openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-944)

High Nessus Plugin ID 92774

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for java-1_8_0-openjdk fixes the following issues :

 - Upgrade to version jdk8u101 (icedtea 3.1.0)

 - New in release 3.1.0 (2016-07-25) :

 - Security fixes

 - S8079718, CVE-2016-3458: IIOP Input Stream Hooking (boo#989732)

 - S8145446, CVE-2016-3485: Perfect pipe placement (Windows only) (boo#989734)

 - S8146514: Enforce GCM limits

 - S8147771: Construction of static protection domains under Javax custom policy

 - S8148872, CVE-2016-3500: Complete name checking (boo#989730)

 - S8149070: Enforce update ordering

 - S8149962, CVE-2016-3508: Better delineation of XML processing (boo#989731)

 - S8150752: Share Class Data

 - S8151925: Font reference improvements

 - S8152479, CVE-2016-3550: Coded byte streams (boo#989733)

 - S8153312: Constrain AppCDS behavior

 - S8154475, CVE-2016-3587: Clean up lookup visibility (boo#989721)

 - S8155981, CVE-2016-3606: Bolster bytecode verification (boo#989722)

 - S8155985, CVE-2016-3598: Persistent Parameter Processing (boo#989723)

 - S8158571, CVE-2016-3610: Additional method handle validation (boo#989725)

 - CVE-2016-3552 (boo#989726)

 - CVE-2016-3511 (boo#989727)

 - CVE-2016-3503 (boo#989728)

 - CVE-2016-3498 (boo#989729)

 - New features

 - S8145547, PR1061: [AWT/Swing] Conditional support for GTK 3 on Linux

 - PR2821: Support building OpenJDK with --disable-headful

 - PR2931, G478960: Provide Infinality Support via fontconfig

 - PR3079: Provide option to build Shenandoah on x86_64

 - Import of OpenJDK 8 u92 build 14

 - S6869327: Add new C2 flag to keep safepoints in counted loops.

 - S8022865: [TESTBUG] Compressed Oops testing needs to be revised

 - S8029630: Thread id should be displayed as a hex number in error report

 - S8029726: On OS X some dtrace probe names are mismatched with Solaris

 - S8029727: On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired.

 - S8029728: On OS X dtrace probes SetStaticBooleanField are not fired

 - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String

 - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits

 - S8041501: ImageIO reader is not capable of reading JPEGs without JFIF header

 - S8041900: [macosx] Java forces the use of discrete GPU

 - S8044363: Remove special build options for unpack200 executable

 - S8046471: Use OPENJDK_TARGET_CPU_ARCH instead of legacy value for hotspot ARCH

 - S8046611: Build errors with gcc on sparc/fastdebug

 - S8047763: Recognize sparc64 as a sparc platform

 - S8048232: Fix for 8046471 breaks PPC64 build

 - S8052396: Catch exceptions resulting from missing font cmap

 - S8058563: InstanceKlass::_dependencies list isn't cleared from empty nmethodBucket entries

 - S8061624: [TESTBUG] Some tests cannot be ran under compact profiles and therefore shall be excluded

 - S8062901: Iterators is spelled incorrectly in the Javadoc for Spliterator

 - S8064330: Remove SHA224 from the default support list if SunMSCAPI enabled

 - S8065579: WB method to start G1 concurrent mark cycle should be introduced

 - S8065986: Compiler fails to NullPointerException when calling super with Object<>()

 - S8066974: Compiler doesn't infer method's generic type information in lambda body

 - S8067800: Clarify java.time.chrono.Chronology.isLeapYear for out of range years

 - S8068033: JNI exception pending in jdk/src/share/bin/java.c

 - S8068042: Check jdk/src/share/native/sun/misc/URLClassPath.c for JNI pending

 - S8068162: jvmtiRedefineClasses.cpp: guarantee(false) failed: OLD and/or OBSOLETE method(s) found

 - S8068254: Method reference uses wrong qualifying type

 - S8074696: Remote debugging session hangs for several minutes when calling findBootType

 - S8074935: jdk8 keytool doesn't validate pem files for RFC 1421 correctness, as jdk7 did

 - S8078423: [TESTBUG] javax/print/PrintSEUmlauts/PrintSEUmlauts.java relies on system locale

