[ubuntu/xenial-updates] openjdk-8 8u162-b12-0ubuntu0.16.04.2 (Accepted)
Ubuntu Archive Robot
cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Mon Apr 2 17:58:21 UTC 2018
openjdk-8 (8u162-b12-0ubuntu0.16.04.2) xenial-security; urgency=medium
* d/rules, d/control: revert GTK3 dependency to GTK 2.
openjdk-8 (8u162-b12-0ubuntu0.16.04.1) xenial-security; urgency=medium
* Backport to 16.04.
openjdk-8 (8u162-b12-0ubuntu0.17.10.1) artful-security; urgency=medium
* Update to 8u162-b12. Hotspot 8u162-b12 for aarch32 and 8u161-b16
for aarch64 (with 8u162-b12 patches).
* Security updates:
- CVE-2018-2633,S8186606: Improve LDAP lookup robustness.
- CVE-2018-2637,S8186998: Improve JMX supportive features.
- CVE-2018-2634,S8186600: Improve property negotiations.
- CVE-2018-2582,S8174962: Better interface invocations.
- CVE-2018-2641,S8185325: Improve GTK initialization.
- CVE-2018-2618,S8185292: Stricter key generation.
- CVE-2018-2629,S8186212: Improve GSS handling.
- CVE-2018-2603,S8182387: Improve PKCS usage.
- CVE-2018-2599,S8182125: Improve reliability of DNS lookups.
- CVE-2018-2602,S8182601: Improve usage messages.
- CVE-2018-2588,S8178449: Improve LDAP logins.
- CVE-2018-2678,S8191142: More refactoring for naming deserialization
cases.
- CVE-2018-2677,S8190289: More refactoring for client deserialization
cases.
- CVE-2018-2663,S8189284: More refactoring for deserialization cases.
- CVE-2018-2579,S8172525: Improve key keying case.
* d/p/aarch64-hotspot-8u162-b12.patch: update aarch64 hotspot to 8u162-b12.
* d/p/icedtea-4953367.patch: removed, fixed upstream by "S8136570: Stop
changing user environment variables related to /usr/dt".
* d/p/gcc6.diff: removed, fixed upstream.
* d/p/jdk-getAccessibleValue.diff: updated, removed chunks fixed upstream
by "S8076249: NPE in AccessBridge while editing JList model" and
"S8145207: [macosx] JList, VO can't access non-visible list items".
* d/p/openjdk-ppc64el-S8170153.patch, d/p/8164293.diff,
d/p/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch,
d/p/hotspot-ppc64el-S8168318-cmpldi.patch,
d/p/hotspot-ppc64el-S8170328-andis.patch,
d/p/hotspot-ppc64el-S8175813-mbind-invalid-argument.patch,
d/p/hotspot-ppc64el-S8181055-use-numa-v2-api.patch,
d/p/hotspot-ppc64el-S8181810-leverage-extrdi.patch: removed,
applied upstream.
* d/rules, d/control: depend on GTK3 instead of GTK2. LP: #1735482.
* d/rules: wait 10 seconds before issuing SIGKILL to buildwatch.
* d/buildwatch.sh: find hs_err files and cat them to help debugging build
failures.
* S8173853: IllegalArgumentException in java.awt.image.ReplicateScaleFilter.
LP: #8173853.
openjdk-8 (8u151-b12-1) unstable; urgency=high
* Update to 8u151-b12. Hotspot 8u144-b01 for aarch32 with 8u151 hotspot
patches.
[ Tiago Stürmer Daitx ]
* Security patches:
- CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
CardImpl can be recovered via finalization, then separate instances
pointing to the same device can be created.
- CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
readObject allocates an array based on data in the stream which could
cause an OOM.
- CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
thread can be used as the root of a Trusted Method Chain.
- CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
possibly other Linux flavors) CR-NL in the host field are ignored and
can be used to inject headers in an HTTP request stream.
- CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
implementations can incorrectly take information from the unencrypted
portion of the ticket from the KDC. This can lead to an MITM attack
impersonating Kerberos services.
- CVE-2017-10346, S8180711: Better alignment of special invocations. A
missing load constraint for some invokespecial cases can allow invoking
a method from an unrelated class.
- CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
based on data in the serial stream without a limit on the size.
- CVE-2017-10347, S8181323: Better timezone processing. An array is
allocated based on data in the serial stream without a limit on the
size.
- CVE-2017-10349, S8181327: Better Node predications. An array is
allocated based on data in the serial stream without a limit on the size.
- CVE-2017-10345, S8181370: Better keystore handling. A malicious
serialized object in a keystore can cause a DoS when using keytool.
- CVE-2017-10348, S8181432: Better processing of unresolved permissions.
An array is allocated based on data in the serial stream without a limit
on the size.
- CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
serialized stream could cause an OOM due to lack of checking on the
number of interfaces read from the stream for a Proxy.
- CVE-2017-10355, S8181612: More stable connection processing. If an
attack can cause an application to open a connection to a malicious FTP
server (e.g., via XML), then a thread can be tied up indefinitely in
accept(2).
- CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
keystores should be retired from common use in favor of more modern
keystore protections.
- CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
check could lead to leaked memory contents.
- CVE-2016-9841, S8184682: Upgrade compression library. There were four
off by one errors found in the zlib library. Two of them are long typed
which could lead to RCE.
* debian/rules:
- openjdk8 now ships limited and unlimited policy.jar files (S8157561)
into their own directories under jre/lib/security/policy.
* debian/rules, d/p/sec-webrev-8u151-hotspot-8179084.patch,
d/p/sec-webrev-8u151-hotspot-8180711.patch: Apply hotspot security updates
to both aarch32 and aarch64.
* d/p/gcc6.diff, d/p/aarch64.diff, d/p/aarch32.diff, d/p/m68k-support.diff,
d/p/system-libjpeg.diff: Remove hunks related to the generated configure
file generated during the build.
* d/p/hotspot-ppc64el-S8168318-cmpldi.patch: Use cmpldi instead of li/cmpld.
LP: #1723893.
* d/p/hotspot-ppc64el-S8170328-andis.patch: Use andis instead of lis/and.
LP: #1723862.
* d/p/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch: Add
Montgomery multiply intrinsic. LP: #1723860.
* d/p/hotspot-ppc64el-S8181810-leverage-extrdi.patch: Leverage extrdi for
bitfield extract is absent in OpenJDK 8. LP: #1723861.
* d/p/jdk-S8165852-overlayfs.patch: Mount point not found for a file which
is present in overlayfs.
[ Matthias Klose ]
* Bump standards version.
Date: 2018-03-14 11:45:24.661809+00:00
Changed-By: Tiago Stürmer Daitx <tiago.daitx at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/openjdk-8/8u162-b12-0ubuntu0.16.04.2