[security-announce] openSUSE-SU-2012:1154-1: critical: java-1_7_0-openjdk: security fix for remote exploit

openSUSE Security Update: java-1_7_0-openjdk: security fix for remote exploit
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:1154-1
Rating:             critical
References:         #770040 #777499
Cross-References:   CVE-2012-0547 CVE-2012-1682 CVE-2012-3136
                    CVE-2012-4681
Affected Products:
                    openSUSE 12.2
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

 

Description:

Java-1_7_0-openjdk was updated to fix a remote exploit (CVE-2012-4681).

Also, bug fixes were done:

- fix build on ARM and i586
- remove files that are no longer used
- zero build can be enabled using rpmbuild (osc build) --with zero
- add hotspot 2.1 needed for zero
- fix filelist on %{ix86}

* Security fixes
  - S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
  - S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects
  - S7163201, CVE-2012-0547: Simplify toolkit internals references
  - RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible checks removed in 6788531.
* OpenJDK
  - Fix Zero FTBFS issues with 2.3
  - S7180036: Build failure in Mac platform caused by fix #7163201
  - S7182135: Impossible to use some editors directly
  - S7183701: [TEST] closed/java/beans/security/TestClassFinder.java - compilation failed
  - S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE
* Bug fixes
  - PR1149: Zero-specific patch files not being packaged

- use icedtea tarball for build again; this led to the following dropped files, because they are already in the tarball, and simplified %prep and %build
  - drop class-rewriter.tar.gz
  - drop systemtap-tapset.tar.gz
  - drop desktop-files.tar.gz
  - drop nss.cfg
  - drop pulseaudio.tar.gz
  - drop remove-intree-libraries.sh
- add archives from icedtea7-forest-2.3 for openjdk, corba, jaxp, jaxws, jdk, langtools and hotspot
- drop rhino.patch, pulse-soundproperties and systemtap patch
- move gnome bridge patches before make, as it's irritating to have the patch fail after openjdk is built
- use explicit file attributes in %files sections to prevent file permission problems in the future (like bnc#770040)
- changed version scheme, so it now matches Oracle Java: 1.7.0.6 == Java7 u6

- update to icedtea-2.3.1 / OpenJDK7 u6 (bnc#777499)
  * Security fixes
    - RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks removed in 6788531.
  * Bug fixes
    - PR902: PulseAudioClip getMicrosecondsLength() returns length in milliseconds, not microseconds
    - PR986: IcedTea7 fails to build with IcedTea6 CACAO due to low max heapsize
    - PR1050: Stream objects not garbage collected
    - PR1119: Only add classes to rt-source-files.txt if the class (or one or more of its methods/fields) is actually missing from the boot JDK
    - PR1137: Allow JARs to be optionally compressed by setting COMPRESS_JARS
  * OpenJDK
    - Make dynamic support for GConf work again.
    - PR1095: Add configure option for -Werror
    - PR1101: Undefined symbols on GNU/Linux SPARC
    - PR1140: Unnecessary diz files should not be installed
    - S7192804, PR1138: Build should not install jvisualvm man page for OpenJDK
  * JamVM
    - ARMv6 armhf: Changes for Raspbian (Raspberry Pi)
    - PPC: Don't use lwsync if it isn't supported
    - X86: Generate machine-dependent stubs for i386
    - When suspending, ignore detached threads that have died; this prevents a user-caused deadlock when an external thread has been attached to the VM via JNI and has exited without detaching
    - Add missing REF_TO_OBJs for references passed from JNI; this enables JamVM to run Qt-Jambi
  - there are a number of fixes in 2.3, see NEWS

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.2:

    zypper in -t patch openSUSE-2012-592

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.2 (i586 x86_64):

    java-1_7_0-openjdk-1.7.0.6-3.12.1
    java-1_7_0-openjdk-debuginfo-1.7.0.6-3.12.1
    java-1_7_0-openjdk-debugsource-1.7.0.6-3.12.1
    java-1_7_0-openjdk-demo-1.7.0.6-3.12.1
    java-1_7_0-openjdk-demo-debuginfo-1.7.0.6-3.12.1
    java-1_7_0-openjdk-devel-1.7.0.6-3.12.1
    java-1_7_0-openjdk-devel-debuginfo-1.7.0.6-3.12.1
    java-1_7_0-openjdk-javadoc-1.7.0.6-3.12.1
    java-1_7_0-openjdk-src-1.7.0.6-3.12.1
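A quick way to confirm that a host is actually running the fixed build listed above, as an added example that is not part of the advisory or of the openSUSE tooling. It assumes RPM-style numeric VERSION-RELEASE strings (true for these packages) and substitutes a constructed sample where rpm is not available, so it also runs on non-RPM hosts.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: verify that the installed
# java-1_7_0-openjdk build is at or above the fixed one from the package list.
FIXED_VERSION_RELEASE="1.7.0.6-3.12.1"

# vercmp A B: compare two RPM-style VERSION-RELEASE strings segment by segment
# and print "lt", "eq" or "gt". Assumes purely numeric segments, which holds
# for this package; strings containing letters should go through rpmdev-vercmp.
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        sa=${a%%.*}; sb=${b%%.*}
        if [ "$a" = "$sa" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$sb" ]; then b=''; else b=${b#*.}; fi
        # A missing trailing segment counts as 0 (1.7.0.6-3.12 < 1.7.0.6-3.12.1)
        if [ "${sa:-0}" -gt "${sb:-0}" ]; then echo gt; return 0; fi
        if [ "${sa:-0}" -lt "${sb:-0}" ]; then echo lt; return 0; fi
    done
    echo eq
}

# is_fixed VERSION-RELEASE: succeeds when that build already carries the fix.
is_fixed() {
    [ "$(vercmp "$1" "$FIXED_VERSION_RELEASE")" != lt ]
}

# Installed build: queried with rpm on an RPM-based host; elsewhere a
# constructed sample of an unpatched build stands in so the script still runs.
if command -v rpm >/dev/null 2>&1; then
    installed=''
    if rpm -q java-1_7_0-openjdk >/dev/null 2>&1; then
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1_7_0-openjdk | head -n 1)
    fi
else
    installed='1.7.0.5-2.3.1'   # constructed sample, not a real openSUSE build
fi

if [ -z "$installed" ]; then
    echo "java-1_7_0-openjdk is not installed; nothing to patch"
elif is_fixed "$installed"; then
    echo "installed $installed >= $FIXED_VERSION_RELEASE: fix present"
else
    echo "installed $installed < $FIXED_VERSION_RELEASE: run 'zypper in -t patch openSUSE-2012-592'"
fi
```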

 

 

References:

http://support.novell.com/security/cve/CVE-2012-0547.html
http://support.novell.com/security/cve/CVE-2012-1682.html
http://support.novell.com/security/cve/CVE-2012-3136.html
http://support.novell.com/security/cve/CVE-2012-4681.html
https://bugzilla.novell.com/770040
https://bugzilla.novell.com/777499

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

 

 

 
