ESB-2017.2046 - [SUSE] java-1_8_0-openjdk: Multiple vulnerabilities 2017-08-17

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2046
       SUSE Security Update: Security update for java-1_8_0-openjdk
                              17 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           java-1_8_0-openjdk
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10243 CVE-2017-10198 CVE-2017-10193
                   CVE-2017-10176 CVE-2017-10135 CVE-2017-10125
                   CVE-2017-10118 CVE-2017-10116 CVE-2017-10115
                   CVE-2017-10114 CVE-2017-10111 CVE-2017-10110
                   CVE-2017-10109 CVE-2017-10108 CVE-2017-10107
                   CVE-2017-10105 CVE-2017-10102 CVE-2017-10101
                   CVE-2017-10096 CVE-2017-10090 CVE-2017-10089
                   CVE-2017-10087 CVE-2017-10086 CVE-2017-10081
                   CVE-2017-10078 CVE-2017-10074 CVE-2017-10067
                   CVE-2017-10053  

Reference:         ESB-2017.2038
                   ESB-2017.2023
                   ESB-2017.1858
                   ESB-2017.1837

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2017/suse-su-20172175-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for java-1_8_0-openjdk
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2175-1
Rating:             important
References:         #1049302 #1049305 #1049306 #1049307 #1049308 
                    #1049309 #1049310 #1049311 #1049312 #1049313 
                    #1049314 #1049315 #1049316 #1049317 #1049318 
                    #1049319 #1049320 #1049321 #1049322 #1049323 
                    #1049324 #1049325 #1049326 #1049327 #1049328 
                    #1049329 #1049330 #1049331 #1049332 
Cross-References:   CVE-2017-10053 CVE-2017-10067 CVE-2017-10074
                    CVE-2017-10078 CVE-2017-10081 CVE-2017-10086
                    CVE-2017-10087 CVE-2017-10089 CVE-2017-10090
                    CVE-2017-10096 CVE-2017-10101 CVE-2017-10102
                    CVE-2017-10105 CVE-2017-10107 CVE-2017-10108
                    CVE-2017-10109 CVE-2017-10110 CVE-2017-10111
                    CVE-2017-10114 CVE-2017-10115 CVE-2017-10116
                    CVE-2017-10118 CVE-2017-10125 CVE-2017-10135
                    CVE-2017-10176 CVE-2017-10193 CVE-2017-10198
                    CVE-2017-10243
Affected Products:
                    SUSE OpenStack Cloud 6
                    SUSE Linux Enterprise Server for SAP 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1-LTSS
                    SUSE Linux Enterprise Desktop 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that solves 28 vulnerabilities and has one errata
   is now available.

Description:

   This java-1_8_0-openjdk update to version jdk8u141 (icedtea 3.5.0) fixes
   the following issues:

   Security issues fixed:
   - CVE-2017-10053: Improved image post-processing steps (bsc#1049305)
   - CVE-2017-10067: Additional jar validation steps (bsc#1049306)
   - CVE-2017-10074: Image conversion improvements (bsc#1049307)
   - CVE-2017-10078: Better script accessibility for JavaScript (bsc#1049308)
   - CVE-2017-10081: Right parenthesis issue (bsc#1049309)
   - CVE-2017-10086: Unspecified vulnerability in subcomponent JavaFX
     (bsc#1049310)
   - CVE-2017-10087: Better Thread Pool execution (bsc#1049311)
   - CVE-2017-10089: Service Registration Lifecycle (bsc#1049312)
   - CVE-2017-10090: Better handling of channel groups (bsc#1049313)
   - CVE-2017-10096: Transform Transformer Exceptions (bsc#1049314)
   - CVE-2017-10101: Better reading of text catalogs (bsc#1049315)
   - CVE-2017-10102: Improved garbage collection (bsc#1049316)
   - CVE-2017-10105: Unspecified vulnerability in subcomponent deployment
     (bsc#1049317)
   - CVE-2017-10107: Less Active Activations (bsc#1049318)
   - CVE-2017-10108: Better naming attribution (bsc#1049319)
   - CVE-2017-10109: Better sourcing of code (bsc#1049320)
   - CVE-2017-10110: Better image fetching (bsc#1049321)
   - CVE-2017-10111: Rearrange MethodHandle arrangements (bsc#1049322)
   - CVE-2017-10114: Unspecified vulnerability in subcomponent JavaFX
     (bsc#1049323)
   - CVE-2017-10115: Higher quality DSA operations (bsc#1049324)
   - CVE-2017-10116: Proper directory lookup processing (bsc#1049325)
   - CVE-2017-10118: Higher quality ECDSA operations (bsc#1049326)
   - CVE-2017-10125: Unspecified vulnerability in subcomponent deployment
     (bsc#1049327)
   - CVE-2017-10135: Better handling of PKCS8 material (bsc#1049328)
   - CVE-2017-10176: Additional elliptic curve support (bsc#1049329)
   - CVE-2017-10193: Improve algorithm constraints implementation
     (bsc#1049330)
   - CVE-2017-10198: Clear certificate chain connections (bsc#1049331)
   - CVE-2017-10243: Unspecified vulnerability in subcomponent JAX-WS
     (bsc#1049332)

   Bug fixes:
   - Check registry registration location
   - Improved certificate processing
   - JMX diagnostic improvements
   - Update to libpng 1.6.28
   - Import of OpenJDK 8 u141 build 15 (bsc#1049302)

   New features:
   - Support using RSAandMGF1 with the SHA hash algorithms in the PKCS11
     provider


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 6:

      zypper in -t patch SUSE-OpenStack-Cloud-6-2017-1337=1

   - SUSE Linux Enterprise Server for SAP 12-SP1:

      zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1337=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-1337=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2017-1337=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-1337=1

