
A java-17-openjdk security update has been released for openSUSE Leap 15.4/15.5 and SUSE Linux Enterprise SP4/5.

SUSE-SU-2023:3023-1: important: Security update for java-17-openjdk

# Security update for java-17-openjdk

Announcement ID: SUSE-SU-2023:3023-1
Rating: important

References:

* #1207922
* #1213473
* #1213474
* #1213475
* #1213479
* #1213481
* #1213482

Cross-References:

* CVE-2023-22006
* CVE-2023-22036
* CVE-2023-22041
* CVE-2023-22044
* CVE-2023-22045
* CVE-2023-22049
* CVE-2023-25193

CVSS scores:

* CVE-2023-22006 ( SUSE ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2023-22006 ( NVD ): 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
* CVE-2023-22036 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-22036 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
* CVE-2023-22041 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-22041 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-22044 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-22044 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-22045 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-22049 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-25193 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-25193 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Basesystem Module 15-SP4
* Basesystem Module 15-SP5
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3

An update that solves seven vulnerabilities can now be installed.

## Description:

This update for java-17-openjdk fixes the following issues:

Updated to version jdk-17.0.8+7 (July 2023 CPU):

* CVE-2023-22006: Fixed vulnerability in the network component (bsc#1213473).
* CVE-2023-22036: Fixed vulnerability in the utility component (bsc#1213474).
* CVE-2023-22041: Fixed vulnerability in the hotspot component (bsc#1213475).
* CVE-2023-22044: Fixed vulnerability in the hotspot component (bsc#1213479).
* CVE-2023-22045: Fixed vulnerability in the hotspot component (bsc#1213481).
* CVE-2023-22049: Fixed vulnerability in the libraries component
* CVE-2023-25193: Fixed vulnerability in the embedded harfbuzz module

* JDK-8294323: Improve Shared Class Data

* JDK-8296565: Enhanced archival support
* JDK-8298676, JDK-8300891: Enhanced Look and Feel
* JDK-8300285: Enhance TLS data handling
* JDK-8300596: Enhance Jar Signature validation
* JDK-8301998, JDK-8302084: Update HarfBuzz to 7.0.1
* JDK-8302475: Enhance HTTP client file downloading
* JDK-8302483: Enhance ZIP performance
* JDK-8303376: Better launching of JDI
* JDK-8304460: Improve array usages
* JDK-8304468: Better array usages
* JDK-8305312: Enhanced path handling
* JDK-8308682: Enhance AES performance
* JDK-8178806: Better exception logging in crypto code
* JDK-8201516: DebugNonSafepoints generates incorrect information
* JDK-8224768: Test fails
* JDK-8227060: Optimize safepoint cleanup subtask order
* JDK-8227257: javax/swing/JFileChooser/4847375/ fails with
* JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
* JDK-8244976: vmTestbase/nsk/jdi/Event/request/ doesn't
initialize eName
* JDK-8245877: assert(_value != __null) failed: resolving NULL _value in
* JDK-8248001: javadoc generates invalid HTML pages whose ftp:// links are
* JDK-8252990: Intrinsify Unsafe.storeStoreFence
* JDK-8254711: Add JFR Event
* JDK-8257856: Make robust to JDK version updates
* JDK-8261495: Shenandoah: reconsider update references memory ordering
* JDK-8268288: jdk/jfr/api/consumer/streaming/ /
fails with "Error: ShouldNotReachHere()"
* JDK-8268298: jdk/jfr/api/consumer/log/ fails: unexpected
log message
* JDK-8268582: javadoc throws NPE with --ignore-source-errors option
* JDK-8269821: Remove is-queue-active check in inner loop of
* JDK-8270434: JDI+UT: Unexpected event in JDI tests
* JDK-8270859: Post JEP 411 refactoring: client libs with maximum covering >
* JDK-8270869: G1ServiceThread may not terminate
* JDK-8271519: java/awt/event/SequencedEvent/
/ failed with "Total [200] Expected [400]"
* JDK-8273909: vmTestbase/nsk/jdi/Event/request/request001 can still fail with
"ERROR: new event is not ThreadStartEvent"
* JDK-8274243: Implement fast-path for ASCII-compatible CharsetEncoders on
* JDK-8274615: Support relaxed atomic add for linux-aarch64
* JDK-8274864: Remove Amman/Cairo hacks in ZoneInfoFile
* JDK-8275233: Incorrect line number reported in exception stack trace thrown
from a lambda expression
* JDK-8275287: Relax memory ordering constraints on updating instance class
and array class counters
* JDK-8275721: Name of UTC timezone in a locale changes depending on previous
* JDK-8275735: [linux] Remove deprecated Metrics api (kernel memory limit)
* JDK-8276058: Some swing test fails on specific CI macos system
* JDK-8277407: javax/swing/plaf/synth/SynthButtonUI/6276188/ /
fails to compile after JDK-8276058
* JDK-8277775: Fixup bugids in - add 4357905
* JDK-8278146: G1: Rework VM_G1Concurrent VMOp to clearly identify it as pause
* JDK-8278434: timeouts in test java/time/test/java/time/
* JDK-8278834: Error "Cannot read field "sym" because "this.lvar[od]" is null"
when compiling
* JDK-8282077: PKCS11 provider C_sign() impl should handle
* JDK-8282201: Consider removal of expiry check in test
* JDK-8282227: Locale information for nb is not working properly
* JDK-8282704: runtime/Thread/ may leak memory
* JDK-8283057: Update GCC to version 11.2.0 for Oracle builds on Linux
* JDK-8283062: Uninitialized warnings in libgtest with GCC 11.2
* JDK-8283520: JFR: Memory leak in dcmd_arena
* JDK-8283566: G1: Improve G1BarrierSet::enqueue performance
* JDK-8284331: Add sanity check for signal handler modification warning.
* JDK-8285635: javax/swing/JRootPane/ failed with
Default Button not pressed for L&F:
* JDK-8285987: executing shell scripts without #! fails on Alpine linux
* JDK-8286191: misc tests fail due to JDK-8285987
* JDK-8286287: Reading file as UTF-16 causes Error which "shouldn't happen"
* JDK-8286331: jni_GetStringUTFChars() uses wrong heap allocator
* JDK-8286346: 3-parameter version of AllocateHeap should not ignore
* JDK-8286398: Address possibly lossy conversions in jdk.internal.le
* JDK-8287007: [cgroups] Consistently use stringStream throughout parsing code
* JDK-8287246: DSAKeyValue should check for missing params instead of relying
on KeyFactory provider
* JDK-8287541: Files.writeString fails to throw IOException for charset
* JDK-8287854: Dangling reference in ClassVerifier::verify_class
* JDK-8287876: The recently de-problemlisted TestTitledBorderLeak test is
* JDK-8287897: Augment src/jdk.internal.le/share/legal/ with
information on 4th party dependencies
* JDK-8288589: Files.readString ignores encoding errors for UTF-16
* JDK-8289509: Improve test coverage for XPath Axes: descendant, descendant-
or-self, following, following-sibling
* JDK-8289735: UTIL_LOOKUP_PROGS fails on pathes with space
* JDK-8289949: Improve test coverage for XPath: operators
* JDK-8290822: C2: assert in PhaseIdealLoop::do_unroll() is subject to
undefined behavior
* JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
* JDK-8291637: HttpClient default keep alive timeout not followed if server
sends invalid value
* JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
* JDK-8292206: fails as getMemoryUsage() is lower than
* JDK-8292301: [REDO v2] C2 crash when allocating array of size too large
* JDK-8292407: Improve Weak CAS VarHandle/Unsafe tests resilience under
spurious failures
* JDK-8292713: Unsafe.allocateInstance should be intrinsified without
* JDK-8292755: Non-default method in interface leads to a stack overflow in
* JDK-8292990: Improve test coverage for XPath Axes: parent
* JDK-8293295: Add type check asserts to java_lang_ref_Reference accessors
* JDK-8293492: ShenandoahControlThread missing from hs-err log and thread dump
* JDK-8293858: Change PKCS7 code to use default SecureRandom impl instead of
* JDK-8293887: AArch64 build failure with GCC 12 due to maybe-uninitialized
warning in libfdlibm k_rem_pio2.c
* JDK-8294183: AArch64: Wrong macro check in
* JDK-8294281: Allow warnings to be disabled on a per-file basis
* JDK-8294673: JFR: Add SecurityProviderService#threshold to
* JDK-8294717: (bf) DirectByteBuffer constructor will leak if allocating
Deallocator or Cleaner fails with OOME
* JDK-8294906: Memory leak in PKCS11 NSS TLS server
* JDK-8295564: Norwegian Nynorsk Locale is missing formatting
* JDK-8295974: jni_FatalError and Xcheck:jni warnings should print the native
stack when there are no Java frames
* JDK-8296084: javax/swing/JSpinner/4788637/ fails
intermittently on a VM
* JDK-8296318: use-def assert: special case undetected loops nested in
infinite loops
* JDK-8296343: CPVE thrown on missing content-length in OCSP response
* JDK-8296412: Special case infinite loops with unmerged backedges in
* JDK-8296545: C2 Blackholes should allow load optimizations
* JDK-8296934: Write a test to verify whether Undecorated Frame can be
iconified or not
* JDK-8297000: [jib] Add more friendly warning for proxy issues
* JDK-8297154: Improve safepoint cleanup logging
* JDK-8297450: fails when run with -show
* JDK-8297587: Upgrade JLine to 3.22.0
* JDK-8297730: C2: Arraycopy intrinsic throws incorrect exception
* JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
* JDK-8298488: [macos13] tools/jpackage tests failing with "Exit code: 137" on
* JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
* JDK-8299179: ArrayFill with store on backedge needs to reduce length by 1
* JDK-8299259: C2: Div/Mod nodes without zero check could be split through iv
phi of loop resulting in SIGFPE
* JDK-8299544: Improve performance of CRC32C intrinsics (non-AVX-512) for
small inputs
* JDK-8299570: [JVMCI] Insufficient error handling when CodeBuffer is
* JDK-8299959: C2: CmpU::Value must filter overflow computation against local
sub computation
* JDK-8300042: Improve CPU related JFR events descriptions
* JDK-8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant
NULL src argument
* JDK-8300823: UB: Compile::_phase_optimize_finished is initialized too late
* JDK-8300939: sun/security/provider/certpath/OCSP/ /
fails due to network errors
* JDK-8301050: Detect Xen Virtualization on Linux aarch64
* JDK-8301119: Support for GB18030-2022
* JDK-8301123: Enable Symbol refcounting underflow checks in PRODUCT
* JDK-8301190: [vectorapi] The typeChar of LaneType is incorrect when default
locale is tr
* JDK-8301216: ForkJoinPool invokeAll() ignores timeout
* JDK-8301338: Identical branch conditions in CompileBroker::print_heapinfo
* JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic called with
negative character argument
* JDK-8301637: ThreadLocalRandom.current().doubles().parallel() contention
* JDK-8301661: Enhance os::pd_print_cpu_info on macOS and Windows
* JDK-8302151: BMPImageReader throws an exception reading BMP images
* JDK-8302172: [JVMCI] HotSpotResolvedJavaMethodImpl.canBeInlined must respect
* JDK-8302320: AsyncGetCallTrace obtains too few frames in sanity test
* JDK-8302491: NoClassDefFoundError omits the original cause of an error
* JDK-8302508: Add timestamp to the output TraceCompilerThreads
* JDK-8302594: use-after-free in Node::destruct
* JDK-8302595: use-after-free related to GraphKit::clone_map
* JDK-8302791: Add specific ClassLoader object to Proxy
IllegalArgumentException message
* JDK-8302849: SurfaceManager might expose partially constructed object
* JDK-8303069: Memory leak in CompilerOracle::parse_from_line
* JDK-8303102: jcmd: ManagementAgent.status truncates the text longer than
* JDK-8303130: Document required Accessibility permissions on macOS
* JDK-8303354: addCertificatesToKeystore in KeystoreImpl.m needs CFRelease
call in early potential CHECK_NULL return
* JDK-8303433: Bump update version for OpenJDK: jdk-17.0.8
* JDK-8303440: The "ZonedDateTime.parse" may not accept the "UTC+XX" zone id
* JDK-8303465: KeyStore of type KeychainStore, provider Apple does not show
all trusted certificates
* JDK-8303476: Add the runtime version in the release file of a JDK image
* JDK-8303482: Update LCMS to 2.15
* JDK-8303508: Vector.lane() gets wrong value on x86
* JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during unrolling
* JDK-8303564: C2: "Bad graph detected in build_loop_late" after a CMove is
wrongly split thru phi
* JDK-8303575: adjust Xen handling on Linux aarch64
* JDK-8303576: addIdentitiesToKeystore in KeystoreImpl.m needs CFRelease call
in early potential CHECK_NULL return
* JDK-8303588: [JVMCI] make JVMCI source directories conform with standard
* JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
* JDK-8303822: gtestMain should give more helpful output
* JDK-8303861: Error handling step timeouts should never be blocked by OnError
and others
* JDK-8303937: Corrupted heap dumps due to missing retries for os::write()
* JDK-8303949: gcc10 warning Linux ppc64le - note: the layout of aggregates
containing vectors with 8-byte alignment has changed in GCC 5
* JDK-8304054: Linux: NullPointerException from FontConfiguration.getVersion
in case no fonts are installed
* JDK-8304063: tools/jpackage/share/ fails when
* JDK-8304134: jib bootstrapper fails to quote filename when checking download
* JDK-8304291: [AIX] Broken build after JDK-8301998
* JDK-8304295: harfbuzz build fails with GCC 7 after JDK-8301998
* JDK-8304350: Font.getStringBounds calculates wrong width for
TextAttribute.TRACKING other than 0.0
* JDK-8304671: javac regression: Compilation with --release 8 fails on
underscore in enum identifiers
* JDK-8304683: Memory leak in WB_IsMethodCompatible
* JDK-8304760: Add 2 Microsoft TLS roots
* JDK-8304867: Explicitly disable dtrace for ppc builds
* JDK-8304880: [PPC64] VerifyOops code in C1 doesn't work with ZGC
* JDK-8305088: SIGSEGV in Method::is_method_handle_intrinsic
* JDK-8305113: (tz) Update Timezone Data to 2023c
* JDK-8305400: ISO 4217 Amendment 175 Update
* JDK-8305403: Shenandoah evacuation workers may deadlock
* JDK-8305481: gtest is_first_C_frame failing on ARM
* JDK-8305690: [X86] Do not emit two REX prefixes in Assembler::prefix
* JDK-8305711: Arm: C2 always enters slowpath for monitorexit
* JDK-8305721: add `make compile-commands` artifacts to .gitignore
* JDK-8305975: Add TWCA Global Root CA
* JDK-8305993: Add handleSocketErrorWithMessage to extend nio Net.c exception
* JDK-8305994: Guarantee eventual async monitor deflation
* JDK-8306072: Open source several AWT MouseInfo related tests
* JDK-8306133: Open source few AWT Drag & Drop related tests
* JDK-8306409: Open source AWT KeyBoardFocusManger, LightWeightComponent
related tests
* JDK-8306432: Open source several AWT Text Component related tests
* JDK-8306466: Open source more AWT Drag & Drop related tests
* JDK-8306489: Open source AWT List related tests
* JDK-8306543: GHA: MSVC installation is failing
* JDK-8306640: Open source several AWT TextArea related tests
* JDK-8306652: Open source AWT MenuItem related tests
* JDK-8306658: GHA: MSVC installation could be optional since it might already
be pre-installed
* JDK-8306664: GHA: Update MSVC version to latest stepping
* JDK-8306681: Open source more AWT DnD related tests
* JDK-8306683: Open source several clipboard and color AWT tests
* JDK-8306752: Open source several container and component AWT tests
* JDK-8306753: Open source several container AWT tests
* JDK-8306755: Open source few Swing JComponent and AbstractButton tests
* JDK-8306768: CodeCache Analytics reports wrong threshold
* JDK-8306774: Make runtime/Monitor/
/ more reliable
* JDK-8306825: Monitor deflation might be accidentally disabled by zero
* JDK-8306850: Open source AWT Modal related tests
* JDK-8306871: Open source more AWT Drag & Drop tests
* JDK-8306883: Thread stacksize is reported with wrong units in
os::create_thread logging
* JDK-8306941: Open source several datatransfer and dnd AWT tests
* JDK-8306943: Open source several dnd AWT tests
* JDK-8306954: Open source five Focus related tests
* JDK-8306955: Open source several JComboBox jtreg tests
* JDK-8306976: UTIL_REQUIRE_SPECIAL warning on grep
* JDK-8306996: Open source Swing MenuItem related tests
* JDK-8307080: Open source some more JComboBox jtreg tests
* JDK-8307128: Open source some drag and drop tests 4
* JDK-8307130: Open source few Swing JMenu tests
* JDK-8307133: Open source some JTable jtreg tests
* JDK-8307134: Add GTS root CAs
* JDK-8307135: java/awt/dnd/NotReallySerializableTest/
/ failed
* JDK-8307331: Correctly update line maps when class redefine rewrites
* JDK-8307346: Add missing gc+phases logging for ObjectCount(AfterGC) JFR
event collection code
* JDK-8307347: serviceability/sa/ could leave files owned
by root on macOS
* JDK-8307378: Allow collectors to provide specific values for GC
notifications' actions
* JDK-8307381: Open Source JFrame, JIF related Swing Tests
* JDK-8307425: Socket input stream read burns CPU cycles with back-to-back
poll(0) calls
* JDK-8307799: Newly added java/awt/dnd/ has invalid jtreg
`@requires` clause
* JDK-8308554: [17u] Fix commit of 8286191. vm.musl was not removed from
* JDK-8308880: [17u] micro bench ZoneStrings missed in backport of 8278434
* JDK-8308884: [17u/11u] Backout JDK-8297951
* JDK-8311467: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for
release 17.0.8

## Patch Instructions:

To install this SUSE important update, use the SUSE-recommended installation
methods such as YaST online_update or "zypper patch".
Alternatively, run the command listed for your product:

* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-3023=1 SUSE-2023-3023=1

* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-3023=1

* Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-3023=1

* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-3023=1
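After patching, a practitioner usually wants to confirm that the runtime actually in use (which may be a JDK outside the package manager's view) is at the fixed level. The following POSIX shell script is an added example, not SUSE tooling or part of the advisory: it classifies a `java -version` banner against the fixed level jdk-17.0.8 named above. The only value taken from the advisory is that version number; the sample banners are constructed for illustration, and the `classify_banner` and `extract_version` function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: classify a `java -version`
# banner against the fixed level jdk-17.0.8 named in this advisory.
# Only the fixed version number comes from the advisory; the sample banners
# below are constructed for illustration.

FIXED_MAJOR=17
FIXED_MINOR=0
FIXED_PATCH=8

# extract_version BANNER
# Prints the dotted version from the first 'openjdk version "..."' line,
# or nothing if no such line is present.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^openjdk version "\([0-9][0-9.]*\)".*/\1/p' |
        head -n 1
}

# classify_banner BANNER
# Prints exactly one word:
#   fixed        - a 17.x runtime at or above 17.0.8
#   unfixed      - a 17.x runtime below 17.0.8 (update needed)
#   not-java-17  - another major version; this advisory does not cover it
#   unknown      - no 'openjdk version' line found
classify_banner() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    # Split on dots; missing components default to 0, extra ones are ignored.
    IFS=. read -r major minor patch rest <<EOF
$ver
EOF
    : "${minor:=0}" "${patch:=0}"
    if [ "$major" -ne "$FIXED_MAJOR" ]; then
        echo not-java-17
    elif [ "$minor" -gt "$FIXED_MINOR" ] ||
         { [ "$minor" -eq "$FIXED_MINOR" ] && [ "$patch" -ge "$FIXED_PATCH" ]; }; then
        echo fixed
    else
        echo unfixed
    fi
}

# Constructed sample banners in the shape of `java -version 2>&1` output.
SAMPLE_OLD='openjdk version "17.0.7" 2023-04-18
OpenJDK Runtime Environment (build 17.0.7+7)
OpenJDK 64-Bit Server VM (build 17.0.7+7, mixed mode, sharing)'
SAMPLE_NEW='openjdk version "17.0.8" 2023-07-18
OpenJDK Runtime Environment (build 17.0.8+7)
OpenJDK 64-Bit Server VM (build 17.0.8+7, mixed mode, sharing)'
SAMPLE_11='openjdk version "11.0.20" 2023-07-18
OpenJDK Runtime Environment (build 11.0.20+8)'

# Real use on a host: classify_banner "$(java -version 2>&1)"
for b in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_11"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$b" | head -n 1)" "$(classify_banner "$b")"
done
```

Note that `java -version` writes its banner to stderr, hence the `2>&1` in the usage comment. The check is deliberately independent of `rpm` or `zypper` so it also covers JDKs unpacked by hand; for packaged installs, `zypper patch` output and the package version remain the authoritative record.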

## Package List:

* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 i586)
* java-17-openjdk-headless-debuginfo-
* java-17-openjdk-debuginfo-
* java-17-openjdk-jmods-
* java-17-openjdk-devel-debuginfo-
* java-17-openjdk-headless-
* java-17-openjdk-debugsource-
* java-17-openjdk-src-
* java-17-openjdk-demo-
* java-17-openjdk-devel-
* java-17-openjdk-
* openSUSE Leap 15.4 (noarch)
* java-17-openjdk-javadoc-
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* java-17-openjdk-headless-debuginfo-
* java-17-openjdk-debuginfo-
* java-17-openjdk-jmods-
* java-17-openjdk-devel-debuginfo-
* java-17-openjdk-headless-
* java-17-openjdk-debugsource-
* java-17-openjdk-src-
* java-17-openjdk-demo-
* java-17-openjdk-devel-
* java-17-openjdk-
* openSUSE Leap 15.5 (noarch)
* java-17-openjdk-javadoc-
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* java-17-openjdk-headless-debuginfo-
* java-17-openjdk-debuginfo-
* java-17-openjdk-devel-debuginfo-
* java-17-openjdk-headless-
* java-17-openjdk-debugsource-
* java-17-openjdk-demo-
* java-17-openjdk-devel-
* java-17-openjdk-
* Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
* java-17-openjdk-headless-debuginfo-
* java-17-openjdk-debuginfo-
* java-17-openjdk-devel-debuginfo-
* java-17-openjdk-headless-
* java-17-openjdk-debugsource-
* java-17-openjdk-demo-
* java-17-openjdk-devel-
* java-17-openjdk-

## References: