------------------------------------------------------------ revno: 610 committer: Matthias Klose <d...@ubuntu.com> branch nick: openjdk7 timestamp: Wed 2017-02-08 10:09:47 +0100 message: openjdk-7 (7u121-2.6.8-2) experimental; urgency=high [ Tiago Stürmer Daitx ] * Security fixes from 8u121: - S8167104, CVE-2017-3289: Custom class constructor code can bypass the required call to super.init allowing for uninitialized objects to be created. - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling dispose() on a CMenuComponentmultiple times. - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various extraneous bytes added to them whereas the signature is supposed to be unique. - S8166988, CVE-2017-3253: The PNG specification allows the [iz}Txt sections to be 2^32-1 bytes long so these should not be uncompressed unless the user explicitly requests it. - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may leak information about k. - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to deserialize responses from an LDAP server when an LDAP context is expected. - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how users or external applications would interpret them leading to possible security issues. - S8168705, CVE-2016-5547: A value from an InputStream is read directly into the size argument of a new byte[] without validation. - S8164147, CVE-2017-3261: An integer overflow exists in SocketOutputStream which can lead to memorydisclosure. - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will dispatch HTTP GET requests where the invoker does not have permission. - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when long running sessions are allowed. * Missing - S8165344, CVE-2017-3272: A protected field can be leveraged into type confusion. - S8156802, CVE-2017-3241: RMI deserialization should limit the types deserialized to prevent attacks that could escape the sandbox. * Ignored - S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may leak information about k. -- Matthias Klose <d...@ubuntu.com> Tue, 07 Feb 2017 11:09:39 +0100 added: patches/sec-webrev-8u121-8151934-jdk.patch patches/sec-webrev-8u121-8156802-jdk.patch patches/sec-webrev-8u121-8158406-jdk.patch patches/sec-webrev-8u121-8158997-jdk.patch patches/sec-webrev-8u121-8159507-hotspot.patch patches/sec-webrev-8u121-8160108-jdk-backport-for-8156802.patch patches/sec-webrev-8u121-8161218-hotspot.patch patches/sec-webrev-8u121-8161743-jdk.patch patches/sec-webrev-8u121-8162577-jdk.patch patches/sec-webrev-8u121-8162973-jdk.patch patches/sec-webrev-8u121-8164143-jdk.patch patches/sec-webrev-8u121-8164147-jdk.patch patches/sec-webrev-8u121-8165071-jdk.patch patches/sec-webrev-8u121-8165344-jdk.patch patches/sec-webrev-8u121-8166988-jdk.patch patches/sec-webrev-8u121-8167104-hotspot.patch patches/sec-webrev-8u121-8167223-jdk.patch patches/sec-webrev-8u121-8168705-jdk.patch patches/sec-webrev-8u121-8168714-jdk.patch patches/sec-webrev-8u121-8168728-jdk.patch modified: changelog control rules The size of the diff (7508 lines) is larger than your specified limit of 1000 lines
-- lp:~openjdk/openjdk/openjdk7 https://code.launchpad.net/~openjdk/openjdk/openjdk7 Your team Debian Java Maintainers is subscribed to branch lp:~openjdk/openjdk/openjdk7. To unsubscribe from this branch go to https://code.launchpad.net/~openjdk/openjdk/openjdk7/+edit-subscription __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.