nessus
via4
|
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2658.NASL | description | An update for java-1.7.0-openjdk is now available for Red Hat
Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-12-27 | plugin id | 94623 | published | 2016-11-08 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94623 | title | RHEL 5 / 6 / 7 : java-1.7.0-openjdk (RHSA-2016:2658) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2017-1216.NASL | description | An update for java-1.7.1-ibm is now available for Red Hat Satellite
5.7 and Red Hat Satellite 5.6.
Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
IBM Java SE version 7 Release 1 includes the IBM Java Runtime
Environment and the IBM Java Software Development Kit.
This update upgrades IBM Java SE 7 to version 7R1 SR4-FP1.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2016-2183,
CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261,
CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252,
CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2017-3241,
CVE-2017-3259, CVE-2016-5573, CVE-2016-5554, CVE-2016-5542,
CVE-2016-5597, CVE-2016-5556, CVE-2016-3598, CVE-2016-3511,
CVE-2016-0363, CVE-2016-0686, CVE-2016-0687, CVE-2016-3426,
CVE-2016-3427, CVE-2016-3443, CVE-2016-3449, CVE-2016-3422,
CVE-2016-0376, CVE-2016-0264) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 100094 | published | 2017-05-10 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=100094 | title | RHEL 6 : java-1.7.1-ibm (RHSA-2017:1216) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-2953-1.NASL | description | This update for java-1_7_0-openjdk fixes the following issues :
- Update to 2.6.8 - OpenJDK 7u121
- Security fixes
+ S8151921: Improved page resolution
+ S8155968: Update command line options
+ S8155973, CVE-2016-5542: Tighten jar checks
(bsc#1005522)
+ S8157176: Improved classfile parsing
+ S8157739, CVE-2016-5554: Classloader Consistency
Checking (bsc#1005523)
+ S8157749: Improve handling of DNS error replies
+ S8157753: Audio replay enhancement
+ S8157759: LCMS Transform Sampling Enhancement
+ S8157764: Better handling of interpolation plugins
+ S8158302: Handle contextual glyph substitutions
+ S8158993, CVE-2016-5568: Service Menu services
(bsc#1005525)
+ S8159495: Fix index offsets
+ S8159503: Amend Annotation Actions
+ S8159511: Stack map validation
+ S8159515: Improve indy validation
+ S8159519, CVE-2016-5573: Reformat JDWP messages
(bsc#1005526)
+ S8160090: Better signature handling in pack200
+ S8160094: Improve pack200 layout
+ S8160098: Clean up color profiles
+ S8160591, CVE-2016-5582: Improve internal array handling
(bsc#1005527)
+ S8160838, CVE-2016-5597: Better HTTP service
(bsc#1005528)
+ PR3207, RH1367357: lcms2: Out-of-bounds read in
Type_MLU_Read()
+ CVE-2016-5556 (bsc#1005524)
- Import of OpenJDK 7 u121 build 0
+ S6624200: Regression test fails:
test/closed/javax/swing/JMenuItem/4654927/bug4654927.jav
a
+ S6882559: new JEditorPane('text/plain','') fails for
null context class loader
+ S7090158: Networking Libraries don't build with javac
-Werror
+ S7125055: ContentHandler.getContent API changed in error
+ S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing
on windows
+ S7187051: ShortRSAKeynnn.sh tests should do cleanup
before start test
+ S8000626: Implement dead key detection for KeyEvent on
Linux
+ S8003890: corelibs test scripts should pass TESTVMOPTS
+ S8005629: javac warnings compiling
java.awt.EventDispatchThread and sun.awt.X11.XIconWindow
+ S8010297: Missing isLoggable() checks in logging code
+ S8010782: clean up source files containing carriage
return characters
+ S8014431: cleanup warnings indicated by the
-Wunused-value compiler option on linux
+ S8015265: revise the fix for 8007037
+ S8016747: Replace deprecated PlatformLogger
isLoggable(int) with isLoggable(Level)
+ S8020708: NLS mnemonics missing in
SwingSet2/JInternalFrame demo
+ S8024756: method grouping tabs are not selectable
+ S8026741: jdk8 l10n resource file translation update 5
+ S8048147: Privilege tests with JAAS Subject.doAs
+ S8048357: PKCS basic tests
+ S8049171: Additional tests for jarsigner's warnings
+ S8059177: jdk8u40 l10n resource file translation update
1
+ S8075584: test for 8067364 depends on hardwired text
advance
+ S8076486: [TESTBUG]
javax/security/auth/Subject/doAs/NestedActions.java
fails if extra VM options are given
+ S8077953: [TEST_BUG]
com/sun/management/OperatingSystemMXBean/TestTotalSwap.j
ava Compilation failed after JDK-8077387
+ S8080628: No mnemonics on Open and Save buttons in
JFileChooser
+ S8083601: jdk8u60 l10n resource file translation update
2
+ S8140530: Creating a VolatileImage with size 0,0 results
in no longer working g2d.drawString
+ S8142926: OutputAnalyzer's shouldXXX() calls return this
+ S8143134: L10n resource file translation update
+ S8147077: IllegalArgumentException thrown by
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al
+ S8148127: IllegalArgumentException thrown by JCK test
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al in opengl pipeline
+ S8150611: Security problem on
sun.misc.resources.Messages*
+ S8157653: [Parfait] Uninitialised variable in
awt_Font.cpp
+ S8158734: JEditorPane.createEditorKitForContentType
throws NPE after 6882559
+ S8159684: (tz) Support tzdata2016f
+ S8160934: isnan() is not available on older MSVC
compilers
+ S8162411: Service Menu services 2
+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
after JDK-8155968
+ S8162511: 8u111 L10n resource file updates
+ S8162792: Remove constraint DSA keySize
jdk.jar.disabledAlgorithms in jdk8
+ S8164452: 8u111 L10n resource file update - msgdrop 20
+ S8165816: jarsigner -verify shows jar unsigned if it was
signed with a weak algorithm
+ S8166381: Back out changes to the java.security file to
not disable MD5
- Backports
+ S6604109, PR3162:
javax.print.PrintServiceLookup.lookupPrintServices fails
SOMETIMES for Cups
+ S6907252, PR3162: ZipFileInputStream Not Thread-Safe
+ S8024046, PR3162: Test
sun/security/krb5/runNameEquals.sh failed on 7u45
Embedded linux-ppc*
+ S8028479, PR3162: runNameEquals still cannot precisely
detect if a usable native krb5 is available
+ S8034057, PR3162: Files.getFileStore and
Files.isWritable do not work with SUBST'ed drives (win)
+ S8038491, PR3162: Improve synchronization in
ZipFile.read()
+ S8038502, PR3162: Deflater.needsInput() should use
synchronization
+ S8059411, PR3162: RowSetWarning does not correctly chain
warnings
+ S8062198, PR3162: Add RowSetMetaDataImpl Tests and add
column range validation to isdefinitlyWritable
+ S8066188, PR3162: BaseRowSet returns the wrong default
value for escape processing
+ S8072466, PR3162: Deadlock when initializing
MulticastSocket and DatagramSocket
+ S8075118, PR3162: JVM stuck in infinite loop during
verification
+ S8076579, PR3162: Popping a stack frame after exception
breakpoint sets last method param to exception
+ S8078495, PR3162: End time checking for native TGT is
wrong
+ S8078668, PR3162: jar usage string mentions unsupported
option '-n'
+ S8080115, PR3162: (fs) Crash in libgio when calling
Files.probeContentType(path) from parallel threads
+ S8081794, PR3162: ParsePosition getErrorIndex returns 0
for TimeZone parsing problem
+ S8129957, PR3162: Deadlock in JNDI LDAP implementation
when closing the LDAP context
+ S8130136, PR3162: Swing window sometimes fails to
repaint partially when it becomes exposed
+ S8130274, PR3162: java/nio/file/FileStore/Basic.java
fails when two successive stores in an iteration are
determined to be equal
+ S8132551, PR3162: Initialize local variables before
returning them in p11_convert.c
+ S8133207, PR3162: [TEST_BUG] ParallelProbes.java test
fails after changes for JDK-8080115
+ S8133666, PR3162: OperatingSystemMXBean reports
abnormally high machine CPU consumption on Linux
+ S8135002, PR3162: Fix or remove broken links in
objectMonitor.cpp comments
+ S8137121, PR3162: (fc) Infinite loop
FileChannel.truncate
+ S8137230, PR3162: TEST_BUG:
java/nio/channels/FileChannel/LoopingTruncate.java timed
out
+ S8139373, PR3162: [TEST_BUG]
java/net/MulticastSocket/MultiDead.java failed with
timeout
+ S8140249, PR3162: JVM Crashing During startUp If Flight
Recording is enabled
+ S8141491, PR3160, G592292: Unaligned memory access in
Bits.c
+ S8144483, PR3162: One long Safepoint pause directly
after each GC log rotation
+ S8149611, PR3160, G592292: Add tests for
Unsafe.copySwapMemory
- Bug fixes
+ S8078628, PR3151: Zero build fails with pre-compiled
headers disabled
+ PR3128: pax-mark-vm script calls 'exit -1' which is
invalid in dash
+ PR3131: PaX marking fails on filesystems which don't
support extended attributes
+ PR3135: Makefile.am rule
stamps/add/tzdata-support-debug.stamp has a typo in
add-tzdata dependency
+ PR3141: Pass $(CC) and $(CXX) to OpenJDK build
+ PR3166: invalid zip timestamp handling leads to error
building bootstrap-javac
+ PR3202: Update infinality configure test
+ PR3212: Disable ARM32 JIT by default
- CACAO
+ PR3136: CACAO is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- JamVM
+ PR3134: JamVM is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- AArch64 port
+ S8167200, PR3204: AArch64: Broken stack pointer
adjustment in interpreter
+ S8168888: Port 8160591: Improve internal array handling
to AArch64.
+ PR3211: AArch64 build fails with pre-compiled headers
disabled
- Changed patch :
- java-1_7_0-openjdk-gcc6.patch
+ Rediff to changed context
- Disable arm32 JIT, since its build broken
(http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2
942)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-29 | plugin id | 95423 | published | 2016-12-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95423 | title | SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2016:2953-1) |
NASL family | Gentoo Local Security Checks | NASL id | GENTOO_GLSA-201701-43.NASL | description | The remote host is affected by the vulnerability described in GLSA-201701-43
(IcedTea: Multiple vulnerabilities)
Various OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot,
Libraries, and JAXP, exist which allows remote attackers to affect the
confidentiality, integrity, and availability of vulnerable systems. Many
of the vulnerabilities can only be exploited through sandboxed Java Web
Start applications and java applets. Please review the CVE identifiers
referenced below for details.
Impact :
Remote attackers may execute arbitrary code, compromise information, or
cause a Denial of Service condition.
Workaround :
There is no known workaround at this time. | last seen | 2019-01-16 | modified | 2017-01-20 | plugin id | 96640 | published | 2017-01-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96640 | title | GLSA-201701-43 : IcedTea: Multiple vulnerabilities |
NASL family | Gentoo Local Security Checks | NASL id | GENTOO_GLSA-201611-04.NASL | description | The remote host is affected by the vulnerability described in GLSA-201611-04
(Oracle JRE/JDK: Multiple vulnerabilities)
Multiple vulnerabilities exist in both Oracle’s JRE and JDK. Please
review the referenced CVE’s for additional information.
Impact :
Remote attackers could gain access to information, remotely execute
arbitrary code, or cause Denial of Service.
Workaround :
There is no known workaround at this time. | last seen | 2019-01-16 | modified | 2016-11-07 | plugin id | 94595 | published | 2016-11-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94595 | title | GLSA-201611-04 : Oracle JRE/JDK: Multiple vulnerabilities |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2016-2658.NASL | description | From Red Hat Security Advisory 2016:2658 :
An update for java-1.7.0-openjdk is now available for Red Hat
Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 94621 | published | 2016-11-08 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94621 | title | Oracle Linux 5 / 6 / 7 : java-1.7.0-openjdk (ELSA-2016-2658) |
NASL family | CentOS Local Security Checks | NASL id | CENTOS_RHSA-2016-2079.NASL | description | An update for java-1.8.0-openjdk is now available for Red Hat
Enterprise Linux 6 and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively.
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94140 | published | 2016-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94140 | title | CentOS 6 / 7 : java-1.8.0-openjdk (CESA-2016:2079) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2016-1380.NASL | description | OpenJDK Java was updated to jdk8u111 (icedtea 3.2.0) to fix the
following issues :
- Security fixes
+ S8146490: Direct indirect CRL checks
+ S8151921: Improved page resolution
+ S8155968: Update command line options
+ S8155973, CVE-2016-5542: Tighten jar checks
(bsc#1005522)
+ S8156794: Extend data sharing
+ S8157176: Improved classfile parsing
+ S8157739, CVE-2016-5554: Classloader Consistency
Checking (bsc#1005523)
+ S8157749: Improve handling of DNS error replies
+ S8157753: Audio replay enhancement
+ S8157759: LCMS Transform Sampling Enhancement
+ S8157764: Better handling of interpolation plugins
+ S8158302: Handle contextual glyph substitutions
+ S8158993, CVE-2016-5568: Service Menu services
(bsc#1005525)
+ S8159495: Fix index offsets
+ S8159503: Amend Annotation Actions
+ S8159511: Stack map validation
+ S8159515: Improve indy validation
+ S8159519, CVE-2016-5573: Reformat JDWP messages
(bsc#1005526)
+ S8160090: Better signature handling in pack200
+ S8160094: Improve pack200 layout
+ S8160098: Clean up color profiles
+ S8160591, CVE-2016-5582: Improve internal array handling
(bsc#1005527)
+ S8160838, CVE-2016-5597: Better HTTP service
(bsc#1005528)
+ PR3206, RH1367357: lcms2: Out-of-bounds read in
Type_MLU_Read()
+ CVE-2016-5556 (bsc#1005524)
- New features
+ PR1370: Provide option to build without debugging
+ PR1375: Provide option to strip and link debugging info
after build
+ PR1537: Handle alternative Kerberos credential cache
locations
+ PR1978: Allow use of system PCSC
+ PR2445: Support system libsctp
+ PR3182: Support building without pre-compiled headers
+ PR3183: Support Fedora/RHEL system crypto policy
+ PR3221: Use pkgconfig to detect Kerberos CFLAGS and
libraries
- Import of OpenJDK 8 u102 build 14
+ S4515292: ReferenceType.isStatic() returns true for
arrays
+ S4858370: JDWP: Memory Leak: GlobalRefs never deleted
when processing invokeMethod command
+ S6976636: JVM/TI test ex03t001 fails assertion
+ S7185591: jcmd-big-script.sh ERROR: could not find app's
Java pid.
+ S8017462: G1: guarantee fails with
UseDynamicNumberOfGCThreads
+ S8034168: ThreadMXBean/Locks.java failed, blocked on
wrong object
+ S8036006: [TESTBUG]
sun/tools/native2ascii/NativeErrors.java fails: Process
exit code was 0, but error was expected.
+ S8041781: Need new regression tests for PBE keys
+ S8041787: Need new regressions tests for buffer handling
for PBE algorithms
+ S8043836: Need new tests for AES cipher
+ S8044199: Tests for RSA keys and key specifications
+ S8044772: TempDirTest.java still times out with -Xcomp
+ S8046339: sun.rmi.transport.DGCAckHandler leaks memory
+ S8047031: Add SocketPermission tests for legacy socket
types
+ S8048052: Permission tests for setFactory
+ S8048138: Tests for JAAS callbacks
+ S8048147: Privilege tests with JAAS Subject.doAs
+ S8048356: SecureRandom default provider tests
+ S8048357: PKCS basic tests
+ S8048360: Test signed jar files
+ S8048362: Tests for doPrivileged with accomplice
+ S8048596: Tests for AEAD ciphers
+ S8048599: Tests for key wrap and unwrap operations
+ S8048603: Additional tests for MAC algorithms
+ S8048604: Tests for strong crypto ciphers
+ S8048607: Test key generation of DES and DESEDE
+ S8048610: Implement regression test for bug fix of
4686632 in JCE
+ S8048617: Tests for PKCS12 read operations
+ S8048618: Tests for PKCS12 write operations.
+ S8048619: Implement tests for converting PKCS12
keystores
+ S8048624: Tests for SealedObject
+ S8048819: Implement reliability test for DH algorithm
+ S8048820: Implement tests for SecretKeyFactory
+ S8048830: Implement tests for new functionality provided
in JEP 166
+ S8049237: Need new tests for X509V3 certificates
+ S8049321: Support SHA256WithDSA in JSSE
+ S8049429: Tests for java client server communications
with various TLS/SSL combinations.
+ S8049432: New tests for TLS property
jdk.tls.client.protocols
+ S8049814: Additional SASL client-server tests
+ S8050281: New permission tests for JEP 140
+ S8050370: Need new regressions tests for messageDigest
with DigestIOStream
+ S8050371: More MessageDigest tests
+ S8050374: More Signature tests
+ S8050427: LoginContext tests to cover JDK-4703361
+ S8050460: JAAS login/logout tests with LoginContext
+ S8050461: Tests for syntax checking of JAAS
configuration file
+ S8054278: Refactor jps utility tests
+ S8055530: assert(_exits.control()->is_top() ||
!_gvn.type(ret_phi)->empty()) failed: return value must
be well defined
+ S8055844: [TESTBUG]
test/runtime/NMT/VirtualAllocCommitUncommitRecommit.java
fails on Solaris Sparc due to incorrect page size being
used
+ S8059677: Thread.getName() instantiates Strings
+ S8061464: A typo in CipherTestUtils test
+ S8062536: [TESTBUG] Conflicting GC combinations in jdk
tests
+ S8065076:
java/net/SocketPermission/SocketPermissionTest.java
fails intermittently
+ S8065078: NetworkInterface.getNetworkInterfaces()
triggers intermittent test failures
+ S8066871: java.lang.VerifyError: Bad local variable type
- local final String
+ S8068427: Hashtable deserialization reconstitutes table
with wrong capacity
+ S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java
needs to be updated for JDK-8061210
+ S8069253: javax/net/ssl/TLS/TestJSSE.java failed on Mac
+ S8071125: Improve exception messages in URLPermission
+ S8072081: Supplementary characters are rejected in
comments
+ S8072463: Remove requirement that AKID and SKID have to
match when building certificate chain
+ S8072725: Provide more granular levels for GC
verification
+ S8073400: Some Monospaced logical fonts have a different
width
+ S8073872: Schemagen fails with StackOverflowError if
element references containing class
+ S8074931: Additional tests for CertPath API
+ S8075286: Additional tests for signature algorithm OIDs
and transformation string
+ S8076486: [TESTBUG]
javax/security/auth/Subject/doAs/NestedActions.java
fails if extra VM options are given
+ S8076545: Text size is twice bigger under Windows L&F on
Win 8.1 with HiDPI display
+ S8076995:
gc/ergonomics/TestDynamicNumberOfGCThreads.java failed
with java.lang.RuntimeException: 'new_active_workers'
missing from stdout/stderr
+ S8079138: Additional negative tests for XML signature
processing
+ S8081512: Remove sun.invoke.anon classes, or move /
co-locate them with tests
+ S8081771: ProcessTool.createJavaProcessBuilder() needs
new addTestVmAndJavaOptions argument
+ S8129419: heapDumper.cpp: assert(length_in_bytes > 0)
failed: nothing to copy
+ S8130150: Implement BigInteger.montgomeryMultiply
intrinsic
+ S8130242: DataFlavorComparator transitivity exception
+ S8130304: Inference: NodeNotFoundException thrown with
deep generic method call chain
+ S8130425: libjvm crash due to stack overflow in
executables with 32k tbss/tdata
+ S8133023: ParallelGCThreads is not calculated correctly
+ S8134111: Unmarshaller unmarshalls XML element which
doesn't have the expected namespace
+ S8135259: InetAddress.getAllByName only reports 'unknown
error' instead of actual cause
+ S8136506: Include sun.arch.data.model as a property that
can be queried by jtreg
+ S8137068: Tests added in JDK-8048604 fail to compile
+ S8139040: Fix initializations before
ShouldNotReachHere() etc. and enable -Wuninitialized on
linux.
+ S8139581: AWT components are not drawn after removal and
addition to a container
+ S8141243: Unexpected timezone returned after parsing a
date
+ S8141420: Compiler runtime entries don't hold Klass*
from being GCed
+ S8141445: Use of Solaris/SPARC M7 libadimalloc.so can
generate unknown signal in hs_err file
+ S8141551: C2 can not handle returns with inccompatible
interface arrays
+ S8143377: Test PKCS8Test.java fails
+ S8143647: Javac compiles method reference that allows
results in an IllegalAccessError
+ S8144144: ORB destroy() leaks filedescriptors after
unsuccessful connection
+ S8144593: Suppress not recognized property/feature
warning messages from SAXParser
+ S8144957: Remove PICL warning message
+ S8145039: JAXB marshaller fails with ClassCastException
on classes generated by xjc
+ S8145228: Java Access Bridge,
getAccessibleStatesStringFromContext doesn't wrap the
call to getAccessibleRole
+ S8145388: URLConnection.guessContentTypeFromStream
returns image/jpg for some JPEG images
+ S8145974: XMLStreamWriter produces invalid XML for
surrogate pairs on OutputStreamWriter
+ S8146035: Windows - With LCD antialiasing, some glyphs
are not rendered correctly
+ S8146192: Add test for JDK-8049321
+ S8146274: Thread spinning on WeakHashMap.getEntry() with
concurrent use of nashorn
+ S8147468: Allow users to bound the size of buffers
cached in the per-thread buffer caches
+ S8147645: get_ctrl_no_update() code is wrong
+ S8147807: crash in libkcms.so on linux-sparc
+ S8148379: jdk.nashorn.api.scripting spec. adjustments,
clarifications
+ S8148627: RestrictTestMaxCachedBufferSize.java to 64-bit
platforms
+ S8148820: Missing @since Javadoc tag in
Logger.log(Level, Supplier)
+ S8148926: Call site profiling fails on braces-wrapped
anonymous function
+ S8149017: Delayed provider selection broken in RSA
client key exchange
+ S8149029: Secure validation of XML based digital
signature always enabled when checking wrapping attacks
+ S8149330: Capacity of StringBuilder should not get close
to Integer.MAX_VALUE unless necessary
+ S8149334: JSON.parse(JSON.stringify([])).push(10)
creates an array containing two elements
+ S8149368: [hidpi] JLabel font is twice bigger than
JTextArea font on Windows 7,HiDPI, Windows L&F
+ S8149411: PKCS12KeyStore cannot extract AES Secret Keys
+ S8149417: Use final restricted flag
+ S8149450: LdapCtx.processReturnCode() throwing NULL
pointer Exception
+ S8149453: [hidpi] JFileChooser does not scale properly
on Windows with HiDPI display and Windows L&F
+ S8149543: range check CastII nodes should not be split
through Phi
+ S8149743: JVM crash after debugger hotswap with lambdas
+ S8149744: fix testng.jar delivery in Nashorn build.xml
+ S8149915: enabling validate-annotations feature for xsd
schema with annotation causes NPE
+ S8150002: Check for the validity of oop before printing
it in verify_remembered_set
+ S8150470: JCK: api/xsl/conf/copy/copy19 test failure
+ S8150518: G1 GC crashes at
G1CollectedHeap::do_collection_pause_at_safepoint(double
)
+ S8150533: Test
java/util/logging/LogManagerAppContextDeadlock.java
times out intermittently.
+ S8150704: XALAN: ERROR: 'No more DTM IDs are available'
when transforming with lots of temporary result trees
+ S8150780: Repeated offer and remove on
ConcurrentLinkedQueue lead to an OutOfMemoryError
+ S8151064: com/sun/jdi/RedefineAddPrivateMethod.sh fails
intermittently
+ S8151197: [TEST_BUG] Need to backport fix for
test/javax/net/ssl/TLS/TestJSSE.java
+ S8151352: jdk/test/sample fails with 'effective library
path is outside the test suite'
+ S8151431: DateFormatSymbols triggers this.clone() in the
constructor
+ S8151535: TESTBUG:
java/lang/invoke/AccessControlTest.java should be
modified to run with JTREG 4.1 b13
+ S8151731: Add new jtreg keywords to jdk 8
+ S8151998: VS2010 ThemeReader.cpp(758) : error C3861:
'round': identifier not found
+ S8152927: Incorrect GPL header in
StubFactoryDynamicBase.java reported
+ S8153252: SA: Hotspot build on Windows fails if
make/closed folder does not exist
+ S8153531: Improve exception messaging for
RSAClientKeyExchange
+ S8153641: assert(thread_state == _thread_in_native)
failed: Assumed thread_in_native while heap dump
+ S8153673: [BACKOUT] JDWP: Memory Leak: GlobalRefs never
deleted when processing invokeMethod command
+ S8154304: NullpointerException at
LdapReferralException.getReferralContext
+ S8154722: Test
gc/ergonomics/TestDynamicNumberOfGCThreads.java fails
+ S8157078: 8u102 L10n resource file updates
+ S8157838: Personalized Windows Font Size is not taken
into account in Java8u102
- Import of OpenJDK 8 u111 build 14
+ S6882559: new JEditorPane('text/plain','') fails for
null context class loader
+ S8049171: Additional tests for jarsigner's warnings
+ S8063086: Math.pow yields different results upon
repeated calls
+ S8140530: Creating a VolatileImage with size 0,0 results
in no longer working g2d.drawString
+ S8142926: OutputAnalyzer's shouldXXX() calls return this
+ S8147077: IllegalArgumentException thrown by
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al
+ S8148127: IllegalArgumentException thrown by JCK test
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al in opengl pipeline
+ S8150611: Security problem on
sun.misc.resources.Messages*
+ S8153399: Constrain AppCDS behavior (back port)
+ S8157653: [Parfait] Uninitialised variable in
awt_Font.cpp
+ S8158734: JEditorPane.createEditorKitForContentType
throws NPE after 6882559
+ S8158994: Service Menu services
+ S8159684: (tz) Support tzdata2016f
+ S8160904: Typo in code from 8079718 fix :
enableCustomValueHanlde
+ S8160934: isnan() is not available on older MSVC
compilers
+ S8161141: correct bugId for JDK-8158994 fix push
+ S8162411: Service Menu services 2
+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
after JDK-8155968
+ S8162511: 8u111 L10n resource file updates
+ S8162792: Remove constraint DSA keySize < 1024 from
jdk.jar.disabledAlgorithms in jdk8
+ S8164452: 8u111 L10n resource file update - msgdrop 20
+ S8165816: jarsigner -verify shows jar unsigned if it was
signed with a weak algorithm
+ S8166381: Back out changes to the java.security file to
not disable MD5
- Backports
+ S8078628, PR3208: Zero build fails with pre-compiled
headers disabled
+ S8141491, PR3159, G592292: Unaligned memory access in
Bits.c
+ S8157306, PR3121: Random infrequent NULL pointer
exceptions in javac (enabled on AArch64 only)
+ S8162384, PR3122: Performance regression: bimorphic
inlining may be bypassed by type speculation
- Bug fixes
+ PR3123: Some object files built without -fPIC on x86
only
+ PR3126: pax-mark-vm script calls 'exit -1' which is
invalid in dash
+ PR3127, G590348: Only apply PaX markings by default on
running PaX kernels
+ PR3199: Invalid nashorn URL
+ PR3201: Update infinality configure test
+ PR3218: PR3159 leads to build failure on clean tree
- AArch64 port
+ S8131779, PR3220: AARCH64: add Montgomery multiply
intrinsic
+ S8167200, PR3220: AArch64: Broken stack pointer
adjustment in interpreter
+ S8167421, PR3220: AArch64: in one core system, fatal
error: Illegal threadstate encountered
+ S8167595, PR3220: AArch64: SEGV in stub code
cipherBlockChaining_decryptAESCrypt
+ S8168888, PR3220: Port 8160591: Improve internal array
handling to AArch64.
