
             AUSCERT External Security Bulletin Redistribution

                    Security update for java-11-openjdk
                               23 July 2020


        AusCERT Security Bulletin Summary

Product:           java-11-openjdk
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14621 CVE-2020-14593 CVE-2020-14583
                   CVE-2020-14581 CVE-2020-14577 CVE-2020-14573
                   CVE-2020-14562 CVE-2020-14556 

Reference:         ASB-2020.0128

Original Bulletin: 

---------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for java-11-openjdk


Announcement ID:   SUSE-SU-2020:2008-1
Rating:            important
References:        #1174157
Cross-References:  CVE-2020-14556 CVE-2020-14562 CVE-2020-14573 CVE-2020-14577
                   CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621
Affected Products:
                   SUSE Linux Enterprise Server 12-SP5

An update that fixes 8 vulnerabilities is now available.


This update for java-11-openjdk fixes the following issues:

  o Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157)
    * Security fixes:
      + JDK-8230613: Better ASCII conversions
      + JDK-8231800: Better listing of arrays
      + JDK-8232014: Expand DTD support
      + JDK-8233234: Better Zip Naming
      + JDK-8233239, CVE-2020-14562: Enhance TIFF support
      + JDK-8233255: Better Swing Buttons
      + JDK-8234032: Improve basic calendar services
      + JDK-8234042: Better factory production of certificates
      + JDK-8234418: Better parsing with CertificateFactory
      + JDK-8234836: Improve serialization handling
      + JDK-8236191: Enhance OID processing
      + JDK-8236867, CVE-2020-14573: Enhance Graal interface handling
      + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
      + JDK-8237592, CVE-2020-14577: Enhance certificate verification
      + JDK-8238002, CVE-2020-14581: Better matrix operations
      + JDK-8238013: Enhance String writing
      + JDK-8238804: Enhance key handling process
      + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
      + JDK-8238843: Enhanced font handing
      + JDK-8238920, CVE-2020-14583: Better Buffer support
      + JDK-8238925: Enhance WAV file playback
      + JDK-8240119, CVE-2020-14593: Less Affine Transformations
      + JDK-8240482: Improved WAV file playback
      + JDK-8241379: Update JCEKS support
      + JDK-8241522: Manifest improved jar headers redux
      + JDK-8242136, CVE-2020-14621: Better XML namespace handling
    * Other changes:
      + JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created
      + JDK-7124307: JSpinner and changing value by mouse
      + JDK-8022574: remove HaltNode code after uncommon trap calls
      + JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails
      + JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown
      + JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
      + JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo
      + JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly
      + JDK-8080353: JShell: Better error message on attempting to add default method
      + JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled
      + JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot
      + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout
      + JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily
      + JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping
      + JDK-8175984: ICC_Profile has un-needed, not-empty finalize method
      + JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments
      + JDK-8183369: RFC unconformity of HttpURLConnection with proxy
      + JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT
      + JDK-8189861: Refactor CacheFind
      + JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently
      + JDK-8191930: [Graal] emits unparseable XML into compile log
      + JDK-8193879: Java debugger hangs on method invocation
      + JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows
      + JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
      + JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows
      + JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/WrongParentAfterRemoveMenu.java debug assert on Windows
      + JDK-8198339: Test javax/swing/border/Test6981576.java is unstable
      + JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801
      + JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740
      + JDK-8203672: JNI exception pending in PlainSocketImpl.c
      + JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398
      + JDK-8204834: Fix confusing "allocate" naming in OopStorage
      + JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
      + JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure
      + JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
      + JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M
      + JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-2008=1
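A post-update verification, added here and not part of the SUSE or AusCERT bulletin: it parses `java -version` output and tests whether the installed runtime is at or beyond the fixed upstream release 11.0.8 named in this update. The sample outputs below are constructed; on a real host pipe `java -version 2>&1` into parse_java_version (java prints its version to stderr).

```shell
#!/bin/sh
# Added example (not from the bulletin): confirm the JDK on this host is at
# or past the fixed upstream release. MIN_VERSION comes from the bulletin's
# "jdk-11.0.8+10" tag.
MIN_VERSION="11.0.8"

# Read `java -version` text on stdin and print the quoted version number,
# e.g. `openjdk version "11.0.7" 2020-04-14` -> 11.0.7
# Returns 1 if no version line is present.
parse_java_version() {
    v=$(sed -n 's/^[a-z]* version "\([0-9][0-9.]*\)[^"]*".*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Compare two dotted versions numerically, component by component
# (so 11.0.10 > 11.0.8, which a plain string compare would get wrong).
# Returns 0 if $1 >= $2, 1 otherwise.
version_at_least() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Returns 0 (patched) if the given `java -version` text reports >= MIN_VERSION,
# 1 if it is older or the version could not be parsed.
jdk_is_patched() {
    v=$(printf '%s\n' "$1" | parse_java_version) || return 1
    version_at_least "$v" "$MIN_VERSION"
}

# Constructed sample output for a pre-update and a post-update JDK.
SAMPLE_OLD='openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10)'
SAMPLE_NEW='openjdk version "11.0.8" 2020-07-14
OpenJDK Runtime Environment (build 11.0.8+10)'

if jdk_is_patched "$SAMPLE_NEW"; then echo "sample: patched"; fi
if ! jdk_is_patched "$SAMPLE_OLD"; then echo "sample: NOT patched"; fi
```

Run it against the live host with `jdk_is_patched "$(java -version 2>&1)"`; a non-zero exit means the update has not taken effect for that java binary (alternatives may point at a different JDK than the one zypper updated).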

Package List:

  o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):


  o https://www.suse.com/security/cve/CVE-2020-14556.html
  o https://www.suse.com/security/cve/CVE-2020-14562.html
  o https://www.suse.com/security/cve/CVE-2020-14573.html
  o https://www.suse.com/security/cve/CVE-2020-14577.html
  o https://www.suse.com/security/cve/CVE-2020-14581.html
  o https://www.suse.com/security/cve/CVE-2020-14583.html
  o https://www.suse.com/security/cve/CVE-2020-14593.html
  o https://www.suse.com/security/cve/CVE-2020-14621.html
  o https://bugzilla.suse.com/1174157

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967