SUSE 5154 Published by

The following updates has been released for openSUSE:

openSUSE-SU-2019:0159-1: moderate: Security update for python-urllib3
openSUSE-SU-2019:0161-1: important: Security update for java-11-openjdk



openSUSE-SU-2019:0159-1: moderate: Security update for python-urllib3

openSUSE Security Update: Security update for python-urllib3
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0159-1
Rating: moderate
References: #1024540 #1074247 #1110422
Cross-References: CVE-2016-9015
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for python-urllib3 fixes the following issues:

python-urllib3 was updated to version 1.22 (fate#326733, bsc#1110422) and
contains new features and lots of bugfixes:

The full changelog can be found on:

https://github.com/Lukasa/urllib3/blob/1.22/CHANGES.rst

Security issues fixed:

- CVE-2016-9015: TLS certificate validation vulnerability (bsc#1024540).
(This issue did not affect our previous version 1.16.)

Non security issues fixed:

- bsc#1074247: Fix test suite, use correct date (gh#shazow/urllib3#1303).

This update was imported from the SUSE:SLE-12-SP1:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2019-159=1



Package List:

- openSUSE Leap 42.3 (noarch):

python-urllib3-1.22-4.4.1
python3-urllib3-1.22-4.4.1


References:

https://www.suse.com/security/cve/CVE-2016-9015.html
https://bugzilla.suse.com/1024540
https://bugzilla.suse.com/1074247
https://bugzilla.suse.com/1110422

--


openSUSE-SU-2019:0161-1: important: Security update for java-11-openjdk

openSUSE Security Update: Security update for java-11-openjdk
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:0161-1
Rating: important
References: #1120431 #1122293 #1122299
Cross-References: CVE-2018-11212 CVE-2019-2422 CVE-2019-2426

Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for java-11-openjdk to version 11.0.2+7 fixes the following
issues:

Security issues fixed:

- CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
- CVE-2019-2426: Improve web server connections
- CVE-2018-11212: Improve JPEG processing (bsc#1122299)
- Better route routing
- Better interface enumeration
- Better interface lists
- Improve BigDecimal support
- Improve robot support
- Better icon support
- Choose printer defaults
- Proper allocation handling
- Initial class initialization
- More reliable p11 transactions
- Improve NIO stability
- Better loading of classloader classes
- Strengthen Windows Access Bridge Support
- Improved data set handling
- Improved LSA authentication
- Libsunmscapi improved interactions

Non-security issues fix:

- Do not resolve by default the added JavaEE modules (bsc#1120431)
- ~2.5% regression on compression benchmark starting with 12-b11
- java.net.http.HttpClient hangs on 204 reply without Content-length 0
- Add additional TeliaSonera root certificate
- Add more ld preloading related info to hs_error file on Linux
- Add test to exercise server-side client hello processing
- AES encrypt performance regression in jdk11b11
- AIX: ProcessBuilder: Piping between created processes does not work.
- AIX: Some class library files are missing the Classpath exception
- AppCDS crashes for some uses with JRuby
- Automate vtable/itable stub size calculation
- BarrierSetC1::generate_referent_check() confuses register allocator
- Better HTTP Redirection
- Catastrophic size_t underflow in BitMap::*_large methods
- Clip.isRunning() may return true after Clip.stop() was called
- Compiler thread creation should be bounded by available space in memory
and Code Cache
- com.sun.net.httpserver.HttpServer returns Content-length header for 204
response code
- Default mask register for avx512 instructions
- Delayed starting of debugging via jcmd
- Disable all DES cipher suites
- Disable anon and NULL cipher suites
- Disable unsupported GCs for Zero
- Epsilon alignment adjustments can overflow max TLAB size
- Epsilon elastic TLAB sizing may cause misalignment
- HotSpot update for vm_version.cpp to recognise updated VS2017
- HttpClient does not retrieve files with large sizes over HTTP/1.1
- IIOException "tEXt chunk length is not proper" on opening png file
- Improve TLS connection stability again
- InitialDirContext ctor sometimes throws NPE if the server has sent a
disconnection
- Inspect stack during error reporting
- Instead of circle rendered in appl window, but ellipse is produced
JEditor Pane
- Introduce diagnostic flag to abort VM on failed JIT compilation
- Invalid assert(HeapBaseMinAddress > 0) in
ReservedHeapSpace::initialize_compressed_heap
- jar has issues with UNC-path arguments for the jar -C parameter [windows]
- java.net.http HTTP client should allow specifying Origin and Referer
headers
- java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
- JDK 11.0.1 l10n resource file update
- JDWP Transport Listener: dt_socket thread crash
- JVMTI ResourceExhausted should not be posted in CompilerThread
- LDAPS communication failure with jdk 1.8.0_181
- linux: Poor StrictMath performance due to non-optimized compilation
- Missing synchronization when reading counters for live threads and peak
thread count
- NPE in SupportedGroupsExtension
- OpenDataException thrown when constructing CompositeData for
StackTraceElement
- Parent class loader may not have a referred ClassLoaderData instance
when obtained in Klass::class_in_module_of_loader
- Populate handlers while holding streamHandlerLock
- ppc64: Enable POWER9 CPU detection
- print_location is not reliable enough (printing register info)
- Reconsider default option for ClassPathURLCheck change done in
JDK-8195874
- Register to register spill may use AVX 512 move instruction on
unsupported platform.
- s390: Use of shift operators not covered by cpp standard
- serviceability/sa/TestUniverse.java#id0 intermittently fails with
assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
- SIGBUS in CodeHeapState::print_names()
- SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
- Soft reference reclamation race in
com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
- Swing apps are slow if displaying from a remote source to many local
displays
- switch jtreg to 4.2b13
- Test library OSInfo.getSolarisVersion cannot determine Solaris version
- TestOptionsWithRanges.java is very slow
- TestOptionsWithRanges.java of '-XX:TLABSize=2147483648' fails
intermittently
- The Japanese message of FileNotFoundException garbled
- The "supported_groups" extension in ServerHellos
- ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to
CompositeData
- TimeZone.getDisplayName given Locale.US doesn't always honor the Locale.
- TLS 1.2 Support algorithm in SunPKCS11 provider
- TLS 1.3 handshake server name indication is missing on a session resume
- TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and
psk_key_exchange_modes
- TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side
with mutual auth
- tz: Upgrade time-zone data to tzdata2018g
- Undefined behaviour in ADLC
- Update avx512 implementation
- URLStreamHandler initialization race
- UseCompressedOops requirement check fails fails on 32-bit system
- windows: Update OS detection code to recognize Windows Server 2019
- x86: assert on unbound assembler Labels used as branch targets
- x86: jck tests for ldc2_w bytecode fail
- x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
- "-XX:OnOutOfMemoryError" uses fork instead of vfork

This update was imported from the SUSE:SLE-15:Update update project.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-161=1



Package List:

- openSUSE Leap 15.0 (x86_64):

java-11-openjdk-11.0.2.0-lp150.2.12.1
java-11-openjdk-accessibility-11.0.2.0-lp150.2.12.1
java-11-openjdk-accessibility-debuginfo-11.0.2.0-lp150.2.12.1
java-11-openjdk-debuginfo-11.0.2.0-lp150.2.12.1
java-11-openjdk-debugsource-11.0.2.0-lp150.2.12.1
java-11-openjdk-demo-11.0.2.0-lp150.2.12.1
java-11-openjdk-devel-11.0.2.0-lp150.2.12.1
java-11-openjdk-headless-11.0.2.0-lp150.2.12.1
java-11-openjdk-jmods-11.0.2.0-lp150.2.12.1
java-11-openjdk-src-11.0.2.0-lp150.2.12.1

- openSUSE Leap 15.0 (noarch):

java-11-openjdk-javadoc-11.0.2.0-lp150.2.12.1


References:

https://www.suse.com/security/cve/CVE-2018-11212.html
https://www.suse.com/security/cve/CVE-2019-2422.html
https://www.suse.com/security/cve/CVE-2019-2426.html
https://bugzilla.suse.com/1120431
https://bugzilla.suse.com/1122293
https://bugzilla.suse.com/1122299

--