- Shenandoah
+ PR3224: Shenandoah broken when building without
pre-compiled headers
- Build against system kerberos
- Build against system pcsc and sctp
- S8158260, PR2991, RH1341258: PPC64: unaligned
Unsafe.getInt can lead to the generation of illegal
instructions (bsc#988651)
This update was imported from the SUSE:SLE-12-SP1:Update update
project. | last seen | 2019-01-16 | modified | 2016-12-05 | plugin id | 95532 | published | 2016-12-05 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95532 | title | openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-1380) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2016-1389.NASL | description | - Update to 2.6.8 - OpenJDK 7u121
- Security fixes
+ S8151921: Improved page resolution
+ S8155968: Update command line options
+ S8155973, CVE-2016-5542: Tighten jar checks
(boo#1005522)
+ S8157176: Improved classfile parsing
+ S8157739, CVE-2016-5554: Classloader Consistency
Checking (boo#1005523)
+ S8157749: Improve handling of DNS error replies
+ S8157753: Audio replay enhancement
+ S8157759: LCMS Transform Sampling Enhancement
+ S8157764: Better handling of interpolation plugins
+ S8158302: Handle contextual glyph substitutions
+ S8158993, CVE-2016-5568: Service Menu services
(boo#1005525)
+ S8159495: Fix index offsets
+ S8159503: Amend Annotation Actions
+ S8159511: Stack map validation
+ S8159515: Improve indy validation
+ S8159519, CVE-2016-5573: Reformat JDWP messages
(boo#1005526)
+ S8160090: Better signature handling in pack200
+ S8160094: Improve pack200 layout
+ S8160098: Clean up color profiles
+ S8160591, CVE-2016-5582: Improve internal array handling
(boo#1005527)
+ S8160838, CVE-2016-5597: Better HTTP service
(boo#1005528)
+ PR3207, RH1367357: lcms2: Out-of-bounds read in
Type_MLU_Read()
+ CVE-2016-5556 (boo#1005524)
- Import of OpenJDK 7 u121 build 0
+ S6624200: Regression test fails:
test/closed/javax/swing/JMenuItem/4654927/bug4654927.jav
a
+ S6882559: new JEditorPane('text/plain','') fails for
null context class loader
+ S7090158: Networking Libraries don't build with javac
-Werror
+ S7125055: ContentHandler.getContent API changed in error
+ S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing
on windows
+ S7187051: ShortRSAKeynnn.sh tests should do cleanup
before start test
+ S8000626: Implement dead key detection for KeyEvent on
Linux
+ S8003890: corelibs test scripts should pass TESTVMOPTS
+ S8005629: javac warnings compiling
java.awt.EventDispatchThread and sun.awt.X11.XIconWindow
+ S8010297: Missing isLoggable() checks in logging code
+ S8010782: clean up source files containing carriage
return characters
+ S8014431: cleanup warnings indicated by the
-Wunused-value compiler option on linux
+ S8015265: revise the fix for 8007037
+ S8016747: Replace deprecated PlatformLogger
isLoggable(int) with isLoggable(Level)
+ S8020708: NLS mnemonics missing in
SwingSet2/JInternalFrame demo
+ S8024756: method grouping tabs are not selectable
+ S8026741: jdk8 l10n resource file translation update 5
+ S8048147: Privilege tests with JAAS Subject.doAs
+ S8048357: PKCS basic tests
+ S8049171: Additional tests for jarsigner's warnings
+ S8059177: jdk8u40 l10n resource file translation update
1
+ S8075584: test for 8067364 depends on hardwired text
advance
+ S8076486: [TESTBUG]
javax/security/auth/Subject/doAs/NestedActions.java
fails if extra VM options are given
+ S8077953: [TEST_BUG]
com/sun/management/OperatingSystemMXBean/TestTotalSwap.j
ava Compilation failed after JDK-8077387
+ S8080628: No mnemonics on Open and Save buttons in
JFileChooser
+ S8083601: jdk8u60 l10n resource file translation update
2
+ S8140530: Creating a VolatileImage with size 0,0 results
in no longer working g2d.drawString
+ S8142926: OutputAnalyzer's shouldXXX() calls return this
+ S8143134: L10n resource file translation update
+ S8147077: IllegalArgumentException thrown by
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al
+ S8148127: IllegalArgumentException thrown by JCK test
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al in opengl pipeline
+ S8150611: Security problem on
sun.misc.resources.Messages*
+ S8157653: [Parfait] Uninitialised variable in
awt_Font.cpp
+ S8158734: JEditorPane.createEditorKitForContentType
throws NPE after 6882559
+ S8159684: (tz) Support tzdata2016f
+ S8160934: isnan() is not available on older MSVC
compilers
+ S8162411: Service Menu services 2
+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
after JDK-8155968
+ S8162511: 8u111 L10n resource file updates
+ S8162792: Remove constraint DSA keySize < 1024 from
jdk.jar.disabledAlgorithms in jdk8
+ S8164452: 8u111 L10n resource file update - msgdrop 20
+ S8165816: jarsigner -verify shows jar unsigned if it was
signed with a weak algorithm
+ S8166381: Back out changes to the java.security file to
not disable MD5
- Backports
+ S6604109, PR3162:
javax.print.PrintServiceLookup.lookupPrintServices fails
SOMETIMES for Cups
+ S6907252, PR3162: ZipFileInputStream Not Thread-Safe
+ S8024046, PR3162: Test
sun/security/krb5/runNameEquals.sh failed on 7u45
Embedded linux-ppc*
+ S8028479, PR3162: runNameEquals still cannot precisely
detect if a usable native krb5 is available
+ S8034057, PR3162: Files.getFileStore and
Files.isWritable do not work with SUBST'ed drives (win)
+ S8038491, PR3162: Improve synchronization in
ZipFile.read()
+ S8038502, PR3162: Deflater.needsInput() should use
synchronization
+ S8059411, PR3162: RowSetWarning does not correctly chain
warnings
+ S8062198, PR3162: Add RowSetMetaDataImpl Tests and add
column range validation to isdefinitlyWritable
+ S8066188, PR3162: BaseRowSet returns the wrong default
value for escape processing
+ S8072466, PR3162: Deadlock when initializing
MulticastSocket and DatagramSocket
+ S8075118, PR3162: JVM stuck in infinite loop during
verification
+ S8076579, PR3162: Popping a stack frame after exception
breakpoint sets last method param to exception
+ S8078495, PR3162: End time checking for native TGT is
wrong
+ S8078668, PR3162: jar usage string mentions unsupported
option '-n'
+ S8080115, PR3162: (fs) Crash in libgio when calling
Files.probeContentType(path) from parallel threads
+ S8081794, PR3162: ParsePosition getErrorIndex returns 0
for TimeZone parsing problem
+ S8129957, PR3162: Deadlock in JNDI LDAP implementation
when closing the LDAP context
+ S8130136, PR3162: Swing window sometimes fails to
repaint partially when it becomes exposed
+ S8130274, PR3162: java/nio/file/FileStore/Basic.java
fails when two successive stores in an iteration are
determined to be equal
+ S8132551, PR3162: Initialize local variables before
returning them in p11_convert.c
+ S8133207, PR3162: [TEST_BUG] ParallelProbes.java test
fails after changes for JDK-8080115
+ S8133666, PR3162: OperatingSystemMXBean reports
abnormally high machine CPU consumption on Linux
+ S8135002, PR3162: Fix or remove broken links in
objectMonitor.cpp comments
+ S8137121, PR3162: (fc) Infinite loop
FileChannel.truncate
+ S8137230, PR3162: TEST_BUG:
java/nio/channels/FileChannel/LoopingTruncate.java timed
out
+ S8139373, PR3162: [TEST_BUG]
java/net/MulticastSocket/MultiDead.java failed with
timeout
+ S8140249, PR3162: JVM Crashing During startUp If Flight
Recording is enabled
+ S8141491, PR3160, G592292: Unaligned memory access in
Bits.c
+ S8144483, PR3162: One long Safepoint pause directly
after each GC log rotation
+ S8149611, PR3160, G592292: Add tests for
Unsafe.copySwapMemory
- Bug fixes
+ S8078628, PR3151: Zero build fails with pre-compiled
headers disabled
+ PR3128: pax-mark-vm script calls 'exit -1' which is
invalid in dash
+ PR3131: PaX marking fails on filesystems which don't
support extended attributes
+ PR3135: Makefile.am rule
stamps/add/tzdata-support-debug.stamp has a typo in
add-tzdata dependency
+ PR3141: Pass $(CC) and $(CXX) to OpenJDK build
+ PR3166: invalid zip timestamp handling leads to error
building bootstrap-javac
+ PR3202: Update infinality configure test
+ PR3212: Disable ARM32 JIT by default
- CACAO
+ PR3136: CACAO is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- JamVM
+ PR3134: JamVM is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- AArch64 port
+ S8167200, PR3204: AArch64: Broken stack pointer
adjustment in interpreter
+ S8168888: Port 8160591: Improve internal array handling
to AArch64.
+ PR3211: AArch64 build fails with pre-compiled headers
disabled
- Changed patch :
- java-1_7_0-openjdk-gcc6.patch
+ Rediff to changed context
- Disable arm32 JIT, since its build broken
(http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2
942) | last seen | 2019-01-16 | modified | 2018-11-19 | plugin id | 95549 | published | 2016-12-06 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95549 | title | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-1389) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2079.NASL | description | An update for java-1.8.0-openjdk is now available for Red Hat
Enterprise Linux 6 and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively.
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94150 | published | 2016-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94150 | title | RHEL 6 / 7 : java-1.8.0-openjdk (RHSA-2016:2079) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2016-2079.NASL | description | From Red Hat Security Advisory 2016:2079 :
An update for java-1.8.0-openjdk is now available for Red Hat
Enterprise Linux 6 and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively.
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 94149 | published | 2016-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94149 | title | Oracle Linux 6 / 7 : java-1.8.0-openjdk (ELSA-2016-2079) |
NASL family | Misc. | NASL id | ORACLE_JAVA_CPU_OCT_2016_UNIX.NASL | description | The version of Oracle (formerly Sun) Java SE or Java for Business
installed on the remote host is prior to 8 Update 111, 7 Update 121,
or 6 Update 131. It is, therefore, affected by multiple
vulnerabilities :
- An unspecified flaw exists in the Libraries
subcomponent that allows an unauthenticated, remote
attacker to impact integrity. (CVE-2016-5542)
- An unspecified flaw exists in the JMX subcomponent that
allows an unauthenticated, remote attacker to impact
integrity. (CVE-2016-5554)
- An unspecified flaw exists in the 2D subcomponent that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-5556)
- An unspecified flaw exists in the AWT subcomponent that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-5568)
- Multiple unspecified flaws exist in the Hotspot
subcomponent that allow an unauthenticated, remote
attacker to execute arbitrary code. (CVE-2016-5573,
CVE-2016-5582)
- An unspecified flaw exists in the Networking
subcomponent that allows an unauthenticated, remote
attacker to disclose sensitive information.
(CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-15 | plugin id | 94139 | published | 2016-10-19 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94139 | title | Oracle Java SE Multiple Vulnerabilities (October 2016 CPU) (Unix) |
NASL family | CentOS Local Security Checks | NASL id | CENTOS_RHSA-2016-2658.NASL | description | An update for java-1.7.0-openjdk is now available for Red Hat
Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime
Environment and the OpenJDK 7 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94740 | published | 2016-11-14 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94740 | title | CentOS 5 / 6 / 7 : java-1.7.0-openjdk (CESA-2016:2658) |
NASL family | Windows | NASL id | ORACLE_JAVA_CPU_OCT_2016.NASL | description | The version of Oracle (formerly Sun) Java SE or Java for Business
installed on the remote host is prior to 8 Update 111, 7 Update 121,
or 6 Update 131. It is, therefore, affected by multiple
vulnerabilities :
- An unspecified flaw exists in the Libraries
subcomponent that allows an unauthenticated, remote
attacker to impact integrity. (CVE-2016-5542)
- An unspecified flaw exists in the JMX subcomponent that
allows an unauthenticated, remote attacker to impact
integrity. (CVE-2016-5554)
- An unspecified flaw exists in the 2D subcomponent that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-5556)
- An unspecified flaw exists in the AWT subcomponent that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-5568)
- Multiple unspecified flaws exist in the Hotspot
subcomponent that allow an unauthenticated, remote
attacker to execute arbitrary code. (CVE-2016-5573,
CVE-2016-5582)
- An unspecified flaw exists in the Networking
subcomponent that allows an unauthenticated, remote
attacker to disclose sensitive information.
(CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-15 | plugin id | 94138 | published | 2016-10-19 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94138 | title | Oracle Java SE Multiple Vulnerabilities (October 2016 CPU) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2016-1335.NASL | description | OpenJDK java-1_8_0-openjdk was updated to jdk8u111 (icedtea 3.2.0) to
fix the following issues :
- Security fixes
+ S8146490: Direct indirect CRL checks
+ S8151921: Improved page resolution
+ S8155968: Update command line options
+ S8155973, CVE-2016-5542: Tighten jar checks
(boo#1005522)
+ S8156794: Extend data sharing
+ S8157176: Improved classfile parsing
+ S8157739, CVE-2016-5554: Classloader Consistency
Checking (boo#1005523)
+ S8157749: Improve handling of DNS error replies
+ S8157753: Audio replay enhancement
+ S8157759: LCMS Transform Sampling Enhancement
+ S8157764: Better handling of interpolation plugins
+ S8158302: Handle contextual glyph substitutions
+ S8158993, CVE-2016-5568: Service Menu services
(boo#1005525)
+ S8159495: Fix index offsets
+ S8159503: Amend Annotation Actions
+ S8159511: Stack map validation
+ S8159515: Improve indy validation
+ S8159519, CVE-2016-5573: Reformat JDWP messages
(boo#1005526)
+ S8160090: Better signature handling in pack200
+ S8160094: Improve pack200 layout
+ S8160098: Clean up color profiles
+ S8160591, CVE-2016-5582: Improve internal array handling
(boo#1005527)
+ S8160838, CVE-2016-5597: Better HTTP service
(boo#1005528)
+ PR3206, RH1367357: lcms2: Out-of-bounds read in
Type_MLU_Read()
+ CVE-2016-5556 (boo#1005524)
- New features
+ PR1370: Provide option to build without debugging
+ PR1375: Provide option to strip and link debugging info
after build
+ PR1537: Handle alternative Kerberos credential cache
locations
+ PR1978: Allow use of system PCSC
+ PR2445: Support system libsctp
+ PR3182: Support building without pre-compiled headers
+ PR3183: Support Fedora/RHEL system crypto policy
+ PR3221: Use pkgconfig to detect Kerberos CFLAGS and
libraries
- Import of OpenJDK 8 u102 build 14
+ S4515292: ReferenceType.isStatic() returns true for
arrays
+ S4858370: JDWP: Memory Leak: GlobalRefs never deleted
when processing invokeMethod command
+ S6976636: JVM/TI test ex03t001 fails assertion
+ S7185591: jcmd-big-script.sh ERROR: could not find app's
Java pid.
+ S8017462: G1: guarantee fails with
UseDynamicNumberOfGCThreads
+ S8034168: ThreadMXBean/Locks.java failed, blocked on
wrong object
+ S8036006: [TESTBUG]
sun/tools/native2ascii/NativeErrors.java fails: Process
exit code was 0, but error was expected.
+ S8041781: Need new regression tests for PBE keys
+ S8041787: Need new regressions tests for buffer handling
for PBE algorithms
+ S8043836: Need new tests for AES cipher
+ S8044199: Tests for RSA keys and key specifications
+ S8044772: TempDirTest.java still times out with -Xcomp
+ S8046339: sun.rmi.transport.DGCAckHandler leaks memory
+ S8047031: Add SocketPermission tests for legacy socket
types
+ S8048052: Permission tests for setFactory
+ S8048138: Tests for JAAS callbacks
+ S8048147: Privilege tests with JAAS Subject.doAs
+ S8048356: SecureRandom default provider tests
+ S8048357: PKCS basic tests
+ S8048360: Test signed jar files
+ S8048362: Tests for doPrivileged with accomplice
+ S8048596: Tests for AEAD ciphers
+ S8048599: Tests for key wrap and unwrap operations
+ S8048603: Additional tests for MAC algorithms
+ S8048604: Tests for strong crypto ciphers
+ S8048607: Test key generation of DES and DESEDE
+ S8048610: Implement regression test for bug fix of
4686632 in JCE
+ S8048617: Tests for PKCS12 read operations
+ S8048618: Tests for PKCS12 write operations.
+ S8048619: Implement tests for converting PKCS12
keystores
+ S8048624: Tests for SealedObject
+ S8048819: Implement reliability test for DH algorithm
+ S8048820: Implement tests for SecretKeyFactory
+ S8048830: Implement tests for new functionality provided
in JEP 166
+ S8049237: Need new tests for X509V3 certificates
+ S8049321: Support SHA256WithDSA in JSSE
+ S8049429: Tests for java client server communications
with various TLS/SSL combinations.
+ S8049432: New tests for TLS property
jdk.tls.client.protocols
+ S8049814: Additional SASL client-server tests
+ S8050281: New permission tests for JEP 140
+ S8050370: Need new regressions tests for messageDigest
with DigestIOStream
+ S8050371: More MessageDigest tests
+ S8050374: More Signature tests
+ S8050427: LoginContext tests to cover JDK-4703361
+ S8050460: JAAS login/logout tests with LoginContext
+ S8050461: Tests for syntax checking of JAAS
configuration file
+ S8054278: Refactor jps utility tests
+ S8055530: assert(_exits.control()->is_top() ||
!_gvn.type(ret_phi)->empty()) failed: return value must
be well defined
+ S8055844: [TESTBUG]
test/runtime/NMT/VirtualAllocCommitUncommitRecommit.java
fails on Solaris Sparc due to incorrect page size being
used
+ S8059677: Thread.getName() instantiates Strings
+ S8061464: A typo in CipherTestUtils test
+ S8062536: [TESTBUG] Conflicting GC combinations in jdk
tests
+ S8065076:
java/net/SocketPermission/SocketPermissionTest.java
fails intermittently
+ S8065078: NetworkInterface.getNetworkInterfaces()
triggers intermittent test failures
+ S8066871: java.lang.VerifyError: Bad local variable type
- local final String
+ S8068427: Hashtable deserialization reconstitutes table
with wrong capacity
+ S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java
needs to be updated for JDK-8061210
+ S8069253: javax/net/ssl/TLS/TestJSSE.java failed on Mac
+ S8071125: Improve exception messages in URLPermission
+ S8072081: Supplementary characters are rejected in
comments
+ S8072463: Remove requirement that AKID and SKID have to
match when building certificate chain
+ S8072725: Provide more granular levels for GC
verification
+ S8073400: Some Monospaced logical fonts have a different
width
+ S8073872: Schemagen fails with StackOverflowError if
element references containing class
+ S8074931: Additional tests for CertPath API
+ S8075286: Additional tests for signature algorithm OIDs
and transformation string
+ S8076486: [TESTBUG]
javax/security/auth/Subject/doAs/NestedActions.java
fails if extra VM options are given
+ S8076545: Text size is twice bigger under Windows L&F on
Win 8.1 with HiDPI display
+ S8076995:
gc/ergonomics/TestDynamicNumberOfGCThreads.java failed
with java.lang.RuntimeException: 'new_active_workers'
missing from stdout/stderr
+ S8079138: Additional negative tests for XML signature
processing
+ S8081512: Remove sun.invoke.anon classes, or move /
co-locate them with tests
+ S8081771: ProcessTool.createJavaProcessBuilder() needs
new addTestVmAndJavaOptions argument
+ S8129419: heapDumper.cpp: assert(length_in_bytes > 0)
failed: nothing to copy
+ S8130150: Implement BigInteger.montgomeryMultiply
intrinsic
+ S8130242: DataFlavorComparator transitivity exception
+ S8130304: Inference: NodeNotFoundException thrown with
deep generic method call chain
+ S8130425: libjvm crash due to stack overflow in
executables with 32k tbss/tdata
+ S8133023: ParallelGCThreads is not calculated correctly
+ S8134111: Unmarshaller unmarshalls XML element which
doesn't have the expected namespace
+ S8135259: InetAddress.getAllByName only reports 'unknown
error' instead of actual cause
+ S8136506: Include sun.arch.data.model as a property that
can be queried by jtreg
+ S8137068: Tests added in JDK-8048604 fail to compile
+ S8139040: Fix initializations before
ShouldNotReachHere() etc. and enable -Wuninitialized on
linux.
+ S8139581: AWT components are not drawn after removal and
addition to a container
+ S8141243: Unexpected timezone returned after parsing a
date
+ S8141420: Compiler runtime entries don't hold Klass*
from being GCed
+ S8141445: Use of Solaris/SPARC M7 libadimalloc.so can
generate unknown signal in hs_err file
+ S8141551: C2 can not handle returns with inccompatible
interface arrays
+ S8143377: Test PKCS8Test.java fails
+ S8143647: Javac compiles method reference that allows
results in an IllegalAccessError
+ S8144144: ORB destroy() leaks filedescriptors after
unsuccessful connection
+ S8144593: Suppress not recognized property/feature
warning messages from SAXParser
+ S8144957: Remove PICL warning message
+ S8145039: JAXB marshaller fails with ClassCastException
on classes generated by xjc
+ S8145228: Java Access Bridge,
getAccessibleStatesStringFromContext doesn't wrap the
call to getAccessibleRole
+ S8145388: URLConnection.guessContentTypeFromStream
returns image/jpg for some JPEG images
+ S8145974: XMLStreamWriter produces invalid XML for
surrogate pairs on OutputStreamWriter
+ S8146035: Windows - With LCD antialiasing, some glyphs
are not rendered correctly
+ S8146192: Add test for JDK-8049321
+ S8146274: Thread spinning on WeakHashMap.getEntry() with
concurrent use of nashorn
+ S8147468: Allow users to bound the size of buffers
cached in the per-thread buffer caches
+ S8147645: get_ctrl_no_update() code is wrong
+ S8147807: crash in libkcms.so on linux-sparc
+ S8148379: jdk.nashorn.api.scripting spec. adjustments,
clarifications
+ S8148627: RestrictTestMaxCachedBufferSize.java to 64-bit
platforms
+ S8148820: Missing @since Javadoc tag in
Logger.log(Level, Supplier)
+ S8148926: Call site profiling fails on braces-wrapped
anonymous function
+ S8149017: Delayed provider selection broken in RSA
client key exchange
+ S8149029: Secure validation of XML based digital
signature always enabled when checking wrapping attacks
+ S8149330: Capacity of StringBuilder should not get close
to Integer.MAX_VALUE unless necessary
+ S8149334: JSON.parse(JSON.stringify([])).push(10)
creates an array containing two elements
+ S8149368: [hidpi] JLabel font is twice bigger than
JTextArea font on Windows 7,HiDPI, Windows L&F
+ S8149411: PKCS12KeyStore cannot extract AES Secret Keys
+ S8149417: Use final restricted flag
+ S8149450: LdapCtx.processReturnCode() throwing NULL
pointer Exception
+ S8149453: [hidpi] JFileChooser does not scale properly
on Windows with HiDPI display and Windows L&F
+ S8149543: range check CastII nodes should not be split
through Phi
+ S8149743: JVM crash after debugger hotswap with lambdas
+ S8149744: fix testng.jar delivery in Nashorn build.xml
+ S8149915: enabling validate-annotations feature for xsd
schema with annotation causes NPE
+ S8150002: Check for the validity of oop before printing
it in verify_remembered_set
+ S8150470: JCK: api/xsl/conf/copy/copy19 test failure
+ S8150518: G1 GC crashes at
G1CollectedHeap::do_collection_pause_at_safepoint(double
)
+ S8150533: Test
java/util/logging/LogManagerAppContextDeadlock.java
times out intermittently.
+ S8150704: XALAN: ERROR: 'No more DTM IDs are available'
when transforming with lots of temporary result trees
+ S8150780: Repeated offer and remove on
ConcurrentLinkedQueue lead to an OutOfMemoryError
+ S8151064: com/sun/jdi/RedefineAddPrivateMethod.sh fails
intermittently
+ S8151197: [TEST_BUG] Need to backport fix for
test/javax/net/ssl/TLS/TestJSSE.java
+ S8151352: jdk/test/sample fails with 'effective library
path is outside the test suite'
+ S8151431: DateFormatSymbols triggers this.clone() in the
constructor
+ S8151535: TESTBUG:
java/lang/invoke/AccessControlTest.java should be
modified to run with JTREG 4.1 b13
+ S8151731: Add new jtreg keywords to jdk 8
+ S8151998: VS2010 ThemeReader.cpp(758) : error C3861:
'round': identifier not found
+ S8152927: Incorrect GPL header in
StubFactoryDynamicBase.java reported
+ S8153252: SA: Hotspot build on Windows fails if
make/closed folder does not exist
+ S8153531: Improve exception messaging for
RSAClientKeyExchange
+ S8153641: assert(thread_state == _thread_in_native)
failed: Assumed thread_in_native while heap dump
+ S8153673: [BACKOUT] JDWP: Memory Leak: GlobalRefs never
deleted when processing invokeMethod command
+ S8154304: NullpointerException at
LdapReferralException.getReferralContext
+ S8154722: Test
gc/ergonomics/TestDynamicNumberOfGCThreads.java fails
+ S8157078: 8u102 L10n resource file updates
+ S8157838: Personalized Windows Font Size is not taken
into account in Java8u102
- Import of OpenJDK 8 u111 build 14
+ S6882559: new JEditorPane('text/plain','') fails for
null context class loader
+ S8049171: Additional tests for jarsigner's warnings
+ S8063086: Math.pow yields different results upon
repeated calls
+ S8140530: Creating a VolatileImage with size 0,0 results
in no longer working g2d.drawString
+ S8142926: OutputAnalyzer's shouldXXX() calls return this
+ S8147077: IllegalArgumentException thrown by
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al
+ S8148127: IllegalArgumentException thrown by JCK test
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al in opengl pipeline
+ S8150611: Security problem on
sun.misc.resources.Messages*
+ S8153399: Constrain AppCDS behavior (back port)
+ S8157653: [Parfait] Uninitialised variable in
awt_Font.cpp
+ S8158734: JEditorPane.createEditorKitForContentType
throws NPE after 6882559
+ S8158994: Service Menu services
+ S8159684: (tz) Support tzdata2016f
+ S8160904: Typo in code from 8079718 fix :
enableCustomValueHanlde
+ S8160934: isnan() is not available on older MSVC
compilers
+ S8161141: correct bugId for JDK-8158994 fix push
+ S8162411: Service Menu services 2
+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
after JDK-8155968
+ S8162511: 8u111 L10n resource file updates
+ S8162792: Remove constraint DSA keySize < 1024 from
jdk.jar.disabledAlgorithms in jdk8
+ S8164452: 8u111 L10n resource file update - msgdrop 20
+ S8165816: jarsigner -verify shows jar unsigned if it was
signed with a weak algorithm
+ S8166381: Back out changes to the java.security file to
not disable MD5
- Backports
+ S8078628, PR3208: Zero build fails with pre-compiled
headers disabled
+ S8141491, PR3159, G592292: Unaligned memory access in
Bits.c
+ S8157306, PR3121: Random infrequent NULL pointer
exceptions in javac (enabled on AArch64 only)
+ S8162384, PR3122: Performance regression: bimorphic
inlining may be bypassed by type speculation
- Bug fixes
+ PR3123: Some object files built without -fPIC on x86
only
+ PR3126: pax-mark-vm script calls 'exit -1' which is
invalid in dash
+ PR3127, G590348: Only apply PaX markings by default on
running PaX kernels
+ PR3199: Invalid nashorn URL
+ PR3201: Update infinality configure test
+ PR3218: PR3159 leads to build failure on clean tree
- AArch64 port
+ S8131779, PR3220: AARCH64: add Montgomery multiply
intrinsic
+ S8167200, PR3220: AArch64: Broken stack pointer
adjustment in interpreter
+ S8167421, PR3220: AArch64: in one core system, fatal
error: Illegal threadstate encountered
+ S8167595, PR3220: AArch64: SEGV in stub code
cipherBlockChaining_decryptAESCrypt
+ S8168888, PR3220: Port 8160591: Improve internal array
handling to AArch64.
- Shenandoah
+ PR3224: Shenandoah broken when building without
pre-compiled headers
- S8158260, PR2991, RH1341258: PPC64: unaligned
Unsafe.getInt can lead to the generation of illegal
instructions (boo#988651) | last seen | 2019-01-16 | modified | 2016-11-21 | plugin id | 95023 | published | 2016-11-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95023 | title | openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-1335) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2090.NASL | description | An update for java-1.6.0-sun is now available for Oracle Java for Red
Hat Enterprise Linux 5, Oracle Java for Red Hat Enterprise Linux 6,
and Oracle Java for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Oracle Java SE version 6 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.
This update upgrades Oracle Java SE 6 to version 6 Update 131.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the Oracle Java
Runtime Environment and the Oracle Java Software Development Kit.
Further information about these flaws can be found on the Oracle Java
SE Critical Patch Update Advisory page, listed in the References
section. (CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5573,
CVE-2016-5582, CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94190 | published | 2016-10-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94190 | title | RHEL 5 / 6 / 7 : java-1.6.0-sun (RHSA-2016:2090) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-3068-1.NASL | description | This update for java-1_7_0-ibm fixes the following issues :
- Version update to 7.0-9.60 (bsc#1009280, bsc#992537)
fixing the following CVE's: CVE-2016-5568,
CVE-2016-5556, CVE-2016-5573, CVE-2016-5597,
CVE-2016-5554, CVE-2016-5542
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 95710 | published | 2016-12-12 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95710 | title | SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:3068-1) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-3041-1.NASL | description | This update for java-1_7_1-ibm fixes the following issues :
- Version update to 7.1-3.60 (bsc#1009280) fixing the
following CVE's: CVE-2016-5568, CVE-2016-5556,
CVE-2016-5573, CVE-2016-5597, CVE-2016-5554,
CVE-2016-5542
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 95608 | published | 2016-12-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95608 | title | SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2016:3041-1) |
NASL family | Scientific Linux Local Security Checks | NASL id | SL_20170113_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL | description | Security Fix(es) :
- It was discovered that the Hotspot component of OpenJDK
did not properly check arguments of the
System.arraycopy() function in certain cases. An
untrusted Java application or applet could use this flaw
to corrupt virtual machine's memory and completely
bypass Java sandbox restrictions. (CVE-2016-5582)
- It was discovered that the Hotspot component of OpenJDK
did not properly check received Java Debug Wire Protocol
(JDWP) packets. An attacker could possibly use this flaw
to send debugging commands to a Java program running
with debugging enabled if they could make victim's
browser send HTTP requests to the JDWP port of the
debugged application. (CVE-2016-5573)
- It was discovered that the Libraries component of
OpenJDK did not restrict the set of algorithms used for
Jar integrity verification. This flaw could allow an
attacker to modify content of the Jar file that used
weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
- A flaw was found in the way the JMX component of OpenJDK
handled classloaders. An untrusted Java application or
applet could use this flaw to bypass certain Java
sandbox restrictions. (CVE-2016-5554)
- A flaw was found in the way the Networking component of
OpenJDK handled HTTP proxy authentication. A Java
application could possibly expose HTTPS server
authentication credentials via a plain text network
connection to an HTTP proxy if proxy asked for
authentication. (CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-12-27 | plugin id | 96526 | published | 2017-01-16 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96526 | title | Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64 |
NASL family | Huawei Local Security Checks | NASL id | EULEROS_SA-2016-1080.NASL | description | According to the versions of the java-1.7.0-openjdk packages
installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :
- It was discovered that the Libraries component of
OpenJDK did not restrict the set of algorithms used for
JAR integrity verification. This flaw could allow an
attacker to modify content of the JAR file that used
weak signing key or hash algorithm.(CVE-2016-5542)
- A flaw was found in the way the JMX component of
OpenJDK handled classloaders. An untrusted Java
application or applet could use this flaw to bypass
certain Java sandbox restrictions.(CVE-2016-5554)
- It was discovered that the Hotspot component of OpenJDK
did not properly check received Java Debug Wire
Protocol (JDWP) packets. An attacker could possibly use
this flaw to send debugging commands to a Java program
running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of
the debugged application.(CVE-2016-5573)
- It was discovered that the Hotspot component of OpenJDK
did not properly check arguments of the
System.arraycopy() function in certain cases. An
untrusted Java application or applet could use this
flaw to corrupt virtual machine's memory and completely
bypass Java sandbox restrictions.(CVE-2016-5582)
- A flaw was found in the way the Networking component of
OpenJDK handled HTTP proxy authentication. A Java
application could possibly expose HTTPS server
authentication credentials via a plain text network
connection to an HTTP proxy if proxy asked for
authentication.(CVE-2016-5597)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-14 | plugin id | 99840 | published | 2017-05-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=99840 | title | EulerOS 2.0 SP1 : java-1.7.0-openjdk (EulerOS-SA-2016-1080) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3154-1.NASL | description | It was discovered that OpenJDK did not restrict the set of algorithms
used for Jar integrity verification. An attacker could use this to
modify without detection the content of a JAR file, affecting system
integrity. (CVE-2016-5542)
It was discovered that the JMX component of OpenJDK did not
sufficiently perform classloader consistency checks. An attacker could
use this to bypass Java sandbox restrictions. (CVE-2016-5554)
It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could use this to send debugging commands to a Java
application with debugging enabled. (CVE-2016-5573)
It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An attacker could use this to bypass Java sandbox restrictions.
(CVE-2016-5582)
It was discovered that OpenJDK did not properly handle HTTP proxy
authentication. An attacker could use this to expose HTTPS server
authentication credentials. (CVE-2016-5597).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 95629 | published | 2016-12-08 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95629 | title | Ubuntu 12.04 LTS : openjdk-6 vulnerabilities (USN-3154-1) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-3043-1.NASL | description | This update for java-1_7_1-ibm fixes the following issues :
- Version update to 7.1-3.60 (bsc#1009280) Fixing the
following CVE's: CVE-2016-5568, CVE-2016-5556,
CVE-2016-5573, CVE-2016-5597, CVE-2016-5554,
CVE-2016-5542
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 95623 | published | 2016-12-08 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95623 | title | SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2016:3043-1) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3130-1.NASL | description | It was discovered that OpenJDK did not restrict the set of algorithms
used for Jar integrity verification. An attacker could use this to
modify without detection the content of a JAR file, affecting system
integrity. (CVE-2016-5542)
It was discovered that the JMX component of OpenJDK did not
sufficiently perform classloader consistency checks. An attacker could
use this to bypass Java sandbox restrictions. (CVE-2016-5554)
It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could use this to send debugging commands to a Java
application with debugging enabled. (CVE-2016-5573)
It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An attacker could use this to bypass Java sandbox restrictions.
(CVE-2016-5582)
It was discovered that OpenJDK did not properly handle HTTP proxy
authentication. An attacker could use this to expose HTTPS server
authentication credentials. (CVE-2016-5597).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 94954 | published | 2016-11-18 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94954 | title | Ubuntu 14.04 LTS : openjdk-7 vulnerabilities (USN-3130-1) |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DLA-704.NASL | description | Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in information
disclosure, denial of service and arbitrary code execution.
For Debian 7 'Wheezy', these problems have been fixed in version
7u111-2.6.7-2~deb7u1.
We recommend that you upgrade your openjdk-7 packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues. | last seen | 2019-01-16 | modified | 2018-07-09 | plugin id | 94587 | published | 2016-11-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94587 | title | Debian DLA-704-1 : openjdk-7 security update |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2016-759.NASL | description | It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for JAR integrity verification.
This flaw could allow an attacker to modify content of the JAR file
that used weak signing key or hash algorithm. (CVE-2016-5542) (Note:
After this update, MD2 hash algorithm and RSA keys with less than 1024
bits are no longer allowed to be used for Jar integrity verification
by default. MD5 hash algorithm is expected to be disabled by default
in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.)
A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 94341 | published | 2016-10-28 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94341 | title | Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2016-759) |
NASL family | AIX Local Security Checks | NASL id | AIX_JAVA_OCT2016_ADVISORY.NASL | description | The version of Java SDK installed on the remote AIX host is affected
by multiple vulnerabilities in the following subcomponents :
- An unspecified flaw exists in the Libraries subcomponent
that allows an unauthenticated, remote attacker to
impact integrity. (CVE-2016-5542)
- An unspecified flaw exists in the JMX subcomponent that
allows an unauthenticated, remote attacker to impact
integrity. (CVE-2016-5554)
- An unspecified flaw exists in the 2D subcomponent that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-5556)
- An unspecified flaw exists in the AWT subcomponent that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2016-5568)
- An unspecified flaw exists in the Networking
subcomponent that allows an unauthenticated, remote
attacker to disclose sensitive information.
(CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-07-17 | plugin id | 97051 | published | 2017-02-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=97051 | title | AIX Java Advisory : java_oct2016_advisory.asc (October 2016 CPU) |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2016-771.NASL | description | It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for JAR integrity verification.
This flaw could allow an attacker to modify content of the JAR file
that used weak signing key or hash algorithm. (CVE-2016-5542)
A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 94977 | published | 2016-11-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94977 | title | Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2016-771) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2088.NASL | description | An update for java-1.8.0-oracle is now available for Oracle Java for
Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Oracle Java SE version 8 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.
This update upgrades Oracle Java SE 8 to version 8 Update 111.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the Oracle Java
Runtime Environment and the Oracle Java Software Development Kit.
Further information about these flaws can be found on the Oracle Java
SE Critical Patch Update Advisory page, listed in the References
section. (CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5573,
CVE-2016-5582, CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94188 | published | 2016-10-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94188 | title | RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2016:2088) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-3078-1.NASL | description | This update for java-1_8_0-ibm fixes the following issues :
- CVE-2016-5568: Unspecified vulnerability allowed remote
attackers to affect confidentiality, integrity, and
availability via vectors related to AWT
- CVE-2016-5556: Unspecified vulnerability allowed remote
attackers to affect confidentiality, integrity, and
availability via vectors related to 2D
- CVE-2016-5573: Unspecified vulnerability allowed remote
attackers to affect confidentiality, integrity, and
availability via vectors related to Hotspot
- CVE-2016-5597: Unspecified vulnerability allowed remote
attackers to affect confidentiality via vectors related
to Networking
- CVE-2016-5554: Unspecified vulnerability allowed remote
attackers to affect integrity via vectors related to JMX
- CVE-2016-5542: Unspecified vulnerability allowed remote
attackers to affect integrity via vectors related to
Libraries
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 95711 | published | 2016-12-12 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95711 | title | SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2016:3078-1) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2016-1357.NASL | description | This update for java-1_7_0-openjdk fixes the following issues :
- Update to 2.6.8 - OpenJDK 7u121
- Security fixes
+ S8151921: Improved page resolution
+ S8155968: Update command line options
+ S8155973, CVE-2016-5542: Tighten jar checks
(boo#1005522)
+ S8157176: Improved classfile parsing
+ S8157739, CVE-2016-5554: Classloader Consistency
Checking (boo#1005523)
+ S8157749: Improve handling of DNS error replies
+ S8157753: Audio replay enhancement
+ S8157759: LCMS Transform Sampling Enhancement
+ S8157764: Better handling of interpolation plugins
+ S8158302: Handle contextual glyph substitutions
+ S8158993, CVE-2016-5568: Service Menu services
(boo#1005525)
+ S8159495: Fix index offsets
+ S8159503: Amend Annotation Actions
+ S8159511: Stack map validation
+ S8159515: Improve indy validation
+ S8159519, CVE-2016-5573: Reformat JDWP messages
(boo#1005526)
+ S8160090: Better signature handling in pack200
+ S8160094: Improve pack200 layout
+ S8160098: Clean up color profiles
+ S8160591, CVE-2016-5582: Improve internal array handling
(boo#1005527)
+ S8160838, CVE-2016-5597: Better HTTP service
(boo#1005528)
+ PR3207, RH1367357: lcms2: Out-of-bounds read in
Type_MLU_Read()
+ CVE-2016-5556 (boo#1005524)
- Import of OpenJDK 7 u121 build 0
+ S6624200: Regression test fails:
test/closed/javax/swing/JMenuItem/4654927/bug4654927.jav
a
+ S6882559: new JEditorPane('text/plain','') fails for
null context class loader
+ S7090158: Networking Libraries don't build with javac
-Werror
+ S7125055: ContentHandler.getContent API changed in error
+ S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing
on windows
+ S7187051: ShortRSAKeynnn.sh tests should do cleanup
before start test
+ S8000626: Implement dead key detection for KeyEvent on
Linux
+ S8003890: corelibs test scripts should pass TESTVMOPTS
+ S8005629: javac warnings compiling
java.awt.EventDispatchThread and sun.awt.X11.XIconWindow
+ S8010297: Missing isLoggable() checks in logging code
+ S8010782: clean up source files containing carriage
return characters
+ S8014431: cleanup warnings indicated by the
-Wunused-value compiler option on linux
+ S8015265: revise the fix for 8007037
+ S8016747: Replace deprecated PlatformLogger
isLoggable(int) with isLoggable(Level)
+ S8020708: NLS mnemonics missing in
SwingSet2/JInternalFrame demo
