[Branch ~openjdk/openjdk/openjdk7] Rev 610: openjdk-7 (7u121-2.6.8-2) experimental; urgency=high

noreply at launchpad.net
Wed Feb 8 09:10:39 UTC 2017


------------------------------------------------------------
revno: 610
committer: Matthias Klose <doko at ubuntu.com>
branch nick: openjdk7
timestamp: Wed 2017-02-08 10:09:47 +0100
message:
  openjdk-7 (7u121-2.6.8-2) experimental; urgency=high
  
    [ Tiago Stürmer Daitx ]
    * Security fixes from 8u121:
      - S8167104, CVE-2017-3289: Custom class constructor code can bypass the
        required call to super.init allowing for uninitialized objects to be
        created.
      - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling
        dispose() on a CMenuComponent multiple times.
      - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various
        extraneous bytes added to them whereas the signature is supposed to be
        unique.
      - S8166988, CVE-2017-3253: The PNG specification allows the [iz]Txt
        sections to be 2^32-1 bytes long so these should not be uncompressed
        unless the user explicitly requests it.
      - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may
        leak information about k.
      - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to
        deserialize responses from an LDAP server when an LDAP context is
        expected.
      - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how
        users or external applications would interpret them leading to possible
        security issues.
      - S8168705, CVE-2016-5547: A value from an InputStream is read directly
        into the size argument of a new byte[] without validation.
      - S8164147, CVE-2017-3261: An integer overflow exists in
        SocketOutputStream which can lead to memory disclosure.
      - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will
        dispatch HTTP GET requests where the invoker does not have permission.
      - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when
        long running sessions are allowed.
    * Missing
      - S8165344, CVE-2017-3272: A protected field can be leveraged into type
        confusion.
      - S8156802, CVE-2017-3241: RMI deserialization should limit the types
        deserialized to prevent attacks that could escape the sandbox.
    * Ignored
      - S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may
        leak information about k.
  
   -- Matthias Klose <doko at ubuntu.com>  Tue, 07 Feb 2017 11:09:39 +0100
added:
  patches/sec-webrev-8u121-8151934-jdk.patch
  patches/sec-webrev-8u121-8156802-jdk.patch
  patches/sec-webrev-8u121-8158406-jdk.patch
  patches/sec-webrev-8u121-8158997-jdk.patch
  patches/sec-webrev-8u121-8159507-hotspot.patch
  patches/sec-webrev-8u121-8160108-jdk-backport-for-8156802.patch
  patches/sec-webrev-8u121-8161218-hotspot.patch
  patches/sec-webrev-8u121-8161743-jdk.patch
  patches/sec-webrev-8u121-8162577-jdk.patch
  patches/sec-webrev-8u121-8162973-jdk.patch
  patches/sec-webrev-8u121-8164143-jdk.patch
  patches/sec-webrev-8u121-8164147-jdk.patch
  patches/sec-webrev-8u121-8165071-jdk.patch
  patches/sec-webrev-8u121-8165344-jdk.patch
  patches/sec-webrev-8u121-8166988-jdk.patch
  patches/sec-webrev-8u121-8167104-hotspot.patch
  patches/sec-webrev-8u121-8167223-jdk.patch
  patches/sec-webrev-8u121-8168705-jdk.patch
  patches/sec-webrev-8u121-8168714-jdk.patch
  patches/sec-webrev-8u121-8168728-jdk.patch
modified:
  changelog
  control
  rules
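The ECDSA item in the changelog (S8168714, CVE-2016-5546) is about a verifier accepting several byte encodings of the same (r, s) pair when DER guarantees exactly one. The check a practitioner wants is a strict DER parser for SEQUENCE { INTEGER r, INTEGER s } that rejects trailing bytes, non-minimal lengths, redundant leading zeros and negative integers, and range-checks r and s against the group order. The block below is an added example written for this page; it is not OpenJDK code and not the 8u121 fix, and it is in Python rather than Java because the check is on the byte format, not on a JDK API. The P-256 order is the standard constant; the (r, s) pair and the four mutated signatures are constructed test data.

```python
# Strict DER parsing of an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.
# Added example (not OpenJDK code). P256_ORDER is the standard NIST P-256 group
# order; R, S and the VARIANTS dictionary are constructed test data.

P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


class MalformedSignature(ValueError):
    """Raised for any encoding that is not the unique DER form."""


def _read_length(buf, pos):
    """Parse a DER length at buf[pos]. DER mandates the shortest encoding."""
    if pos >= len(buf):
        raise MalformedSignature("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: one byte, value < 128
        return first, pos
    if first == 0x80:
        raise MalformedSignature("indefinite length is BER, not DER")
    nbytes = first & 0x7F
    if nbytes > 4 or pos + nbytes > len(buf):
        raise MalformedSignature("unsupported or truncated long-form length")
    if buf[pos] == 0:                      # leading zero length byte is redundant
        raise MalformedSignature("non-minimal long-form length")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    if length < 0x80:                      # must have used the short form
        raise MalformedSignature("long form used for a length below 128")
    return length, pos + nbytes


def _read_integer(buf, pos):
    """Parse a DER INTEGER: tag 0x02, minimal length, minimal two's-complement body."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise MalformedSignature("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1)
    if length == 0 or pos + length > len(buf):
        raise MalformedSignature("empty or truncated INTEGER")
    body = buf[pos:pos + length]
    if body[0] & 0x80:                     # r and s are never negative
        raise MalformedSignature("negative INTEGER")
    if length > 1 and body[0] == 0 and not (body[1] & 0x80):
        raise MalformedSignature("non-minimal INTEGER (redundant leading zero)")
    return int.from_bytes(body, "big"), pos + length


def parse_ecdsa_der(sig, order=P256_ORDER):
    """Return (r, s) from a strictly DER-encoded ECDSA signature, else raise."""
    if len(sig) < 2 or sig[0] != 0x30:
        raise MalformedSignature("expected SEQUENCE tag")
    seq_len, pos = _read_length(sig, 1)
    if pos + seq_len != len(sig):          # covers both truncation and trailing bytes
        raise MalformedSignature("SEQUENCE length does not match input (trailing bytes?)")
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != len(sig):
        raise MalformedSignature("extra elements inside SEQUENCE")
    if not (0 < r < order and 0 < s < order):
        raise MalformedSignature("r or s outside [1, n-1]")
    return r, s


def _encode_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:                     # one zero byte keeps the value positive
        body = b"\x00" + body
    return bytes([0x02, len(body)]) + body


def encode_ecdsa_der(r, s):
    """Canonical encoder, used here only to build the reference signature."""
    content = _encode_integer(r) + _encode_integer(s)
    return bytes([0x30, len(content)]) + content   # content < 128 bytes for P-256


def classify(sig, order=P256_ORDER):
    """'ok' for a canonical signature, otherwise the reason it was rejected."""
    try:
        parse_ecdsa_der(sig, order)
        return "ok"
    except MalformedSignature as exc:
        return str(exc)


# Constructed test data: an arbitrary (r, s) pair in range for P-256.
R = 0xF1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
S = 0x1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F809
CANONICAL = encode_ecdsa_der(R, S)       # 30 45 02 21 00 F1.. 02 20 1A..
CONTENT = CANONICAL[2:]

# Four non-canonical encodings of the same bytes that a lax parser would accept
# (or, for the last one, mis-read as a negative r).
VARIANTS = {
    "trailing byte": CANONICAL + b"\x00",
    "long-form SEQUENCE length": b"\x30\x81" + bytes([len(CONTENT)]) + CONTENT,
    "padded r": (b"\x30" + bytes([len(CONTENT) + 1]) + b"\x02"
                 + bytes([CANONICAL[3] + 1]) + b"\x00" + CANONICAL[4:]),
    "negative r (pad stripped)": (b"\x30" + bytes([len(CONTENT) - 1]) + b"\x02"
                                  + bytes([CANONICAL[3] - 1]) + CANONICAL[5:]),
}


def check_all():
    """Return the parser's verdict for the canonical signature and each variant."""
    verdicts = {"canonical": classify(CANONICAL)}
    verdicts.update({name: classify(sig) for name, sig in VARIANTS.items()})
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:28s} {verdict}")
```

A cheaper check that gives the same guarantee where a canonical encoder is already available is to parse leniently, re-encode (r, s) with `encode_ecdsa_der`, and reject the signature unless the re-encoded bytes equal the input byte for byte; the strict parser above is preferable when you also want a precise rejection reason for logging.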

--
lp:~openjdk/openjdk/openjdk7
https://code.launchpad.net/~openjdk/openjdk/openjdk7
