[ubuntu/trusty-updates] openjdk-7 7u151-2.6.11-2ubuntu0.14.04.1 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Wed Nov 29 08:58:11 UTC 2017

openjdk-7 (7u151-2.6.11-2ubuntu0.14.04.1) trusty-security; urgency=medium

  * Backport to 14.04.
  * debian/patches/hotspot-aarch64-S8145438-fix-field-too-big-for-insn.patch:
    the S8144028 fix was incomplete and followed up by S8145438; without it
    aarch64 JVM can fail with "Internal Error, failed: Field too big for

openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium

  [ Tiago Stürmer Daitx ]
  * Backport of 8u151 security fixes. Closes: #881764.
  * Security patches:
    - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
      CardImpl can be recovered via finalization, then separate instances
      pointing to the same device can be created.
    - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
      readObject allocates an array based on data in the stream which could
      cause an OOM.
    - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
      thread can be used as the root of a Trusted Method Chain.
    - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
      possibly other Linux flavors) CR-NL in the host field are ignored and
      can be used to inject headers in an HTTP request stream.
    - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
      implementations can incorrectly take information from the unencrypted
      portion of the ticket from the KDC. This can lead to an MITM attack
      impersonating Kerberos services.
    - CVE-2017-10346, S8180711: Better alignment of special invocations. A
      missing load constraint for some invokespecial cases can allow invoking
      a method from an unrelated class.
    - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
      based on data in the serial stream without a limit onthe size.
    - CVE-2017-10347, S8181323: Better timezone processing. An array is
      allocated based on data in the serial stream without a limit on the
    - CVE-2017-10349, S8181327: Better Node predications. An array is
      allocated based on data in the serial stream without a limit onthe size.
    - CVE-2017-10345, S8181370: Better keystore handling. A malicious
      serialized object in a keystore can cause a DoS when using keytool.
    - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
      An array is allocated based on data in the serial stream without a limit
      onthe size.
    - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
      serialized stream could cause an OOM due to lack on checking on the
      number of interfaces read from the stream for a Proxy.
    - CVE-2017-10355, S8181612: More stable connection processing. If an
      attack can cause an application to open a connection to a malicious FTP
      server (e.g., via XML), then a thread can be tied up indefinitely in
    - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
      keystores should be retired from common use in favor of more modern
      keystore protections.
    - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
      check could lead to leaked memory contents.
    - CVE-2016-9841, S8184682: Upgrade compression library. There were four
      off by one errors found in the zlib library. Two of them are long typed
      which could lead to RCE.
  * debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused
    template breaks builds with gcc-6 due to macro conflict.
  * debian/rules: try /etc/os-release before lsb-release; allows one to check
    if patches still apply cleanly across distros from the command line by
    setting distrel.

openjdk-7 (7u151-2.6.11-1) experimental; urgency=medium

  * IcedTea release 2.6.11 (based on 7u151). Closes: #869816.
  * Security fixes:
    - S8163958, CVE-2017-10102: Improved garbage collection.
    - S8167228: Update to libpng 1.6.28.
    - S8169209, CVE-2017-10053: Improved image post-processing steps.
    - S8169392, CVE-2017-10067: Additional jar validation steps.
    - S8170966, CVE-2017-10081: Right parenthesis issue.
    - S8172204, CVE-2017-10087: Better Thread Pool execution.
    - S8172461, CVE-2017-10089: Service Registration Lifecycle.
    - S8172465, CVE-2017-10090: Better handling of channel groups.
    - S8172469, CVE-2017-10096: Transform Transformer Exceptions.
    - S8173286, CVE-2017-10101: Better reading of text catalogs.
    - S8173697, CVE-2017-10107: Less Active Activations.
    - S8173770, CVE-2017-10074: Image conversion improvements.
    - S8174098, CVE-2017-10110: Better image fetching.
    - S8174105, CVE-2017-10108: Better naming attribution.
    - S8174113, CVE-2017-10109: Better sourcing of code.
    - S8174770: Check registry registration location.
    - S8174873: Improved certificate processing.
    - S8175106, CVE-2017-10115: Higher quality DSA operations.
    - S8175110, CVE-2017-10118: Higher quality ECDSA operations.
    - S8176055: JMX diagnostic improvements.
    - S8176067, CVE-2017-10116: Proper directory lookup processing.
    - S8176760, CVE-2017-10135: Better handling of PKCS8 material.
    - S8178135, CVE-2017-10176: Additional elliptic curve support.
    - S8181420, CVE-2017-10074: PPC: Image conversion improvements.
    - S8182054, CVE-2017-10243: Improve wsdl support.
    - S8183551, CVE-2017-10074, PR3423: AArch64: Image conversion improvements.
    - S8184119, CVE-2017-10111: Incorrect return processing for the LF editor
      of MethodHandles.permuteArguments.

  [ Tiago Stürmer Daitx ]
  * d/control.in:
    - remove @bd_compress@ dependency.
    - replace @bd_autotools@ with fixed dependencies.
  * d/control.tests: package to hold all tests artifacts and logs.
  * d/repack: fixed and simplified download script.
  * d/rules:
    - include openjdk-7-tests package on Ubuntu derivatives only.
    - only save the full jtreg results when the openjdk-7-tests package
      is being built, otherwise stick to old behaviour (keep compressed
      test summaries + failed test results). Closes: #863007, #865533.
    - only run the long jdk testsuite when default vm is a hotspot.
    - only run the full testsuite for zero alternative vm on very fast
      systems, otherwise stick to the hotspot testsuite to avoid long
      build times.
    - remove with_nss as all supported releases have it now.
    - remove gcc/g++ configurations for EOL releases.
    - keep libjpeg8 dependency on wheezy, replace it with libjpeg62-turbo
      on other Debian releases and libjpeg-turbo8 on Ubuntu. Closes: #766601.
    - remove old logic to depend on libcupsys2.
    - always set rhino_source, all supported releases have dpkg > 1.16.2.
    - remove bd_compress and pkg_compress as they haven't been used for
      quite a while.
    - remove with_wgy_zenhai logic, lenny is EOL.
    - remove bd_autotools logic if/then, call dh_autoreconf and
    - simplify bootstrap dependency logic and remove EOL releases.
    - remove EOL releases from gcc/g++ dependency logic.
    - remove unused jamvm_defaults and simplify jamvm_archs logic.
    - use ttf-indic-fonts for trusty, otherwise stick to fonts-indic.
    - patch configure after dh_autoreconf call to include additional
      /usr/lib/jvm directories; setting DEB_HOST_ARCH=alpha to check
      if patches apply correctly fails because alpha requires a jdk for
      bootstrap and IcedTea does not look into our usual directories.
  * d/p/fontconfig-arphic-uming.diff: removed, not used since lenny.
  * d/p/jdk-getAccessibleValue.diff: libatk-wrapper-java: File selection
    dialog not refreshed when changing directory. Kindly provided by
    Samuel Thibault. Closes: #827741.
  * d/p/jdk-S8173783-fix-illegalargumentexception-regression.patch:
    deleted, included in IcedTea 2.6.10.
  * d/p/kfreebsd-support-jdk.diff: updated, was failing to apply due to
    jdk changes in NetworkInterface.c.
  * d/p/sec-webrev-8u131-*.patch: deleted, included in IcedTea 2.6.10.
  * d/p/zero-sparc.diff: commented out chaitin.hpp hunk #1 as that #ifdef
    has been removed by JDK-8011621 (backported by IcedTea 2.6.10); this 
    was also backported to 7u131 through JDK-8160961 but then backed out,
    better keep the hunk in case IcedTea decides to back it out as well.

  [ Matthias Klose ]
  * Build using gcc-6 on recent releases.
  * Fix libjvm.so's .debug file names. Closes: #865749. LP: #1548434.

Date: 2017-11-23 14:42:17.339521+00:00
Changed-By: Tiago Stürmer Daitx <tiago.daitx at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list