SUSE-CU-2023:2642-1: Security update of bci/openjdk

sle-security-updates at sle-security-updates at
Sun Aug 13 07:18:17 UTC 2023

SUSE Container Update Advisory: bci/openjdk
Container Advisory ID : SUSE-CU-2023:2642-1
Container Tags        : bci/openjdk:11 , bci/openjdk:11-9.27
Container Release     : 9.27
Severity              : important
Type                  : security
References            : 1206627 1207922 1213189 1213473 1213474 1213475 1213479 1213481
                        1213482 CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22044
                        CVE-2023-22045 CVE-2023-22049 CVE-2023-25193 

The container bci/openjdk was updated. The following patches have been included in this update:

Advisory ID: SUSE-RU-2023:3285-1
Released:    Fri Aug 11 10:30:38 2023
Summary:     Recommended update for shadow
Type:        recommended
Severity:    moderate
References:  1206627,1213189
This update for shadow fixes the following issues:

- Prevent lock files from remaining after power interruptions (bsc#1213189)
- Add --prefix support to passwd, chpasswd and chage (bsc#1206627)

Advisory ID: SUSE-SU-2023:3287-1
Released:    Fri Aug 11 12:27:11 2023
Summary:     Security update for java-11-openjdk
Type:        security
Severity:    important
References:  1207922,1213473,1213474,1213475,1213479,1213481,1213482,CVE-2023-22006,CVE-2023-22036,CVE-2023-22041,CVE-2023-22044,CVE-2023-22045,CVE-2023-22049,CVE-2023-25193
This update for java-11-openjdk fixes the following issues:

  Updated to jdk-11.0.20+8 (July 2023 CPU):

  - CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473).
  - CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474).
  - CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475).
  - CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479).
  - CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481).
  - CVE-2023-22049: Fixed vulnerability in the libraries component (bsc#1213482).
  - CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module (bsc#1207922).

  - JDK-8298676: Enhanced Look and Feel
  - JDK-8300285: Enhance TLS data handling
  - JDK-8300596: Enhance Jar Signature validation
  - JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
  - JDK-8302475: Enhance HTTP client file downloading
  - JDK-8302483: Enhance ZIP performance
  - JDK-8303376: Better launching of JDI
  - JDK-8304468: Better array usages
  - JDK-8305312: Enhanced path handling
  - JDK-8308682: Enhance AES performance


