SUSE-CU-2023:2505-1: Security update of bci/openjdk-devel
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Aug 2 10:09:51 UTC 2023
SUSE Container Update Advisory: bci/openjdk-devel
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2505-1
Container Tags : bci/openjdk-devel:17 , bci/openjdk-devel:17-10.40 , bci/openjdk-devel:latest
Container Release : 10.40
Severity : important
Type : security
References : 1179926 1207922 1212401 1213473 1213474 1213475 1213479 1213481
1213482 1213517 CVE-2020-8908 CVE-2023-22006 CVE-2023-22036 CVE-2023-22041
CVE-2023-22044 CVE-2023-22045 CVE-2023-22049 CVE-2023-25193 CVE-2023-2976
-----------------------------------------------------------------
The container bci/openjdk-devel was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3023-1
Released: Fri Jul 28 21:59:48 2023
Summary: Security update for java-17-openjdk
Type: security
Severity: important
References: 1207922,1213473,1213474,1213475,1213479,1213481,1213482,CVE-2023-22006,CVE-2023-22036,CVE-2023-22041,CVE-2023-22044,CVE-2023-22045,CVE-2023-22049,CVE-2023-25193
This update for java-17-openjdk fixes the following issues:
Updated to version jdk-17.0.8+7 (July 2023 CPU):
- CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473).
- CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474).
- CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475).
- CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479).
- CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481).
- CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482).
- CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).
- JDK-8294323: Improve Shared Class Data
- JDK-8296565: Enhanced archival support
- JDK-8298676, JDK-8300891: Enhanced Look and Feel
- JDK-8300285: Enhance TLS data handling
- JDK-8300596: Enhance Jar Signature validation
- JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
- JDK-8302475: Enhance HTTP client file downloading
- JDK-8302483: Enhance ZIP performance
- JDK-8303376: Better launching of JDI
- JDK-8304460: Improve array usages
- JDK-8304468: Better array usages
- JDK-8305312: Enhanced path handling
- JDK-8308682: Enhance AES performance
Bugfixes:
- JDK-8178806: Better exception logging in crypto code
- JDK-8201516: DebugNonSafepoints generates incorrect
information
- JDK-8224768: Test ActalisCA.java fails
- JDK-8227060: Optimize safepoint cleanup subtask order
- JDK-8227257: javax/swing/JFileChooser/4847375/bug4847375.java
fails with AssertionError
- JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
- JDK-8244976: vmTestbase/nsk/jdi/Event/request/request001.java
doesn' initialize eName
- JDK-8245877: assert(_value != __null) failed: resolving NULL
_value in JvmtiExport::post_compiled_method_load
- JDK-8248001: javadoc generates invalid HTML pages whose
ftp:// links are broken
- JDK-8252990: Intrinsify Unsafe.storeStoreFence
- JDK-8254711: Add java.security.Provider.getService JFR Event
- JDK-8257856: Make ClassFileVersionsTest.java robust to JDK
version updates
- JDK-8261495: Shenandoah: reconsider update references memory
ordering
- JDK-8268288: jdk/jfr/api/consumer/streaming/
/TestOutOfProcessMigration.java fails with 'Error:
ShouldNotReachHere()'
- JDK-8268298: jdk/jfr/api/consumer/log/TestVerbosity.java
fails: unexpected log message
- JDK-8268582: javadoc throws NPE with --ignore-source-errors
option
- JDK-8269821: Remove is-queue-active check in inner loop of
write_ref_array_pre_work
- JDK-8270434: JDI+UT: Unexpected event in JDI tests
- JDK-8270859: Post JEP 411 refactoring: client libs with
maximum covering > 10K
- JDK-8270869: G1ServiceThread may not terminate
- JDK-8271519: java/awt/event/SequencedEvent/
/MultipleContextsFunctionalTest.java failed with 'Total [200]
- Expected [400]'
- JDK-8273909: vmTestbase/nsk/jdi/Event/request/request001 can
