[ubuntu/oneiric-security] openjdk-7 7u9-2.3.3-0ubuntu1~11.10.1 (Accepted)

Jamie Strandboge jamie at ubuntu.com
Fri Oct 26 14:40:37 UTC 2012

openjdk-7 (7u9-2.3.3-0ubuntu1~11.10.1) oneiric-security; urgency=low

  * Build IcedTea7 2.3.3 for oneiric.

openjdk-7 (7u9-2.3.3-0ubuntu1) quantal-security; urgency=low

  * IcedTea7 2.3.3 release.
  * Security fixes
    - S6631398, CVE-2012-3216: FilePermission improved path checking.
    - S7093490: adjust package access in rmiregistry.
    - S7143535, CVE-2012-5068: ScriptEngine corrected permissions.
    - S7158796, CVE-2012-5070: Tighten properties checking in EnvHelp.
    - S7158807: Revise stack management with volatile call sites.
    - S7163198, CVE-2012-5076: Tightened package accessibility.
    - S7167656, CVE-2012-5077: Multiple Seeders are being created.
    - S7169884, CVE-2012-5073: LogManager checks do not work correctly for
    - S7169887, CVE-2012-5074: Tightened package accessibility.
    - S7169888, CVE-2012-5075: Narrowing resource definitions in JMX RMI
    - S7172522, CVE-2012-5072: Improve DomainCombiner checking.
    - S7186286, CVE-2012-5081: TLS implementation to better adhere to RFC.
    - S7189103, CVE-2012-5069: Executors needs to maintain state.
    - S7189490: More improvements to DomainCombiner checking.
    - S7189567, CVE-2012-5085: java net obsolete protocol.
    - S7192975, CVE-2012-5071: Issue with JMX reflection.
    - S7195194, CVE-2012-5084: Better data validation for Swing.
    - S7195549, CVE-2012-5087: Better bean object persistence.
    - S7195917, CVE-2012-5086: XMLDecoder parsing at close-time should be
    - S7195919, CVE-2012-5079: (sl) ServiceLoader can throw CCE without
      needing to create instance.
    - S7196190, CVE-2012-5088: Improve method of handling MethodHandles.
    - S7198296, CVE-2012-5089: Refactor classloader usage.
    - S7158800: Improve storage of symbol tables.
    - S7158801: Improve VM CompileOnly option.
    - S7158804: Improve config file parsing.
    - S7198606, CVE-2012-4416: Improve VM optimization.

openjdk-7 (7u7-2.3.2a-1ubuntu1) quantal; urgency=low

  * Build a transitional icedtea-7-jre-cacao package to ease upgrades.

openjdk-7 (7u7-2.3.2a-1) experimental; urgency=low

  * Upload to experimental.

openjdk-7 (7u7-2.3.2a-0ubuntu1) quantal; urgency=low

  * Repackage the source to drop the cacao tarball (and packaging files).
  * Depend again on system provided tzdata-java and restore the zi
    symlink on upgrade. LP: #1050404.
  * libgnome2-0, libgnomevfs2-0, libgconf2-4 are not prepared for multiarch.
    Don't depend on these so that openjdk-7 can be installed as a multiarch

openjdk-7 (7u7-2.3.2-1ubuntu2) quantal; urgency=low

  * Make the avian VM a known runtime.

openjdk-7 (7u7-2.3.2-1ubuntu1) quantal; urgency=low

  * Fix 32bit hotspot build, don't set maximal heap space lower than
    minimal heap space for the docs build.
  * d/p/sane-library-paths.patch, d/p/ant-diagnostics.diff,
    d/p/fix-race-cond-print.diff, d/p/gcc-hotspot-opt-O[02].diff,
    d/p/gcc-mtune-generic.diff, d/p/openjdk-6986968.diff: Remove, not used.
  * Remove unused shark/llvm-3.0 patches.
  * d/p/zero-only-use-floating-point-if-floating-poi.patch: Remove, applied
  * Don't explicitly build with -march=i586 on i386 architectures.
  * Re-apply zero-missing-headers.diff.
  * Disable cacao builds, needs update for 7u7.
  * For Ubuntu quantal, set priorities for alternatives higher than for
    OpenJDK 6.
  * Call update-alternatives when the existing priority for the alternative
    is lower than the current one.
  * Configure with --disable-downloading.
  * Pass -avoid-version to libtool to create a JamVM libjvm.so without SONAME
    version numbers to match the Hotspot Server/Client libjvm.so. LP: #850433.
  * Revert the following change: Move libgnome2-0, libgnomevfs2-0, libgconf2-4
    from Depends of JRE package to Recommends (#661465).
    The proper fix is to create a -jdk-headless package, or not depending on
    these gnome packages at all (e.g. using XDG libraries).

