Detections
Analytics

openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-1335)

critical Nessus Plugin ID 95023

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

OpenJDK java-1_8_0-openjdk was updated to jdk8u111 (icedtea 3.2.0) to fix the following issues :

 - Security fixes

 + S8146490: Direct indirect CRL checks

 + S8151921: Improved page resolution

 + S8155968: Update command line options

 + S8155973, CVE-2016-5542: Tighten jar checks (boo#1005522)

 + S8156794: Extend data sharing

 + S8157176: Improved classfile parsing

 + S8157739, CVE-2016-5554: Classloader Consistency Checking (boo#1005523)

 + S8157749: Improve handling of DNS error replies

 + S8157753: Audio replay enhancement

 + S8157759: LCMS Transform Sampling Enhancement

 + S8157764: Better handling of interpolation plugins

 + S8158302: Handle contextual glyph substitutions

 + S8158993, CVE-2016-5568: Service Menu services (boo#1005525)

 + S8159495: Fix index offsets

 + S8159503: Amend Annotation Actions

 + S8159511: Stack map validation

 + S8159515: Improve indy validation

 + S8159519, CVE-2016-5573: Reformat JDWP messages (boo#1005526)

 + S8160090: Better signature handling in pack200

 + S8160094: Improve pack200 layout

 + S8160098: Clean up color profiles

 + S8160591, CVE-2016-5582: Improve internal array handling (boo#1005527)

 + S8160838, CVE-2016-5597: Better HTTP service (boo#1005528)

 + PR3206, RH1367357: lcms2: Out-of-bounds read in Type_MLU_Read()

 + CVE-2016-5556 (boo#1005524)

 - New features

 + PR1370: Provide option to build without debugging

 + PR1375: Provide option to strip and link debugging info after build

 + PR1537: Handle alternative Kerberos credential cache locations

 + PR1978: Allow use of system PCSC

 + PR2445: Support system libsctp

 + PR3182: Support building without pre-compiled headers

 + PR3183: Support Fedora/RHEL system crypto policy

 + PR3221: Use pkgconfig to detect Kerberos CFLAGS and libraries

 - Import of OpenJDK 8 u102 build 14

 + S4515292: ReferenceType.isStatic() returns true for arrays

 + S4858370: JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command

 + S6976636: JVM/TI test ex03t001 fails assertion

 + S7185591: jcmd-big-script.sh ERROR: could not find app's Java pid.

 + S8017462: G1: guarantee fails with UseDynamicNumberOfGCThreads

 + S8034168: ThreadMXBean/Locks.java failed, blocked on wrong object

 + S8036006: [TESTBUG] sun/tools/native2ascii/NativeErrors.java fails: Process exit code was 0, but error was expected.

 + S8041781: Need new regression tests for PBE keys

 + S8041787: Need new regressions tests for buffer handling for PBE algorithms

 + S8043836: Need new tests for AES cipher

 + S8044199: Tests for RSA keys and key specifications

 + S8044772: TempDirTest.java still times out with -Xcomp

 + S8046339: sun.rmi.transport.DGCAckHandler leaks memory

 + S8047031: Add SocketPermission tests for legacy socket types

 + S8048052: Permission tests for setFactory

 + S8048138: Tests for JAAS callbacks

 + S8048147: Privilege tests with JAAS Subject.doAs

 + S8048356: SecureRandom default provider tests

 + S8048357: PKCS basic tests

 + S8048360: Test signed jar files

 + S8048362: Tests for doPrivileged with accomplice

 + S8048596: Tests for AEAD ciphers

 + S8048599: Tests for key wrap and unwrap operations

 + S8048603: Additional tests for MAC algorithms

 + S8048604: Tests for strong crypto ciphers

 + S8048607: Test key generation of DES and DESEDE

 + S8048610: Implement regression test for bug fix of 4686632 in JCE

 + S8048617: Tests for PKCS12 read operations

 + S8048618: Tests for PKCS12 write operations.

 + S8048619: Implement tests for converting PKCS12 keystores

 + S8048624: Tests for SealedObject

 + S8048819: Implement reliability test for DH algorithm

 + S8048820: Implement tests for SecretKeyFactory

 + S8048830: Implement tests for new functionality provided in JEP 166

 + S8049237: Need new tests for X509V3 certificates

 + S8049321: Support SHA256WithDSA in JSSE

 + S8049429: Tests for java client server communications with various TLS/SSL combinations.

 + S8049432: New tests for TLS property jdk.tls.client.protocols

 + S8049814: Additional SASL client-server tests

 + S8050281: New permission tests for JEP 140

 + S8050370: Need new regressions tests for messageDigest with DigestIOStream

 + S8050371: More MessageDigest tests

 + S8050374: More Signature tests

 + S8050427: LoginContext tests to cover JDK-4703361

 + S8050460: JAAS login/logout tests with LoginContext

 + S8050461: Tests for syntax checking of JAAS configuration file

 + S8054278: Refactor jps utility tests

 + S8055530: assert(_exits.control()->is_top() || !_gvn.type(ret_phi)->empty()) failed: return value must be well defined

 + S8055844: [TESTBUG] test/runtime/NMT/VirtualAllocCommitUncommitRecommit.java fails on Solaris Sparc due to incorrect page size being used

 + S8059677: Thread.getName() instantiates Strings

 + S8061464: A typo in CipherTestUtils test

 + S8062536: [TESTBUG] Conflicting GC combinations in jdk tests

 + S8065076:
 java/net/SocketPermission/SocketPermissionTest.java fails intermittently

 + S8065078: NetworkInterface.getNetworkInterfaces() triggers intermittent test failures

 + S8066871: java.lang.VerifyError: Bad local variable type
 - local final String

 + S8068427: Hashtable deserialization reconstitutes table with wrong capacity

 + S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210

 + S8069253: javax/net/ssl/TLS/TestJSSE.java failed on Mac

 + S8071125: Improve exception messages in URLPermission

 + S8072081: Supplementary characters are rejected in comments

 + S8072463: Remove requirement that AKID and SKID have to match when building certificate chain

 + S8072725: Provide more granular levels for GC verification

 + S8073400: Some Monospaced logical fonts have a different width

 + S8073872: Schemagen fails with StackOverflowError if element references containing class

 + S8074931: Additional tests for CertPath API

 + S8075286: Additional tests for signature algorithm OIDs and transformation string

 + S8076486: [TESTBUG] javax/security/auth/Subject/doAs/NestedActions.java fails if extra VM options are given

 + S8076545: Text size is twice bigger under Windows L&F on Win 8.1 with HiDPI display

 + S8076995:
 gc/ergonomics/TestDynamicNumberOfGCThreads.java failed with java.lang.RuntimeException: 'new_active_workers' missing from stdout/stderr

 + S8079138: Additional negative tests for XML signature processing

 + S8081512: Remove sun.invoke.anon classes, or move / co-locate them with tests

 + S8081771: ProcessTool.createJavaProcessBuilder() needs new addTestVmAndJavaOptions argument

 + S8129419: heapDumper.cpp: assert(length_in_bytes > 0) failed: nothing to copy

 + S8130150: Implement BigInteger.montgomeryMultiply intrinsic

 + S8130242: DataFlavorComparator transitivity exception

 + S8130304: Inference: NodeNotFoundException thrown with deep generic method call chain

 + S8130425: libjvm crash due to stack overflow in executables with 32k tbss/tdata

 + S8133023: ParallelGCThreads is not calculated correctly

 + S8134111: Unmarshaller unmarshalls XML element which doesn't have the expected namespace

 + S8135259: InetAddress.getAllByName only reports 'unknown error' instead of actual cause

 + S8136506: Include sun.arch.data.model as a property that can be queried by jtreg

 + S8137068: Tests added in JDK-8048604 fail to compile

 + S8139040: Fix initializations before ShouldNotReachHere() etc. and enable -Wuninitialized on linux.

 + S8139581: AWT components are not drawn after removal and addition to a container

 + S8141243: Unexpected timezone returned after parsing a date

 + S8141420: Compiler runtime entries don't hold Klass* from being GCed

 + S8141445: Use of Solaris/SPARC M7 libadimalloc.so can generate unknown signal in hs_err file

 + S8141551: C2 can not handle returns with inccompatible interface arrays

 + S8143377: Test PKCS8Test.java fails

 + S8143647: Javac compiles method reference that allows results in an IllegalAccessError

 + S8144144: ORB destroy() leaks filedescriptors after unsuccessful connection

 + S8144593: Suppress not recognized property/feature warning messages from SAXParser

 + S8144957: Remove PICL warning message

 + S8145039: JAXB marshaller fails with ClassCastException on classes generated by xjc

 + S8145228: Java Access Bridge, getAccessibleStatesStringFromContext doesn't wrap the call to getAccessibleRole

 + S8145388: URLConnection.guessContentTypeFromStream returns image/jpg for some JPEG images

 + S8145974: XMLStreamWriter produces invalid XML for surrogate pairs on OutputStreamWriter

 + S8146035: Windows - With LCD antialiasing, some glyphs are not rendered correctly

 + S8146192: Add test for JDK-8049321

 + S8146274: Thread spinning on WeakHashMap.getEntry() with concurrent use of nashorn

 + S8147468: Allow users to bound the size of buffers cached in the per-thread buffer caches

 + S8147645: get_ctrl_no_update() code is wrong

 + S8147807: crash in libkcms.so on linux-sparc

 + S8148379: jdk.nashorn.api.scripting spec. adjustments, clarifications

 + S8148627: RestrictTestMaxCachedBufferSize.java to 64-bit platforms

 + S8148820: Missing @since Javadoc tag in Logger.log(Level, Supplier)

 + S8148926: Call site profiling fails on braces-wrapped anonymous function

 + S8149017: Delayed provider selection broken in RSA client key exchange

 + S8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks

 + S8149330: Capacity of StringBuilder should not get close to Integer.MAX_VALUE unless necessary

 + S8149334: JSON.parse(JSON.stringify([])).push(10) creates an array containing two elements

 + S8149368: [hidpi] JLabel font is twice bigger than JTextArea font on Windows 7,HiDPI, Windows L&F

 + S8149411: PKCS12KeyStore cannot extract AES Secret Keys

 + S8149417: Use final restricted flag

 + S8149450: LdapCtx.processReturnCode() throwing NULL pointer Exception

 + S8149453: [hidpi] JFileChooser does not scale properly on Windows with HiDPI display and Windows L&F

 + S8149543: range check CastII nodes should not be split through Phi

 + S8149743: JVM crash after debugger hotswap with lambdas

 + S8149744: fix testng.jar delivery in Nashorn build.xml

 + S8149915: enabling validate-annotations feature for xsd schema with annotation causes NPE

 + S8150002: Check for the validity of oop before printing it in verify_remembered_set

 + S8150470: JCK: api/xsl/conf/copy/copy19 test failure

 + S8150518: G1 GC crashes at G1CollectedHeap::do_collection_pause_at_safepoint(double )

 + S8150533: Test java/util/logging/LogManagerAppContextDeadlock.java times out intermittently.

 + S8150704: XALAN: ERROR: 'No more DTM IDs are available' when transforming with lots of temporary result trees

 + S8150780: Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError

 + S8151064: com/sun/jdi/RedefineAddPrivateMethod.sh fails intermittently

 + S8151197: [TEST_BUG] Need to backport fix for test/javax/net/ssl/TLS/TestJSSE.java

 + S8151352: jdk/test/sample fails with 'effective library path is outside the test suite'

 + S8151431: DateFormatSymbols triggers this.clone() in the constructor

 + S8151535: TESTBUG:
 java/lang/invoke/AccessControlTest.java should be modified to run with JTREG 4.1 b13

 + S8151731: Add new jtreg keywords to jdk 8

 + S8151998: VS2010 ThemeReader.cpp(758) : error C3861:
 'round': identifier not found

 + S8152927: Incorrect GPL header in StubFactoryDynamicBase.java reported

 + S8153252: SA: Hotspot build on Windows fails if make/closed folder does not exist

 + S8153531: Improve exception messaging for RSAClientKeyExchange

 + S8153641: assert(thread_state == _thread_in_native) failed: Assumed thread_in_native while heap dump

 + S8153673: [BACKOUT] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command

 + S8154304: NullpointerException at LdapReferralException.getReferralContext

 + S8154722: Test gc/ergonomics/TestDynamicNumberOfGCThreads.java fails

 + S8157078: 8u102 L10n resource file updates

 + S8157838: Personalized Windows Font Size is not taken into account in Java8u102

 - Import of OpenJDK 8 u111 build 14

 + S6882559: new JEditorPane('text/plain','') fails for null context class loader

 + S8049171: Additional tests for jarsigner's warnings

 + S8063086: Math.pow yields different results upon repeated calls

 + S8140530: Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString

 + S8142926: OutputAnalyzer's shouldXXX() calls return this

 + S8147077: IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener al

 + S8148127: IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener al in opengl pipeline

 + S8150611: Security problem on sun.misc.resources.Messages*

 + S8153399: Constrain AppCDS behavior (back port)

 + S8157653: [Parfait] Uninitialised variable in awt_Font.cpp

 + S8158734: JEditorPane.createEditorKitForContentType throws NPE after 6882559

 + S8158994: Service Menu services

 + S8159684: (tz) Support tzdata2016f

 + S8160904: Typo in code from 8079718 fix :
 enableCustomValueHanlde

 + S8160934: isnan() is not available on older MSVC compilers

 + S8161141: correct bugId for JDK-8158994 fix push

 + S8162411: Service Menu services 2

 + S8162419:
 closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing after JDK-8155968

 + S8162511: 8u111 L10n resource file updates

 + S8162792: Remove constraint DSA keySize < 1024 from jdk.jar.disabledAlgorithms in jdk8

 + S8164452: 8u111 L10n resource file update - msgdrop 20

 + S8165816: jarsigner -verify shows jar unsigned if it was signed with a weak algorithm

 + S8166381: Back out changes to the java.security file to not disable MD5

 - Backports

 + S8078628, PR3208: Zero build fails with pre-compiled headers disabled

 + S8141491, PR3159, G592292: Unaligned memory access in Bits.c

 + S8157306, PR3121: Random infrequent NULL pointer exceptions in javac (enabled on AArch64 only)

 + S8162384, PR3122: Performance regression: bimorphic inlining may be bypassed by type speculation

 - Bug fixes

 + PR3123: Some object files built without -fPIC on x86 only

 + PR3126: pax-mark-vm script calls 'exit -1' which is invalid in dash

 + PR3127, G590348: Only apply PaX markings by default on running PaX kernels

 + PR3199: Invalid nashorn URL

 + PR3201: Update infinality configure test

 + PR3218: PR3159 leads to build failure on clean tree

 - AArch64 port

 + S8131779, PR3220: AARCH64: add Montgomery multiply intrinsic

 + S8167200, PR3220: AArch64: Broken stack pointer adjustment in interpreter

 + S8167421, PR3220: AArch64: in one core system, fatal error: Illegal threadstate encountered

 + S8167595, PR3220: AArch64: SEGV in stub code cipherBlockChaining_decryptAESCrypt

 + S8168888, PR3220: Port 8160591: Improve internal array handling to AArch64.

 - Shenandoah

 + PR3224: Shenandoah broken when building without pre-compiled headers

 - S8158260, PR2991, RH1341258: PPC64: unaligned Unsafe.getInt can lead to the generation of illegal instructions (boo#988651)

Solution

Update the affected java-1_8_0-openjdk packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1005522

https://bugzilla.opensuse.org/show_bug.cgi?id=1005523

https://bugzilla.opensuse.org/show_bug.cgi?id=1005524

https://bugzilla.opensuse.org/show_bug.cgi?id=1005525

https://bugzilla.opensuse.org/show_bug.cgi?id=1005526

https://bugzilla.opensuse.org/show_bug.cgi?id=1005527

https://bugzilla.opensuse.org/show_bug.cgi?id=1005528

https://bugzilla.opensuse.org/show_bug.cgi?id=988651

Plugin Details

Severity: Critical

ID: 95023

File Name: openSUSE-2016-1335.nasl

Version: 3.3

Type: local

Agent: unix

Published: 11/21/2016

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_8_0-openjdk, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 11/19/2016

Reference Information

CVE: CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5568, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597