Accepted openjdk-7 7u151-2.6.11-2 (source) into experimental

Format: 1.8
Date: Mon, 20 Nov 2017 21:24:32 +0100
Source: openjdk-7
Binary: openjdk-7-jdk openjdk-7-jre-headless openjdk-7-jre openjdk-7-jre-lib openjdk-7-demo openjdk-7-source openjdk-7-doc openjdk-7-dbg icedtea-7-jre-jamvm openjdk-7-jre-zero
Architecture: source
Version: 7u151-2.6.11-2
Distribution: experimental
Urgency: medium
Maintainer: OpenJDK Team <>
Changed-By: Matthias Klose <>
Description:
 icedtea-7-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
 openjdk-7-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-7-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-7-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-7-jdk - OpenJDK Development Kit (JDK)
 openjdk-7-jre - OpenJDK Java runtime, using
 openjdk-7-jre-headless - OpenJDK Java runtime, using  (headless)
 openjdk-7-jre-lib - OpenJDK Java runtime (architecture independent libraries)
 openjdk-7-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-7-source - OpenJDK Development Kit (JDK) source files
Closes: 881764
Changes:
 openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium
   [ Tiago Stürmer Daitx ]
   * Backport of 8u151 security fixes. Closes: #881764.
   * Security patches:
     - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
       CardImpl can be recovered via finalization, then separate instances
       pointing to the same device can be created.
     - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
       readObject allocates an array based on data in the stream which could
       cause an OOM.
     - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
       thread can be used as the root of a Trusted Method Chain.
     - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
       possibly other Linux flavors) CR-NL in the host field are ignored and
       can be used to inject headers in an HTTP request stream.
     - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
       implementations can incorrectly take information from the unencrypted
       portion of the ticket from the KDC. This can lead to an MITM attack
       impersonating Kerberos services.
     - CVE-2017-10346, S8180711: Better alignment of special invocations. A
       missing load constraint for some invokespecial cases can allow invoking
       a method from an unrelated class.
     - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
       based on data in the serial stream without a limit on the size.
     - CVE-2017-10347, S8181323: Better timezone processing. An array is
       allocated based on data in the serial stream without a limit on the
     - CVE-2017-10349, S8181327: Better Node predications. An array is
       allocated based on data in the serial stream without a limit on the size.
     - CVE-2017-10345, S8181370: Better keystore handling. A malicious
       serialized object in a keystore can cause a DoS when using keytool.
     - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
       An array is allocated based on data in the serial stream without a limit
       on the size.
     - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
       serialized stream could cause an OOM due to lack of checking on the
       number of interfaces read from the stream for a Proxy.
     - CVE-2017-10355, S8181612: More stable connection processing. If an
       attack can cause an application to open a connection to a malicious FTP
       server (e.g., via XML), then a thread can be tied up indefinitely in
     - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
       keystores should be retired from common use in favor of more modern
       keystore protections.
     - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
       check could lead to leaked memory contents.
     - CVE-2016-9841, S8184682: Upgrade compression library. There were four
       off by one errors found in the zlib library. Two of them are long typed
       which could lead to RCE.
   * debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused
     template breaks builds with gcc-6 due to macro conflict.
   * debian/rules: try /etc/os-release before lsb-release; allows one to check
     if patches still apply cleanly across distros from the command line by
     setting distrel.
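Several of the entries above (S8174109, S8181100, S8181323, S8181327, S8181432, S8181597) describe the same defect class: a custom readObject sizes an array from a count carried in the serialized stream before any element has been read, so a few bytes claiming a huge count cost a huge allocation. The following is an added illustration of that pattern beside its hardened form; it is example code, not code from OpenJDK or from the Debian package, and the class names, the MAX_ELEMENTS limit and the sample data are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

// Constructed example (not OpenJDK or Debian code): two serializable
// containers whose custom readObject takes an element count from the stream.
public final class BoundedDeserialization {

    // Vulnerable shape: the array is sized from the count in the stream before
    // a single element has been read, so a stream claiming a huge count costs
    // a huge allocation (the OOM the changelog entries describe).
    static final class NaiveBag implements Serializable {
        private static final long serialVersionUID = 1L;
        transient Object[] items = new Object[0];

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(items.length);
            for (Object o : items) out.writeObject(o);
        }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int n = in.readInt();
            items = new Object[n];                 // size trusted from the stream
            for (int i = 0; i < n; i++) items[i] = in.readObject();
        }
    }

    // Hardened shape: reject implausible counts outright (MAX_ELEMENTS is an
    // assumed application limit) and let the array grow only as elements really
    // arrive, so memory use is bounded by bytes actually present in the stream.
    static final class BoundedBag implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final int MAX_ELEMENTS = 1 << 16;   // assumed limit
        transient Object[] items = new Object[0];

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(items.length);
            for (Object o : items) out.writeObject(o);
        }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int n = in.readInt();
            if (n < 0 || n > MAX_ELEMENTS) {
                throw new InvalidObjectException("implausible element count: " + n);
            }
            Object[] buf = new Object[Math.min(n, 16)];   // small initial capacity
            for (int i = 0; i < n; i++) {
                if (i == buf.length) {
                    buf = Arrays.copyOf(buf, Math.min(n, buf.length * 2));
                }
                buf[i] = in.readObject();   // a truncated stream fails here, before growing further
            }
            items = buf;
        }
    }

    static byte[] serialize(Serializable s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(s);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedBag bag = new BoundedBag();
        bag.items = new Object[] { "alpha", 42, Boolean.TRUE };   // constructed sample data
        BoundedBag copy = (BoundedBag) deserialize(serialize(bag));
        System.out.println("round trip: " + Arrays.toString(copy.items));
        // A stream whose count exceeds MAX_ELEMENTS is rejected with
        // InvalidObjectException before any large array exists; a stream whose
        // count exceeds its real content fails with EOFException at the first
        // missing element, having grown the buffer only as far as real data went.
    }
}
```

The upper bound alone is not enough on its own: a count just under the limit still buys an allocation for free if the array is sized up front, which is why the hardened readObject also grows the buffer as elements are actually read. The 8u151 fixes in the entries above apply the same idea inside the JDK's own classes; the per-application limit here stands in for whatever bound a given deployment can justify.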
