
The following updates have been released for Oracle Linux:

ELSA-2018-2942 Critical: Oracle Linux 7 java-1.8.0-openjdk security update
ELSA-2018-2943 Critical: Oracle Linux 6 java-1.8.0-openjdk security update
New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELBA-2018-4252)
New openssl updates available via Ksplice (ELSA-2018-4248)
New openssl updates available via Ksplice (ELSA-2018-4249)



ELSA-2018-2942 Critical: Oracle Linux 7 java-1.8.0-openjdk security update

Oracle Linux Security Advisory ELSA-2018-2942

http://linux.oracle.com/errata/ELSA-2018-2942.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-accessibility-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-accessibility-debug-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-accessibility-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-src-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-src-1.8.0.191.b12-0.el7_5.x86_64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el7_5.i686.rpm
java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el7_5.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.src.rpm



Description of changes:

[1:1.8.0.191.b12-0]
- Update to aarch64-shenandoah-jdk8u191-b12.
- Resolves: rhbz#1633817

[1:1.8.0.191.b10-0]
- Update to aarch64-shenandoah-jdk8u191-b10.
- Drop 8146115/PR3508/RH1463098 applied upstream.
- Resolves: rhbz#1633817

[1:1.8.0.181.b16-0]
- Add new Shenandoah patch PR3634 as upstream still fails on s390.
- Resolves: rhbz#1633817

[1:1.8.0.181.b16-0]
- Update to aarch64-shenandoah-jdk8u181-b16.
- Drop PR3619 & PR3620 Shenandoah patches which should now be fixed
upstream.
- Resolves: rhbz#1633817

[1:1.8.0.181.b15-0]
- Move to single OpenJDK tarball build, based on aarch64/shenandoah-jdk8u.
- Update to aarch64-shenandoah-jdk8u181-b15.
- Drop 8165489-pr3589.patch which was only applied to aarch64/jdk8u builds.
- Move buildver to where it should be in the OpenJDK version.
- Split ppc64 Shenandoah fix into separate patch file with its own bug
ID (PR3620).
- Update pr3539-rh1548475.patch to apply after 8187045.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Remove unneeded functions from ppc shenandoahBarrierSet.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Add missing shenandoahBarrierSet implementation for ppc64{be,le}.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Fix wrong format specifiers in Shenandoah code.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Avoid changing variable types to fix size_t, at least for now.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- More size_t fixes for Shenandoah.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Add additional s390 size_t case for Shenandoah.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Actually add the patch...
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Attempt to fix Shenandoah build issues on s390.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Use the Shenandoah HotSpot on all architectures.
- Resolves: rhbz#1633817

ELSA-2018-2943 Critical: Oracle Linux 6 java-1.8.0-openjdk security update

Oracle Linux Security Advisory ELSA-2018-2943

http://linux.oracle.com/errata/ELSA-2018-2943.html

The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:

i386:
java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.el6_10.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.el6_10.noarch.rpm
java-1.8.0-openjdk-src-1.8.0.191.b12-0.el6_10.i686.rpm
java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el6_10.i686.rpm

x86_64:
java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.el6_10.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.el6_10.noarch.rpm
java-1.8.0-openjdk-src-1.8.0.191.b12-0.el6_10.x86_64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el6_10.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.src.rpm



Description of changes:

[1:1.8.0.191.b12-0]
- Update to aarch64-shenandoah-jdk8u191-b12.
- Resolves: rhbz#1633817

[1:1.8.0.191.b10-0]
- Update to aarch64-shenandoah-jdk8u191-b10.
- Drop 8146115/PR3508/RH1463098 applied upstream.
- Resolves: rhbz#1633817

[1:1.8.0.181.b16-0]
- Add new Shenandoah patch PR3634 as upstream still fails on s390.
- Resolves: rhbz#1633817

[1:1.8.0.181.b16-0]
- Update to aarch64-shenandoah-jdk8u181-b16.
- Drop PR3619 & PR3620 Shenandoah patches which should now be fixed
upstream.
- Drop Shenandoah signedness fix as it appears in the new upstream tarball.
- Resolves: rhbz#1633817

[1:1.8.0.181.b15-0]
- Move to single OpenJDK tarball build, based on aarch64/shenandoah-jdk8u.
- Update to aarch64-shenandoah-jdk8u181-b15.
- Drop 8165489-pr3589.patch which was only applied to aarch64/jdk8u builds.
- Move buildver to where it should be in the OpenJDK version.
- Split ppc64 Shenandoah fix into separate patch file with its own bug
ID (PR3620).
- Update pr3539-rh1548475.patch to apply after 8187045.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Fix signedness build failure in shenandoahHeapRegion.cpp (upstream
patch from mvala)
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Remove unneeded functions from ppc shenandoahBarrierSet.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Add missing shenandoahBarrierSet implementation for ppc64{be,le}.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Fix wrong format specifiers in Shenandoah code.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Avoid changing variable types to fix size_t, at least for now.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- More size_t fixes for Shenandoah.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Add additional s390 size_t case for Shenandoah.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Actually add the patch...
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Attempt to fix Shenandoah build issues on s390.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Use the Shenandoah HotSpot on all architectures
(aarch64-shenandoah-jdk8u181-b13).
- Resolves: rhbz#1633817


New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELBA-2018-4252)

Synopsis: ELBA-2018-4252 can now be patched using Ksplice

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2018-4252.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Performance degradation with IBRS on sibling threads.

Incorrect IBRS disabling logic could result in a performance degradation
when a thread entered the idle loop with IBRS enabled. This could cause
the sibling thread to suffer reduced performance.

Orabug: 28782729

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.

New openssl updates available via Ksplice (ELSA-2018-4248)

Synopsis: ELSA-2018-4248 can now be patched using Ksplice
CVEs: CVE-2018-0732 CVE-2018-0737

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4248.

INSTALLING THE UPDATES

We recommend that all users of Ksplice on OL 6 install these updates.

You can install these updates by running:

# ksplice -y user upgrade

32-bit applications should be restarted after upgrading the on-disk
openssl RPMs, and statically linked applications using
openssl should be rebuilt to include these fixes.

Ksplice user-space patching requires installation of Ksplice-aware
packages, and the system must be rebooted after the first installation of
these packages. Refer to the installation instructions for the Enhanced
Ksplice Client in the Ksplice User's Guide for more details. Systems
may be prepared for Ksplice patching by installing the Ksplice-aware
packages in advance, prior to installing the enhanced Ksplice client.

DESCRIPTION

* CVE-2018-0732: Denial-of-service in Diffie-Hellman key exchange.

A missing range check when performing a Diffie-Hellman key exchange
handshake could result in excessive processing and a hang. A malicious
server could use this flaw to hang the client.


* CVE-2018-0737: Side channel information leak in RSA key generation.

Missing constant time operations when generating an RSA key could allow
a malicious local user to determine the private key being generated by
another process.

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.

New openssl updates available via Ksplice (ELSA-2018-4249)

Synopsis: ELSA-2018-4249 can now be patched using Ksplice
CVEs: CVE-2018-0732 CVE-2018-0737

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4249.

INSTALLING THE UPDATES

We recommend that all users of Ksplice on OL 7 install these updates.

You can install these updates by running:

# ksplice -y user upgrade

32-bit applications should be restarted after upgrading the on-disk
openssl RPMs, and statically linked applications using
openssl should be rebuilt to include these fixes.

Ksplice user-space patching requires installation of Ksplice-aware
packages, and the system must be rebooted after the first installation of
these packages. Refer to the installation instructions for the Enhanced
Ksplice Client in the Ksplice User's Guide for more details. Systems
may be prepared for Ksplice patching by installing the Ksplice-aware
packages in advance, prior to installing the enhanced Ksplice client.

DESCRIPTION

* CVE-2018-0732: Denial-of-service in Diffie-Hellman key exchange.

A missing range check when performing a Diffie-Hellman key exchange
handshake could result in excessive processing and a hang. A malicious
server could use this flaw to hang the client.


* CVE-2018-0737: Side channel information leak in RSA key generation.

Missing constant time operations when generating an RSA key could allow
a malicious local user to determine the private key being generated by
another process.

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.
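
The kind of range check whose absence the two openssl advisories above describe for CVE-2018-0732, as an added example that is not code from OpenSSL, Oracle or the advisories: a client bounds a server-supplied Diffie-Hellman modulus before doing any key generation, so an oversized value is rejected cheaply instead of being processed. It goes slightly beyond the advisory text by also checking a lower bound, parity and the generator; the function names and the bit limits are assumptions chosen for illustration.

```python
import secrets

# Assumed policy limits for this illustration; not taken from the advisory.
MIN_MODULUS_BITS = 2048
MAX_MODULUS_BITS = 8192


class DHParameterError(ValueError):
    """Raised when peer-supplied DH parameters fall outside policy."""


def check_dh_params(p: int, g: int) -> None:
    """Cheap checks that run before any expensive bignum work."""
    bits = p.bit_length()
    if bits > MAX_MODULUS_BITS:
        # The case the advisory describes: reject instead of processing.
        raise DHParameterError(f"modulus too large: {bits} bits")
    if bits < MIN_MODULUS_BITS:
        raise DHParameterError(f"modulus too small: {bits} bits")
    if p % 2 == 0:
        raise DHParameterError("modulus is even, cannot be prime")
    if not 1 < g < p - 1:
        raise DHParameterError("generator outside the range 2..p-2")


def client_keygen(p: int, g: int) -> tuple:
    """Validate the server's (p, g), then generate the client's key pair."""
    check_dh_params(p, g)
    private = secrets.randbelow(p - 3) + 2   # uniform in 2..p-2
    public = pow(g, private, p)              # cost grows with the size of p
    return private, public


def classify(p: int, g: int) -> str:
    """Return 'ok' or the rejection reason, suitable for logging."""
    try:
        check_dh_params(p, g)
    except DHParameterError as exc:
        return str(exc)
    return "ok"


# Constructed sample inputs (not real group parameters): odd numbers of a
# chosen bit length stand in for server-supplied moduli.
ACCEPTABLE_P = (1 << 2047) | 1    # 2048 bits
OVERSIZED_P = (1 << 65535) | 1    # 65536 bits
```

The checks do not prove that p is prime; they only guarantee that the work the client does for an untrusted peer is bounded.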