still fail with 'ERROR: new event is not ThreadStartEvent'
- JDK-8274243: Implement fast-path for ASCII-compatible
CharsetEncoders on aarch64
- JDK-8274615: Support relaxed atomic add for linux-aarch64
- JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
- JDK-8275233: Incorrect line number reported in exception
stack trace thrown from a lambda expression
- JDK-8275287: Relax memory ordering constraints on updating
instance class and array class counters
- JDK-8275721: Name of UTC timezone in a locale changes
depending on previous code
- JDK-8275735: [linux] Remove deprecated Metrics api (kernel
memory limit)
- JDK-8276058: Some swing test fails on specific CI macos system
- JDK-8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/
/bug6276188.java fails to compile after JDK-8276058
- JDK-8277775: Fixup bugids in RemoveDropTargetCrashTest.java -
add 4357905
- JDK-8278146: G1: Rework VM_G1Concurrent VMOp to clearly
identify it as pause
- JDK-8278434: timeouts in test java/time/test/java/time/
/format/TestZoneTextPrinterParser.java
- JDK-8278834: Error 'Cannot read field 'sym' because
'this.lvar[od]' is null' when compiling
- JDK-8282077: PKCS11 provider C_sign() impl should handle
CKR_BUFFER_TOO_SMALL error
- JDK-8282201: Consider removal of expiry check in
VerifyCACerts.java test
- JDK-8282227: Locale information for nb is not working properly
- JDK-8282704: runtime/Thread/StopAtExit.java may leak memory
- JDK-8283057: Update GCC to version 11.2.0 for Oracle builds
on Linux
- JDK-8283062: Uninitialized warnings in libgtest with GCC 11.2
- JDK-8283520: JFR: Memory leak in dcmd_arena
- JDK-8283566: G1: Improve G1BarrierSet::enqueue performance
- JDK-8284331: Add sanity check for signal handler modification
warning.
- JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java
failed with Default Button not pressed for L&F:
com.sun.java.swing.plaf.motif.MotifLookAndFeel
- JDK-8285987: executing shell scripts without #! fails on
Alpine linux
- JDK-8286191: misc tests fail due to JDK-8285987
- JDK-8286287: Reading file as UTF-16 causes Error which
'shouldn't happen'
- JDK-8286331: jni_GetStringUTFChars() uses wrong heap allocator
- JDK-8286346: 3-parameter version of AllocateHeap should not
ignore AllocFailType
- JDK-8286398: Address possibly lossy conversions in
jdk.internal.le
- JDK-8287007: [cgroups] Consistently use stringStream
throughout parsing code
- JDK-8287246: DSAKeyValue should check for missing params
instead of relying on KeyFactory provider
- JDK-8287541: Files.writeString fails to throw IOException for
charset 'windows-1252'
- JDK-8287854: Dangling reference in ClassVerifier::verify_class
- JDK-8287876: The recently de-problemlisted
TestTitledBorderLeak test is unstable
- JDK-8287897: Augment src/jdk.internal.le/share/legal/jline.md
with information on 4th party dependencies
- JDK-8288589: Files.readString ignores encoding errors for
UTF-16
- JDK-8289509: Improve test coverage for XPath Axes:
descendant, descendant-or-self, following, following-sibling
- JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
- JDK-8289949: Improve test coverage for XPath: operators
- JDK-8290822: C2: assert in PhaseIdealLoop::do_unroll() is
subject to undefined behavior
- JDK-8291226: Create Test Cases to cover scenarios for
JDK-8278067
- JDK-8291637: HttpClient default keep alive timeout not
followed if server sends invalid value
- JDK-8291638: Keep-Alive timeout of 0 should close connection
immediately
- JDK-8292206: TestCgroupMetrics.java fails as getMemoryUsage()
is lower than expected
- JDK-8292301: [REDO v2] C2 crash when allocating array of size
too large
- JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests
resilience under spurious failures
- JDK-8292713: Unsafe.allocateInstance should be intrinsified
without UseUnalignedAccesses
