Security update for java-1_8_0-openjdk

Announcement ID:	SUSE-SU-2019:2021-1
Rating:	important
References:	bsc#1115375 bsc#1141780 bsc#1141782 bsc#1141783 bsc#1141784 bsc#1141785 bsc#1141786 bsc#1141787 bsc#1141789
Cross-References:	CVE-2019-2745 CVE-2019-2762 CVE-2019-2766 CVE-2019-2769 CVE-2019-2786 CVE-2019-2816 CVE-2019-2842 CVE-2019-7317
CVSS scores:	CVE-2019-2745 ( SUSE ): 5.1 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-2745 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-2745 ( NVD ): 5.1 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2019-2762 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2762 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2762 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2766 ( SUSE ): 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2019-2766 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2019-2766 ( NVD ): 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2019-2769 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2769 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2769 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2786 ( SUSE ): 3.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2019-2786 ( NVD ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2019-2786 ( NVD ): 3.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2019-2816 ( SUSE ): 4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2019-2816 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2019-2816 ( NVD ): 4.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2019-2842 ( SUSE ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2842 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-2842 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2019-7317 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-7317 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2019-7317 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:	Legacy Module 15-SP1 Legacy Module 15 SUSE Linux Enterprise Desktop 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0 SUSE Package Hub 15

An update that solves eight vulnerabilities and has one security fix can now be installed.

Description:

This update for java-1_8_0-openjdk to version 8u222 fixes the following issues:

Security issues fixed:

CVE-2019-2745: Improved ECC Implementation (bsc#1141784).
CVE-2019-2762: Exceptional throw cases (bsc#1141782).
CVE-2019-2766: Improve file protocol handling (bsc#1141789).
CVE-2019-2769: Better copies of CopiesList (bsc#1141783).
CVE-2019-2786: More limited privilege usage (bsc#1141787).
CVE-2019-2816: Normalize normalization (bsc#1141785).
CVE-2019-2842: Extended AES support (bsc#1141786).
CVE-2019-7317: Improve PNG support (bsc#1141780).
Certificate validation improvements

Non-security issue fixed:

Fixed an issue where the installation failed when the manpages are not present (bsc#1115375)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

Legacy Module 15
zypper in -t patch SUSE-SLE-Module-Legacy-15-2019-2021=1
Legacy Module 15-SP1
zypper in -t patch SUSE-SLE-Module-Legacy-15-SP1-2019-2021=1
SUSE Package Hub 15
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-2019-2021=1

Package List:

Legacy Module 15 (aarch64 ppc64le s390x x86_64)
- java-1_8_0-openjdk-demo-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-demo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-1.8.0.222-3.24.2
- java-1_8_0-openjdk-headless-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-devel-1.8.0.222-3.24.2
- java-1_8_0-openjdk-devel-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-debugsource-1.8.0.222-3.24.2
- java-1_8_0-openjdk-headless-1.8.0.222-3.24.2
Legacy Module 15-SP1 (aarch64 ppc64le s390x x86_64)
- java-1_8_0-openjdk-demo-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-demo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-1.8.0.222-3.24.2
- java-1_8_0-openjdk-headless-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-devel-1.8.0.222-3.24.2
- java-1_8_0-openjdk-devel-debuginfo-1.8.0.222-3.24.2
- java-1_8_0-openjdk-debugsource-1.8.0.222-3.24.2
- java-1_8_0-openjdk-headless-1.8.0.222-3.24.2
SUSE Package Hub 15 (noarch)
- java-1_8_0-openjdk-javadoc-1.8.0.222-3.24.2

Security update for java-1_8_0-openjdk

Description:

Patch Instructions:

Package List:

References: