Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2516 Security update for java-11-openjdk 23 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: java-11-openjdk Publisher: SUSE Operating System: SUSE Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-14621 CVE-2020-14593 CVE-2020-14583 CVE-2020-14581 CVE-2020-14577 CVE-2020-14573 CVE-2020-14562 CVE-2020-14556 Reference: ASB-2020.0128 ESB-2020.2438 ESB-2020.2436 Original Bulletin: https://www.suse.com/support/update/announcement/2020/suse-su-20202008-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for java-11-openjdk ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:2008-1 Rating: important References: #1174157 Cross-References: CVE-2020-14556 CVE-2020-14562 CVE-2020-14573 CVE-2020-14577 CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621 Affected Products: SUSE Linux Enterprise Server 12-SP5 ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for java-11-openjdk fixes the following issues: o Update to upstream tag jdk-11.0.8+10 (July 2020 CPU, bsc#1174157) * Security fixes: + JDK-8230613: Better ASCII conversions + JDK-8231800: Better listing of arrays + JDK-8232014: Expand DTD support + JDK-8233234: Better Zip Naming + JDK-8233239, CVE-2020-14562: Enhance TIFF support + JDK-8233255: Better Swing Buttons + JDK-8234032: Improve basic calendar services + JDK-8234042: Better factory production of certificates + JDK-8234418: Better parsing with CertificateFactory + JDK-8234836: Improve serialization handling + JDK-8236191: Enhance OID processing + JDK-8236867, CVE-2020-14573: Enhance Graal interface handling + JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + JDK-8237592, CVE-2020-14577: Enhance certificate verification + JDK-8238002, CVE-2020-14581: Better matrix operations + JDK-8238013: Enhance String writing + JDK-8238804: Enhance key handling process + JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + JDK-8238843: Enhanced font handing + JDK-8238920, CVE-2020-14583: Better Buffer support + JDK-8238925: Enhance WAV file playback + JDK-8240119, CVE-2020-14593: Less Affine Transformations + JDK-8240482: Improved WAV file playback + JDK-8241379: Update JCEKS support + JDK-8241522: Manifest improved jar headers redux + JDK-8242136, CVE-2020-14621: Better XML namespace handling * Other changes: + JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created + JDK-7124307: JSpinner and changing value by mouse + JDK-8022574: remove HaltNode code after uncommon trap calls + JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails + JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown + JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ ThreadMXBeanProxy.java Expected non-null LockInfo + JDK-8051349: nsk/jvmti/ scenarios/sampling/SP06/sp06t003 fails in nightly + JDK-8080353: JShell: Better error message on attempting to add default method + JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled + JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot + JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily + JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping + JDK-8175984: ICC_Profile has un-needed, not-empty finalize method + JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments + JDK-8183369: RFC unconformity of HttpURLConnection with proxy + JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + JDK-8189861: Refactor CacheFind + JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently + JDK-8191930: [Graal] emits unparseable XML into compile log + JDK-8193879: Java debugger hangs on method invocation + JDK-8196019: java/awt/Window/Grab/ GrabTest.java fails on Windows + JDK-8196181: sun/java2d/GdiRendering/ InsetClipping.java fails + JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows + JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/ / WrongParentAfterRemoveMenu.java debug assert on Windows + JDK-8198339: Test javax/swing/border/Test6981576.java is unstable + JDK-8200701: jdk/jshell/ ExceptionsTest.java fails on Windows, after JDK-8198801 + JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 + JDK-8203672: JNI exception pending in PlainSocketImpl.c + JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 + JDK-8204834: Fix confusing "allocate" naming in OopStorage + JDK-8205399: Set node color on pinned HashMap.TreeNode deletion + JDK-8205653: test/jdk/sun/management/jmxremote/ bootstrap/ /RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure + JDK-8206179: com/sun/management/OperatingSystemMXBean/ /GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M + JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2020-2008=1 Package List: o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): java-11-openjdk-11.0.8.0-3.12.1 java-11-openjdk-debuginfo-11.0.8.0-3.12.1 java-11-openjdk-debugsource-11.0.8.0-3.12.1 java-11-openjdk-demo-11.0.8.0-3.12.1 java-11-openjdk-devel-11.0.8.0-3.12.1 java-11-openjdk-headless-11.0.8.0-3.12.1 References: o https://www.suse.com/security/cve/CVE-2020-14556.html o https://www.suse.com/security/cve/CVE-2020-14562.html o https://www.suse.com/security/cve/CVE-2020-14573.html o https://www.suse.com/security/cve/CVE-2020-14577.html o https://www.suse.com/security/cve/CVE-2020-14581.html o https://www.suse.com/security/cve/CVE-2020-14583.html o https://www.suse.com/security/cve/CVE-2020-14593.html o https://www.suse.com/security/cve/CVE-2020-14621.html o https://bugzilla.suse.com/1174157 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXxj+luNLKJtyKPYoAQiQghAAqrawKbHFqm29e4QwNeRvyqSJAuggEUkv ZBiKeTdGG1NRnIhhziXD9DpJ/a8oakNc96e4606mr62fikhxlmGGpRRtN/0Suxmf aIpm9iWqGCtAcP2JUxddQsZOvyrpPAbWh5ZK9O9lEdNUQRBFMipYtLpxBKpYkm/2 mkqvd8szR6g3OTXILGXoX2P/ICo7ya/HlQJMeKsnOZOt879LCxbRbFu19hGH8VE+ bLrJPTcAbKFXhe2wc33lQgP7POVPsQKbXq1HHVugEh0zouto84ctVXABtCBBjRsF tl7VR77muUv3T2/R7JcXFy/7tRkPpZrSShKGYSZgJ3ut7tVfMV6hKas9miZRB/aU 0uzf45N/kT2pxaQKMbW8hdk3kTWiHimBJjWRZ0msE+6ybjRxxL9qO3mb/lsNjl+p dBlCwPmWu/okuipPiVnrTtVFn72SLR3pzpVt6JZGuGN9YYEXWpYc1yeCDKu++gUr gmaPpPCrgz7FEtvwRtxXVnPPGQVVJeRt21b44mlPkZ4z6vVELqWPhhyrgE6vu6Ik +02UYdnvQ5MdcW7hkSzyDKNe4BhCpQ2sDldNH2N6pKebsIjy5/2Eupo9mNP2PZNz poTXenqer7rS4H77jD2ClMKRQnwR5PHVY2YXJ3RbrDaziqAucRoVnr700yPeNhug dfoicZiEG2E= =XRLg -----END PGP SIGNATURE-----