[ubuntu/xenial-security] openjdk-8 8u111-b14-2ubuntu0.16.04.2 (Accepted)

Steve Beattie sbeattie at ubuntu.com
Wed Nov 2 21:31:46 UTC 2016

openjdk-8 (8u111-b14-2ubuntu0.16.04.2) xenial-security; urgency=medium

  * Backport to 16.04.

openjdk-8 (8u111-b14-2ubuntu0.16.10.2) yakkety-security; urgency=medium

  * debian/rules: remove samevm/othervm options from jtreg tests.
  * debian/buildwatch.sh: noisy and quiet logic blocks were swapped.

openjdk-8 (8u111-b14-2ubuntu0.16.10.1) yakkety-security; urgency=medium

  * Security fixes in 8u111:
    - CVE-2016-5568, S8158993: Service Menu services.
    - CVE-2016-5582, S8160591: Improve internal array handling.
    - CVE-2016-5573, S8159519: Reformat JDWP messages.
    - CVE-2016-5597, S8160838: Better HTTP service.
    - CVE-2016-5554, S8157739: Classloader Consistency Checking.
    - CVE-2016-5542, S8155973: Tighten jar checks.
  * debian/rules: removed all mauve and cacao references, updated jtreg tests
    to use agentvm and auto concurrency, use autoconf 2.68 for precise.
  * debian/buildwatch.sh: updated to stop it if no 'make' process is running,
    as it probably means that the build failed - otherwise buildwatch keeps
    the builder alive until it exits after the timer (3 hours by default)
  * debian/control.in: removed mauve and cacao references.
  * debian/copyright.cacao: deleted file.
  * debian/README.source: removed caco and mauve references.
  * debian/patches/aarch64.diff: removed cacao vm reference.
  * debian/patches/autoconf-2.68.diff: reduce minimum autoconf requirement to
  * debian/patches/autoconf-select.diff: deleted file as it has been replaced
    by autoconf 2.68 changes for precise.
  * debian/patches/cacao-armv4.diff: deleted file.
  * debian/tests/control: added autopkgtest to run jtreg testsuite.
  * debian/tests/jtreg-autopkgtest: run jtreg tests on autopkgtest.

openjdk-8 (8u111-b14-2) unstable; urgency=high

  * Apply the kfreebsd patches conditionally.

openjdk-8 (8u111-b14-1) unstable; urgency=high

  * Update to 8u111-b14, including security fixes.
  * Enable hotspot builds for sparc64. Closes: #835973.

openjdk-8 (8u102-b14.1-2) unstable; urgency=medium

  * Fix build failure with GCC 6. Closes: #811694.
  * Fix JamVM, lacking JVM_GetResourceLookupCacheURLs (Xerxes Rånby).
    Closes: #826206.
  * Explicitly build using GCC 6.

openjdk-8 (8u102-b14.1-1) unstable; urgency=medium

  * Use the 8u101 tarballs instead of the 8u102 tarballs (inventing a fake
    version number).

openjdk-8 (8u102-b14-2) unstable; urgency=medium

  * Update AArch64 and KFreeBSD patches.

openjdk-8 (8u102-b14-1) unstable; urgency=medium

  * Update to 8u101-b14, including security fixes:
  * IIOP Input Stream Hooking. CVE-2016-3458:
    defaultReadObject is not forbidden in readObject in subclasses of
    InputStreamHook which provides leverage to deserialize malicious objects
    if a reference to the input stream can be obtained separately.
  * Complete name checking. S8148872, CVE-2016-3500:
    In some cases raw names in XML data are not checked for length limits
    allowing for DoS attacks.
  * Better delineation of XML processing. S8149962, CVE-2016-3508:
    Denial of service measures do not take newline characters into account.
    This can be used to conduct attacks like the billion laughs DoS.
  * Coded byte streams. S8152479, CVE-2016-3550:
    A fuzzed class file triggers an integer overflow in array access.
  * Clean up lookup visibility. S8154475, CVE-2016-3587:
    A fast path change allowed access to MH.invokeBasic via the public lookup
    object. MH.iB does not do full type checking which can be used to create
    type confusion.
  * Bolster bytecode verification. S8155981, CVE-2016-3606:
    The bytecode verifier checks that any classes' <init> method calls
    super.<init> before returning. There is a way to bypass this requirement
    which allows creating subclasses of classes that are not intended to be
  * Persistent Parameter Processing. S8155985, CVE-2016-3598:
    TOCTOU issue with types List passed into dropArguments() which can be used
    to cause type confusion.
  * Additional method handle validation. S8158571, CVE-2016-3610:
    MHs.filterReturnValue does not check the filter parameter list size.
    The single expected parameter is put in the last parameter position for
    the filter MH allowing for type confusion.
  * Enforce GCM limits. S8146514:
    In GCM the counter should not be allowed to wrap (per the spec), since that
    plus exposing the encrypted data could lead to leaking information.
  * Construction of static protection domains. S8147771:
    SubjectDomainCombiner does not honor the staticPermission field and will
    create ProtectionDomains that vary with the system policy which may allow
    unexpected permission sets.
  * Share Class Data. S8150752:
    Additional verification of AppCDS archives is required to prevent an
    attacker from creating a type confusion situation.
  * Enforce update ordering. S8149070:
    If the GCM methods update() and updateAAD() are used out of order, the
    security of the system can be weakened and an exception should be thrown
    to warn the developer.
  * Constrain AppCDS behavior. S8153312:
    AppCDS does not create classloader constraints upon reloading classes
    which could allow class spoofing under some circumstances.

Date: 2016-10-27 14:35:14.498946+00:00
Changed-By: Tiago Stürmer Daitx <tiago.daitx at canonical.com>
Maintainer: OpenJDK <openjdk at lists.launchpad.net>
Signed-By: Steve Beattie <sbeattie at ubuntu.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Xenial-changes mailing list