  - JDK-8171426: java/lang/ProcessBuilder/ failed with
    Stream closed
  - JDK-8178806: Better exception logging in crypto code
  - JDK-8187522: test/sun/net/ftp/ timed
  - JDK-8209167: Use CLDR's time zone mappings for Windows
  - JDK-8209546: Make sun/security/tools/keytool/ to
    support macosx
  - JDK-8209880: tzdb.dat is not reproducibly built
  - JDK-8213531: Test javax/swing/border/
  - JDK-8214459: NSS source should be removed
  - JDK-8214807: Improve handling of very old class files
  - JDK-8215015: [TESTBUG] remove unneeded -Xfuture option from
  - JDK-8215575: C2 crash: assert(get_instanceKlass()->is_loaded())
    failed: must be at least loaded
  - JDK-8220093: Change to GCC 8.2 for building on Linux at Oracle
  - JDK-8227257: javax/swing/JFileChooser/4847375/
    fails with AssertionError
  - JDK-8232853: AuthenticationFilter.Cache::remove may throw
  - JDK-8243936: NonWriteable system properties are actually
  - JDK-8246383: NullPointerException in
    JceSecurity.getVerificationResult when using Entrust provider
  - JDK-8248701: On Windows generated modules-deps.gmk can
    contain backslash-r (CR) characters
  - JDK-8257856: Make robust to JDK
    version updates
  - JDK-8259530: Generated docs contain MIT/GPL-licenced works
    without reproducing the licence
  - JDK-8263420: Incorrect function name in
    NSAccessibilityStaticText native peer implementation
  - JDK-8264290: Create implementation for
    NSAccessibilityComponentGroup protocol peer
  - JDK-8264304: Create implementation for NSAccessibilityToolbar
    protocol peer
  - JDK-8265486: ProblemList javax/sound/midi/Sequencer/
    / on macosx-aarch64
  - JDK-8268558: [TESTBUG] Case 2 in
    TestP11KeyFactoryGetRSAKeySpec is skipped
  - JDK-8269746: C2: assert(!in->is_CFG()) failed: CFG Node with
    no controlling input?
  - JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
  - JDK-8275233: Incorrect line number reported in exception
    stack trace thrown from a lambda expression
  - JDK-8275721: Name of UTC timezone in a locale changes
    depending on previous code
  - JDK-8275735: [linux] Remove deprecated Metrics api (kernel
    memory limit)
  - JDK-8276880: Remove java/lang/RuntimeTests/exec/ExecWithDir
    as unnecessary
  - JDK-8277775: Fixup bugids in -
    add 4357905
  - JDK-8278434: timeouts in test java/time/test/java/time/format/
  - JDK-8280703: CipherCore.doFinal(...) causes potentially
    massive byte[] allocations during decryption
  - JDK-8282077: PKCS11 provider C_sign() impl should handle
  - JDK-8282201: Consider removal of expiry check in test
  - JDK-8282467: add extra diagnostics for JDK-8268184
  - JDK-8282600: SSLSocketImpl should not use user_canceled
    workaround when not necessary
  - JDK-8283059: Uninitialized warning in check_code.c with GCC
  - JDK-8285497: Add system property for Java SE specification
    maintenance version
  - JDK-8286398: Address possibly lossy conversions in
  - JDK-8287007: [cgroups] Consistently use stringStream
    throughout parsing code
  - JDK-8287246: DSAKeyValue should check for missing params
    instead of relying on KeyFactory provider
  - JDK-8287876: The recently de-problemlisted
    TestTitledBorderLeak test is unstable
  - JDK-8287897: Augment src/jdk.internal.le/share/legal/
    with information on 4th party dependencies
  - JDK-8289301: P11Cipher should not throw out of bounds
    exception during padding
  - JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
  - JDK-8291226: Create Test Cases to cover scenarios for
  - JDK-8291637: HttpClient default keep alive timeout not
    followed if server sends invalid value
  - JDK-8291638: Keep-Alive timeout of 0 should close connection
  - JDK-8292206: fails as getMemoryUsage()
    is lower than expected
  - JDK-8293232: Fix race condition in pkcs11 SessionManager
  - JDK-8293815: P11PSSSignature.engineUpdate should not print
    debug messages during normal operation
  - JDK-8294548: Problem list SA core file tests on macosx-x64
    due to JDK-8294316
  - JDK-8294906: Memory leak in PKCS11 NSS TLS server
  - JDK-8295974: jni_FatalError and Xcheck:jni warnings should
    print the native stack when there are no Java frames
  - JDK-8296934: Write a test to verify whether Undecorated Frame
    can be iconified or not
  - JDK-8297000: [jib] Add more friendly warning for proxy issues
  - JDK-8297450: fails when run
    with -show parameter
  - JDK-8298887: On the latest macOS+XCode the Robot API may
    report wrong colors
  - JDK-8299259: C2: Div/Mod nodes without zero check could be
    split through iv phi of loop resulting in SIGFPE
  - JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy
    due to constant NULL src argument
  - JDK-8300205: Swing test bug8078268 make latch timeout
  - JDK-8300490: Spaces in name of MacOS Code Signing Identity
    are not correctly handled after JDK-8293550
  - JDK-8301119: Support for GB18030-2022
  - JDK-8301170: perfMemory_windows.cpp add free_security_attr to
    early returns
  - JDK-8301401: Allow additional characters for GB18030-2022
  - JDK-8302151: BMPImageReader throws an exception reading BMP
  - JDK-8302791: Add specific ClassLoader object to Proxy
    IllegalArgumentException message
  - JDK-8303102: jcmd: ManagementAgent.status truncates the text
    longer than O_BUFLEN
  - JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m
    needs CFRelease call in early potential CHECK_NULL return
  - JDK-8303432: Bump update version for OpenJDK: jdk-11.0.20
  - JDK-8303440: The 'ZonedDateTime.parse' may not accept the
    'UTC+XX' zone id
  - JDK-8303465: KeyStore of type KeychainStore, provider Apple
    does not show all trusted certificates
  - JDK-8303476: Add the runtime version in the release file of a
    JDK image
  - JDK-8303482: Update LCMS to 2.15
  - JDK-8303564: C2: 'Bad graph detected in build_loop_late'
    after a CMove is wrongly split thru phi
  - JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs
    CFRelease call in early potential CHECK_NULL return
  - JDK-8303822: gtestMain should give more helpful output
  - JDK-8303861: Error handling step timeouts should never be
    blocked by OnError and others
  - JDK-8303937: Corrupted heap dumps due to missing retries for
  - JDK-8304134: jib bootstrapper fails to quote filename when
    checking download filetype
  - JDK-8304291: [AIX] Broken build after JDK-8301998
  - JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
  - JDK-8304350: Font.getStringBounds calculates wrong width for
    TextAttribute.TRACKING other than 0.0
  - JDK-8304760: Add 2 Microsoft TLS roots
  - JDK-8305113: (tz) Update Timezone Data to 2023c
  - JDK-8305400: ISO 4217 Amendment 175 Update
  - JDK-8305528: [11u] Backport of JDK-8259530 breaks build with
    JDK10 bootstrap VM
  - JDK-8305682: Update the javadoc in the Character class to
    state support for GB 18030-2022 Implementation Level 2
  - JDK-8305711: Arm: C2 always enters slowpath for monitorexit
  - JDK-8305721: add `make compile-commands` artifacts to
  - JDK-8305975: Add TWCA Global Root CA
  - JDK-8306543: GHA: MSVC installation is failing
  - JDK-8306658: GHA: MSVC installation could be optional since
    it might already be pre-installed
  - JDK-8306664: GHA: Update MSVC version to latest stepping
  - JDK-8306768: CodeCache Analytics reports wrong threshold
  - JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
  - JDK-8307134: Add GTS root CAs
  - JDK-8307811: [TEST] compilation of TimeoutInErrorHandlingTest
    fails after backport of JDK-8303861
  - JDK-8308006: Missing NMT memory tagging in CMS
  - JDK-8308884: [17u/11u] Backout JDK-8297951
  - JDK-8309476: [11u] tools/jmod/hashes/
    fails intermittently
  - JDK-8311465: [11u] Remove designator
    DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.20

The following package changes have been done:

- login_defs-4.8.1-150400.10.9.1 updated
- shadow-4.8.1-150400.10.9.1 updated
- java-11-openjdk-headless- updated
- java-11-openjdk- updated
- container:sles15-image-15.0.0-36.5.24 updated

More information about the sle-security-updates mailing list