[ubuntu/yakkety-security] openjdk-8 8u121-b13-0ubuntu1.16.10.2 (Accepted)
Steve Beattie
sbeattie at ubuntu.com
Wed Jan 25 20:30:38 UTC 2017
openjdk-8 (8u121-b13-0ubuntu1.16.10.2) yakkety-security; urgency=medium
* debian/buildwatch.sh: updated to stop it if no 'make' process is running,
as it probably means that the build failed - otherwise buildwatch keeps
the builder alive until it exits after the timer (3 hours by default)
expires.
* debian/rules: updated jtreg tests to use agentvm and auto concurrency.
openjdk-8 (8u121-b13-0ubuntu1.16.10.1) yakkety-security; urgency=medium
* Update to 8u121-b13, including security fixes:
- S8165344, CVE-2017-3272: A protected field can be leveraged into type
confusion.
- S8167104, CVE-2017-3289: Custom class constructor code can bypass the
required call to super.init allowing for uninitialized objects to be
created.
- S8156802, CVE-2017-3241: RMI deserialization should limit the types
deserialized to prevent attacks that could escape the sandbox.
- S8164143, CVE-2017-3260: It is possible to corrupt memory by calling
dispose() on a CMenuComponent multiple times.
- S8168714, CVE-2016-5546: ECDSA will accept signatures that have various
extraneous bytes added to them whereas the signature is supposed to be
unique.
- S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt
sections to be 2^32-1 bytes long so these should not be uncompressed
unless the user explicitly requests it.
- S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may
leak information about k.
- S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may
leak information about k.
- S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to
deserialize responses from an LDAP server when an LDAP context is
expected.
- S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how
users or external applications would interpret them leading to possible
security issues.
- S8168705, CVE-2016-5547: A value from an InputStream is read directly
into the size argument of a new byte[] without validation.
- S8164147, CVE-2017-3261: An integer overflow exists in
SocketOutputStream which can lead to memory disclosure.
- S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will
dispatch HTTP GET requests where the invoker does not have permission.
- S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when
long running sessions are allowed.
* debian/patches/8132051-zero.diff: superseded by upstream fix S8154210;
deleted.
* debian/patches/hotspot-JDK-8158260-ppc64el.patch: applied upstream;
deleted.
* debian/patches/6926048.diff: already applied upstream; deleted.
* debian/patches/jdk-ppc64el-S8170153.patch: improve StrictMath performance
on ppc64el. LP: #1646927.
* debian/patches/openjdk-ppc64el-S8170153.patch: same.
* debian/patches/jdk-841269-filechooser.patch: fix FileChooser behavior when
displaying links to non-existent files. Closes: #841269.
* Refreshed various patches.
openjdk-8 (8u111-b14-3) unstable; urgency=high
[ Tiago Stürmer Daitx ]
* Remove cacao references, updated jtreg tests to use agentvm and auto
concurrency.
* Run the jtreg tests on autopkg testing.
Date: 2017-01-23 15:17:14.348858+00:00
Changed-By: Tiago Stürmer Daitx <tiago.daitx at canonical.com>
Maintainer: OpenJDK <openjdk at lists.launchpad.net>
Signed-By: Steve Beattie <sbeattie at ubuntu.com>
https://launchpad.net/ubuntu/+source/openjdk-8/8u121-b13-0ubuntu1.16.10.2