improve in-memory representation of
splashscreens

- S7186945: Unpack200 improvement

- S7186946: Refine unpacker resource usage

- S7186948: Improve Swing data validation

- S7186952, CVE-2013-0432: Improve clipboard access

- S7186954: Improve connection performance

- S7186957: Improve Pack200 data validation

- S7192392, CVE-2013-0443: Better validation of client
keys

- S7192393, CVE-2013-0440: Better Checking of order of TLS
Messages

- S7192977, CVE-2013-0442: Issue in toolkit thread

- S7197546, CVE-2013-0428: (proxy) Reflect about creating
reflective proxies

- S7200491: Tighten up JTable layout code

- S7200493, CVE-2013-0444: Improve cache handling

- S7200499: Better data validation for options

- S7200500: Launcher better input validation

- S7201064: Better dialogue checking

- S7201066, CVE-2013-0441: Change modifiers on unused
fields

- S7201068, CVE-2013-0435: Better handling of UI elements

- S7201070: Serialization to conform to protocol

- S7201071, CVE-2013-0433: InetSocketAddress serialization
issue

- S8000210: Improve JarFile code quality

- S8000537, CVE-2013-0450: Contextualize
RequiredModelMBean class

- S8000539, CVE-2013-0431: Introspect JMX data handling

- S8000540, CVE-2013-1475: Improve IIOP type reuse
management

- S8000631, CVE-2013-1476: Restrict access to class
constructor

- S8001235, CVE-2013-0434: Improve JAXP HTTP handling

- S8001242: Improve RMI HTTP conformance

- S8001307: Modify ACC_SUPER behavior

- S8001972, CVE-2013-1478: Improve image processing

- S8002325, CVE-2013-1480: Improve management of images

- Backports

- S7057320:
test/java/util/concurrent/Executors/AutoShutdown.java
failing intermittently

- S7083664: TEST_BUG: test hard code of using c:/temp but
this dir might not exist

- S7107613: scalability blocker in
javax.crypto.CryptoPermissions

- S7107616: scalability blocker in
javax.crypto.JceSecurityManager

- S7146424: Wildcard expansion for single entry classpath

- S7160609: [macosx] JDK crash in libjvm.dylib ( C
[GeForceGLDriver+0x675a] gldAttachDrawable+0x941)

- S7160951: [macosx] ActionListener called twice for
JMenuItem using ScreenMenuBar

- S7162488: VM not printing unknown -XX options

- S7169395: Exception throws due to the changes in JDK 7
object tranversal and break backward compatibility

- S7175616: Port fix for TimeZone from JDK 8 to JDK 7

- S7176485: (bf) Allow temporary buffer cache to grow to
IOV_MAX

- S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and
reinitialize build number

- S7184326: TEST_BUG:
java/awt/Frame/7024749/bug7024749.java has a typo

- S7185245: Licensee source bundle tries to compile JFR

- S7185471: Avoid key expansion when AES cipher is re-init
w/ the same key

- S7186371: [macosx] Main menu shortcuts not displayed
(7u6 regression)

- S7187834: [macosx] Usage of private API in macosx 2d
implementation causes Apple Store rejection

- S7188114: (launcher) need an alternate command line
parser for Windows

- S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and
reinitialize build number

- S7189350: Fix failed for CR 7162144

- S7190550: REGRESSION: Some closed/com/oracle/jfr/api
tests fail to compile because of fix 7185245

- S7193219: JComboBox serialization fails in JDK 1.7

- S7193977: REGRESSION:Java 7's JavaBeans persistence
ignoring the 'transient' flag on properties

- S7195106: REGRESSION : There is no way to get Icon inf,
once Softreference is released

- S7195301: XML Signature DOM implementation should not
use instanceof to determine type of Node

- S7195931: UnsatisfiedLinkError on
PKCS11.C_GetOperationState while using NSS from jre7u6+

- S7197071: Makefiles for various security providers
aren't including the default manifest.

- S7197652: Impossible to run any signed JNLP applications
or applets, OCSP off by default

- S7198146: Another new regression test does not compile
on windows-amd64

- S7198570: (tz) Support tzdata2012f

- S7198640: new hotspot build - hs23.6-b04

- S7199488: [TEST] runtime/7158800/InternTest.java failed
due to false-positive on PID match.

- S7199645: Increment build # of hs23.5 to b02

- S7199669: Update tags in .hgtags file for CPU release
rename

- S7200720: crash in net.dll during NTLM authentication

- S7200742: (se) Selector.select does not block when
starting Coherence (sol11u1)

- S7200762: [macosx] Stuck in
sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Na
tive Method)

- S8000285: Deadlock between PostEventQueue.noEvents,
EventQueue.isDispatchThread and
SwingUtilities.invokeLater

- S8000286: [macosx] Views keep scrolling back to the drag
position after DnD

- S8000297: REGRESSION:
closed/java/awt/EventQueue/PostEventOrderingTest.java
fails

- S8000307: Jre7cert: focusgained does not get called for
all focus req when do alt + tab

- S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and
reinitialize build number

- S8001124: jdk7u ProblemList.txt updates (10/2012)

- S8001242: Improve RMI HTTP conformance

- S8001808: Create a test for 8000327

- S8001876: Create regtest for 8000283

- S8002068: Build broken: corba code changes unable to use
new JDK 7 classes

- S8002091: tools/launcher/ToolsOpts.java test started to
fail since 7u11 b01 on Windows

- S8002114: fix failed for JDK-7160951: [macosx]
ActionListener called twice for JMenuItem using
ScreenMenuBar

- S8002225: (tz) Support tzdata2012i

- S8003402: (dc)
test/java/nio/channels/DatagramChannel/SendToUnresovled.
java failing after 7u11 cleanup issues

- S8003403: Test ShortRSAKeyWithinTLS and
ClientJSSEServerJSSE failing after 7u11 cleanup

- S8003948: NTLM/Negotiate authentication problem

- S8004175: Restricted packages added in java.security are
missing in java.security-{macosx, solaris, windows}

- S8004302: javax/xml/soap/Test7013971.java fails since
jdk6u39b01

- S8004341: Two JCK tests fails with 7u11 b06

- S8005615: Java Logger fails to load tomcat logger
implementation (JULI)

- Bug fixes

- Fix build using Zero's HotSpot so all patches apply
again.

- PR1295: jamvm parallel unpack failure

- removed icedtea-2.3.2-fix-extract-jamvm-dependency.patch

- removed
icedtea-2.3.3-refresh-6924259-string_offset.patch

- few missing /openjdk/%{origin}/ changes

See also :

http://lists.opensuse.org/opensuse-updates/2013-03/msg00003.html
https://bugzilla.novell.com/show_bug.cgi?id=803379

Solution :

Update the affected java-1_7_0-openjdk packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now