Accepted openjdk-8 8u151-b12-1 (source) into unstable

To: debian-devel-changes@lists.debian.org
Subject: Accepted openjdk-8 8u151-b12-1 (source) into unstable
From: Matthias Klose <doko@ubuntu.com>
Date: Wed, 01 Nov 2017 06:34:13 +0000
Message-id: <[🔎] E1e9mbN-00080H-3j@fasolo.debian.org>
Mail-followup-to: debian-devel@lists.debian.org
Reply-to: debian-devel@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Nov 2017 07:12:56 +0100
Source: openjdk-8
Binary: openjdk-8-jdk-headless openjdk-8-jre-headless openjdk-8-jdk openjdk-8-jre openjdk-8-demo openjdk-8-source openjdk-8-doc openjdk-8-dbg openjdk-8-jre-zero
Architecture: source
Version: 8u151-b12-1
Distribution: unstable
Urgency: high
Maintainer: OpenJDK Team <openjdk@lists.launchpad.net>
Changed-By: Matthias Klose <doko@ubuntu.com>
Description:
 openjdk-8-dbg - Java runtime based on OpenJDK (debugging symbols)
 openjdk-8-demo - Java runtime based on OpenJDK (demos and examples)
 openjdk-8-doc - OpenJDK Development Kit (JDK) documentation
 openjdk-8-jdk - OpenJDK Development Kit (JDK)
 openjdk-8-jdk-headless - OpenJDK Development Kit (JDK) (headless)
 openjdk-8-jre - OpenJDK Java runtime, using
 openjdk-8-jre-headless - OpenJDK Java runtime, using  (headless)
 openjdk-8-jre-zero - Alternative JVM for OpenJDK, using Zero/Shark
 openjdk-8-source - OpenJDK Development Kit (JDK) source files
Changes:
 openjdk-8 (8u151-b12-1) unstable; urgency=high
 .
   * Update to 8u151-b12. Hotspot 8u144-b01 for aarch32 with 8u151 hotspot
     patches.
 .
   [ Tiago Stürmer Daitx ]
   * Security patches:
     - CVE-2017-10274, S8169026: Handle smartcard clean up better. If a
       CardImpl can be recovered via finalization, then separate instances
       pointing to the same device can be created.
     - CVE-2017-10281, S8174109: Better queuing priorities. PriorityQueue's
       readObject allocates an array based on data in the stream which could
       cause an OOM.
     - CVE-2017-10285, S8174966: Unreferenced references. RMI's Unreferenced
       thread can be used as the root of a Trusted Method Chain.
     - CVE-2017-10295, S8176751: Better URL connections. On Ubuntu (and
       possibly other Linux flavors) CR-NL in the host field are ignored and
       can be used to inject headers in an HTTP request stream.
     - CVE-2017-10388, S8178794: Correct Kerberos ticket grants. Kerberos
       implementations can incorrectly take information from the unencrypted
       portion of the ticket from the KDC. This can lead to an MITM attack
       impersonating Kerberos services.
     - CVE-2017-10346, S8180711: Better alignment of special invocations. A
       missing load constraint for some invokespecial cases can allow invoking
       a method from an unrelated class.
     - CVE-2017-10350, S8181100: Better Base Exceptions. An array is allocated
       based on data in the serial stream without a limit onthe size.
     - CVE-2017-10347, S8181323: Better timezone processing. An array is
       allocated based on data in the serial stream without a limit on the
       size.
     - CVE-2017-10349, S8181327: Better Node predications. An array is
       allocated based on data in the serial stream without a limit onthe size.
     - CVE-2017-10345, S8181370: Better keystore handling. A malicious
       serialized object in a keystore can cause a DoS when using keytool.
     - CVE-2017-10348, S8181432: Better processing of unresolved permissions.
       An array is allocated based on data in the serial stream without a limit
       onthe size.
     - CVE-2017-10357, S8181597: Process Proxy presentation. A malicious
       serialized stream could cause an OOM due to lack on checking on the
       number of interfaces read from the stream for a Proxy.
     - CVE-2017-10355, S8181612: More stable connection processing. If an
       attack can cause an application to open a connection to a malicious FTP
       server (e.g., via XML), then a thread can be tied up indefinitely in
       accept(2).
     - CVE-2017-10356, S8181692: Update storage implementations. JKS and JCEKS
       keystores should be retired from common use in favor of more modern
       keystore protections.
     - CVE-2016-10165, S8183028: Improve CMS header processing. Missing bounds
       check could lead to leaked memory contents.
     - CVE-2016-9841, S8184682: Upgrade compression library. There were four
       off by one errors found in the zlib library. Two of them are long typed
       which could lead to RCE.
   * debian/rules:
     - openjdk8 now ships limited and unlimited policy.jar files (S8157561)
       into their own directories under jre/lib/security/policy.
   * debian/rules, d/p/sec-webrev-8u151-hotspot-8179084.patch,
     d/p/sec-webrev-8u151-hotspot-8180711.patch: Apply hotspot security updates
     to both aarch32 and aarch64.
   * d/p/gcc6.diff, d/p/aarch64.diff, d/p/aarch32.diff, d/p/m68k-support.diff,
     d/p/system-libjpeg.diff: Remove hunks related to the generated configure
     file generated during the build.
   * d/p/hotspot-ppc64el-S8168318-cmpldi.patch: Use cmpldi instead of li/cmpld.
     LP: #1723893.
   * d/p/hotspot-ppc64el-S8170328-andis.patch: Use andis instead of lis/and.
     LP: #1723862.
   * d/p/hotspot-ppc64el-S8145913-montgomery-multiply-intrinsic.patch: Add
     Montgomery multiply intrinsic. LP: #1723860.
   * d/p/hotspot-ppc64el-S8181810-leverage-extrdi.patch: Leverage extrdi for
     bitfield extract is absent in OpenJDK 8. LP: #1723861.
   * d/p/jdk-S8165852-overlayfs.patch: Mount point not found for a file which
     is present in overlayfs.
 .
   [ Matthias Klose ]
   * Bump standards version.
Checksums-Sha1:
 d811bdaf2a49677cc0c3ebeb7a65c4b4a4551708 4456 openjdk-8_8u151-b12-1.dsc
 88d3574f63bd94c1e32c130c1b71e273e5a28ae5 70121877 openjdk-8_8u151-b12.orig.tar.gz
 794f8c6980956bdcfcb19efb58413f611de8cc86 252832 openjdk-8_8u151-b12-1.debian.tar.xz
 57583480b8e6709b68dd6f9d26fc290d83aa6a78 15733 openjdk-8_8u151-b12-1_source.buildinfo
Checksums-Sha256:
 96f2d6982f2de7d9006d851b7cbf9dfebb300c57bb65e3090c03e339cd2388eb 4456 openjdk-8_8u151-b12-1.dsc
 3a81eb858ceadaab9a14190aae800aace0f1b5f86b2e9707b9a9e30b7aca248c 70121877 openjdk-8_8u151-b12.orig.tar.gz
 eb56f974b8761e9287037b40d1eefb8ebd4773739c3d13a5f7e9b65ae69ace1a 252832 openjdk-8_8u151-b12-1.debian.tar.xz
 89074e77d48765244c1a0cbfaa5b6e5405927edd90c7bae6a10e04e94a1b4c02 15733 openjdk-8_8u151-b12-1_source.buildinfo
Files:
 e756f4c7b1cd8fe4060924df284738d5 4456 java optional openjdk-8_8u151-b12-1.dsc
 5d5befdaf8f6df93befa5fc8c69e786d 70121877 java optional openjdk-8_8u151-b12.orig.tar.gz
 234de2af1b6b18d223d7add1f09b9598 252832 java optional openjdk-8_8u151-b12-1.debian.tar.xz
 4e4d2ee238124add8325035773f362b5 15733 java optional openjdk-8_8u151-b12-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQItBAEBCAAXBQJZ+WZ7EBxkb2tvQHVidW50dS5jb20ACgkQvX6qYHePpvWcRhAA
sMJoWmTLhdqK2rFvfSss7GM2NbMBDBp+PKBEUkuvLnz+IYYkqw1UfCnU+/ze4k07
x77g2QL+ly+uP5jkuXGomDbGY+ptbG1rF/BBUsHpsOSp6qVGHhfjsX9GJikVUvhi
LFbcMozWoIhP8OB1m6jyvSmH7V0+izLsfPoI2jy6JyiYkDMFv9i20izhEwlIcxv2
rwL6a0uaejYIQkty8P82vaPMDcKlBlstJhE6Oc+VOBh/fAEj9CWyKqfS1L/pRhWA
1yD4IaS0rJHDvdneJqQl6S09KtzAzawLQG/u3XcpEY1/pRCZeG+3V1RePBpaGQsq
2sVdoXAT2MqGMa4P5fLJSZn9yo4MpPztks5D4FU0wVxVeAgNjOrBWelGeIvpp26o
lt7VjHzm3nv0Iw+0jHaliUr0RYbgIBwLKE+YKPdloqSJ+9zV20/tSgOPnbVYxpx5
/knvKyFCOJ1mCG9NR2UB1MFcIbXC+dzbHxj4f38YQZQV/ynzUMJ9eKl9LdczgXvl
WI4OmjKqgqz5bNnf4ofSx1rqeScdC4ik9fTfn+3kgvMKQWxc4prtpf7nbub71+4d
BPXeHjeAn3gbsKmNNy+TGUJS+FV/pVBoNt4QxP9V5r/6jZoeuTzUUkyAD9VPLa24
/hnXlBiKCdhb3x4fHnsH5zoPv7DMOuIvLErUb0M13YA=
=2CdX
-----END PGP SIGNATURE-----
Reply to:
Prev by Date: Accepted pugixml 1.8.1-7 (source) into unstable
Next by Date: Accepted openvas 9.0.1 (source all) into unstable
Previous by thread: Accepted pugixml 1.8.1-7 (source) into unstable
Next by thread: Accepted openvas 9.0.1 (source all) into unstable
Index(es):
- Date
- Thread