- JDK-8292755: Non-default method in interface leads to a stack
overflow in JShell
- JDK-8292990: Improve test coverage for XPath Axes: parent
- JDK-8293295: Add type check asserts to
java_lang_ref_Reference accessors
- JDK-8293492: ShenandoahControlThread missing from hs-err log
and thread dump
- JDK-8293858: Change PKCS7 code to use default SecureRandom
impl instead of SHA1PRNG
- JDK-8293887: AArch64 build failure with GCC 12 due to
maybe-uninitialized warning in libfdlibm k_rem_pio2.c
- JDK-8294183: AArch64: Wrong macro check in
SharedRuntime::generate_deopt_blob
- JDK-8294281: Allow warnings to be disabled on a per-file basis
- JDK-8294673: JFR: Add SecurityProviderService#threshold to
TestActiveSettingEvent.java
- JDK-8294717: (bf) DirectByteBuffer constructor will leak if
allocating Deallocator or Cleaner fails with OOME
- JDK-8294906: Memory leak in PKCS11 NSS TLS server
- JDK-8295564: Norwegian Nynorsk Locale is missing formatting
- JDK-8295974: jni_FatalError and Xcheck:jni warnings should
print the native stack when there are no Java frames
- JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java
fails intermittently on a VM
- JDK-8296318: use-def assert: special case undetected loops
nested in infinite loops
- JDK-8296343: CPVE thrown on missing content-length in OCSP
response
- JDK-8296412: Special case infinite loops with unmerged
backedges in IdealLoopTree::check_safepts
- JDK-8296545: C2 Blackholes should allow load optimizations
- JDK-8296934: Write a test to verify whether Undecorated Frame
can be iconified or not
- JDK-8297000: [jib] Add more friendly warning for proxy issues
- JDK-8297154: Improve safepoint cleanup logging
- JDK-8297450: ScaledTextFieldBorderTest.java fails when run
with -show parameter
- JDK-8297587: Upgrade JLine to 3.22.0
- JDK-8297730: C2: Arraycopy intrinsic throws incorrect
exception
- JDK-8297955: LDAP CertStore should use LdapName and not
String for DNs
- JDK-8298488: [macos13] tools/jpackage tests failing with
'Exit code: 137' on macOS
- JDK-8298887: On the latest macOS+XCode the Robot API may
report wrong colors
- JDK-8299179: ArrayFill with store on backedge needs to reduce
length by 1
- JDK-8299259: C2: Div/Mod nodes without zero check could be
split through iv phi of loop resulting in SIGFPE
- JDK-8299544: Improve performance of CRC32C intrinsics
(non-AVX-512) for small inputs
- JDK-8299570: [JVMCI] Insufficient error handling when
CodeBuffer is exhausted
- JDK-8299959: C2: CmpU::Value must filter overflow computation
against local sub computation
- JDK-8300042: Improve CPU related JFR events descriptions
- JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy
due to constant NULL src argument
- JDK-8300823: UB: Compile::_phase_optimize_finished is
initialized too late
- JDK-8300939: sun/security/provider/certpath/OCSP/
/OCSPNoContentLength.java fails due to network errors
- JDK-8301050: Detect Xen Virtualization on Linux aarch64
- JDK-8301119: Support for GB18030-2022
- JDK-8301123: Enable Symbol refcounting underflow checks in
PRODUCT
- JDK-8301190: [vectorapi] The typeChar of LaneType is
incorrect when default locale is tr
- JDK-8301216: ForkJoinPool invokeAll() ignores timeout
- JDK-8301338: Identical branch conditions in
CompileBroker::print_heapinfo
- JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic
called with negative character argument
- JDK-8301637: ThreadLocalRandom.current().doubles().parallel()
contention
- JDK-8301661: Enhance os::pd_print_cpu_info on macOS and
Windows
- JDK-8302151: BMPImageReader throws an exception reading BMP
images
- JDK-8302172: [JVMCI] HotSpotResolvedJavaMethodImpl.canBeInlined
must respect ForceInline
- JDK-8302320: AsyncGetCallTrace obtains too few frames in
sanity test
- JDK-8302491: NoClassDefFoundError omits the original cause of
an error