openjdk-7 (7u7-2.3.2-1) experimental; urgency=low

  * New upstream IcedTea7 2.3.2 release.
  * Security fixes:
    - CVE-2012-4681: Reintroduce PackageAccessible checks removed in 6788531.
    - S7079902, CVE-2012-1711: Refine CORBA data models.
    - S7143606, CVE-2012-1717: File.createTempFile should be improved
      for temporary files created by the platform.
    - S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement.
    - S7143617, CVE-2012-1713: Improve fontmanager layout lookup operations.
    - S7143851, CVE-2012-1719: Improve IIOP stub and tie generation in RMIC.
    - S7143872, CVE-2012-1718: Improve certificate extension processing.
    - S7152811, CVE-2012-1723: Issues in client compiler.
    - S7157609, CVE-2012-1724: Issues with loop.
    - S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile.
    - S7165628, CVE-2012-1726: Issues with java.lang.invoke.MethodHandles.Lookup.
  * Bump version to 7u7 (OpenJDK), 2.3.2 (IcedTea). Closes: #685276.
  * d/p/icedtea7-forest-jdk_7104625-XEvent_wrap_logging_calls_with_if.patch,
    d/p/hotspot-sparc.diff: Remove, integrated upstream.
  * d/p/{deb-multiarch,fix_extra_flags,hotspot-no-werror}.diff:
    Add variants for hotspot and zero builds.
  * d/p/default-jvm-cfg.diff, d/p/icedtea-4953367.patch,
    d/p/icedtea-patch.diff, d/p/icedtea-pretend-memory.diff,
    d/p/libpcsclite-dlopen.diff, d/p/nonreparenting-wm.diff:
    Update for 2.3.2.
  * Remove build support for Ubuntu releases earlier than hardy.
  * d/update-shasum.sh: Only update the shasums of the -dfsg tarballs.
  * Don't apply shark patches (not built anyway).

openjdk-7 (7~u3-2.1.1-3) unstable; urgency=low

  * d/rules: Ensure we don't remove -O2 (default) when -O3 is disabled
    (fix jamvm FTBFS on armhf without -O2).
  * d/patches/gcc-jdk-opt-O0.diff, d/patches/gcc-jdk-opt-O2.diff,
    d/patches/gcc-no-hardening.diff, d/patches/gcc-opt-O2.diff: removed.

openjdk-7 (7~u3-2.1.1-2) unstable; urgency=low

  * d/rules: On Debian Wheezy/Sid bump Build-Depends on libnss3-dev
    (>= 2:3.13.4) and Depends on libnss3 (>= 2:3.13.4) (ie. with epoch).
    (Closes: #679465).
  * d/control: Suggests icedtea-7-plugin instead of icedtea6-plugin
    (Closes: #680284).
  * d/patches/7130140-MouseEvent-systemout.diff: Remove "MEvent. CASE!" from
    console output. (Closes: #679036).
  * Disable -O3 compile: cause wrong Math.* computations.
    (Closes: #679292 and Closes: #678228). LP: #1044857.
  * debian/patches/FreetypeFontScaler_getFontMetricsNative.diff:
    Fix "OpenJDK returns the text height greater than font size".
    (Closes: #657854)

openjdk-7 (7~u3-2.1.1-1) unstable; urgency=medium

  * New upstream release with security fixes (Closes: #677486):
    - S7079902, CVE-2012-1711: Refine CORBA data models
    - S7110720: Issue with vm config file loading
    - S7143606, CVE-2012-1717: File.createTempFile should be improved
      for temporary files created by the platform.
    - S7143614, CVE-2012-1716: SynthLookAndFeel stability improvement
    - S7143617, CVE-2012-1713: Improve fontmanager layout lookup operations
    - S7143851, CVE-2012-1719: Improve IIOP stub and tie generation in RMIC
    - S7143872, CVE-2012-1718: Improve certificate extension processing
    - S7145239: Finetune package definition restriction
    - S7152811, CVE-2012-1723: Issues in client compiler
    - S7157609, CVE-2012-1724: Issues with loop
    - S7160677: missing else in fix for 7152811
    - S7160757, CVE-2012-1725: Problem with hotspot/runtime_classfile
    - S7165628, CVE-2012-1726: Issues with
  * Patches merged upstream:
    - debian/patches/arm-thumb-fix.diff
    - debian/patches/gcc-4.7.diff

  [ James Page ]
  * Cherry picked patch from openjdk-6 to fix handling of 
    ICC profiles (LP: #888123, #888129) (Closes: #676351).

