Format: 1.8
Date: Mon, 20 Nov 2017 21:24:32 +0100
Source: openjdk-7
Binary: openjdk-7-jdk openjdk-7-jre-headless openjdk-7-jre openjdk-7-jre-lib openjdk-7-demo openjdk-7-source openjdk-7-doc openjdk-7-dbg icedtea-7-jre-jamvm openjdk-7-jre-zero
Architecture: source
Version: 7u151-2.6.11-2
Distribution: experimental
Urgency: medium
Maintainer: OpenJDK Team <openjdk@lists.launchpad.net>
Changed-By: Matthias Klose <doko@ubuntu.com>
Description:
 icedtea-7-jre-jamvm - Alternative JVM for OpenJDK, using JamVM
 openjdk-7-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-7-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-7-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-7-jdk - OpenJDK Development Kit (JDK)
 openjdk-7-jre - OpenJDK Java runtime, using
 openjdk-7-jre-headless - OpenJDK Java runtime, using (headless)
 openjdk-7-jre-lib - OpenJDK Java runtime (architecture independent libraries)
 openjdk-7-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-7-source - OpenJDK Development Kit (JDK) source files
Closes: 881764
Changes:
 openjdk-7 (7u151-2.6.11-2) experimental; urgency=medium
 .
   [ Tiago Stürmer Daitx ]
   * Backport of 8u151 security fixes. Closes: #881764.
   * Security patches:
     - CVE-2017-10274, S8169026: Handle smartcard clean up better.
       If a CardImpl can be recovered via finalization, then separate
       instances pointing to the same device can be created.
     - CVE-2017-10281, S8174109: Better queuing priorities.
       PriorityQueue's readObject allocates an array based on data in the
       stream which could cause an OOM.
     - CVE-2017-10285, S8174966: Unreferenced references.
       RMI's Unreferenced thread can be used as the root of a Trusted
       Method Chain.
     - CVE-2017-10295, S8176751: Better URL connections.
       On Ubuntu (and possibly other Linux flavors) CR-NL in the host field
       are ignored and can be used to inject headers in an HTTP request
       stream.
     - CVE-2017-10388, S8178794: Correct Kerberos ticket grants.
       Kerberos implementations can incorrectly take information from the
       unencrypted portion of the ticket from the KDC. This can lead to an
       MITM attack impersonating Kerberos services.
     - CVE-2017-10346, S8180711: Better alignment of special invocations.
       A missing load constraint for some invokespecial cases can allow
       invoking a method from an unrelated class.
     - CVE-2017-10350, S8181100: Better Base Exceptions.
       An array is allocated based on data in the serial stream without a
       limit on the size.
     - CVE-2017-10347, S8181323: Better timezone processing.
       An array is allocated based on data in the serial stream without a
       limit on the size.
     - CVE-2017-10349, S8181327: Better Node predications.
       An array is allocated based on data in the serial stream without a
       limit on the size.
     - CVE-2017-10345, S8181370: Better keystore handling.
       A malicious serialized object in a keystore can cause a DoS when
       using keytool.
     - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
       An array is allocated based on data in the serial stream without a
       limit on the size.
     - CVE-2017-10357, S8181597: Process Proxy presentation.
       A malicious serialized stream could cause an OOM due to lack of
       checking on the number of interfaces read from the stream for a
       Proxy.
     - CVE-2017-10355, S8181612: More stable connection processing.
       If an attacker can cause an application to open a connection to a
       malicious FTP server (e.g., via XML), then a thread can be tied up
       indefinitely in accept(2).
     - CVE-2017-10356, S8181692: Update storage implementations.
       JKS and JCEKS keystores should be retired from common use in favor
       of more modern keystore protections.
     - CVE-2016-10165, S8183028: Improve CMS header processing.
       Missing bounds check could lead to leaked memory contents.
     - CVE-2016-9841, S8184682: Upgrade compression library.
       There were four off by one errors found in the zlib library. Two of
       them are long typed which could lead to RCE.
   * debian/patches/hotspot-aarch64-S8150652-unused-template.diff: unused
     template breaks builds with gcc-6 due to macro conflict.
   * debian/rules: try /etc/os-release before lsb-release; allows one to
     check if patches still apply cleanly across distros from the command
     line by setting distrel.
Checksums-Sha1:
 85475db18f3a31f1e03f527867d84c2ada2f7134 4693 openjdk-7_7u151-2.6.11-2.dsc
 3ee99d032c540b99b4662c5a07e45777e5926947 194216 openjdk-7_7u151-2.6.11-2.debian.tar.xz
 45d1d472cbc21b158131f8693305d2186ba46c19 16089 openjdk-7_7u151-2.6.11-2_source.buildinfo
Checksums-Sha256:
 d3fb92001698a9b7017ce15a4f54b4d801c646a09ee2116dac81545d3efd99fe 4693 openjdk-7_7u151-2.6.11-2.dsc
 113ff457e519c784862338bcd9102068254acc1e1c64532224616de6c1c36c28 194216 openjdk-7_7u151-2.6.11-2.debian.tar.xz
 4eb7a0afa51503e9e48eceebb726a64fe68370bcd81f06568de8a98d86570a99 16089 openjdk-7_7u151-2.6.11-2_source.buildinfo
Files:
 edf1d04573ff0bce254d1222a30dc666 4693 java optional openjdk-7_7u151-2.6.11-2.dsc
 63a9edef331635a16a12d08b5b50c5c7 194216 java optional openjdk-7_7u151-2.6.11-2.debian.tar.xz
 afa858d26c0dccec58ad5067ffa85038 16089 java optional openjdk-7_7u151-2.6.11-2_source.buildinfo