openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2014:0174-1)

critical Nessus Plugin ID 75413

Synopsis

The remote openSUSE host is missing a security update.

Description

- Fix a file conflict between -devel and -headless package

- Update to 2.4.4 (bnc#858818)

- changed from xz to gzipped tarball as the first was not available during update

- changed the keyring file due to a release manager change; the new one is signed by 66484681 from [email protected], see http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025800.html

- Security fixes

- S6727821: Enhance JAAS Configuration

- S7068126, CVE-2014-0373: Enhance SNMP statuses

- S8010935: Better XML handling

- S8011786, CVE-2014-0368: Better applet networking

- S8021257, S8025022, CVE-2013-5896: com.sun.corba.se.** should be on restricted package list

- S8021271, S8021266, CVE-2014-0408: Better buffering in ObjC code

- S8022904: Enhance JDBC Parsers

- S8022927: Input validation for byte/endian conversions

- S8022935: Enhance Apache resolver classes

- S8022945: Enhance JNDI implementation classes

- S8023057: Enhance start up image display

- S8023069, CVE-2014-0411: Enhance TLS connections

- S8023245, CVE-2014-0423: Enhance Beans decoding

- S8023301: Enhance generic classes

- S8023338: Update jarsigner to encourage timestamping

- S8023672: Enhance jar file validation

- S8024302: Clarify jar verifications

- S8024306, CVE-2014-0416: Enhance Subject consistency

- S8024530: Enhance font process resilience

- S8024867: Enhance logging start up

- S8025014: Enhance Security Policy

- S8025018, CVE-2014-0376: Enhance JAX-P set up

- S8025026, CVE-2013-5878: Enhance canonicalization

- S8025034, CVE-2013-5907: Improve layout lookups

- S8025448: Enhance listening events

- S8025758, CVE-2014-0422: Enhance Naming management

- S8025767, CVE-2014-0428: Enhance IIOP Streams

- S8026172: Enhance UI Management

- S8026176: Enhance document printing

- S8026193, CVE-2013-5884: Enhance CORBA stub factories

- S8026204: Enhance auth login contexts

- S8026417, CVE-2013-5910: Enhance XML canonicalization

- S8026502: java/lang/invoke/MethodHandleConstants.java fails on all platforms

- S8027201, CVE-2014-0376: Enhance JAX-P set up

- S8029507, CVE-2013-5893: Enhance JVM method processing

- S8029533: REGRESSION: closed/java/lang/invoke/8008140/Test8008140.java fails against

- Backports

- S8025255: (tz) Support tzdata2013g

- S8026826: JDK 7 fix for 8010935 broke the build

- Bug fixes

- PR1618: Include defs.make in vm.make so VM_LITTLE_ENDIAN is defined on Zero builds

- D729448: 32-bit alignment on mips and mipsel

- PR1623: Collision between OpenJDK 6 & 7 classes when bootstrapping with OpenJDK 6

- Add update.py, helper script to download openjdk tarballs from hg repo

- Buildrequire quilt unconditionally as it's used unconditionally.

- Really disable tests on non-JIT architectures. (from Ulrich Weigand)

- Add headless subpackage which does not require X and pulse/alsa

- Add accessibility to extra subpackage, which requires new java-atk-wrapper package

- removed java-1.7.0-openjdk-java-access-bridge-idlj.patch

- removed java-1.7.0-openjdk-java-access-bridge-tck.patch

- removed java-access-bridge-1.26.2.tar.bz2

- Refreshed

- java-1.7.0-openjdk-java-access-bridge-security.patch

- Add a support for running tests using --with tests

- this is ignored on non-jit architectures

- Prefer global over define as bcond_with does use them

- Forward declare aarch64 arch macro

- Define archbuild/archinstall macros for arm and aarch64

- remove a few ifarch conditions by using those macros in filelist

- Need ecj-bootstrap in bootstrap mode (noted by mmatz)

- Don't install vim and quilt in bootstrap mode

- A few enhancements of bootstrap mode

- usable via --with bootstrap

- disable docs, javadoc package

- fix configure arguments on bootstrap

- Add the unversioned SDK directory link to the files list of -devel package (fixes update-alternatives from %post).

- Add support for bootstrapping with just gcj (using included ecj directly). Increase stacksize for powerpc (amends java-1.7.0-openjdk-ppc-zero-jdk.patch). Add support for ppc64le.

- fix stackoverflow for powerpc (java-1_7_0-openjdk-ppc-stackoverflow.patch)

Solution

Update the affected java-1_7_0-openjdk packages.

See Also

http://www.nessus.org/u?3c8576e2

https://bugzilla.novell.com/show_bug.cgi?id=858818

https://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html

https://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html

Plugin Details

Severity: Critical

ID: 75413

File Name: openSUSE-2014-95.nasl

Version: 1.5

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_7_0-openjdk, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 1/22/2014

Reference Information

CVE: CVE-2013-5878, CVE-2013-5884, CVE-2013-5893, CVE-2013-5896, CVE-2013-5907, CVE-2013-5910, CVE-2014-0368, CVE-2014-0373, CVE-2014-0376, CVE-2014-0408, CVE-2014-0411, CVE-2014-0416, CVE-2014-0422, CVE-2014-0423, CVE-2014-0428