[ubuntu/precise-security] openjdk-7 7u121-2.6.8-1ubuntu0.12.04.3 (Accepted)

Steve Beattie sbeattie at ubuntu.com
Wed Feb 8 22:20:31 UTC 2017 

openjdk-7 (7u121-2.6.8-1ubuntu0.12.04.3) precise-security; urgency=medium

  * Backport to 12.04

openjdk-7 (7u121-2.6.8-1ubuntu0.14.04.3) trusty-security; urgency=medium

  * Security fixes from 8u121:
    - S8167104, CVE-2017-3289: Custom class constructor code can bypass the
      required call to super.init allowing for uninitialized objects to be
      created.
    - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling
      dispose() on a CMenuComponentmultiple times.
    - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various
      extraneous bytes added to them whereas the signature is supposed to be
      unique.
    - S8166988, CVE-2017-3253: The PNG specification allows the [iz}Txt
      sections to be 2^32-1 bytes long so these should not be uncompressed
      unless the user explicitly requests it.
    - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may
      leak information about k.
    - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to
      deserialize responses from an LDAP server when an LDAP context is
      expected.
    - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how
      users or external applications would interpret them leading to possible
      security issues.
    - S8168705, CVE-2016-5547: A value from an InputStream is read directly
      into the size argument of a new byte[] without validation.
    - S8164147, CVE-2017-3261: An integer overflow exists in
      SocketOutputStream which can lead to memorydisclosure.
    - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will
      dispatch HTTP GET requests where the invoker does not have permission.
    - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when
      long running sessions are allowed.
    - S8165344, CVE-2017-3272: A protected field can be leveraged into type
      confusion.
    - S8156802, CVE-2017-3241: RMI deserialization should limit the types
      deserialized to prevent attacks that could escape the sandbox.

openjdk-7 (7u121-2.6.8-1ubuntu0.14.04.1) trusty-security; urgency=medium

  * Backport to Ubuntu 14.04.
  * IcedTea release 2.6.8 (based on 7u121):
  * Security fixes
    - S8151921: Improved page resolution
    - S8155968: Update command line options
    - S8155973, CVE-2016-5542: Tighten jar checks
    - S8157176: Improved classfile parsing
    - S8157739, CVE-2016-5554: Classloader Consistency Checking
    - S8157749: Improve handling of DNS error replies
    - S8157753: Audio replay enhancement
    - S8157759: LCMS Transform Sampling Enhancement
    - S8157764: Better handling of interpolation plugins
    - S8158302: Handle contextual glyph substitutions
    - S8158993, CVE-2016-5568: Service Menu services
    - S8159495: Fix index offsets
    - S8159503: Amend Annotation Actions
    - S8159511: Stack map validation
    - S8159515: Improve indy validation
    - S8159519, CVE-2016-5573: Reformat JDWP messages
    - S8160090: Better signature handling in pack200
    - S8160094: Improve pack200 layout
    - S8160098: Clean up color profiles
    - S8160591, CVE-2016-5582: Improve internal array handling
    - S8160838, CVE-2016-5597: Better HTTP service
    - PR3207, RH1367357: lcms2: Out-of-bounds read in Type_MLU_Read()

Date: 2017-02-07 18:01:14.368903+00:00
Changed-By: Tiago Stürmer Daitx <tiago.daitx at canonical.com>
Maintainer: OpenJDK <openjdk at lists.launchpad.net>
Signed-By: Steve Beattie <sbeattie at ubuntu.com>
https://launchpad.net/ubuntu/+source/openjdk-7/7u121-2.6.8-1ubuntu0.12.04.3
-------------- next part --------------
Sorry, changesfile not available.

More information about the Precise-changes mailing list