- JDK-8302508: Add timestamp to the output TraceCompilerThreads
- JDK-8302594: use-after-free in Node::destruct
- JDK-8302595: use-after-free related to GraphKit::clone_map
- JDK-8302791: Add specific ClassLoader object to Proxy
IllegalArgumentException message
- JDK-8302849: SurfaceManager might expose partially
constructed object
- JDK-8303069: Memory leak in CompilerOracle::parse_from_line
- JDK-8303102: jcmd: ManagementAgent.status truncates the text
longer than O_BUFLEN
- JDK-8303130: Document required Accessibility permissions on
macOS
- JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m
needs CFRelease call in early potential CHECK_NULL return
- JDK-8303433: Bump update version for OpenJDK: jdk-17.0.8
- JDK-8303440: The 'ZonedDateTime.parse' may not accept the
'UTC+XX' zone id
- JDK-8303465: KeyStore of type KeychainStore, provider Apple
does not show all trusted certificates
- JDK-8303476: Add the runtime version in the release file of a
JDK image
- JDK-8303482: Update LCMS to 2.15
- JDK-8303508: Vector.lane() gets wrong value on x86
- JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during
unrolling
- JDK-8303564: C2: 'Bad graph detected in build_loop_late'
after a CMove is wrongly split thru phi
- JDK-8303575: adjust Xen handling on Linux aarch64
- JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs
CFRelease call in early potential CHECK_NULL return
- JDK-8303588: [JVMCI] make JVMCI source directories conform
with standard layout
- JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
- JDK-8303822: gtestMain should give more helpful output
- JDK-8303861: Error handling step timeouts should never be
blocked by OnError and others
- JDK-8303937: Corrupted heap dumps due to missing retries for
os::write()
- JDK-8303949: gcc10 warning Linux ppc64le - note: the layout
of aggregates containing vectors with 8-byte alignment has
changed in GCC 5
- JDK-8304054: Linux: NullPointerException from
FontConfiguration.getVersion in case no fonts are installed
- JDK-8304063: tools/jpackage/share/AppLauncherEnvTest.java
fails when checking LD_LIBRARY_PATH
- JDK-8304134: jib bootstrapper fails to quote filename when
checking download filetype
- JDK-8304291: [AIX] Broken build after JDK-8301998
- JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
- JDK-8304350: Font.getStringBounds calculates wrong width for
TextAttribute.TRACKING other than 0.0
- JDK-8304671: javac regression: Compilation with --release 8
fails on underscore in enum identifiers
- JDK-8304683: Memory leak in WB_IsMethodCompatible
- JDK-8304760: Add 2 Microsoft TLS roots
- JDK-8304867: Explicitly disable dtrace for ppc builds
- JDK-8304880: [PPC64] VerifyOops code in C1 doesn't work with
ZGC
- JDK-8305088: SIGSEGV in Method::is_method_handle_intrinsic
- JDK-8305113: (tz) Update Timezone Data to 2023c
- JDK-8305400: ISO 4217 Amendment 175 Update
- JDK-8305403: Shenandoah evacuation workers may deadlock
- JDK-8305481: gtest is_first_C_frame failing on ARM
- JDK-8305690: [X86] Do not emit two REX prefixes in
Assembler::prefix
- JDK-8305711: Arm: C2 always enters slowpath for monitorexit
- JDK-8305721: add `make compile-commands` artifacts to
.gitignore
- JDK-8305975: Add TWCA Global Root CA
- JDK-8305993: Add handleSocketErrorWithMessage to extend nio
Net.c exception message
- JDK-8305994: Guarantee eventual async monitor deflation
- JDK-8306072: Open source several AWT MouseInfo related tests
- JDK-8306133: Open source few AWT Drag & Drop related tests
- JDK-8306409: Open source AWT KeyBoardFocusManger,
LightWeightComponent related tests
- JDK-8306432: Open source several AWT Text Component related
tests
- JDK-8306466: Open source more AWT Drag & Drop related tests
- JDK-8306489: Open source AWT List related tests
- JDK-8306543: GHA: MSVC installation is failing
