Security update for java-17-openjdk

Announcement ID:	SUSE-SU-2023:2110-1
Rating:	important
References:	bsc#1209333 bsc#1210628 bsc#1210631 bsc#1210632 bsc#1210634 bsc#1210635 bsc#1210636 bsc#1210637
Cross-References:	CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968
CVSS scores:	CVE-2023-21930 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2023-21930 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2023-21937 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21937 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21938 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21938 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21939 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21939 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21954 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-21954 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2023-21967 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-21967 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-21968 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2023-21968 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:	Basesystem Module 15-SP4 openSUSE Leap 15.4 SUSE Linux Enterprise Desktop 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Real Time 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3

An update that solves seven vulnerabilities and has one security fix can now be installed.

Description:

This update for java-17-openjdk fixes the following issues:

Update to upstrem tag jdk-17.0.7+7 (April 2023 CPU)

Security fixes:

CVE-2023-21930: Fixed AES support (bsc#1210628).
CVE-2023-21937: Fixed String platform support (bsc#1210631).
CVE-2023-21938: Fixed runtime support (bsc#1210632).
CVE-2023-21939: Fixed Swing platform support (bsc#1210634).
CVE-2023-21954: Fixed object reclamation process (bsc#1210635).
CVE-2023-21967: Fixed TLS session negotiation (bsc#1210636).
CVE-2023-21968: Fixed path handling (bsc#1210637).

Other fixes:

Fixed socket setTrafficClass not working for IPv4 connections when IPv6 is enabled (bsc#1209333).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-2110=1
Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-2110=1

Package List:

openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
- java-17-openjdk-17.0.7.0-150400.3.18.2
- java-17-openjdk-jmods-17.0.7.0-150400.3.18.2
- java-17-openjdk-headless-17.0.7.0-150400.3.18.2
- java-17-openjdk-debuginfo-17.0.7.0-150400.3.18.2
- java-17-openjdk-demo-17.0.7.0-150400.3.18.2
- java-17-openjdk-headless-debuginfo-17.0.7.0-150400.3.18.2
- java-17-openjdk-debugsource-17.0.7.0-150400.3.18.2
- java-17-openjdk-devel-17.0.7.0-150400.3.18.2
- java-17-openjdk-devel-debuginfo-17.0.7.0-150400.3.18.2
- java-17-openjdk-src-17.0.7.0-150400.3.18.2
openSUSE Leap 15.4 (noarch)
- java-17-openjdk-javadoc-17.0.7.0-150400.3.18.2
Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
- java-17-openjdk-17.0.7.0-150400.3.18.2
- java-17-openjdk-headless-17.0.7.0-150400.3.18.2
- java-17-openjdk-debuginfo-17.0.7.0-150400.3.18.2
- java-17-openjdk-demo-17.0.7.0-150400.3.18.2
- java-17-openjdk-headless-debuginfo-17.0.7.0-150400.3.18.2
- java-17-openjdk-debugsource-17.0.7.0-150400.3.18.2
- java-17-openjdk-devel-17.0.7.0-150400.3.18.2
- java-17-openjdk-devel-debuginfo-17.0.7.0-150400.3.18.2

Security update for java-17-openjdk

Description:

Patch Instructions:

Package List:

References: