openSUSE Security Update : java-11-openjdk (openSUSE-2020-1175)

medium Nessus Plugin ID 139451
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for java-11-openjdk fixes the following issues :

- Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157)

- Security fixes :

+ JDK-8230613: Better ASCII conversions

+ JDK-8231800: Better listing of arrays

+ JDK-8232014: Expand DTD support

+ JDK-8233234: Better Zip Naming

+ JDK-8233239, CVE-2020-14562: Enhance TIFF support

+ JDK-8233255: Better Swing Buttons

+ JDK-8234032: Improve basic calendar services

+ JDK-8234042: Better factory production of certificates

+ JDK-8234418: Better parsing with CertificateFactory

+ JDK-8234836: Improve serialization handling

+ JDK-8236191: Enhance OID processing

+ JDK-8236867, CVE-2020-14573: Enhance Graal interface handling

+ JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior

+ JDK-8237592, CVE-2020-14577: Enhance certificate verification

+ JDK-8238002, CVE-2020-14581: Better matrix operations

+ JDK-8238013: Enhance String writing

+ JDK-8238804: Enhance key handling process

+ JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable

+ JDK-8238843: Enhanced font handing

+ JDK-8238920, CVE-2020-14583: Better Buffer support

+ JDK-8238925: Enhance WAV file playback

+ JDK-8240119, CVE-2020-14593: Less Affine Transformations

+ JDK-8240482: Improved WAV file playback

+ JDK-8241379: Update JCEKS support

+ JDK-8241522: Manifest improved jar headers redux

+ JDK-8242136, CVE-2020-14621: Better XML namespace handling

- Other changes :

+ JDK-6933331: (d3d/ogl) java.lang.IllegalStateException:
Buffers have not been created

+ JDK-7124307: JSpinner and changing value by mouse

+ JDK-8022574: remove HaltNode code after uncommon trap calls

+ JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.j ava fails

+ JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown

+ JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)

+ JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy .java Expected non-null LockInfo

+ JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly

+ JDK-8080353: JShell: Better error message on attempting to add default method

+ JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled

+ JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot

+ JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout

+ JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily

+ JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping

+ JDK-8175984: ICC_Profile has un-needed, not-empty finalize method

+ JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments

+ JDK-8183369: RFC unconformity of HttpURLConnection with proxy

+ JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT

+ JDK-8189861: Refactor CacheFind

+ JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently

+ JDK-8191930: [Graal] emits unparseable XML into compile log

+ JDK-8193879: Java debugger hangs on method invocation

+ JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows

+ JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails

+ JDK-8198000:
java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows

+ JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/ /WrongParentAfterRemoveMenu.java debug assert on Windows

+ JDK-8198339: Test javax/swing/border/Test6981576.java is unstable

+ JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801

+ JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740

+ JDK-8203672: JNI exception pending in PlainSocketImpl.c

+ JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398

+ JDK-8204834: Fix confusing 'allocate' naming in OopStorage

+ JDK-8205399: Set node color on pinned HashMap.TreeNode deletion

+ JDK-8205653:
test/jdk/sun/management/jmxremote/bootstrap/ /RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure

+ JDK-8206179: com/sun/management/OperatingSystemMXBean/ /GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value

+ JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M

+ JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected java-11-openjdk packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1174157

Plugin Details

Severity: Medium

ID: 139451

File Name: openSUSE-2020-1175.nasl

Version: 1.2

Type: local

Agent: unix

Published: 8/10/2020

Updated: 8/12/2020

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2020-14556

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-11-openjdk, p-cpe:/a:novell:opensuse:java-11-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-11-openjdk-accessibility-debuginfo, p-cpe:/a:novell:opensuse:java-11-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-11-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-11-openjdk-demo, p-cpe:/a:novell:opensuse:java-11-openjdk-devel, p-cpe:/a:novell:opensuse:java-11-openjdk-headless, p-cpe:/a:novell:opensuse:java-11-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-11-openjdk-jmods, p-cpe:/a:novell:opensuse:java-11-openjdk-src, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 8/9/2020

Vulnerability Publication Date: 7/15/2020

Reference Information

CVE: CVE-2020-14556, CVE-2020-14562, CVE-2020-14573, CVE-2020-14577, CVE-2020-14581, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621