-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 26 Jul 2016 13:00:12 +0200
Source: openjdk-8
Binary: openjdk-8-jdk-headless openjdk-8-jre-headless openjdk-8-jdk openjdk-8-jre openjdk-8-demo openjdk-8-source openjdk-8-doc openjdk-8-dbg openjdk-8-jre-jamvm openjdk-8-jre-zero
Architecture: source
Version: 8u102-b14-2
Distribution: unstable
Urgency: medium
Maintainer: OpenJDK Team <openjdk@lists.launchpad.net>
Changed-By: Matthias Klose <doko@ubuntu.com>
Description:
 openjdk-8-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-8-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-8-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-8-jdk - OpenJDK Development Kit (JDK)
 openjdk-8-jdk-headless - OpenJDK Development Kit (JDK) (headless)
 openjdk-8-jre - OpenJDK Java runtime, using ${vm:Name}
 openjdk-8-jre-headless - OpenJDK Java runtime, using ${vm:Name} (headless)
 openjdk-8-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
 openjdk-8-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-8-source - OpenJDK Development Kit (JDK) source files
Changes:
 openjdk-8 (8u102-b14-2) unstable; urgency=medium
 .
   * Update AArch64 and KFreeBSD patches.
 .
 openjdk-8 (8u102-b14-1) unstable; urgency=medium
 .
   * Update to 8u101-b14, including security fixes:
     * IIOP Input Stream Hooking. CVE-2016-3458: defaultReadObject is not
       forbidden in readObject in subclasses of InputStreamHook which
       provides leverage to deserialize malicious objects if a reference to
       the input stream can be obtained separately.
     * Complete name checking. S8148872, CVE-2016-3500: In some cases raw
       names in XML data are not checked for length limits allowing for DoS
       attacks.
     * Better delineation of XML processing. S8149962, CVE-2016-3508: Denial
       of service measures do not take newline characters into account.
       This can be used to conduct attacks like the billion laughs DoS.
     * Coded byte streams. S8152479, CVE-2016-3550: A fuzzed class file
       triggers an integer overflow in array access.
     * Clean up lookup visibility. S8154475, CVE-2016-3587: A fast path
       change allowed access to MH.invokeBasic via the public lookup object.
       MH.iB does not do full type checking which can be used to create
       type confusion.
     * Bolster bytecode verification. S8155981, CVE-2016-3606: The bytecode
       verifier checks that any classes' <init> method calls super.<init>
       before returning. There is a way to bypass this requirement which
       allows creating subclasses of classes that are not intended to be
       extended.
     * Persistent Parameter Processing. S8155985, CVE-2016-3598: TOCTOU
       issue with types List passed into dropArguments() which can be used
       to cause type confusion.
     * Additional method handle validation. S8158571, CVE-2016-3610:
       MHs.filterReturnValue does not check the filter parameter list size.
       The single expected parameter is put in the last parameter position
       for the filter MH allowing for type confusion.
     * Enforce GCM limits. S8146514: In GCM the counter should not be
       allowed to wrap (per the spec), since that plus exposing the
       encrypted data could lead to leaking information.
     * Construction of static protection domains. S8147771:
       SubjectDomainCombiner does not honor the staticPermission field and
       will create ProtectionDomains that vary with the system policy which
       may allow unexpected permission sets.
     * Share Class Data. S8150752: Additional verification of AppCDS
       archives is required to prevent an attacker from creating a type
       confusion situation.
     * Enforce update ordering. S8149070: If the GCM methods update() and
       updateAAD() are used out of order, the security of the system can be
       weakened and an exception should be thrown to warn the developer.
     * Constrain AppCDS behavior. S8153312: AppCDS does not create
       classloader constraints upon reloading classes which could allow
       class spoofing under some circumstances.
Checksums-Sha1:
 5a3ca188c675e3c57cab6fa7469a7fc60eee72ff 4479 openjdk-8_8u102-b14-2.dsc
 2ad59442493ba04165b32d3f27e8eb31b3f8acbb 228444 openjdk-8_8u102-b14-2.debian.tar.xz
Checksums-Sha256:
 cbf037cbac3642dc87fa164bbe853901f5fd43cc5090daf258a58bfc06fe0a92 4479 openjdk-8_8u102-b14-2.dsc
 39e4a055d7940d316c868c30378ece39cfa7a97816c50152081198ad16c13463 228444 openjdk-8_8u102-b14-2.debian.tar.xz
Files:
 e12b02b301450b7995bd471388385716 4479 java optional openjdk-8_8u102-b14-2.dsc
 4699c5bb03114aa284b215acede8909d 228444 java optional openjdk-8_8u102-b14-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXl0zPAAoJEL1+qmB3j6b1YG4QAJfA6aWC/ctsM1+jC0oqq2Rc
XURZcvWVuSl3CJQ8wsMWQXGU4WPVZx/GlYgzue3xgsykfQZINvTx2ndqxRfE8YKk
hnhip3phoMmGhK5CcjXabJq14QvsvDBc+9DWw4jVCac81FtixXpwVxXPae4oUXqD
yhGKkXH1MPOnHWcBrey9zB/2DXNyE13l9kiqIJMfi+8xeeGHoLZqHt9LUW5G2PLO
JkX0A+USVuX/4jVIE7XDnTl1p/yXa0epCrd4WLuJJEXeyYxji3Z/KdgjImwv4o1q
TygwTfkSSId302PdjNYWdvWjbwLzwLz+ZPiLZlgNRq37IpGCkiKRj0kFONORDKxE
Euo9S96/eL8jIdtnqXlxkuFG6/M5DFi+F2lWV0M/QX+Y7ZlitFYKGlrFzvOcTtLv
/GIOMDFBoY1l7A339obtS+dHIJ2cVLF6IzrHgitW1lWITBD/+6V7GMJJgGyxSyaN
FG/3UOeeaWNe5NPVMwQfsDhaOgyOJVMWQ33FfH9ZYCljcBH9Y7TDAiqie5vydATk
8lhWH4EcX2WFPOxHkmCmqYZ42wXIFOQkiYAkeo2cVRd6jq+dDy49liKlea2vRrxI
lTMtUcmIJi0Q56jvn4wF/XIlfVbd7+Kll1n4O1Q9KWTK1cdHIg1WcPNOaEvop6la
qx1V+athU4HDX7GVfci8
=CyiN
-----END PGP SIGNATURE-----