Security update for java-11-openjdk

Announcement ID:	SUSE-SU-2021:3528-1
Rating:	important
References:	bsc#1191901 bsc#1191903 bsc#1191904 bsc#1191906 bsc#1191909 bsc#1191910 bsc#1191911 bsc#1191912 bsc#1191913 bsc#1191914
Cross-References:	CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603
CVSS scores:	CVE-2021-35550 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-35550 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2021-35556 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35556 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35559 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35559 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35561 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35561 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35564 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-35564 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2021-35565 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35565 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35567 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVE-2021-35567 ( NVD ): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVE-2021-35578 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35578 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35586 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35586 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2021-35603 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2021-35603 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves 10 vulnerabilities can now be installed.

Description:

This update for java-11-openjdk fixes the following issues:

Update to 11.0.13+8 (October 2021 CPU)

• CVE-2021-35550, bsc#1191901: Update the default enabled cipher suites preference
• CVE-2021-35565, bsc#1191909: com.sun.net.HttpsServer spins on TLS session close
• CVE-2021-35556, bsc#1191910: Richer Text Editors
• CVE-2021-35559, bsc#1191911: Enhanced style for RTF kit
• CVE-2021-35561, bsc#1191912: Better hashing support
• CVE-2021-35564, bsc#1191913: Improve Keystore integrity
• CVE-2021-35567, bsc#1191903: More Constrained Delegation
• CVE-2021-35578, bsc#1191904: Improve TLS client handshaking
• CVE-2021-35586, bsc#1191914: Better BMP support
• CVE-2021-35603, bsc#1191906: Better session identification
• Improve Stream handling for SSL
• Improve requests of certificates
• Correct certificate requests
• Enhance DTLS client handshake

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3528=1
• SUSE Linux Enterprise Server 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3528=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP5
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3528=1

Package List:

• SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  • java-11-openjdk-debugsource-11.0.13.0-3.33.2
  • java-11-openjdk-devel-11.0.13.0-3.33.2
  • java-11-openjdk-11.0.13.0-3.33.2
  • java-11-openjdk-headless-11.0.13.0-3.33.2
  • java-11-openjdk-demo-11.0.13.0-3.33.2
• SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  • java-11-openjdk-debugsource-11.0.13.0-3.33.2
  • java-11-openjdk-devel-11.0.13.0-3.33.2
  • java-11-openjdk-11.0.13.0-3.33.2
  • java-11-openjdk-headless-11.0.13.0-3.33.2
  • java-11-openjdk-demo-11.0.13.0-3.33.2
• SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  • java-11-openjdk-debugsource-11.0.13.0-3.33.2
  • java-11-openjdk-devel-11.0.13.0-3.33.2
  • java-11-openjdk-11.0.13.0-3.33.2
  • java-11-openjdk-headless-11.0.13.0-3.33.2
  • java-11-openjdk-demo-11.0.13.0-3.33.2

References:

• https://www.suse.com/security/cve/CVE-2021-35550.html
• https://www.suse.com/security/cve/CVE-2021-35556.html
• https://www.suse.com/security/cve/CVE-2021-35559.html
• https://www.suse.com/security/cve/CVE-2021-35561.html
• https://www.suse.com/security/cve/CVE-2021-35564.html
• https://www.suse.com/security/cve/CVE-2021-35565.html
• https://www.suse.com/security/cve/CVE-2021-35567.html
• https://www.suse.com/security/cve/CVE-2021-35578.html
• https://www.suse.com/security/cve/CVE-2021-35586.html
• https://www.suse.com/security/cve/CVE-2021-35603.html
• https://bugzilla.suse.com/show_bug.cgi?id=1191901
• https://bugzilla.suse.com/show_bug.cgi?id=1191903
• https://bugzilla.suse.com/show_bug.cgi?id=1191904
• https://bugzilla.suse.com/show_bug.cgi?id=1191906
• https://bugzilla.suse.com/show_bug.cgi?id=1191909
• https://bugzilla.suse.com/show_bug.cgi?id=1191910
• https://bugzilla.suse.com/show_bug.cgi?id=1191911
• https://bugzilla.suse.com/show_bug.cgi?id=1191912
• https://bugzilla.suse.com/show_bug.cgi?id=1191913
• https://bugzilla.suse.com/show_bug.cgi?id=1191914