- JDK-8306640: Open source several AWT TextArea related tests
- JDK-8306652: Open source AWT MenuItem related tests
- JDK-8306658: GHA: MSVC installation could be optional since
it might already be pre-installed
- JDK-8306664: GHA: Update MSVC version to latest stepping
- JDK-8306681: Open source more AWT DnD related tests
- JDK-8306683: Open source several clipboard and color AWT tests
- JDK-8306752: Open source several container and component AWT
tests
- JDK-8306753: Open source several container AWT tests
- JDK-8306755: Open source few Swing JComponent and
AbstractButton tests
- JDK-8306768: CodeCache Analytics reports wrong threshold
- JDK-8306774: Make runtime/Monitor/
/GuaranteedAsyncDeflationIntervalTest.java more reliable
- JDK-8306825: Monitor deflation might be accidentally disabled
by zero intervals
- JDK-8306850: Open source AWT Modal related tests
- JDK-8306871: Open source more AWT Drag & Drop tests
- JDK-8306883: Thread stacksize is reported with wrong units in
os::create_thread logging
- JDK-8306941: Open source several datatransfer and dnd AWT
tests
- JDK-8306943: Open source several dnd AWT tests
- JDK-8306954: Open source five Focus related tests
- JDK-8306955: Open source several JComboBox jtreg tests
- JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
- JDK-8306996: Open source Swing MenuItem related tests
- JDK-8307080: Open source some more JComboBox jtreg tests
- JDK-8307128: Open source some drag and drop tests 4
- JDK-8307130: Open source few Swing JMenu tests
- JDK-8307133: Open source some JTable jtreg tests
- JDK-8307134: Add GTS root CAs
- JDK-8307135: java/awt/dnd/NotReallySerializableTest/
/NotReallySerializableTest.java failed
- JDK-8307331: Correctly update line maps when class redefine
rewrites bytecodes
- JDK-8307346: Add missing gc+phases logging for
ObjectCount(AfterGC) JFR event collection code
- JDK-8307347: serviceability/sa/ClhsdbDumpclass.java could
leave files owned by root on macOS
- JDK-8307378: Allow collectors to provide specific values for
GC notifications' actions
- JDK-8307381: Open Source JFrame, JIF related Swing Tests
- JDK-8307425: Socket input stream read burns CPU cycles with
back-to-back poll(0) calls
- JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has
invalid jtreg `@requires` clause
- JDK-8308554: [17u] Fix commit of 8286191. vm.musl was not
removed from ExternalEditorTest
- JDK-8308880: [17u] micro bench ZoneStrings missed in backport
of 8278434
- JDK-8308884: [17u/11u] Backout JDK-8297951
- JDK-8311467: [17u] Remove designator
DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.8
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3090-1
Released: Tue Aug 1 10:24:13 2023
Summary: Security update for guava
Type: security
Severity: moderate
References: 1179926,1212401,CVE-2020-8908,CVE-2023-2976
This update for guava fixes the following issues:
Upgrade to guava 32.0.1:
- CVE-2020-8908: Fixed predictable temporary files and directories used in FileBackedOutputStream (bsc#1179926).
- CVE-2023-2976: Fixed a temp directory creation vulnerability (bsc#1212401).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3102-1
Released: Tue Aug 1 14:11:53 2023
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1213517
This update for openssl-1_1 fixes the following issues:
- Dont pass zero length input to EVP_Cipher (bsc#1213517)
The following package changes have been done:
- libopenssl1_1-1.1.1l-150500.17.12.1 updated
- libopenssl1_1-hmac-1.1.1l-150500.17.12.1 updated
- openssl-1_1-1.1.1l-150500.17.12.1 updated
- java-17-openjdk-headless-17.0.8.0-150400.3.27.1 updated
- java-17-openjdk-17.0.8.0-150400.3.27.1 updated
- java-17-openjdk-devel-17.0.8.0-150400.3.27.1 updated
- guava-32.0.1-150200.3.7.1 updated
- container:bci-openjdk-17-15.5.17-10.21 updated
More information about the sle-security-updates
mailing list