 - S8080492: [Parfait] Uninitialised variable in jdk/src/java/desktop/windows/native/libawt/

 - S8080650: Enable stubs to use frame pointers correctly

 - S8122944: perfdata used is seen as too high on sparc zone with jdk1.9 and causes a test failure

 - S8129348: Debugger hangs in trace mode with TRACE_SENDS

 - S8129847: Compiling methods generated by Nashorn triggers high memory usage in C2

 - S8130506: javac AssertionError when invoking MethodHandle.invoke with lambda parameter

 - S8130910: hsperfdata file is created in wrong directory and not cleaned up if /tmp/hsperfdata_<username> has wrong permissions

 - S8131129: Attempt to define a duplicate BMH$Species class

 - S8131665: Bad exception message in HandshakeHash.getFinishedHash

 - S8131782: C1 Class.cast optimization breaks when Class is loaded from static final

 - S8132503: [macosx] Chinese full stop symbol cannot be entered with Pinyin IM on OS X

 - S8133207: ParallelProbes.java test fails after changes for JDK-8080115

 - S8133924: NPE may be thrown when xsltc select a non-existing node after JDK-8062518

 - S8134007: Improve string folding

 - S8134759: jdb: Incorrect stepping inside finally block

 - S8134963: [Newtest] New stress test for changing the coarseness level of G1 remembered set

 - S8136442: Don't tie Certificate signature algorithms to ciphersuites

 - S8137106: EUDC (End User Defined Characters) are not displayed on Windows with Java 8u60+

 - S8138745: Implement ExitOnOutOfMemory and CrashOnOutOfMemory in HotSpot

 - S8138764: In some cases the usage of TreeLock can be replaced by other synchronization

 - S8139373: [TEST_BUG] java/net/MulticastSocket/MultiDead.java failed with timeout

 - S8139424: SIGSEGV, Problematic frame: # V [libjvm.so+0xd0c0cc] void InstanceKlass::oop_oop_iterate_oop_maps_specialized<true ,oopDesc*,MarkAndPushClosure>

 - S8139436: sun.security.mscapi.KeyStore might load incomplete data

 - S8139751: Javac crash with -XDallowStringFolding=false

 - S8139863: [TESTBUG] Need to port tests for JDK-8134903 to 8u-dev

 - S8139985: JNI exception pending in jdk/src/jdk/hprof/agent/share/native/libhprof

 - S8140031: SA: Searching for a value in Threads does not work

 - S8140249: JVM Crashing During startUp If Flight Recording is enabled

 - S8140344: add support for 3 digit update release numbers

 - S8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check

 - S8141260: isReachable crash in windows xp

 - S8143297: Nashorn compilation time reported in nanoseconds

 - S8143397: It looks like InetAddress.isReachable(timeout) works incorrectly

 - S8143855: Bad printf formatting in frame_zero.cpp

 - S8143896: java.lang.Long is implicitly converted to double

 - S8143963: improve ClassLoader::trace_class_path to accept an additional outputStream* arg

 - S8144020: Remove long as an internal numeric type

 - S8144131: ArrayData.getInt implementations do not convert to int32

 - S8144483: One long Safepoint pause directly after each GC log rotation

 - S8144487: PhaseIdealLoop::build_and_optimize() must restore major_progress flag if skip_loop_opts is true

 - S8144885: agent/src/os/linux/libproc.h needs to support Linux/SPARC builds

 - S8144935: C2: safepoint is pruned from a non-counted loop

 - S8144937: [TEST_BUG] testlibrary_tests should be excluded for compact1 and compact2 execution

 - S8145017: Add support for 3 digit hotspot minor version numbers

 - S8145099: Better error message when SA can't attach to a process

 - S8145442: Add the facility to verify remembered sets for G1

 - S8145466: javac: No line numbers in compilation error

 - S8145539: (coll) AbstractMap.keySet and .values should not be volatile

 - S8145550: Megamorphic invoke should use CompiledFunction variants without any LinkLogic

 - S8145669: apply2call optimized callsite fails after becoming megamorphic

 - S8145722: NullPointerException in javadoc

 - S8145754: PhaseIdealLoop::is_scaled_iv_plus_offset() does not match AddI

 - S8146147: Java linker indexed property getter does not work for computed nashorn string

 - S8146566: OpenJDK build can't handle commas in LDFLAGS

 - S8146725: Issues with SignatureAndHashAlgorithm.getSupportedAlgorithms

 - S8146979: Backport of 8046471 breaks ppc64 build in jdk8u because 8072383 was badly backported before

 - S8147087: Race when reusing PerRegionTable bitmaps may result in dropped remembered set entries

 - S8147630: Wrong test result pushed to 8u-dev

 - S8147845: Varargs Array functions still leaking longs

 - S8147857: RMIConnector logs attribute names incorrectly

 - S8148353: [linux-sparc] Crash in libawt.so on Linux SPARC

 - S8150791: 8u76 L10n resource file translation update

 - Import of OpenJDK 8 u101 build 13

 - S6483657: MSCAPI provider does not create unique alias names

 - S6675699: need comprehensive fix for unconstrained ConvI2L with narrowed type

 - S8037557: test SessionCacheSizeTests.java timeout

 - S8038837: Add support to jarsigner for specifying timestamp hash algorithm

 - S8081778: Use Intel x64 CPU instructions for RSA acceleration

 - S8130150: Implement BigInteger.montgomeryMultiply intrinsic

 - S8130735: javax.swing.TimerQueue: timer fires late when another timer starts

 - S8143913: MSCAPI keystore should accept Certificate[] in setEntry()

 - S8144313: Test SessionTimeOutTests can be timeout

 - S8146240: Three nashorn files contain 'GNU General Public License' header

 - S8146387: Test SSLSession/SessionCacheSizeTests socket accept timed out

 - S8146669: Test SessionTimeOutTests fails intermittently

 - S8146993: Several javax/management/remote/mandatory regression tests fail after JDK-8138811

 - S8147994: [macosx] JScrollPane jitters up/down during trackpad scrolling on MacOS/Aqua

 - S8151522: Disable 8130150 and 8081778 intrinsics by default

 - S8151876: (tz) Support tzdata2016d

 - S8152098: Fix 8151522 caused test compiler/intrinsics/squaretolen/TestSquareToLen.java to fail

 - S8157077: 8u101 L10n resource file updates

 - Backports

 - S6260348, PR3066: GTK+ L&F JTextComponent not respecting desktop caret blink rate

 - S6778087, PR1061: getLocationOnScreen() always returns (0, 0) for mouse wheel events

 - S6961123, PR2972: setWMClass fails to null-terminate WM_CLASS string

 - S8008657, PR3077: JSpinner setComponentOrientation doesn't affect on text orientation

 - S8014212, PR2866: Robot captures black screen

 - S8029339, PR1061: Custom MultiResolution image support on HiDPI displays

 - S8031145, PR3077: Re-examine closed i18n tests to see it they can be moved to the jdk repository.

 - S8034856, PR3095: gcc warnings compiling src/solaris/native/sun/security/pkcs11

 - S8034857, PR3095: gcc warnings compiling src/solaris/native/sun/management

 - S8035054, PR3095: JarFacade.c should not include ctype.h

 - S8035287, PR3095: gcc warnings compiling various libraries files

 - S8038631, PR3077: Create wrapper for awt.Robot with additional functionality

 - S8039279, PR3077: Move awt tests to openjdk repository

 - S8041561, PR3077: Inconsistent opacity behaviour between JCheckBox and JRadioButton

 - S8041592, PR3077: [TEST_BUG] Move 42 AWT hw/lw mixing tests to jdk

 - S8041915, PR3077: Move 8 awt tests to OpenJDK regression tests tree

 - S8043126, PR3077: move awt automated functional tests from AWT_Events/Lw and AWT_Events/AWT to OpenJDK repository

 - S8043131, PR3077: Move ShapedAndTranslucentWindows and GC functional AWT tests to regression tree

 - S8044157, PR3077: [TEST_BUG] Improve recently submitted AWT_Mixing tests

 - S8044172, PR3077: [TEST_BUG] Move regtests for 4523758 and AltPlusNumberKeyCombinationsTest to jdk

 - S8044429, PR3077: move awt automated tests for AWT_Modality to OpenJDK repository

 - S8044762, PR2960: com/sun/jdi/OptionTest.java test time out

 - S8044765, PR3077: Move functional tests AWT_SystemTray/Automated to openjdk repository

 - S8047180, PR3077: Move functional tests AWT_Headless/Automated to OpenJDK repository

 - S8047367, PR3077: move awt automated tests from AWT_Modality to OpenJDK repository - part 2

 - S8048246, PR3077: Move AWT_DnD/Clipboard/Automated functional tests to OpenJDK

 - S8049226, PR2960: com/sun/jdi/OptionTest.java test times out again

 - S8049617, PR3077: move awt automated tests from AWT_Modality to OpenJDK repository - part 3

 - S8049694, PR3077: Migrate functional AWT_DesktopProperties/Automated tests to OpenJDK

 - S8050885, PR3077: move awt automated tests from AWT_Modality to OpenJDK repository - part 4

 - S8051440, PR3077: move tests about maximizing undecorated to OpenJDK

 - S8052012, PR3077: move awt automated tests from AWT_Modality to OpenJDK repository - part 5

 - S8052408, PR3077: Move AWT_BAT functional tests to OpenJDK (3 of 3)

 - S8053657, PR3077: [TEST_BUG] move some 5 tests related to undecorated Frame/JFrame to JDK

 - S8054143, PR3077: move awt automated tests from AWT_Modality to OpenJDK repository - part 6

 - S8054358, PR3077: move awt automated tests from AWT_Modality to OpenJDK repository - part 7

 - S8054359, PR3077: move awt automated tests from AWT_Modality to OpenJDK repository - part 8

 - S8055360, PR3077: Move the rest part of AWT ShapedAndTranslucent tests to OpenJDK

 - S8055664, PR3077: move 14 tests about setLocationRelativeTo to jdk

 - S8055836, PR3077: move awt tests from AWT_Modality to OpenJDK repository - part 9

 - S8056911, PR3077: Remove internal API usage from ExtendedRobot class

 - S8057694, PR3077: move awt tests from AWT_Modality to OpenJDK repository - part 10

 - S8058959, PR1061:
 closed/java/awt/event/ComponentEvent/MovedResizedTwiceTe st/MovedResizedTwiceTest.java failed automatically

 - S8062606, PR3077: Fix a typo in java.awt.Robot class

 - S8063102, PR3077: Change open awt regression tests to avoid sun.awt.SunToolkit.realSync, part 1

 - S8063104, PR3077: Change open awt regression tests to avoid sun.awt.SunToolkit.realSync, part 2

 - S8063106, PR3077: Change open swing regression tests to avoid sun.awt.SunToolkit.realSync, part 1

 - S8063107, PR3077: Change open swing regression tests to avoid sun.awt.SunToolkit.realSync, part 2

 - S8064573, PR3077: [TEST_BUG] javax/swing/text/AbstractDocument/6968363/Test6968363.ja va is asocial pressing VK_LEFT and not releasing

 - S8064575, PR3077: [TEST_BUG] javax/swing/JEditorPane/6917744/bug6917744.java 100 times press keys and never releases

 - S8064809, PR3077: [TEST_BUG] javax/swing/JComboBox/4199622/bug4199622.java contains a lot of keyPress and not a single keyRelease

 - S8067441, PR3077: Some tests fails with error: cannot find symbol getSystemMnemonicKeyCodes()

 - S8068228, PR3077: Test closed/java/awt/Mouse/MaximizedFrameTest/MaximizedFrameT est fails with GTKLookAndFeel

 - S8069361, PR1061: SunGraphics2D.getDefaultTransform() does not include scale factor

 - S8073320, PR1061: Windows HiDPI Graphics support

 - S8074807, PR3077: Fix some tests unnecessary using internal API

 - S8076315, PR3077: move 4 manual functional swing tests to regression suite

 - S8078504, PR3094: Zero lacks declaration of VM_Version::initialize()

 - S8129822, PR3077: Define 'headful' jtreg keyword

 - S8132123, PR1061: MultiResolutionCachedImage unnecessarily creates base image to get its size

 - S8133539, PR1061: [TEST_BUG] Split java/awt/image/MultiResolutionImageTest.java in two to allow restricted access

 - S8137571, PR1061: Linux HiDPI Graphics support

 - S8142406, PR1061: [TEST] MultiResolution image: need test to cover the case when @2x image is corrupted

 - S8145188, PR2945: No LocalVariableTable generated for the entire JDK

 - S8150258, PR1061: [TEST] HiDPI: create a test for multiresolution menu items icons

 - S8150724, PR1061: [TEST] HiDPI: create a test for multiresolution icons

 - S8150844, PR1061: [hidpi] [macosx] -Dsun.java2d.uiScale should be taken into account for OS X

 - S8151841, PR2882: Build needs additional flags to compile with GCC 6 [plus parts of 8149647 & 8032045]

 - S8155613, PR1061: [PIT] crash in AWT_Desktop/Automated/Exceptions/BasicTest

 - S8156020, PR1061: 8145547 breaks AIX and and uses RTLD_NOLOAD incorrectly

 - S8156128, PR1061: Tests for [AWT/Swing] Conditional support for GTK 3 on Linux

 - S8158260, PR2991, RH1341258: PPC64: unaligned Unsafe.getInt can lead to the generation of illegal instructions

 - S8159244, PR3074: Partially initialized string object created by C2's string concat optimization may escape

 - S8159690, PR3077: [TESTBUG] Mark headful tests with @key headful.

 - S8160294, PR2882, PR3095: Some client libraries cannot be built with GCC 6

 - Bug fixes

 - PR1958: GTKLookAndFeel does not honor gtk-alternative-button-order

 - PR2822: Feed LIBS & CFLAGS into configure rather than make to avoid re-discovery by OpenJDK configure

 - PR2932: Support ccache in a non-automagic manner

 - PR2933: Support ccache 3.2 and later

 - PR2964: Set system defaults based on OS

 - PR2974, RH1337583: PKCS#10 certificate requests now use CRLF line endings rather than system line endings

 - PR3078: Remove duplicated line dating back to 6788347 and 6894807

 - PR3083, RH1346460: Regression in SSL debug output without an ECC provider

 - PR3089: Remove old memory limits patch

 - PR3090, RH1204159: SystemTap is heavily confused by multiple JDKs

 - PR3095: Fix warnings in URLClassPath.c

 - PR3096: Remove dead --disable-optimizations option

 - PR3105: Use version from hotspot.map to create tarball filename

 - PR3106: Handle both correctly-spelt property 'enableCustomValueHandler' introduced by S8079718 and typo version

 - PR3108: Shenandoah patches not included in release tarball

 - PR3110: Update hotspot.map documentation in INSTALL

 - Fix script linking /usr/share/javazi/tzdb.dat for platform where it applies (boo#987895)

 - Fix aarch64 running with 48 bits va space (boo#984684)

Solution

Update the affected java-1_8_0-openjdk packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=984684

https://bugzilla.opensuse.org/show_bug.cgi?id=987895

https://bugzilla.opensuse.org/show_bug.cgi?id=989721

https://bugzilla.opensuse.org/show_bug.cgi?id=989722

https://bugzilla.opensuse.org/show_bug.cgi?id=989723

https://bugzilla.opensuse.org/show_bug.cgi?id=989725

https://bugzilla.opensuse.org/show_bug.cgi?id=989726

https://bugzilla.opensuse.org/show_bug.cgi?id=989727

https://bugzilla.opensuse.org/show_bug.cgi?id=989728

https://bugzilla.opensuse.org/show_bug.cgi?id=989729

https://bugzilla.opensuse.org/show_bug.cgi?id=989730

https://bugzilla.opensuse.org/show_bug.cgi?id=989731

https://bugzilla.opensuse.org/show_bug.cgi?id=989732

https://bugzilla.opensuse.org/show_bug.cgi?id=989733

https://bugzilla.opensuse.org/show_bug.cgi?id=989734

Plugin Details

Severity: High

ID: 92774

File Name: openSUSE-2016-944.nasl

Version: Revision: 2.2

Type: local

Agent: unix

Published: 2016/08/08

Updated: 2016/10/13

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 9.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_8_0-openjdk, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src, cpe:/o:novell:opensuse:13.2

Patch Publication Date: 2016/08/05

Reference Information

CVE: CVE-2016-3458, CVE-2016-3485, CVE-2016-3498, CVE-2016-3500, CVE-2016-3503, CVE-2016-3508, CVE-2016-3511, CVE-2016-3550, CVE-2016-3552, CVE-2016-3587, CVE-2016-3598, CVE-2016-3606, CVE-2016-3610