------------------------------------------------------------ revno: 694 committer: Matthias Klose <d...@ubuntu.com> branch nick: openjdk8 timestamp: Mon 2017-01-23 11:17:38 +0100 message: [ Tiago Stürmer Daitx ] * debian/rules: add -O3 to DEB_CFLAGS_MAINT_STRIP and DEB_CXXFLAGS_MAINT_STRIP for dpkg_buildflags_jdk and dpkg_buildflags_hs as ppc64le has -O3 by default. LP: #1640845. * Update to 8u121-b13, including security fixes. - S8165344, CVE-2017-3272: A protected field can be leveraged into type confusion. - S8167104, CVE-2017-3289: Custom class constructor code can bypass the required call to super.init allowing for uninitialized objects to be created. - S8156802, CVE-2017-3241: RMI deserialization should limit the types deserialized to prevent attacks that could escape the sandbox. - S8164143, CVE-2017-3260: It is possible to corrupt memory by calling dispose() on a CMenuComponentmultiple times. - S8168714, CVE-2016-5546: ECDSA will accept signatures that have various extraneous bytes added to them whereas the signature is supposed to be unique. - S8166988, CVE-2017-3253: The PNG specification allows the [iz}Txt sections to be 2^32-1 bytes long so these should not be uncompressed unless the user explicitly requests it. - S8168728, CVE-2016-5548: DSA signing exhibits a timing bias that may leak information about k. - S8168724, CVE-2016-5549: ECDSA signing exhibits a timing bias that may leak information about k. - S8161743, CVE-2017-3252: LdapLoginModule incorrectly tries to deserialize responses from an LDAP server when an LDAP context is expected. - S8167223, CVE-2016-5552: Parsing of URLs can be inconsistent with how users or external applications would interpret them leading to possible security issues. - S8168705, CVE-2016-5547: A value from an InputStream is read directly into the size argument of a new byte[] without validation. - S8164147, CVE-2017-3261: An integer overflow exists in SocketOutputStream which can lead to memorydisclosure. - S8151934, CVE-2017-3231: Under some circumstances URLClassLoader will dispatch HTTP GET requests where the invoker does not have permission. - S8165071, CVE-2016-2183: 3DES can be exploited for block collisions when long running sessions are allowed. * d/p/8132051-zero.diff: Superseeded by upstream fix S8154210; removed. * d/p/hotspot-JDK-8158260-ppc64el.patch: Applied upstream; removed. * d/p/6926048.diff: Already applied upstream; removed. * d/p/jdk-ppc64el-S8170153.patch, d/p/openjdk-ppc64el-S8170153.patch: Improve StrictMath performance on ppc64el. LP: #1646927. * d/p/jdk-841269-filechooser.patch: Fix FileChooser behavior when displaying links to non-existant files. Closes: #841269. * Refreshed various patches. removed: debian/patches/6926048.diff debian/patches/8132051-zero.diff debian/patches/hotspot-JDK-8158260-ppc64el.patch added: debian/patches/jdk-841269-filechooser.patch debian/patches/jdk-ppc64el-S8170153.patch debian/patches/openjdk-ppc64el-S8170153.patch debian/patches/sec-webrev-8u121-aarch64-hotspot-8159507.patch debian/patches/sec-webrev-8u121-aarch64-hotspot-8161218.patch debian/patches/sec-webrev-8u121-aarch64-hotspot-8167104.patch modified: debian/changelog debian/patches/8141491.diff debian/patches/aarch64.diff debian/patches/adlc-parser.patch debian/patches/applet-hole.patch debian/patches/autoconf-select.diff debian/patches/compare-pointer-with-literal.patch debian/patches/default-jvm-cfg-default.diff debian/patches/disable-doclint-by-default.diff debian/patches/dnd-files.patch debian/patches/dont-strip-images.diff debian/patches/gcc6.diff debian/patches/hotspot-disable-werror.diff debian/patches/hotspot-libpath-aarch64.diff debian/patches/hotspot-mips-align.diff debian/patches/hotspot-no-march-i586.diff debian/patches/hotspot-set-compiler.diff debian/patches/hotspot-warn-no-errformat.diff debian/patches/icc_loading_with_symlink.diff debian/patches/icedtea-4953367.patch debian/patches/icedtea-override-redirect-compiz.patch debian/patches/include-all-srcs.diff debian/patches/javadoc-sort-enum-and-annotation-types.diff debian/patches/jdk-freetypeScaler-crash.diff debian/patches/jdk-getAccessibleValue.diff debian/patches/jdk-pulseaudio.diff debian/patches/jdk-target-arch-define.diff debian/patches/ld-symbolic-functions-default.diff debian/patches/libjpeg-fix.diff debian/patches/libpcsclite-dlopen.diff debian/patches/link-with-as-needed.diff debian/patches/m68k-support.diff debian/patches/multiple-pkcs11-library-init.patch debian/patches/nonreparenting-wm.diff debian/patches/pass-extra-flags.diff debian/patches/ppc64el.diff debian/patches/s390x-thread-stack-size.diff debian/patches/sparc-fixes.diff debian/patches/system-lcms.diff debian/patches/system-libjpeg.diff debian/patches/system-libpng.diff debian/patches/system-pcsclite.diff debian/patches/workaround_expand_exec_shield_cs_limit.diff debian/patches/zero-architectures.diff debian/patches/zero-fpu-control-is-noop.diff debian/patches/zero-missing-headers.diff debian/patches/zero-x32.diff debian/rules The size of the diff (2735 lines) is larger than your specified limit of 1000 lines
-- lp:~openjdk/openjdk/openjdk8 https://code.launchpad.net/~openjdk/openjdk/openjdk8 Your team Debian Java Maintainers is subscribed to branch lp:~openjdk/openjdk/openjdk8. To unsubscribe from this branch go to https://code.launchpad.net/~openjdk/openjdk/openjdk8/+edit-subscription __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.