+ S8024756: method grouping tabs are not selectable
+ S8026741: jdk8 l10n resource file translation update 5
+ S8048147: Privilege tests with JAAS Subject.doAs
+ S8048357: PKCS basic tests
+ S8049171: Additional tests for jarsigner's warnings
+ S8059177: jdk8u40 l10n resource file translation update
1
+ S8075584: test for 8067364 depends on hardwired text
advance
+ S8076486: [TESTBUG]
javax/security/auth/Subject/doAs/NestedActions.java
fails if extra VM options are given
+ S8077953: [TEST_BUG]
com/sun/management/OperatingSystemMXBean/TestTotalSwap.j
ava Compilation failed after JDK-8077387
+ S8080628: No mnemonics on Open and Save buttons in
JFileChooser
+ S8083601: jdk8u60 l10n resource file translation update
2
+ S8140530: Creating a VolatileImage with size 0,0 results
in no longer working g2d.drawString
+ S8142926: OutputAnalyzer's shouldXXX() calls return this
+ S8143134: L10n resource file translation update
+ S8147077: IllegalArgumentException thrown by
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al
+ S8148127: IllegalArgumentException thrown by JCK test
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al in opengl pipeline
+ S8150611: Security problem on
sun.misc.resources.Messages*
+ S8157653: [Parfait] Uninitialised variable in
awt_Font.cpp
+ S8158734: JEditorPane.createEditorKitForContentType
throws NPE after 6882559
+ S8159684: (tz) Support tzdata2016f
+ S8160934: isnan() is not available on older MSVC
compilers
+ S8162411: Service Menu services 2
+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
after JDK-8155968
+ S8162511: 8u111 L10n resource file updates
+ S8162792: Remove constraint DSA keySize < 1024 from
jdk.jar.disabledAlgorithms in jdk8
+ S8164452: 8u111 L10n resource file update - msgdrop 20
+ S8165816: jarsigner -verify shows jar unsigned if it was
signed with a weak algorithm
+ S8166381: Back out changes to the java.security file to
not disable MD5
- Backports
+ S6604109, PR3162:
javax.print.PrintServiceLookup.lookupPrintServices fails
SOMETIMES for Cups
+ S6907252, PR3162: ZipFileInputStream Not Thread-Safe
+ S8024046, PR3162: Test
sun/security/krb5/runNameEquals.sh failed on 7u45
Embedded linux-ppc*
+ S8028479, PR3162: runNameEquals still cannot precisely
detect if a usable native krb5 is available
+ S8034057, PR3162: Files.getFileStore and
Files.isWritable do not work with SUBST'ed drives (win)
+ S8038491, PR3162: Improve synchronization in
ZipFile.read()
+ S8038502, PR3162: Deflater.needsInput() should use
synchronization
+ S8059411, PR3162: RowSetWarning does not correctly chain
warnings
+ S8062198, PR3162: Add RowSetMetaDataImpl Tests and add
column range validation to isdefinitlyWritable
+ S8066188, PR3162: BaseRowSet returns the wrong default
value for escape processing
+ S8072466, PR3162: Deadlock when initializing
MulticastSocket and DatagramSocket
+ S8075118, PR3162: JVM stuck in infinite loop during
verification
+ S8076579, PR3162: Popping a stack frame after exception
breakpoint sets last method param to exception
+ S8078495, PR3162: End time checking for native TGT is
wrong
+ S8078668, PR3162: jar usage string mentions unsupported
option '-n'
+ S8080115, PR3162: (fs) Crash in libgio when calling
Files.probeContentType(path) from parallel threads
+ S8081794, PR3162: ParsePosition getErrorIndex returns 0
for TimeZone parsing problem
+ S8129957, PR3162: Deadlock in JNDI LDAP implementation
when closing the LDAP context
+ S8130136, PR3162: Swing window sometimes fails to
repaint partially when it becomes exposed
+ S8130274, PR3162: java/nio/file/FileStore/Basic.java
fails when two successive stores in an iteration are
determined to be equal
+ S8132551, PR3162: Initialize local variables before
returning them in p11_convert.c
+ S8133207, PR3162: [TEST_BUG] ParallelProbes.java test
fails after changes for JDK-8080115
+ S8133666, PR3162: OperatingSystemMXBean reports
abnormally high machine CPU consumption on Linux
+ S8135002, PR3162: Fix or remove broken links in
objectMonitor.cpp comments
+ S8137121, PR3162: (fc) Infinite loop
FileChannel.truncate
+ S8137230, PR3162: TEST_BUG:
java/nio/channels/FileChannel/LoopingTruncate.java timed
out
+ S8139373, PR3162: [TEST_BUG]
java/net/MulticastSocket/MultiDead.java failed with
timeout
+ S8140249, PR3162: JVM Crashing During startUp If Flight
Recording is enabled
+ S8141491, PR3160, G592292: Unaligned memory access in
Bits.c
+ S8144483, PR3162: One long Safepoint pause directly
after each GC log rotation
+ S8149611, PR3160, G592292: Add tests for
Unsafe.copySwapMemory
- Bug fixes
+ S8078628, PR3151: Zero build fails with pre-compiled
headers disabled
+ PR3128: pax-mark-vm script calls 'exit -1' which is
invalid in dash
+ PR3131: PaX marking fails on filesystems which don't
support extended attributes
+ PR3135: Makefile.am rule
stamps/add/tzdata-support-debug.stamp has a typo in
add-tzdata dependency
+ PR3141: Pass $(CC) and $(CXX) to OpenJDK build
+ PR3166: invalid zip timestamp handling leads to error
building bootstrap-javac
+ PR3202: Update infinality configure test
+ PR3212: Disable ARM32 JIT by default
- CACAO
+ PR3136: CACAO is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- JamVM
+ PR3134: JamVM is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- AArch64 port
+ S8167200, PR3204: AArch64: Broken stack pointer
adjustment in interpreter
+ S8168888: Port 8160591: Improve internal array handling
to AArch64.
+ PR3211: AArch64 build fails with pre-compiled headers
disabled
- Changed patch :
- java-1_7_0-openjdk-gcc6.patch
+ Rediff to changed context
- Disable arm32 JIT, since its build broken
(http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2
942) | last seen | 2019-01-16 | modified | 2018-11-19 | plugin id | 95311 | published | 2016-11-25 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95311 | title | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-1357) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2017-0061.NASL | description | An update for java-1.6.0-openjdk is now available for Red Hat
Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-12-27 | plugin id | 96480 | published | 2017-01-13 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96480 | title | RHEL 5 / 6 / 7 : java-1.6.0-openjdk (RHSA-2017:0061) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2138.NASL | description | An update for java-1.7.0-ibm is now available for Red Hat Enterprise
Linux 5 Supplementary.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
IBM Java SE version 7 includes the IBM Java Runtime Environment and
the IBM Java Software Development Kit.
This update upgrades IBM Java SE 7 to version 7 SR9-FP60.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2016-5542,
CVE-2016-5554, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94501 | published | 2016-11-03 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94501 | title | RHEL 5 : java-1.7.0-ibm (RHSA-2016:2138) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-3040-1.NASL | description | This update for java-1_6_0-ibm fixes the following issues :
- Version update to 6.0-16.35 (bsc#1009280) fixing the
following CVE's: CVE-2016-5568, CVE-2016-5556,
CVE-2016-5573, CVE-2016-5597, CVE-2016-5554,
CVE-2016-5542
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-30 | plugin id | 95607 | published | 2016-12-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95607 | title | SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:3040-1) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2136.NASL | description | An update for java-1.8.0-ibm is now available for Red Hat Enterprise
Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
IBM Java SE version 8 includes the IBM Java Runtime Environment and
the IBM Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR3-FP20.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2016-5542,
CVE-2016-5554, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94499 | published | 2016-11-03 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94499 | title | RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2016:2136) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3121-1.NASL | description | It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An attacker could use this to bypass Java sandbox restrictions.
(CVE-2016-5582)
It was discovered that OpenJDK did not restrict the set of algorithms
used for Jar integrity verification. An attacker could use this to
modify without detection the content of a JAR file, affecting system
integrity. (CVE-2016-5542)
It was discovered that the JMX component of OpenJDK did not
sufficiently perform classloader consistency checks. An attacker could
use this to bypass Java sandbox restrictions. (CVE-2016-5554)
It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could use this to send debugging commands to a Java
application with debugging enabled. (CVE-2016-5573)
It was discovered that OpenJDK did not properly handle HTTP proxy
authentication. An attacker could use this to expose HTTPS server
authentication credentials. (CVE-2016-5597).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 94510 | published | 2016-11-03 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94510 | title | Ubuntu 16.04 LTS / 16.10 : openjdk-8 vulnerabilities (USN-3121-1) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-2887-1.NASL | description | OpenJDK Java was updated to jdk8u111 (icedtea 3.2.0) to fix the
following issues :
- Security fixes
+ S8146490: Direct indirect CRL checks
+ S8151921: Improved page resolution
+ S8155968: Update command line options
+ S8155973, CVE-2016-5542: Tighten jar checks
(bsc#1005522)
+ S8156794: Extend data sharing
+ S8157176: Improved classfile parsing
+ S8157739, CVE-2016-5554: Classloader Consistency
Checking (bsc#1005523)
+ S8157749: Improve handling of DNS error replies
+ S8157753: Audio replay enhancement
+ S8157759: LCMS Transform Sampling Enhancement
+ S8157764: Better handling of interpolation plugins
+ S8158302: Handle contextual glyph substitutions
+ S8158993, CVE-2016-5568: Service Menu services
(bsc#1005525)
+ S8159495: Fix index offsets
+ S8159503: Amend Annotation Actions
+ S8159511: Stack map validation
+ S8159515: Improve indy validation
+ S8159519, CVE-2016-5573: Reformat JDWP messages
(bsc#1005526)
+ S8160090: Better signature handling in pack200
+ S8160094: Improve pack200 layout
+ S8160098: Clean up color profiles
+ S8160591, CVE-2016-5582: Improve internal array handling
(bsc#1005527)
+ S8160838, CVE-2016-5597: Better HTTP service
(bsc#1005528)
+ PR3206, RH1367357: lcms2: Out-of-bounds read in
Type_MLU_Read()
+ CVE-2016-5556 (bsc#1005524)
- New features
+ PR1370: Provide option to build without debugging
+ PR1375: Provide option to strip and link debugging info
after build
+ PR1537: Handle alternative Kerberos credential cache
locations
+ PR1978: Allow use of system PCSC
+ PR2445: Support system libsctp
+ PR3182: Support building without pre-compiled headers
+ PR3183: Support Fedora/RHEL system crypto policy
+ PR3221: Use pkgconfig to detect Kerberos CFLAGS and
libraries
- Import of OpenJDK 8 u102 build 14
+ S4515292: ReferenceType.isStatic() returns true for
arrays
+ S4858370: JDWP: Memory Leak: GlobalRefs never deleted
when processing invokeMethod command
+ S6976636: JVM/TI test ex03t001 fails assertion
+ S7185591: jcmd-big-script.sh ERROR: could not find app's
Java pid.
+ S8017462: G1: guarantee fails with
UseDynamicNumberOfGCThreads
+ S8034168: ThreadMXBean/Locks.java failed, blocked on
wrong object
+ S8036006: [TESTBUG]
sun/tools/native2ascii/NativeErrors.java fails: Process
exit code was 0, but error was expected.
+ S8041781: Need new regression tests for PBE keys
+ S8041787: Need new regressions tests for buffer handling
for PBE algorithms
+ S8043836: Need new tests for AES cipher
+ S8044199: Tests for RSA keys and key specifications
+ S8044772: TempDirTest.java still times out with -Xcomp
+ S8046339: sun.rmi.transport.DGCAckHandler leaks memory
+ S8047031: Add SocketPermission tests for legacy socket
types
+ S8048052: Permission tests for setFactory
+ S8048138: Tests for JAAS callbacks
+ S8048147: Privilege tests with JAAS Subject.doAs
+ S8048356: SecureRandom default provider tests
+ S8048357: PKCS basic tests
+ S8048360: Test signed jar files
+ S8048362: Tests for doPrivileged with accomplice
+ S8048596: Tests for AEAD ciphers
+ S8048599: Tests for key wrap and unwrap operations
+ S8048603: Additional tests for MAC algorithms
+ S8048604: Tests for strong crypto ciphers
+ S8048607: Test key generation of DES and DESEDE
+ S8048610: Implement regression test for bug fix of
4686632 in JCE
+ S8048617: Tests for PKCS12 read operations
+ S8048618: Tests for PKCS12 write operations.
+ S8048619: Implement tests for converting PKCS12
keystores
+ S8048624: Tests for SealedObject
+ S8048819: Implement reliability test for DH algorithm
+ S8048820: Implement tests for SecretKeyFactory
+ S8048830: Implement tests for new functionality provided
in JEP 166
+ S8049237: Need new tests for X509V3 certificates
+ S8049321: Support SHA256WithDSA in JSSE
+ S8049429: Tests for java client server communications
with various TLS/SSL combinations.
+ S8049432: New tests for TLS property
jdk.tls.client.protocols
+ S8049814: Additional SASL client-server tests
+ S8050281: New permission tests for JEP 140
+ S8050370: Need new regressions tests for messageDigest
with DigestIOStream
+ S8050371: More MessageDigest tests
+ S8050374: More Signature tests
+ S8050427: LoginContext tests to cover JDK-4703361
+ S8050460: JAAS login/logout tests with LoginContext
+ S8050461: Tests for syntax checking of JAAS
configuration file
+ S8054278: Refactor jps utility tests
+ S8055530: assert(_exits.control()->is_top() ||
!_gvn.type(ret_phi)->empty()) failed: return value must
be well defined
+ S8055844: [TESTBUG]
test/runtime/NMT/VirtualAllocCommitUncommitRecommit.java
fails on Solaris Sparc due to incorrect page size being
used
+ S8059677: Thread.getName() instantiates Strings
+ S8061464: A typo in CipherTestUtils test
+ S8062536: [TESTBUG] Conflicting GC combinations in jdk
tests
+ S8065076:
java/net/SocketPermission/SocketPermissionTest.java
fails intermittently
+ S8065078: NetworkInterface.getNetworkInterfaces()
triggers intermittent test failures
+ S8066871: java.lang.VerifyError: Bad local variable type
- local final String
+ S8068427: Hashtable deserialization reconstitutes table
with wrong capacity
+ S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java
needs to be updated for JDK-8061210
+ S8069253: javax/net/ssl/TLS/TestJSSE.java failed on Mac
+ S8071125: Improve exception messages in URLPermission
+ S8072081: Supplementary characters are rejected in
comments
+ S8072463: Remove requirement that AKID and SKID have to
match when building certificate chain
+ S8072725: Provide more granular levels for GC
verification
+ S8073400: Some Monospaced logical fonts have a different
width
+ S8073872: Schemagen fails with StackOverflowError if
element references containing class
+ S8074931: Additional tests for CertPath API
+ S8075286: Additional tests for signature algorithm OIDs
and transformation string
+ S8076486: [TESTBUG]
javax/security/auth/Subject/doAs/NestedActions.java
fails if extra VM options are given
+ S8076545: Text size is twice bigger under Windows L&F on
Win 8.1 with HiDPI display
+ S8076995:
gc/ergonomics/TestDynamicNumberOfGCThreads.java failed
with java.lang.RuntimeException: 'new_active_workers'
missing from stdout/stderr
+ S8079138: Additional negative tests for XML signature
processing
+ S8081512: Remove sun.invoke.anon classes, or move /
co-locate them with tests
+ S8081771: ProcessTool.createJavaProcessBuilder() needs
new addTestVmAndJavaOptions argument
+ S8129419: heapDumper.cpp: assert(length_in_bytes > 0)
failed: nothing to copy
+ S8130150: Implement BigInteger.montgomeryMultiply
intrinsic
+ S8130242: DataFlavorComparator transitivity exception
+ S8130304: Inference: NodeNotFoundException thrown with
deep generic method call chain
+ S8130425: libjvm crash due to stack overflow in
executables with 32k tbss/tdata
+ S8133023: ParallelGCThreads is not calculated correctly
+ S8134111: Unmarshaller unmarshalls XML element which
doesn't have the expected namespace
+ S8135259: InetAddress.getAllByName only reports 'unknown
error' instead of actual cause
+ S8136506: Include sun.arch.data.model as a property that
can be queried by jtreg
+ S8137068: Tests added in JDK-8048604 fail to compile
+ S8139040: Fix initializations before
ShouldNotReachHere() etc. and enable -Wuninitialized on
linux.
