SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2014:1422-1)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

OpenJDK was updated to icedtea 2.5.3 (OpenJDK 7u71) fixing security
issues and bugs.

- Security :

- S8015256: Better class accessibility

- S8022783, CVE-2014-6504: Optimize C2 optimizations

- S8035162: Service printing service

- S8035781: Improve equality for annotations

- S8036805: Correct linker method lookup.

- S8036810: Correct linker field lookup

- S8036936: Use local locales

- S8037066, CVE-2014-6457: Secure transport layer

- S8037846, CVE-2014-6558: Ensure streaming of input
cipher streams

- S8038364: Use certificate exceptions correctly

- S8038899: Safer safepoints

- S8038903: More native monitor monitoring

- S8038908: Make Signature more robust

- S8038913: Bolster XML support

- S8039509, CVE-2014-6512: Wrap sockets more thoroughly

- S8039533, CVE-2014-6517: Higher resolution resolvers

- S8041540, CVE-2014-6511: Better use of pages in font
processing

- S8041529: Better parameterization of parameter lists

- S8041545: Better validation of generated rasters

- S8041564, CVE-2014-6506: Improved management of logger
resources

- S8041717, CVE-2014-6519: Issue with class file parser

- S8042609, CVE-2014-6513: Limit splashiness of splash
images

- S8042797, CVE-2014-6502: Avoid strawberries in LogRecord

- S8044274, CVE-2014-6531: Proper property processing

- Backports :

- S4963723: Implement SHA-224

- S7044060: Need to support NSA Suite B Cryptography
algorithms

- S7122142: (ann) Race condition between
isAnnotationPresent and getAnnotations

- S7160837: DigestOutputStream does not turn off digest
calculation when 'close()' is called

- S8006935: Need to take care of long secret keys in
HMAC/PRF computation

- S8012637: Adjust CipherInputStream class to work in
AEAD/GCM mode

- S8028192: Use of PKCS11-NSS provider in FIPS mode broken

- S8038000: java.awt.image.RasterFormatException:
Incorrect scanline stride

- S8039396: NPE when writing a class descriptor object to
a custom ObjectOutputStream

- S8042603: 'SafepointPollOffset' was not declared in
static member function 'static bool
Arguments::check_vm_args_consistency()'

- S8042850: Extra unused entries in ICU ScriptCodes enum

- S8052162: REGRESSION: sun/java2d/cmm/ColorConvertOp
tests fail since 7u71 b01

- S8053963: (dc) Use DatagramChannel.receive() instead of
read() in connect()

- S8055176: 7u71 l10n resource file translation update

- Bugfixes :

- PR1988: C++ Interpreter should no longer be used on
ppc64

- PR1989: Make jdk_generic_profile.sh handle missing
programs better and be more verbose

- PR1992, RH735336: Support retrieving proxy settings on
GNOME 3.12.2

- PR2000: Synchronise HEAD tarball paths with release
branch paths

- PR2002: Fix references to hotspot.map following PR2000

- PR2003: --disable-system-gtk option broken by
refactoring in PR1736

- PR2009: Checksum of policy JAR files changes on every
build

- PR2014: Use version from hotspot.map to create tarball
filename

- PR2015: Update hotspot.map documentation in INSTALL

- PR2025: LCMS_CFLAGS and LCMS_LIBS should not be used
unless SYSTEM_LCMS is enabled

- RH1015432: java-1.7.0-openjdk: Fails on PPC with
StackOverflowError (revised comprehensive fix)

- CACAO

- PR2030, G453612, CA172: ARM hardfloat support for CACAO

- AArch64 port

- AArch64 C2 instruct for smull

- Add frame anchor fences.

- Add MacroAssembler::maybe_isb()

- Add missing instruction synchronization barriers and
cache flushes.

- Add support for a few simple intrinsics

- Add support for builtin crc32 instructions

- Add support for Neon implementation of CRC32

- All address constants are 48 bits in size.

- array load must only read 32 bits

- Define uabs(). Use it everywhere an absolute value is
wanted.

- Fast string comparison

- Fast String.equals()

- Fix register usage in generate_verify_oop().

- Fix thinko in Atomic::xchg_ptr.

- Fix typo in fsqrts

- Improve C1 performance improvements in ic_cache checks

- Performance improvement and ease of use changes pulled
from upstream

- Remove obsolete C1 patching code.

- Replace hotspot jtreg test suite with tests from jdk7u

- S8024648: 7141246 breaks Zero port

- Save intermediate state before removing C1 patching
code.

- Unwind native AArch64 frames.

- Use 2- and 3-instruction immediate form of movoop and
mov_metadata in C2-generated code.

- Various concurrency fixes.

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://support.novell.com/security/cve/CVE-2014-6457.html
http://support.novell.com/security/cve/CVE-2014-6502.html
http://support.novell.com/security/cve/CVE-2014-6504.html
http://support.novell.com/security/cve/CVE-2014-6506.html
http://support.novell.com/security/cve/CVE-2014-6511.html
http://support.novell.com/security/cve/CVE-2014-6512.html
http://support.novell.com/security/cve/CVE-2014-6513.html
http://support.novell.com/security/cve/CVE-2014-6517.html
http://support.novell.com/security/cve/CVE-2014-6519.html
http://support.novell.com/security/cve/CVE-2014-6531.html
http://support.novell.com/security/cve/CVE-2014-6558.html
https://bugzilla.suse.com/show_bug.cgi?id=901242
http://www.nessus.org/u?cc412d22

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12 :

zypper in -t patch SUSE-SLE-SERVER-12-2014-68

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2014-68

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now