OPENSUSE-SU-2019:0161-1
Feb 12, 2019

Security update for java-11-openjdk (important)

Source: lists.opensuse.org
EPSS: 0.008 (Low), percentile 82.0%

An update that fixes three vulnerabilities is now available.

Description:

This update for java-11-openjdk to version 11.0.2+7 fixes the following
issues:

Security issues fixed:

  • CVE-2019-2422: Better FileChannel transfer performance (bsc#1122293)
  • CVE-2019-2426: Improve web server connections
  • CVE-2018-11212: Improve JPEG processing (bsc#1122299)
  • Better route routing
  • Better interface enumeration
  • Better interface lists
  • Improve BigDecimal support
  • Improve robot support
  • Better icon support
  • Choose printer defaults
  • Proper allocation handling
  • Initial class initialization
  • More reliable p11 transactions
  • Improve NIO stability
  • Better loading of classloader classes
  • Strengthen Windows Access Bridge Support
  • Improved data set handling
  • Improved LSA authentication
  • Libsunmscapi improved interactions

Non-security issues fixed:

  • Do not resolve by default the added JavaEE modules (bsc#1120431)
  • ~2.5% regression on compression benchmark starting with 12-b11
  • java.net.http.HttpClient hangs on 204 reply without Content-length 0
  • Add additional TeliaSonera root certificate
  • Add more ld preloading related info to hs_error file on Linux
  • Add test to exercise server-side client hello processing
  • AES encrypt performance regression in jdk11b11
  • AIX: ProcessBuilder: Piping between created processes does not work.
  • AIX: Some class library files are missing the Classpath exception
  • AppCDS crashes for some uses with JRuby
  • Automate vtable/itable stub size calculation
  • BarrierSetC1::generate_referent_check() confuses register allocator
  • Better HTTP Redirection
  • Catastrophic size_t underflow in BitMap::*_large methods
  • Clip.isRunning() may return true after Clip.stop() was called
  • Compiler thread creation should be bounded by available space in memory
    and Code Cache
  • com.sun.net.httpserver.HttpServer returns Content-length header for 204
    response code
  • Default mask register for avx512 instructions
  • Delayed starting of debugging via jcmd
  • Disable all DES cipher suites
  • Disable anon and NULL cipher suites
  • Disable unsupported GCs for Zero
  • Epsilon alignment adjustments can overflow max TLAB size
  • Epsilon elastic TLAB sizing may cause misalignment
  • HotSpot update for vm_version.cpp to recognise updated VS2017
  • HttpClient does not retrieve files with large sizes over HTTP/1.1
  • IIOException “tEXt chunk length is not proper” on opening png file
  • Improve TLS connection stability again
  • InitialDirContext ctor sometimes throws NPE if the server has sent a
    disconnection
  • Inspect stack during error reporting
  • Instead of circle rendered in appl window, but ellipse is produced
    JEditor Pane
  • Introduce diagnostic flag to abort VM on failed JIT compilation
  • Invalid assert(HeapBaseMinAddress > 0) in
    ReservedHeapSpace::initialize_compressed_heap
  • jar has issues with UNC-path arguments for the jar -C parameter [windows]
  • java.net.http HTTP client should allow specifying Origin and Referer
    headers
  • java.nio.file.Files.writeString writes garbled UTF-16 instead of UTF-8
  • JDK 11.0.1 l10n resource file update
  • JDWP Transport Listener: dt_socket thread crash
  • JVMTI ResourceExhausted should not be posted in CompilerThread
  • LDAPS communication failure with jdk 1.8.0_181
  • linux: Poor StrictMath performance due to non-optimized compilation
  • Missing synchronization when reading counters for live threads and peak
    thread count
  • NPE in SupportedGroupsExtension
  • OpenDataException thrown when constructing CompositeData for
    StackTraceElement
  • Parent class loader may not have a referred ClassLoaderData instance
    when obtained in Klass::class_in_module_of_loader
  • Populate handlers while holding streamHandlerLock
  • ppc64: Enable POWER9 CPU detection
  • print_location is not reliable enough (printing register info)
  • Reconsider default option for ClassPathURLCheck change done in
    JDK-8195874
  • Register to register spill may use AVX 512 move instruction on
    unsupported platform.
  • s390: Use of shift operators not covered by cpp standard
  • serviceability/sa/TestUniverse.java#id0 intermittently fails with
    assert(get_instanceKlass()->is_loaded()) failed: must be at least loaded
  • SIGBUS in CodeHeapState::print_names()
  • SIGSEGV in MethodArityHistogram() with -XX:+CountCompiledCalls
  • Soft reference reclamation race in
    com.sun.xml.internal.stream.util.ThreadLocalBufferAllocator
  • Swing apps are slow if displaying from a remote source to many local
    displays
  • switch jtreg to 4.2b13
  • Test library OSInfo.getSolarisVersion cannot determine Solaris version
  • TestOptionsWithRanges.java is very slow
  • TestOptionsWithRanges.java of ‘-XX:TLABSize=2147483648’ fails
    intermittently
  • The Japanese message of FileNotFoundException garbled
  • The “supported_groups” extension in ServerHellos
  • ThreadInfoCompositeData.toCompositeData fails to map ThreadInfo to
    CompositeData
  • TimeZone.getDisplayName given Locale.US doesn’t always honor the Locale.
  • TLS 1.2 Support algorithm in SunPKCS11 provider
  • TLS 1.3 handshake server name indication is missing on a session resume
  • TLS 1.3 server fails if ClientHello doesn’t have pre_shared_key and
    psk_key_exchange_modes
  • TLS 1.3 interop problems with OpenSSL 1.1.1 when used on the client side
    with mutual auth
  • tz: Upgrade time-zone data to tzdata2018g
  • Undefined behaviour in ADLC
  • Update avx512 implementation
  • URLStreamHandler initialization race
  • UseCompressedOops requirement check fails on 32-bit system
  • windows: Update OS detection code to recognize Windows Server 2019
  • x86: assert on unbound assembler Labels used as branch targets
  • x86: jck tests for ldc2_w bytecode fail
  • x86: sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
  • “-XX:OnOutOfMemoryError” uses fork instead of vfork

This update was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.0:

    zypper in -t patch openSUSE-2019-161=1
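
A post-install check, added here as an example (not part of the advisory): it parses the build string from `java -version` output and compares it with the fixed version 11.0.2+7 named above. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the running JDK is at or above the fixed build.
FIXED="11.0.2+7"   # fixed version stated in the advisory

# Constructed sample `java -version` outputs (not captured from a real host).
SAMPLE_OLD='openjdk version "11.0.1" 2018-10-16
OpenJDK Runtime Environment (build 11.0.1+13-constructed)'
SAMPLE_NEW='openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment (build 11.0.2+7-constructed)'

# Pull "<feature>[.<interim>.<update>[.<patch>]]+<build>" from the runtime line.
extract_build() {
    printf '%s\n' "$1" |
        sed -n 's/.*Runtime Environment.*(build \([0-9][0-9.]*+[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 if version $1 >= version $2; missing numeric fields count as 0.
version_ge() {
    a_num=${1%%+*}; a_build=${1#*+}
    b_num=${2%%+*}; b_build=${2#*+}
    i=1
    while [ "$i" -le 4 ]; do
        # Trailing dots guarantee cut always finds four fields.
        x=$(printf '%s...\n' "$a_num" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s...\n' "$b_num" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    [ "$a_build" -ge "$b_build" ]
}

# 0 = patched, 1 = older than the fixed build, 2 = version not recognised.
is_patched() {
    build=$(extract_build "$1")
    [ -n "$build" ] || return 2
    version_ge "$build" "$FIXED"
}

for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if is_patched "$sample"; then state="patched"; else state="NOT patched"; fi
    echo "$(extract_build "$sample"): $state"
done
```

On a real host, pass the live output with `is_patched "$(java -version 2>&1)"`, since `java -version` writes to stderr.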

OS             Version  Architecture
openSUSE Leap  15.0     x86_64
openSUSE Leap  15.0     noarch