  [ Damien Raude-Morvan ]
  * Move libgnome2-0, libgnomevfs2-0, libgconf2-4 from Depends of JRE package
    to Recommends (Closes: #661465).
  * New jni_md_h_JNIEXPORT_visibility.patch to allow JNIEXPORT definition
    to work with -fvisibility=hidden. (Closes: #670896).

openjdk-7 (7~u3-2.1.1~pre1-2) unstable; urgency=low

  * Don't mark the -demo package as Multi-Arch same. Closes: #670038.
  * Build using gcc-4.4 on mips, mipsel.
  * Build again with older gcj version on s390 (4.6).

openjdk-7 (7~u3-2.1.1~pre1-1ubuntu3) precise-proposed; urgency=low

  * Default to the ARM assembler interpreter instead of JamVM on
    ARM. LP: #993380.

openjdk-7 (7~u3-2.1.1~pre1-1ubuntu2) precise; urgency=low

  * Use the /usr/bin path for the policytool desktop file. LP: #980205.
    Closes: #670037.

openjdk-7 (7~u3-2.1.1~pre1-1ubuntu1) precise; urgency=low

  * Regenerate the control file.

openjdk-7 (7~u3-2.1.1~pre1-1) unstable; urgency=low

  * Update from the IcedTea7-2.1 release branch (20110410).
  * Install desktop files again, using the common /usr/bin/java
    interpreter name.
  * Build-depend on libpng-dev for newer releases. Closes: #662452.
  * Let dlopen handle finding the libpcsclite library. LP: #898689.
  * Build-depend on fonts-ipafont-mincho, fixing a build failure in the
    fontconfig compiler (find out why it breaks ...).
  * Build using gcc-4.7/gcj-4.7 for sid/wheezy, fix build failure.
  * Remove `-icedtea' suffix from the release identification.
  * Fix arm thumb build, update taken from IcedTea6.

openjdk-7 (7~u3-2.1-4) unstable; urgency=low

  [ Matthias Klose ]
  * Don't install the binary fontconfig file. LP: #964303.

  [ Damien Raude-Morvan ]
  * Remove libxp-dev check in configure.ac, it's not needed anymore
    (Closes: #657260) and so drop build dependency on libxp-dev.
  * Fix FTBFS with glib 2.32 by adding explicit dependency gthread-2.0.pc
    (Closes: #665666).
  * Use libpng-dev instead of libpng12-dev for wheezy/sid (Closes: #662453).

openjdk-7 (7~u3-2.1-3) unstable; urgency=low

  * d/rules,Makefile.am: Improve handling of dpkg-buildflags: don't overwrite
    CFLAGS of hotspot but use EXTRA_* flags into icedtea and openjdk Makefile.
    (Closes: #661695).
  * d/rules: Build everything with -O3 opt level (jamvm, cacao and jdk)
  * d/patches/kfreebsd-support-*.diff: Refresh kfreebsd patches and
    fix FTBFS on k-i386 (ie. at least on a sid VM).
  * Backport S7104625 as d/patches/icedtea7-forest-jdk_7104625*.patch
    to check for logging to prevent wasted CPU (Closes: #651423).

openjdk-7 (7~u3-2.1-2) unstable; urgency=low

  [ Matthias Klose ]
  * Use NanumMyeongjo as the preferred Korean font. LP: #792471.
  * Fix crash in java.net.NetworkInterface.getNetworkInterfaces() when
    ifr_ifindex exceeds 255. LP: #925218. S7078386.
  * Use IPAfont as the preferred Japanese font. Closes: #646054.
  * Build using gcj on alpha and armel. Closes: #655750.

  [ Damien Raude-Morvan ]
  * d/patches/sparc-stubgenerator.diff: Fix FTBFS on sparc on
    stubGenerator_sparc.cpp by using explicit class typedef
    (Closes: #660871).
  * d/patches/fix_extra_flags.diff: Improve support for hardened build,
    also send flags to jdk build and send -Wl,-z,relro during hotspot link.
  * Bump Standards-Version to 3.9.3: no changes needed.
  * d/control: Don't use nonexistent dlopenjl:Recommends substvar,
    replaced by dlopenhl:Recommends.
  * d/*.{prerm,postrm}: Use set -e inside script instead of sh -e shebang.
  * Cleanup lintian-overrides.

openjdk-7 (7~u3-2.1-1ubuntu2) precise; urgency=low

  * Make sure that the nss.cfg doesn't mention any library path.
    LP: #939361, #939419.
  * Disable the accessibility wrapper, doesn't work yet. LP: #935296.

openjdk-7 (7~u3-2.1-1ubuntu1) precise; urgency=low

  [ Damien Raude-Morvan ]
  * d/patches/jexec.diff: Dropped, unneeded and not compatible with multi-arch.
  * d/rules: Use dpkg-buildflags to enable hardened build.
    (Closes: #660021).

  [ Matthias Klose ]
  * Merge r522 from openjdk6:
    - Make upgrades from non-multiarch to multiarch builds more silent.
    - Fix order of grant decls in java.policy.
    - Make doc files multi-arch installable.
    - JB-archive.applications.in: Use /usr/bin/java by default. Maybe
      should be moved to the default-jdk package.
  * Explicitly look for the gthread-2.0 pkgconfig module.

openjdk-7 (7~u3-2.1-1) unstable; urgency=low

  * Update icedtea7 2.1 (OpenJDK7 ~u3 release):
    - Check for logging to prevent wasted CPU (Closes: #651423).
  * Fix following security issues:
    - S7082299, CVE-2011-3571: Fix in AtomicReferenceArray
    - S7088367, CVE-2011-3563: Fix issues in java sound
    - S7110683, CVE-2012-0502: Issues with some KeyboardFocusManager method
    - S7110687, CVE-2012-0503: Issues with TimeZone class
    - S7110700, CVE-2012-0505: Enhance exception throwing mechanism in
    - S7110704, CVE-2012-0506: Issues with some method in corba
    - S7112642, CVE-2012-0497: Incorrect checking for graphics rendering object
    - S7118283, CVE-2012-0501: Better input parameter checking in zip file
    - S7126960, CVE-2011-5035: Add property to limit number of request headers
      to the HTTP Server

  [ Matthias Klose ]
  * openjdk-7-jre-lib: Mark as Multi-Arch: foreign.

  [ Damien Raude-Morvan ]
  * Merge r501-521 from openjdk6:
    - Fix plugin name in jinfo file.
    - Fix build flags for cppInterpreter_arm.o.
    - Use java-atk-wrapper instead of java-access-bridge for accessibility.
    - Make the java.policy file multi-arch installable.
    - Don't install desktop and menu files for multiarch builds.
      Needs a better solution.
    - Don't install an alternative for the deprecated apt tool.
    - Make the upgrade from a non-multiarch installation location more
      robust; don't depend on version numbers, but check the path of the
    - Disable test for armel and powerpc (broken on buildd)
  * d/rules: Make symbolic links to src.zip on /usr/lib/jvm/java-7-openjdk-amd64
    like openjdk-6-jdk (Closes: #649618).
  * d/rules: Pass -n to gzip when compressing manpages to be Multi-Arch: same safe.
  * d/rules: Add build-arch/build-indep target.
  * d/rules: Re-enable Cacao VM!
  * d/{rules,control}: Only rhino 1.7R3 is supported by openjdk7, update B-D.
  * d/patches/hotspot-s390.diff: Update for latest Hotspot.
  * d/patches/icedtea-patch.diff: Move nssLibraryDirectory handling to d/rules.
  * d/rules: Remove --with-*-drop-zip options, as code drops are embedded.
  * d/patches/hsx23-zero.patch, patches/shark-compiler-fixes.patch:
    Fix FTBFS for Zero under Hotspot >= v22.
  * d/patches/kfreebsd-*: Refreshed.
  * d/control: Make openjdk-7-source:all package binNMU-able by using
    Depends ">=" on openjdk-7-jre (ie. src.zip won't change).

openjdk-7 (7~b147-2.0-1) unstable; urgency=low

  * New upstream IcedTea7 release.
    - S7000600, CVE-2011-3547: InputStream skip() information leak.
    - S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor.
    - S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow.
    - S7032417, CVE-2011-3552: excessive default UDP socket limit under
    - S7046794, CVE-2011-3553: JAX-WS stack-traces information leak.
    - S7046823, CVE-2011-3544: missing SecurityManager checks in scripting
    - S7055902, CVE-2011-3521: IIOP deserialization code execution.
    - S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error
    - S7064341, CVE-2011-3389: HTTPS: block-wise chosen-plaintext attack
      against SSL/TLS (BEAST).
    - S7070134, CVE-2011-3558: HotSpot crashes with sigsegv from PorterStemmer.
    - S7077466, CVE-2011-3556: RMI DGC server remote code execution.
    - S7083012, CVE-2011-3557: RMI registry privileged code execution.
    - S7096936, CVE-2011-3560: missing checkSetFactory calls in

  [ Matthias Klose ]
  * Merge debian packaging r501 from openjdk-6:
    - Tighten inter-package dependencies for Debian builds. Closes: #641240.
  * Build-depend on wdiff.

Date: 2012-10-24 21:10:15.015054+00:00
Changed-By: Matthias Klose <doko at ubuntu.com>
Maintainer: OpenJDK <openjdk at lists.launchpad.net>
Signed-By: Jamie Strandboge <jamie at ubuntu.com>
