Accepted openjdk-7 7u151-2.6.11-2 (source) into experimental



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Nov 2017 21:24:32 +0100
Source: openjdk-7
Binary: openjdk-7-jdk openjdk-7-jre-headless openjdk-7-jre openjdk-7-jre-lib openjdk-7-demo openjdk-7-source openjdk-7-doc openjdk-7-dbg icedtea-7-jre-jamvm openjdk-7-jre-zero
Architecture: source
Version: 7u151-2.6.11-2
Distribution: experimental
Urgency: medium
Maintainer: OpenJDK Team <openjdk@lists.launchpad.net>
Changed-By: Matthias Klose <doko@ubuntu.com>
Description:
 icedtea-7-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
 openjdk-7-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-7-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-7-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-7-jdk - OpenJDK Development Kit (JDK)
 openjdk-7-jre - OpenJDK Java runtime, using
 openjdk-7-jre-headless - OpenJDK Java runtime, using  (headless)
 openjdk-7-jre-lib - OpenJDK Java runtime (architecture independent libraries)
 openjdk-7-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-7-source - OpenJDK Development Kit (JDK) source files
Closes: 881764
Changes:
 openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium
 .
   [ Tiago Stürmer Daitx ]
   * Backport of 8u151 security fixes. Closes: #881764.
   * Security patches:
     - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
       CardImpl can be recovered via finalization, then separate instances
       pointing to the same device can be created.
     - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
       readObject allocates an array based on data in the stream which could
       cause an OOM.
     - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
       thread can be used as the root of a Trusted Method Chain.
     - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
       possibly other Linux flavors) CR-NL in the host field are ignored and
       can be used to inject headers in an HTTP request stream.
     - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
       implementations can incorrectly take information from the unencrypted
       portion of the ticket from the KDC. This can lead to an MITM attack
       impersonating Kerberos services.
     - CVE-2017-10346, S8180711: Better alignment of special invocations. A
       missing load constraint for some invokespecial cases can allow invoking
       a method from an unrelated class.
     - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
       based on data in the serial stream without a limit on the size.
     - CVE-2017-10347, S8181323: Better timezone processing. An array is
       allocated based on data in the serial stream without a limit on the
       size.
     - CVE-2017-10349, S8181327: Better Node predications. An array is
       allocated based on data in the serial stream without a limit on the size.
     - CVE-2017-10345, S8181370: Better keystore handling. A malicious
       serialized object in a keystore can cause a DoS when using keytool.
     - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
       An array is allocated based on data in the serial stream without a limit
       on the size.
     - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
       serialized stream could cause an OOM due to lack of checking on the
       number of interfaces read from the stream for a Proxy.
     - CVE-2017-10355, S8181612: More stable connection processing. If an
       attack can cause an application to open a connection to a malicious FTP
       server (e.g., via XML), then a thread can be tied up indefinitely in
       accept(2).
     - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
       keystores should be retired from common use in favor of more modern
       keystore protections.
     - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
       check could lead to leaked memory contents.
     - CVE-2016-9841, S8184682: Upgrade compression library. There were four
       off by one errors found in the zlib library. Two of them are long typed
       which could lead to RCE.
   * debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused
     template breaks builds with gcc-6 due to macro conflict.
   * debian/rules: try /etc/os-release before lsb-release; allows one to check
     if patches still apply cleanly across distros from the command line by
     setting distrel.
Checksums-Sha1:
 85475db18f3a31f1e03f527867d84c2ada2f7134 4693 openjdk-7_7u151-2.6.11-2.dsc
 3ee99d032c540b99b4662c5a07e45777e5926947 194216 openjdk-7_7u151-2.6.11-2.debian.tar.xz
 45d1d472cbc21b158131f8693305d2186ba46c19 16089 openjdk-7_7u151-2.6.11-2_source.buildinfo
Checksums-Sha256:
 d3fb92001698a9b7017ce15a4f54b4d801c646a09ee2116dac81545d3efd99fe 4693 openjdk-7_7u151-2.6.11-2.dsc
 113ff457e519c784862338bcd9102068254acc1e1c64532224616de6c1c36c28 194216 openjdk-7_7u151-2.6.11-2.debian.tar.xz
 4eb7a0afa51503e9e48eceebb726a64fe68370bcd81f06568de8a98d86570a99 16089 openjdk-7_7u151-2.6.11-2_source.buildinfo
Files:
 edf1d04573ff0bce254d1222a30dc666 4693 java optional openjdk-7_7u151-2.6.11-2.dsc
 63a9edef331635a16a12d08b5b50c5c7 194216 java optional openjdk-7_7u151-2.6.11-2.debian.tar.xz
 afa858d26c0dccec58ad5067ffa85038 16089 java optional openjdk-7_7u151-2.6.11-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----