Bug 972468 (CVE-2016-0636) - VUL-0: CVE-2016-0636: java-1_7_0-openjdk, java-1_8_0-openjdk: out-of-band urgent security fix (Hotspot, 8151666)
Status: RESOLVED FIXED
Alias: CVE-2016-0636
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Major
Target Milestone: ---
Assignee: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/164067/
Whiteboard: CVSSv2:RedHat:CVE-2013-5838:6.8:(AV:N...
Reported: 2016-03-24 08:08 UTC by Victor Pereira
Modified: 2017-05-11 00:55 UTC
Found By: Security Response Team
Comment 1 Swamp Workflow Management 2016-03-24 23:00:22 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2016-03-28 19:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (972468) was mentioned in
https://build.opensuse.org/request/show/380700 Factory / java-1_7_0-openjdk
Comment 5 Bernhard Wiedemann 2016-03-29 08:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (972468) was mentioned in
https://build.opensuse.org/request/show/380907 13.1 / java-1_7_0-openjdk
https://build.opensuse.org/request/show/380925 13.2 / java-1_7_0-openjdk
Comment 6 Bernhard Wiedemann 2016-03-30 07:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (972468) was mentioned in
https://build.opensuse.org/request/show/381447 Factory / java-1_8_0-openjdk
https://build.opensuse.org/request/show/381450 13.2 / java-1_8_0-openjdk
Comment 8 Marcus Meissner 2016-04-01 13:00:35 UTC
QA saw that libcups.so.2 was no longer required.

I think CUPS support is broken by this update.

reason:
SYSTEM_CUPS changed from true -> yes if enabled.

but lots of makefiles or almost all places still use
ifneq ($(SYSTEM_CUPS), true)
ifeq ($(SYSTEM_CUPS), true)


Can you report this upstream?
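
One way to check the concern raised in comment 8, as an added example that is not part of the bug report or of OpenJDK's build system: a shell function that lists makefile conditionals still comparing a variable against a literal other than the value it is now set to. The function names, file names and makefile fragments are constructed for illustration.

```shell
#!/bin/sh
# List ifeq/ifneq lines under DIR that compare $(VAR) against a literal
# other than EXPECTED (e.g. SYSTEM_CUPS still tested against "true"
# after its enabled value became "yes").
stale_compares() {
    var=$1 expected=$2 dir=$3
    grep -rnE "^[[:space:]]*ifn?eq[[:space:]]*\(\\\$\($var\),[[:space:]]*[^)]*\)" "$dir" |
    while IFS= read -r hit; do
        # Pull out the literal after the comma and trim trailing spaces.
        lit=$(printf '%s\n' "$hit" |
              sed -E 's/.*,[[:space:]]*([^)]*)\).*/\1/; s/[[:space:]]+$//')
        [ "$lit" = "$expected" ] || printf '%s\n' "$hit"
    done
}

# Constructed sample tree (hypothetical file names, not OpenJDK's real makefiles).
make_sample() {
    mkdir -p "$1/make"
    cat > "$1/make/old.gmk" <<'EOF'
ifeq ($(SYSTEM_CUPS), true)
  LIBS += -lcups
endif
 ifneq ($(SYSTEM_CUPS), true)
  CUPS_HEADERS := bundled
endif
EOF
    cat > "$1/make/new.gmk" <<'EOF'
ifeq ($(SYSTEM_CUPS), yes)
  LIBS += -lcups
endif
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
# Prints the two conditionals in old.gmk that still test against "true".
stale_compares SYSTEM_CUPS yes "$tmp"
rm -rf "$tmp"
```
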
Comment 9 Marcus Meissner 2016-04-01 13:04:06 UTC
https://docs.oracle.com/javase/tutorial/2d/printing/examples/HelloWorldPrinter.java


javac HelloWorldPrinter.java
java HelloWorldPrinter

will open a window with a button ... Press this button.
Comment 10 Marcus Meissner 2016-04-01 13:53:41 UTC
(it still seems able to print, and loads libcups.so.2 dynamically apparently.)

so it seems not buggy
Comment 11 Swamp Workflow Management 2016-04-05 16:07:57 UTC
SUSE-SU-2016:0956-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
SUSE Linux Enterprise Desktop 11-SP4 (src):    java-1_7_0-openjdk-1.7.0.99-0.20.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    java-1_7_0-openjdk-1.7.0.99-0.20.2
Comment 12 Swamp Workflow Management 2016-04-05 16:08:14 UTC
SUSE-SU-2016:0957-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.77-6.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_8_0-openjdk-1.8.0.77-6.1
Comment 13 Swamp Workflow Management 2016-04-05 16:08:50 UTC
SUSE-SU-2016:0959-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_7_0-openjdk-1.7.0.99-27.1
SUSE Linux Enterprise Server 12 (src):    java-1_7_0-openjdk-1.7.0.99-27.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    java-1_7_0-openjdk-1.7.0.99-27.1
SUSE Linux Enterprise Desktop 12 (src):    java-1_7_0-openjdk-1.7.0.99-27.1
Comment 14 Swamp Workflow Management 2016-04-07 13:08:09 UTC
openSUSE-SU-2016:0971-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
openSUSE 13.2 (src):    java-1_7_0-openjdk-1.7.0.99-19.1, java-1_7_0-openjdk-bootstrap-1.7.0.99-19.1
Comment 15 Swamp Workflow Management 2016-04-08 10:08:48 UTC
openSUSE-SU-2016:0983-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
openSUSE 13.2 (src):    java-1_8_0-openjdk-1.8.0.77-24.1
Comment 16 Andreas Osterburg 2016-04-11 15:40:15 UTC
Is there an update for Leap available?
Comment 17 Swamp Workflow Management 2016-04-11 19:07:43 UTC
openSUSE-SU-2016:1004-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
openSUSE Leap 42.1 (src):    java-1_7_0-openjdk-1.7.0.99-28.1, java-1_7_0-openjdk-bootstrap-1.7.0.99-28.1
Comment 18 Swamp Workflow Management 2016-04-11 19:07:53 UTC
openSUSE-SU-2016:1005-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
openSUSE Leap 42.1 (src):    java-1_8_0-openjdk-1.8.0.77-9.1
Comment 19 Marcus Meissner 2016-04-12 07:22:43 UTC
released yesterday :)
Comment 20 Andreas Osterburg 2016-04-12 07:36:52 UTC
(In reply to Marcus Meissner from comment #19)
> released yesterday :)

Thank you. I'd suggest a button for patches inherited from SLE :-)
Comment 21 Swamp Workflow Management 2016-04-14 19:08:00 UTC
openSUSE-SU-2016:1042-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 972468
CVE References: CVE-2016-0636
Sources used:
openSUSE 13.1 (src):    java-1_7_0-openjdk-1.7.0.99-24.33.2