   - SUSE Linux Enterprise Server 12-SP1-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1337=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2017-1337=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-1337=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE OpenStack Cloud 6 (x86_64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3

   - SUSE Linux Enterprise Server for SAP 12-SP1 (ppc64le x86_64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3

   - SUSE Linux Enterprise Server 12-SP1-LTSS (ppc64le s390x x86_64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-demo-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-devel-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      java-1_8_0-openjdk-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debuginfo-1.8.0.144-27.5.3
      java-1_8_0-openjdk-debugsource-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-1.8.0.144-27.5.3
      java-1_8_0-openjdk-headless-debuginfo-1.8.0.144-27.5.3


References:

   https://www.suse.com/security/cve/CVE-2017-10053.html
   https://www.suse.com/security/cve/CVE-2017-10067.html
   https://www.suse.com/security/cve/CVE-2017-10074.html
   https://www.suse.com/security/cve/CVE-2017-10078.html
   https://www.suse.com/security/cve/CVE-2017-10081.html
   https://www.suse.com/security/cve/CVE-2017-10086.html
   https://www.suse.com/security/cve/CVE-2017-10087.html
   https://www.suse.com/security/cve/CVE-2017-10089.html
   https://www.suse.com/security/cve/CVE-2017-10090.html
   https://www.suse.com/security/cve/CVE-2017-10096.html
   https://www.suse.com/security/cve/CVE-2017-10101.html
   https://www.suse.com/security/cve/CVE-2017-10102.html
   https://www.suse.com/security/cve/CVE-2017-10105.html
   https://www.suse.com/security/cve/CVE-2017-10107.html
   https://www.suse.com/security/cve/CVE-2017-10108.html
   https://www.suse.com/security/cve/CVE-2017-10109.html
   https://www.suse.com/security/cve/CVE-2017-10110.html
   https://www.suse.com/security/cve/CVE-2017-10111.html
   https://www.suse.com/security/cve/CVE-2017-10114.html
   https://www.suse.com/security/cve/CVE-2017-10115.html
   https://www.suse.com/security/cve/CVE-2017-10116.html
   https://www.suse.com/security/cve/CVE-2017-10118.html
   https://www.suse.com/security/cve/CVE-2017-10125.html
   https://www.suse.com/security/cve/CVE-2017-10135.html
   https://www.suse.com/security/cve/CVE-2017-10176.html
   https://www.suse.com/security/cve/CVE-2017-10193.html
   https://www.suse.com/security/cve/CVE-2017-10198.html
   https://www.suse.com/security/cve/CVE-2017-10243.html
   https://bugzilla.suse.com/1049302
   https://bugzilla.suse.com/1049305
   https://bugzilla.suse.com/1049306
   https://bugzilla.suse.com/1049307
   https://bugzilla.suse.com/1049308
   https://bugzilla.suse.com/1049309
   https://bugzilla.suse.com/1049310
   https://bugzilla.suse.com/1049311
   https://bugzilla.suse.com/1049312
   https://bugzilla.suse.com/1049313
   https://bugzilla.suse.com/1049314
   https://bugzilla.suse.com/1049315
   https://bugzilla.suse.com/1049316
   https://bugzilla.suse.com/1049317
   https://bugzilla.suse.com/1049318
   https://bugzilla.suse.com/1049319
   https://bugzilla.suse.com/1049320
   https://bugzilla.suse.com/1049321
   https://bugzilla.suse.com/1049322
   https://bugzilla.suse.com/1049323
   https://bugzilla.suse.com/1049324
   https://bugzilla.suse.com/1049325
   https://bugzilla.suse.com/1049326
   https://bugzilla.suse.com/1049327
   https://bugzilla.suse.com/1049328
   https://bugzilla.suse.com/1049329
   https://bugzilla.suse.com/1049330
   https://bugzilla.suse.com/1049331
   https://bugzilla.suse.com/1049332

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWZUGlYx+lLeg9Ub1AQjxahAAnCBkUVLWqVckC0Gx3WUfqtz2nCTSMlAB
Zb9i8grp6143DwSHJrGQoPAS3km296QGJFDZTYQl7s00R+jBYBjTm/TWVgVD0Vdo
yit1T+RXzqtlMJXUyt6mUBaYCe8vuSThB+7xHgaNGWS7MTGmE/1/fpQfaYg79cwG
m70KVWN52RTQF0kwS9Znddx/U3fwFnI3I+QsL2Iy/i11uN4S+4I1N8DJ7L8B+8Vs
I7K3bWX/gaMhVWeN3KCB3/j+P215O/9F4dvB8CVJvlimbtbGGKzdezu9FZkzCzvh
Wg4w16qyIjpIQ1hcAu1bfFBx30EA6KQRzwIlAoUgRay5LmUeEgObeTc/U4n94WrT
hMjsgijoD/sDDNN4az0gqVak9PYVh56k1ARV5++ics+LvX7baJkKVyjZznHFjdIC
wzAkuJPqSqFPsNoWXI9lNNHc5wMpH2vcPivIP8HPTc5fnhaZaBapmyYLlqK3/wzK
bFd8ZZsrlNwGFn+CaZudlyrsTko7gLBgOVJoxzhL0rp/ylbdl4ME9TnK6oHlLI7Z
Tx7XQQBNOG/YKddOYE3BRXDdbUuaoIF5kkPnaDQRgMtXpyf6rEi47vsffSZ8WDOM
aaWHhT/sKdeaii1H71IMEQU5Yjnp1Ow47U08PKGKwgv6wtAaiVRQ+ppt9KcD8uz7
vyzd3fpHq64=
=oDrm
-----END PGP SIGNATURE-----

« Back to bulletins