+ S8139581: AWT components are not drawn after removal and
addition to a container
+ S8141243: Unexpected timezone returned after parsing a
date
+ S8141420: Compiler runtime entries don't hold Klass*
from being GCed
+ S8141445: Use of Solaris/SPARC M7 libadimalloc.so can
generate unknown signal in hs_err file
+ S8141551: C2 can not handle returns with inccompatible
interface arrays
+ S8143377: Test PKCS8Test.java fails
+ S8143647: Javac compiles method reference that allows
results in an IllegalAccessError
+ S8144144: ORB destroy() leaks filedescriptors after
unsuccessful connection
+ S8144593: Suppress not recognized property/feature
warning messages from SAXParser
+ S8144957: Remove PICL warning message
+ S8145039: JAXB marshaller fails with ClassCastException
on classes generated by xjc
+ S8145228: Java Access Bridge,
getAccessibleStatesStringFromContext doesn't wrap the
call to getAccessibleRole
+ S8145388: URLConnection.guessContentTypeFromStream
returns image/jpg for some JPEG images
+ S8145974: XMLStreamWriter produces invalid XML for
surrogate pairs on OutputStreamWriter
+ S8146035: Windows - With LCD antialiasing, some glyphs
are not rendered correctly
+ S8146192: Add test for JDK-8049321
+ S8146274: Thread spinning on WeakHashMap.getEntry() with
concurrent use of nashorn
+ S8147468: Allow users to bound the size of buffers
cached in the per-thread buffer caches
+ S8147645: get_ctrl_no_update() code is wrong
+ S8147807: crash in libkcms.so on linux-sparc
+ S8148379: jdk.nashorn.api.scripting spec. adjustments,
clarifications
+ S8148627: RestrictTestMaxCachedBufferSize.java to 64-bit
platforms
+ S8148820: Missing @since Javadoc tag in
Logger.log(Level, Supplier)
+ S8148926: Call site profiling fails on braces-wrapped
anonymous function
+ S8149017: Delayed provider selection broken in RSA
client key exchange
+ S8149029: Secure validation of XML based digital
signature always enabled when checking wrapping attacks
+ S8149330: Capacity of StringBuilder should not get close
to Integer.MAX_VALUE unless necessary
+ S8149334: JSON.parse(JSON.stringify([])).push(10)
creates an array containing two elements
+ S8149368: [hidpi] JLabel font is twice bigger than
JTextArea font on Windows 7,HiDPI, Windows L&F
+ S8149411: PKCS12KeyStore cannot extract AES Secret Keys
+ S8149417: Use final restricted flag
+ S8149450: LdapCtx.processReturnCode() throwing NULL
pointer Exception
+ S8149453: [hidpi] JFileChooser does not scale properly
on Windows with HiDPI display and Windows L&F
+ S8149543: range check CastII nodes should not be split
through Phi
+ S8149743: JVM crash after debugger hotswap with lambdas
+ S8149744: fix testng.jar delivery in Nashorn build.xml
+ S8149915: enabling validate-annotations feature for xsd
schema with annotation causes NPE
+ S8150002: Check for the validity of oop before printing
it in verify_remembered_set
+ S8150470: JCK: api/xsl/conf/copy/copy19 test failure
+ S8150518: G1 GC crashes at
G1CollectedHeap::do_collection_pause_at_safepoint(double
)
+ S8150533: Test
java/util/logging/LogManagerAppContextDeadlock.java
times out intermittently.
+ S8150704: XALAN: ERROR: 'No more DTM IDs are available'
when transforming with lots of temporary result trees
+ S8150780: Repeated offer and remove on
ConcurrentLinkedQueue lead to an OutOfMemoryError
+ S8151064: com/sun/jdi/RedefineAddPrivateMethod.sh fails
intermittently
+ S8151197: [TEST_BUG] Need to backport fix for
test/javax/net/ssl/TLS/TestJSSE.java
+ S8151352: jdk/test/sample fails with 'effective library
path is outside the test suite'
+ S8151431: DateFormatSymbols triggers this.clone() in the
constructor
+ S8151535: TESTBUG:
java/lang/invoke/AccessControlTest.java should be
modified to run with JTREG 4.1 b13
+ S8151731: Add new jtreg keywords to jdk 8
+ S8151998: VS2010 ThemeReader.cpp(758) : error C3861:
'round': identifier not found
+ S8152927: Incorrect GPL header in
StubFactoryDynamicBase.java reported
+ S8153252: SA: Hotspot build on Windows fails if
make/closed folder does not exist
+ S8153531: Improve exception messaging for
RSAClientKeyExchange
+ S8153641: assert(thread_state == _thread_in_native)
failed: Assumed thread_in_native while heap dump
+ S8153673: [BACKOUT] JDWP: Memory Leak: GlobalRefs never
deleted when processing invokeMethod command
+ S8154304: NullpointerException at
LdapReferralException.getReferralContext
+ S8154722: Test
gc/ergonomics/TestDynamicNumberOfGCThreads.java fails
+ S8157078: 8u102 L10n resource file updates
+ S8157838: Personalized Windows Font Size is not taken
into account in Java8u102
- Import of OpenJDK 8 u111 build 14
+ S6882559: new JEditorPane('text/plain','') fails for
null context class loader
+ S8049171: Additional tests for jarsigner's warnings
+ S8063086: Math.pow yields different results upon
repeated calls
+ S8140530: Creating a VolatileImage with size 0,0 results
in no longer working g2d.drawString
+ S8142926: OutputAnalyzer's shouldXXX() calls return this
+ S8147077: IllegalArgumentException thrown by
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al
+ S8148127: IllegalArgumentException thrown by JCK test
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al in opengl pipeline
+ S8150611: Security problem on
sun.misc.resources.Messages*
+ S8153399: Constrain AppCDS behavior (back port)
+ S8157653: [Parfait] Uninitialised variable in
awt_Font.cpp
+ S8158734: JEditorPane.createEditorKitForContentType
throws NPE after 6882559
+ S8158994: Service Menu services
+ S8159684: (tz) Support tzdata2016f
+ S8160904: Typo in code from 8079718 fix :
enableCustomValueHanlde
+ S8160934: isnan() is not available on older MSVC
compilers
+ S8161141: correct bugId for JDK-8158994 fix push
+ S8162411: Service Menu services 2
+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
after JDK-8155968
+ S8162511: 8u111 L10n resource file updates
+ S8162792: Remove constraint DSA keySize
jdk.jar.disabledAlgorithms in jdk8
+ S8164452: 8u111 L10n resource file update - msgdrop 20
+ S8165816: jarsigner -verify shows jar unsigned if it was
signed with a weak algorithm
+ S8166381: Back out changes to the java.security file to
not disable MD5
- Backports
+ S8078628, PR3208: Zero build fails with pre-compiled
headers disabled
+ S8141491, PR3159, G592292: Unaligned memory access in
Bits.c
+ S8157306, PR3121: Random infrequent NULL pointer
exceptions in javac (enabled on AArch64 only)
+ S8162384, PR3122: Performance regression: bimorphic
inlining may be bypassed by type speculation
- Bug fixes
+ PR3123: Some object files built without -fPIC on x86
only
+ PR3126: pax-mark-vm script calls 'exit -1' which is
invalid in dash
+ PR3127, G590348: Only apply PaX markings by default on
running PaX kernels
+ PR3199: Invalid nashorn URL
+ PR3201: Update infinality configure test
+ PR3218: PR3159 leads to build failure on clean tree
- AArch64 port
+ S8131779, PR3220: AARCH64: add Montgomery multiply
intrinsic
+ S8167200, PR3220: AArch64: Broken stack pointer
adjustment in interpreter
+ S8167421, PR3220: AArch64: in one core system, fatal
error: Illegal threadstate encountered
+ S8167595, PR3220: AArch64: SEGV in stub code
cipherBlockChaining_decryptAESCrypt
+ S8168888, PR3220: Port 8160591: Improve internal array
handling to AArch64.
- Shenandoah
+ PR3224: Shenandoah broken when building without
pre-compiled headers
- Build against system kerberos
- Build against system pcsc and sctp
- S8158260, PR2991, RH1341258: PPC64: unaligned
Unsafe.getInt can lead to the generation of illegal
instructions (bsc#988651)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-29 | plugin id | 95294 | published | 2016-11-23 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95294 | title | SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2016:2887-1) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2016-1444.NASL | description | This update for java-1_7_0-openjdk fixes the following issues :
- Update to 2.6.8 - OpenJDK 7u121
- Security fixes
+ S8151921: Improved page resolution
+ S8155968: Update command line options
+ S8155973, CVE-2016-5542: Tighten jar checks
(bsc#1005522)
+ S8157176: Improved classfile parsing
+ S8157739, CVE-2016-5554: Classloader Consistency
Checking (bsc#1005523)
+ S8157749: Improve handling of DNS error replies
+ S8157753: Audio replay enhancement
+ S8157759: LCMS Transform Sampling Enhancement
+ S8157764: Better handling of interpolation plugins
+ S8158302: Handle contextual glyph substitutions
+ S8158993, CVE-2016-5568: Service Menu services
(bsc#1005525)
+ S8159495: Fix index offsets
+ S8159503: Amend Annotation Actions
+ S8159511: Stack map validation
+ S8159515: Improve indy validation
+ S8159519, CVE-2016-5573: Reformat JDWP messages
(bsc#1005526)
+ S8160090: Better signature handling in pack200
+ S8160094: Improve pack200 layout
+ S8160098: Clean up color profiles
+ S8160591, CVE-2016-5582: Improve internal array handling
(bsc#1005527)
+ S8160838, CVE-2016-5597: Better HTTP service
(bsc#1005528)
+ PR3207, RH1367357: lcms2: Out-of-bounds read in
Type_MLU_Read()
+ CVE-2016-5556 (bsc#1005524)
- Import of OpenJDK 7 u121 build 0
+ S6624200: Regression test fails:
test/closed/javax/swing/JMenuItem/4654927/bug4654927.jav
a
+ S6882559: new JEditorPane('text/plain','') fails for
null context class loader
+ S7090158: Networking Libraries don't build with javac
-Werror
+ S7125055: ContentHandler.getContent API changed in error
+ S7145960: sun/security/mscapi/ShortRSAKey1024.sh failing
on windows
+ S7187051: ShortRSAKeynnn.sh tests should do cleanup
before start test
+ S8000626: Implement dead key detection for KeyEvent on
Linux
+ S8003890: corelibs test scripts should pass TESTVMOPTS
+ S8005629: javac warnings compiling
java.awt.EventDispatchThread and sun.awt.X11.XIconWindow
+ S8010297: Missing isLoggable() checks in logging code
+ S8010782: clean up source files containing carriage
return characters
+ S8014431: cleanup warnings indicated by the
-Wunused-value compiler option on linux
+ S8015265: revise the fix for 8007037
+ S8016747: Replace deprecated PlatformLogger
isLoggable(int) with isLoggable(Level)
+ S8020708: NLS mnemonics missing in
SwingSet2/JInternalFrame demo
+ S8024756: method grouping tabs are not selectable
+ S8026741: jdk8 l10n resource file translation update 5
+ S8048147: Privilege tests with JAAS Subject.doAs
+ S8048357: PKCS basic tests
+ S8049171: Additional tests for jarsigner's warnings
+ S8059177: jdk8u40 l10n resource file translation update
1
+ S8075584: test for 8067364 depends on hardwired text
advance
+ S8076486: [TESTBUG]
javax/security/auth/Subject/doAs/NestedActions.java
fails if extra VM options are given
+ S8077953: [TEST_BUG]
com/sun/management/OperatingSystemMXBean/TestTotalSwap.j
ava Compilation failed after JDK-8077387
+ S8080628: No mnemonics on Open and Save buttons in
JFileChooser
+ S8083601: jdk8u60 l10n resource file translation update
2
+ S8140530: Creating a VolatileImage with size 0,0 results
in no longer working g2d.drawString
+ S8142926: OutputAnalyzer's shouldXXX() calls return this
+ S8143134: L10n resource file translation update
+ S8147077: IllegalArgumentException thrown by
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al
+ S8148127: IllegalArgumentException thrown by JCK test
api/java_awt/Component/FlipBufferStrategy/indexTGF_Gener
al in opengl pipeline
+ S8150611: Security problem on
sun.misc.resources.Messages*
+ S8157653: [Parfait] Uninitialised variable in
awt_Font.cpp
+ S8158734: JEditorPane.createEditorKitForContentType
throws NPE after 6882559
+ S8159684: (tz) Support tzdata2016f
+ S8160934: isnan() is not available on older MSVC
compilers
+ S8162411: Service Menu services 2
+ S8162419:
closed/com/oracle/jfr/runtime/TestVMInfoEvent.sh failing
after JDK-8155968
+ S8162511: 8u111 L10n resource file updates
+ S8162792: Remove constraint DSA keySize < 1024 from
jdk.jar.disabledAlgorithms in jdk8
+ S8164452: 8u111 L10n resource file update - msgdrop 20
+ S8165816: jarsigner -verify shows jar unsigned if it was
signed with a weak algorithm
+ S8166381: Back out changes to the java.security file to
not disable MD5
- Backports
+ S6604109, PR3162:
javax.print.PrintServiceLookup.lookupPrintServices fails
SOMETIMES for Cups
+ S6907252, PR3162: ZipFileInputStream Not Thread-Safe
+ S8024046, PR3162: Test
sun/security/krb5/runNameEquals.sh failed on 7u45
Embedded linux-ppc*
+ S8028479, PR3162: runNameEquals still cannot precisely
detect if a usable native krb5 is available
+ S8034057, PR3162: Files.getFileStore and
Files.isWritable do not work with SUBST'ed drives (win)
+ S8038491, PR3162: Improve synchronization in
ZipFile.read()
+ S8038502, PR3162: Deflater.needsInput() should use
synchronization
+ S8059411, PR3162: RowSetWarning does not correctly chain
warnings
+ S8062198, PR3162: Add RowSetMetaDataImpl Tests and add
column range validation to isdefinitlyWritable
+ S8066188, PR3162: BaseRowSet returns the wrong default
value for escape processing
+ S8072466, PR3162: Deadlock when initializing
MulticastSocket and DatagramSocket
+ S8075118, PR3162: JVM stuck in infinite loop during
verification
+ S8076579, PR3162: Popping a stack frame after exception
breakpoint sets last method param to exception
+ S8078495, PR3162: End time checking for native TGT is
wrong
+ S8078668, PR3162: jar usage string mentions unsupported
option '-n'
+ S8080115, PR3162: (fs) Crash in libgio when calling
Files.probeContentType(path) from parallel threads
+ S8081794, PR3162: ParsePosition getErrorIndex returns 0
for TimeZone parsing problem
+ S8129957, PR3162: Deadlock in JNDI LDAP implementation
when closing the LDAP context
+ S8130136, PR3162: Swing window sometimes fails to
repaint partially when it becomes exposed
+ S8130274, PR3162: java/nio/file/FileStore/Basic.java
fails when two successive stores in an iteration are
determined to be equal
+ S8132551, PR3162: Initialize local variables before
returning them in p11_convert.c
+ S8133207, PR3162: [TEST_BUG] ParallelProbes.java test
fails after changes for JDK-8080115
+ S8133666, PR3162: OperatingSystemMXBean reports
abnormally high machine CPU consumption on Linux
+ S8135002, PR3162: Fix or remove broken links in
objectMonitor.cpp comments
+ S8137121, PR3162: (fc) Infinite loop
FileChannel.truncate
+ S8137230, PR3162: TEST_BUG:
java/nio/channels/FileChannel/LoopingTruncate.java timed
out
+ S8139373, PR3162: [TEST_BUG]
java/net/MulticastSocket/MultiDead.java failed with
timeout
+ S8140249, PR3162: JVM Crashing During startUp If Flight
Recording is enabled
+ S8141491, PR3160, G592292: Unaligned memory access in
Bits.c
+ S8144483, PR3162: One long Safepoint pause directly
after each GC log rotation
+ S8149611, PR3160, G592292: Add tests for
Unsafe.copySwapMemory
- Bug fixes
+ S8078628, PR3151: Zero build fails with pre-compiled
headers disabled
+ PR3128: pax-mark-vm script calls 'exit -1' which is
invalid in dash
+ PR3131: PaX marking fails on filesystems which don't
support extended attributes
+ PR3135: Makefile.am rule
stamps/add/tzdata-support-debug.stamp has a typo in
add-tzdata dependency
+ PR3141: Pass $(CC) and $(CXX) to OpenJDK build
+ PR3166: invalid zip timestamp handling leads to error
building bootstrap-javac
+ PR3202: Update infinality configure test
+ PR3212: Disable ARM32 JIT by default
- CACAO
+ PR3136: CACAO is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- JamVM
+ PR3134: JamVM is broken due to 2 new native methods in
sun.misc.Unsafe (from S8158260)
- AArch64 port
+ S8167200, PR3204: AArch64: Broken stack pointer
adjustment in interpreter
+ S8168888: Port 8160591: Improve internal array handling
to AArch64.
+ PR3211: AArch64 build fails with pre-compiled headers
disabled
- Changed patch :
- java-1_7_0-openjdk-gcc6.patch
+ Rediff to changed context
- Disable arm32 JIT, since its build broken
(http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2
942)
This update was imported from the SUSE:SLE-12:Update update project. | last seen | 2019-01-16 | modified | 2018-11-19 | plugin id | 95750 | published | 2016-12-13 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95750 | title | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2016-1444) |
NASL family | Virtuozzo Local Security Checks | NASL id | VIRTUOZZO_VZLSA-2017-0061.NASL | description | An update for java-1.6.0-openjdk is now available for Red Hat
Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively.
Note that Tenable Network Security has attempted to extract the
preceding description block directly from the corresponding Red Hat
security advisory. Virtuozzo provides no description for VZLSA
advisories. Tenable has attempted to automatically clean and format
it as much as possible without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-20 | plugin id | 101406 | published | 2017-07-13 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=101406 | title | Virtuozzo 7 : java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc (VZLSA-2017-0061) |
NASL family | Scientific Linux Local Security Checks | NASL id | SL_20161019_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL | description | Security Fix(es) :
- It was discovered that the Hotspot component of OpenJDK
did not properly check arguments of the
System.arraycopy() function in certain cases. An
untrusted Java application or applet could use this flaw
to corrupt virtual machine's memory and completely
bypass Java sandbox restrictions. (CVE-2016-5582)
- It was discovered that the Hotspot component of OpenJDK
did not properly check received Java Debug Wire Protocol
(JDWP) packets. An attacker could possibly use this flaw
to send debugging commands to a Java program running
with debugging enabled if they could make victim's
browser send HTTP requests to the JDWP port of the
debugged application. (CVE-2016-5573)
- It was discovered that the Libraries component of
OpenJDK did not restrict the set of algorithms used for
Jar integrity verification. This flaw could allow an
attacker to modify content of the Jar file that used
weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
- A flaw was found in the way the JMX component of OpenJDK
handled classloaders. An untrusted Java application or
applet could use this flaw to bypass certain Java
sandbox restrictions. (CVE-2016-5554)
- A flaw was found in the way the Networking component of
OpenJDK handled HTTP proxy authentication. A Java
application could possibly expose HTTPS server
authentication credentials via a plain text network
connection to an HTTP proxy if proxy asked for
authentication. (CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively.
Note: If the web browser plug-in provided by the icedtea-web package
was installed, the issues exposed via Java applets could have been
exploited without user interaction if a user visited a malicious
website. | last seen | 2019-01-16 | modified | 2018-12-28 | plugin id | 94151 | published | 2016-10-20 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94151 | title | Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64 |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2659.NASL | description | An update for java-1.6.0-ibm is now available for Red Hat Enterprise
Linux 5 Supplementary and Red Hat Enterprise Linux 6 Supplementary.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
IBM Java SE version 6 includes the IBM Java Runtime Environment and
the IBM Java Software Development Kit.
This update upgrades IBM Java SE 6 to version 6 SR16-FP35.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2016-5542,
CVE-2016-5554, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-12-27 | plugin id | 94624 | published | 2016-11-08 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94624 | title | RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2016:2659) |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2017-795.NASL | description | It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 97025 | published | 2017-02-07 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=97025 | title | Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2017-795) |
NASL family | Scientific Linux Local Security Checks | NASL id | SL_20161107_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL | description | Security Fix(es) :
- It was discovered that the Hotspot component of OpenJDK
did not properly check arguments of the
System.arraycopy() function in certain cases. An
untrusted Java application or applet could use this flaw
to corrupt virtual machine's memory and completely
bypass Java sandbox restrictions. (CVE-2016-5582)
- It was discovered that the Hotspot component of OpenJDK
did not properly check received Java Debug Wire Protocol
(JDWP) packets. An attacker could possibly use this flaw
to send debugging commands to a Java program running
with debugging enabled if they could make victim's
browser send HTTP requests to the JDWP port of the
debugged application. (CVE-2016-5573)
- It was discovered that the Libraries component of
OpenJDK did not restrict the set of algorithms used for
Jar integrity verification. This flaw could allow an
attacker to modify content of the Jar file that used
weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
- A flaw was found in the way the JMX component of OpenJDK
handled classloaders. An untrusted Java application or
applet could use this flaw to bypass certain Java
sandbox restrictions. (CVE-2016-5554)
- A flaw was found in the way the Networking component of
OpenJDK handled HTTP proxy authentication. A Java
application could possibly expose HTTPS server
authentication credentials via a plain text network
connection to an HTTP proxy if proxy asked for
authentication. (CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-12-28 | plugin id | 94627 | published | 2016-11-08 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94627 | title | Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x i386/x86_64 |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DSA-3707.NASL | description | Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in breakouts of
the Java sandbox or denial of service. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94613 | published | 2016-11-08 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94613 | title | Debian DSA-3707-1 : openjdk-7 - security update |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2089.NASL | description | An update for java-1.7.0-oracle is now available for Oracle Java for
Red Hat Enterprise Linux 5, Oracle Java for Red Hat Enterprise Linux
6, and Oracle Java for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Oracle Java SE version 7 includes the Oracle Java Runtime Environment
and the Oracle Java Software Development Kit.
This update upgrades Oracle Java SE 7 to version 7 Update 121.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the Oracle Java
Runtime Environment and the Oracle Java Software Development Kit.
Further information about these flaws can be found on the Oracle Java
SE Critical Patch Update Advisory page, listed in the References
section. (CVE-2016-5542, CVE-2016-5554, CVE-2016-5556, CVE-2016-5573,
CVE-2016-5582, CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94189 | published | 2016-10-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94189 | title | RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2016:2089) |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2017-0061.NASL | description | From Red Hat Security Advisory 2017:0061 :
An update for java-1.6.0-openjdk is now available for Red Hat
Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-07-24 | plugin id | 96476 | published | 2017-01-13 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96476 | title | Oracle Linux 5 / 6 / 7 : java-1.6.0-openjdk (ELSA-2017-0061) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2137.NASL | description | An update for java-1.7.1-ibm is now available for Red Hat Enterprise
Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary.
Red Hat Product Security has rated this update as having a security
impact of Critical. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
IBM Java SE version 7 Release 1 includes the IBM Java Runtime
Environment and the IBM Java Software Development Kit.
This update upgrades IBM Java SE 7 to version 7R1 SR3-FP60.
Security Fix(es) :
* This update fixes multiple vulnerabilities in the IBM Java Runtime
Environment and the IBM Java Software Development Kit. Further
information about these flaws can be found on the IBM Java Security
alerts page, listed in the References section. (CVE-2016-5542,
CVE-2016-5554, CVE-2016-5556, CVE-2016-5573, CVE-2016-5597) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94500 | published | 2016-11-03 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94500 | title | RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2016:2137) |
NASL family | SuSE Local Security Checks | NASL id | SUSE_SU-2016-3010-1.NASL | description | This update for java-1_6_0-ibm fixes the following issues :
- Version update to 6.0-16.35 (bsc#1009280) fixing the
following CVE's: CVE-2016-5568, CVE-2016-5556,
CVE-2016-5573, CVE-2016-5597, CVE-2016-5554,
CVE-2016-5542
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2019-01-02 | plugin id | 119988 | published | 2019-01-02 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=119988 | title | SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2016:3010-1) |
NASL family | CentOS Local Security Checks | NASL id | CENTOS_RHSA-2017-0061.NASL | description | An update for java-1.6.0-openjdk is now available for Red Hat
Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime
Environment and the OpenJDK 6 Java Software Development Kit.
Security Fix(es) :
* It was discovered that the Hotspot component of OpenJDK did not
properly check arguments of the System.arraycopy() function in certain
cases. An untrusted Java application or applet could use this flaw to
corrupt virtual machine's memory and completely bypass Java sandbox
restrictions. (CVE-2016-5582)
* It was discovered that the Hotspot component of OpenJDK did not
properly check received Java Debug Wire Protocol (JDWP) packets. An
attacker could possibly use this flaw to send debugging commands to a
Java program running with debugging enabled if they could make
victim's browser send HTTP requests to the JDWP port of the debugged
application. (CVE-2016-5573)
* It was discovered that the Libraries component of OpenJDK did not
restrict the set of algorithms used for Jar integrity verification.
This flaw could allow an attacker to modify content of the Jar file
that used weak signing key or hash algorithm. (CVE-2016-5542)
Note: After this update, MD2 hash algorithm and RSA keys with less
than 1024 bits are no longer allowed to be used for Jar integrity
verification by default. MD5 hash algorithm is expected to be disabled
by default in the future updates. A newly introduced security property
jdk.jar.disabledAlgorithms can be used to control the set of disabled
algorithms.
* A flaw was found in the way the JMX component of OpenJDK handled
classloaders. An untrusted Java application or applet could use this
flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)
* A flaw was found in the way the Networking component of OpenJDK
handled HTTP proxy authentication. A Java application could possibly
expose HTTPS server authentication credentials via a plain text
network connection to an HTTP proxy if proxy asked for authentication.
(CVE-2016-5597)
Note: After this update, Basic HTTP proxy authentication can no longer
be used when tunneling HTTPS connection through an HTTP proxy. Newly
introduced system properties jdk.http.auth.proxying.disabledSchemes
and jdk.http.auth.tunneling.disabledSchemes can be used to control
which authentication schemes can be requested by an HTTP proxy when
proxying HTTP and HTTPS connections respectively. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 96457 | published | 2017-01-13 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96457 | title | CentOS 5 / 6 / 7 : java-1.6.0-openjdk (CESA-2017:0061) |
|