[ubuntu/artful-updates] openjdk-8 8u151-b12-0ubuntu0.17.10.2 (Accepted)
Ubuntu Archive Robot
cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Wed Nov 8 08:58:33 UTC 2017
openjdk-8 (8u151-b12-0ubuntu0.17.10.2) artful-security; urgency=medium
* Update to 8u151-b12. Hotspot 8u144-b01 for aarch32 with 8u151 hotspot
* Security patches:
- CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
CardImpl can be recovered via finalization, then separate instances
pointing to the same device can be created.
- CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
readObject allocates an array based on data in the stream which could
cause an OOM.
- CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
thread can be used as the root of a Trusted Method Chain.
- CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
possibly other Linux flavors) CR-NL in the host field are ignored and
can be used to inject headers in an HTTP request stream.
- CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
implementations can incorrectly take information from the unencrypted
portion of the ticket from the KDC. This can lead to an MITM attack
impersonating Kerberos services.
- CVE-2017-10346, S8180711: Better alignment of special invocations. A
missing load constraint for some invokespecial cases can allow invoking
a method from an unrelated class.
- CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
based on data in the serial stream without a limit onthe size.
- CVE-2017-10347, S8181323: Better timezone processing. An array is
allocated based on data in the serial stream without a limit on the
- CVE-2017-10349, S8181327: Better Node predications. An array is
allocated based on data in the serial stream without a limit onthe size.
- CVE-2017-10345, S8181370: Better keystore handling. A malicious
serialized object in a keystore can cause a DoS when using keytool.
- CVE-2017-10348, S8181432: Better processing of unresolved permissions.
An array is allocated based on data in the serial stream without a limit
- CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
serialized stream could cause an OOM due to lack on checking on the
number of interfaces read from the stream for a Proxy.
- CVE-2017-10355, S8181612: More stable connection processing. If an
attack can cause an application to open a connection to a malicious FTP
server (e.g., via XML), then a thread can be tied up indefinitely in
- CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
keystores should be retired from common use in favor of more modern
- CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
check could lead to leaked memory contents.
- CVE-2016-9841, S8184682: Upgrade compression library. There were four
off by one errors found in the zlib library. Two of them are long typed
which could lead to RCE.
- own /usr/share/man/man1 since we use it in the postinst script.
- openjdk8 now ships limited and unlimited policy.jar files (S8157561)
into their own directories under jre/lib/security/policy, thus we
must to copy those directories instead of the policy.jar files.
* debian/rules, debian/patches/sec-webrev-8u151-hotspot-8179084.patch,
hotspot security updates to both aarch32 and aarch64.
* debian/patches/gcc6.diff, debian/patches/aarch64.diff,
debian/patches/system-libjpeg.diff: removed hunks related to
the common/autoconf/generated-configure.sh file as we regenerate
it, no need to keep maintaining those.
* debian/patches/hotspot-ppc64el-S8168318-cmpldi.patch: use cmpldi instead
of li/cmpld. LP: #1723893.
* debian/patches/hotspot-ppc64el-S8170328-andis.patch: use andis instead of
lis/and. LP: #1723862.
add Montgomery multiply intrinsic. LP: #1723860.
* debian/patches/hotspot-ppc64el-S8181810-leverage-extrdi.patch: leverage
extrdi for bitfield extract is absent in OpenJDK 8. LP: #1723861.
* debian/patches/jdk-S8165852-overlayfs.patch: mount point not found for a
file which is present in overlayfs.
Date: 2017-10-27 21:42:47.140683+00:00
Changed-By: Tiago Stürmer Daitx <tiago.daitx at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
-------------- next part --------------
Sorry, changesfile not available.
More information about the Artful-changes